Papers
Formal models are important in information security education. The ability to abstract security concepts and apply formal reasoning techniques provides a basis for students to understand fundamental results and have a broader perspective on security issues. Our experience at the undergraduate level is that students often struggle with the abstract models, how to apply them, and the associated implications. To provide students a more concrete approach to working with and understanding security protection models, we have developed interactive visualization tools that allow students to create, manipulate, and experiment with the models.
The Federal Information Security Management Act places obligations upon Federal agencies and their contractors, effected through National Institute of Standards and Technology standards and guidelines. FISMA compliance has, however, limited recognition beyond the Federal domain, whereas there is an increasing move in the private sector towards the international standard ISO/IEC 27001 (“Information security management systems – Requirements”), formally-certified conformity to which has widespread acknowledgement and international mutual recognition.
This paper proposes the inclusion of a required course in information security for university students. College students possess an array of computer hardware, the ability to use Internet resources, and the savvy to find any music, movie, or game online but are ignorant about the fundamentals of information security. Often student computing behavior is reckless and exposes them, their data, and the university network to damage or legal liability. Information security professionals know the value of awareness, training, and education in information security. Awareness programs have not been successful in informing students about the risks they face online and the consequences of their computing behaviors.
Trustworthiness and Education figure among the challenges and risks facing the constructive use of information technology. Security, reliability, survivability, and predictability are among the system attributes that are not receiving enough attention. Critical infrastructures are still vulnerable to attacks and accidental collapses. University curricula seem to be less responsive to the trustworthiness needs of critical systems and infrastructures. In this paper, we propose two approaches for embedding trustworthy computing foundational topics within the knowledge areas of two computing-related disciplines, namely computer science and computer engineering.
This paper discusses aspects of a Network-Centric environment that should be considered as part of an information assurance course for the future.
This paper describes an undergraduate course in software engineering that introduces students to a variety of processes that are used to develop software. Students are asked to consider the security implications of the various processes. Special emphasis is given to PSP, CMM and agile processes (like eXtreme Programming and Scrum). An important issue in this course is whether agile processes can produce secure software and, if not, how they might be improved to make agile processes more secure. Students work on a major team project that involves developing a software process for a pretend company and a team presentation project that addresses the security issues specifically.
Networks of compromised machines called botnets are one of the most threatening adversaries on the Internet, due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with new, unknown bots. By slightly modifying the code of an existing bot, bot commanders can bypass most signature-based mechanisms. We believe that by analyzing bot traffic for malicious patterns, it is possible to develop a taxonomy of bot characteristics and in turn use these characteristics to develop risk measures which will ultimately be used in the decision-making process of allowing or blocking traffic.
To meet the current industry demand for qualified security professionals, we need innovative courseware that can help students put information assurance theory into practice. This paper describes our experience in designing hands-on information assurance courseware that addresses the current demand. In addition, we present a survey instrument to assess our design based on the contents of lectures, the contents of laboratory exercises, the relevance between the lecture and laboratory exercises, and the overall impact of the class on students.
A computer forensics course was offered during the 2006 Alaska Summer Research Academy (ASRA) at the University of Alaska Fairbanks. The two-week course provided a small number of high school students with the opportunity to gain experience in and an understanding of the field of digital forensics. Topics covered in the course included ethical issues related to digital forensics, digital footprints, forensics for digital media, and network-based forensics.
This article briefly covers the need, feasibility and a potential solution for creating an Internet Portal for INFOSEC [1] professionals – in other words, access to an electronic knowledge base/dynamic. The major components are recommended to cover research, theory and sound practice within a multitude of INFOSEC environments: public, private, and non-profits. The connection to the major categories of the NSTISS 4011 standard is equally critical. The author proposes the establishment of an Internet Portal for INFOSEC professionals under the auspices of a neutral organization.
Experiential learning has been shown to be one of the best methods for learning, especially when combined with other forms of instruction. While much of the literature has illustrated experiential learning techniques for information assurance curriculum in general, the “Cryptography” course has not been studied in great detail with regard to experiential learning. We discuss exercises of multiple forms which demonstrate the intersection of experiential learning and cryptography.
Information Assurance and Security is a pervasive theme that must be integrated throughout the information technology curriculum. This paper describes the development of three information assurance concentration programs that integrate information assurance topics with the existing Computer Science curricula at Arizona State University. Observations and lessons learned from the development process are presented, including how to arrange and schedule the series of information assurance courses, how to improve student involvement, and what kinds of textbooks are most needed in this area.
This paper describes aspirations for the information system security profession and steps for advancing them. It is about what the profession would look like if the authors and their associates could have it any way they wanted it to be. It describes a strategic vision. We do not expect this vision to be realized by accident. However, we believe that it can be achieved by design and intent within a decade. We make recommendations for meeting the requirements and challenge The Colloquium to lead the education component.
The paper presents a known sequential and a new parallel/concurrent actor-oriented solution of the Dominator problem. The new parallel/concurrent actor-oriented Dominator algorithm computes the sets of dominators of the nodes of a given control flow graph in a parallel/concurrent, actor-oriented way. The new Dominator algorithm is implemented as a multi-actor system in the Easel programming language. The new Dominator algorithm and its implementation are important contributions to the theory and practice of parallel/concurrent algorithms and actor-oriented programming. Because the Dominator algorithm has applications in Information Assurance and Computer Security for detecting and locating program attacks, this novel and innovative Dominator algorithm may greatly influence these disciplines.
September 11 caused America to recognize the need to secure all parts of the nation’s critical infrastructure, including information technology. In 2002, the President released the National Strategy to Secure Cyberspace, a document that provides direction for strengthening cybersecurity. A key recommendation of the National Strategy to Secure Cyberspace is to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. The Department of Homeland Security – National Cyber Security Division (DHS-NCSD) Training and Education Program has been tasked to lead these efforts by effectively articulating the needs of the public and private sector IT security community.
Cryptography is an essential component of America’s national security infrastructure. Billions of dollars are spent on cryptosystems every year, in both the public and private sector. Unfortunately, the field is rife with dubious claims, snake oil salesmen, and outright fraud. This paper highlights the importance of skepticism and critical thinking in the role of evaluating and procuring cryptosystems. We discuss our experiences in teaching future leaders about testing extraordinary cryptographic claims by asking hard questions, and show examples from our own experience. We believe that the rigorous application of skepticism and critical thinking in cryptography is absolutely essential to the wise use of America’s resources and the security of the nation.
In 2005 the first regional competition was held in what has become known as the Collegiate Cyber Defense Competition. The following year four regional competitions were held along with the first national competition. In 2007 the national competition continued with state competitions being added to the overall plan. The National Collegiate Cyber Defense Competition is well on its way to being established as an annual event with more schools joining the event each year. This paper addresses what the next steps are for the competition if it is to continue to gain recognition among schools and to indeed be established as the single recognized collegiate cyber defense competition.
Industry has recognized that creating secure systems requires incorporating security concepts throughout the software development lifecycle. A similar effort is required in education, integrating security best practices and risk management into the curriculum. At Towson University, we are developing and implementing a model to thread security throughout our computer science curriculum. Key to our plan is the use of security checklists and scorecards. Checklists provide a quantifiable list of security criteria to aid in writing secure code and reinforce security principles. Additionally, scorecards and checklists provide a consistent means of evaluation and assessment.
Ethical hacking is the controversial practice of employing the tools and tactics of hackers to test the security precautions protecting a network. Ethical hacking is becoming an accepted business practice and a number of schools are including ethical hacking in their Information Assurance (IA) curriculum. Some educators feel that it is necessary to know how to attack a network to truly understand how to defend a network. Schools that teach ethical hacking provide instruction to students along with the hardware and software tools they need to conduct ethical hacking exploits. Schools with Information Assurance or Information Security programs need to address the ethical, legal, and practical issues surrounding teaching ethical hacking.
Copyright © 2024 CISSE™. All rights reserved.