Papers
Information assurance provides us with the foundational means to protect our digital assets. As we build programs to meet the needs of our ever-growing computer user base, we seem to be fighting an uphill battle. This research effort describes some of the findings from an NSF-funded project to investigate the state-of-the-art in computer security laboratory environments and how they are being used in an effort to develop a plan for improving the capabilities and facilities available in the State of Alaska. The major ancillary finding is that research and educational environments do not exist in isolation.
To bridge the gap between the instruction of security primitives and protocols, we have designed and developed a digital Lego system and supporting course materials. Our digital Lego pieces are designed to use shapes to provide a generic representation of security protocols. With the automatic Lego piece generation and fitting method, we have developed a protocol demonstration and experiment environment that allows students to practice with these abstract concepts. The developed exercises will expose the relationship among security primitives and properties, and train students’ capabilities to design secure protocols under different requirements. Our approach applies the pedagogical methods learned from toy construction sets by treating security atomics as Lego pieces and protocols as construction results.
This paper describes a project that the author has begun and which he would like to share with the Information Assurance education community. The idea is to create a detailed fictitious scenario that is intended to educate students about the intersection between information assurance and software engineering. The scenario covers a variety of topics, including basic security concerns in software development, how security needs to be integrated into software processes, and work culture issues that can have a major impact upon the security of a product that an organization produces. Professional responsibilities and ethics are also important foci of the scenario.
The term virus is widely used for one type of malicious code affecting computer systems and networks. Such usage suggests the mental picture of malicious code as a disease infecting computers and implies that information security can use a medical paradigm for protecting against those diseases. In fact, using the concepts of biological systems and models can inform, guide and inspire information security as it seeks to understand, prevent, detect, interdict and counter threats to information assets and systems. The biological approach is especially useful in enabling quantitative risk management and informing management decisions in information security. Statistical analyses are used to evaluate treatment protocols in medicine.
Competitive exercises are one means to motivate and teach information security concepts to students. Along the Colorado front range, schools have joined together to teach students security concepts using a regional security assessment exercise, known as the Computer and Network Vulnerability Assessment Simulation, or CANVAS. CANVAS shares some elements with a typical “Capture the Flag” exercise, but differs from other security competitions in the overall approach to the exercise, in the exercise objectives, in team makeup, and in the evaluation criteria. Teams are formed at the exercise and combine students from different backgrounds. Points are awarded based on successful strategy and written reports as well as typical “flags”.
There is a strong need for minority institutions to establish their place in the Information Assurance (IA) education arena. The Information Systems and Decisions Sciences Department at Howard University believes that we can extend our programs to incorporate the rapidly developing field of information security. Howard hosts both a Bachelor in Business Administration in Computer Based Information Systems with a concentration in Information Assurance (IA) program and a Master of Science with an Information Security certificate program.
Each year the reported number of security vulnerabilities increases as does the sophistication of attacks to exploit these vulnerabilities. Most security vulnerabilities are the result of insecure coding practices. There is a critical need to increase the security education of computer science students, particularly in software security. We are designing course modules, to be used at the undergraduate or graduate level, to integrate software system security into our computer science curriculum. The course modules we have developed, and are developing, include: operating system security, software security testing, code review, risk analysis, and database security.
Information security is one of the pervasive themes in computing curriculum. As computing security becomes more important in all sectors of society, so does the preparation of our students with knowledge and understanding of critical security concepts, methodologies, and techniques. Unfortunately, despite the deep and pervasive impact of security, undergraduate computing curricula and programs today often look much as they did several decades ago. We want to infuse information security into our computing curriculum, and we found a good model for doing that. This paper introduces the Threads model for computing curriculum that originated at Georgia Tech’s College of Computing, an innovative way of restructuring computing curriculum.
This paper responds to the need to understand the nature of SCADA systems security concepts, their important role in the Australian nation’s critical infrastructure protection and highlights the necessity of this as a specialist engineering course within a systems engineering program. It defines the nature of the field and the roles and qualifications of system engineering practitioners who serve in the field. It emphasizes the role of the specialist course within the tertiary program that produces potential systems engineering specialists with the knowledge required to achieve robustness and resilience of critical infrastructure systems and services.
The Information Assurance community has long benefited from the development of standards as part of the CNSS process. This paper summarizes efforts conducted over the last year to start a similar standards based methodology for Information Operations (IO) and to develop a framework for IO training and education.
Those of us in the fields of computer engineering and computer science find ourselves in the middle of an oxymoron. We are at the intersection where enrollments in our disciplines are dropping while at the same time the need for creative minds to solve pressing security problems is on the rise. Our institution, a well-known land grant with robust programs in computer security and information assurance at the undergraduate and graduate levels, recognized the need to encourage more Millennials to study in an information technology-related area and has started a program to try to entice students to enter our chosen professions.
The RAAF’s imperative is to train members of its No 462 Squadron in the appropriate disciplines required for the squadron to meet its charter. As a result, No 462 Squadron and the Queensland University of Technology, in Brisbane, Queensland, Australia, have developed a prototype training and education program designed to meet the Squadron’s charter in a cooperative effort between a defense establishment and a public academic institution. This paper discusses the experience gained in the development and delivery of a formally recognized Australian tertiary qualification in information assurance designed to meet No 462 Squadron’s Information and Communications Technology (ICT) and Information Assurance education and training requirements.
Walsh College included a capstone course in their Information Assurance graduate (MSIA) program. The IA capstone course is modeled after the MSBIT/MSIS capstone course developed by Dr. W. Don Gottwald. The capstone course was designed to be integrative, broadly focused, and demanding on the student. To complete the capstone course, the student needs to demonstrate their knowledge of project management techniques and a mastery of the skills taught across their program.
Threats of cyber-warfare attacks (and counter attacks) by countries with the largest economies in the world, massive losses of financial and personal data on millions of Americans to cybercrime, and the potential to disrupt America’s critical infrastructures should be on the minds of all Americans. Why? Because those who design, build, operate and defend the computer systems and networks that our economy relies upon are our fellow citizens. But where will these professionals acquire the skills in Computer Network Operations necessary to secure our future?
The Internet is unquestionably the most extensive and accessible resource for information and commerce in history. But it is also providing a medium for new forms of crime, espionage, and even terror, targeting organizations and individuals alike. Broad awareness of vulnerabilities and defenses is needed to protect against all types of cyber attacks. While online learning environments provide a great opportunity to train large numbers of people, they have yet to demonstrate effectiveness in high-stakes situations. In an effort to better prepare cyberspace defenders, we are developing a multidisciplinary training program that encompasses topics from computer science, management information systems, and legal and ethical studies, using state-of-the-art online learning methods and technology.
This article briefly explains the motive, purpose, feasibility and vision of creating an introductory information assurance course serving not only students seeking to become INFOSEC professionals, but which also reaches out to students from such diverse academic areas as Accounting, Business Administration, Education, and Criminal Justice to provide fundamental knowledge and skills. This course has been successfully mapped to meet 100% of the requirements of National Security Telecommunications and Information Systems Security (NSTISS) standards 4011 and 4013E.
Visualization plays a major role in understanding and interpreting security requirements. Security visualization means different things to different people. Some consider it as viewing the state of the environment and system. The purpose of this paper is to review some of the current methods used in security visualization.
Combining theoretical instruction with meaningful hands-on exercises is often challenging due to the lack of resources such as laboratory facilities and equipment. To overcome this problem, the use of a simulation/virtualization technology such as the OPNET simulation tool can be considered. In this paper, we discuss how one can use the OPNET simulation tool to effectively teach IP encryption and decryption concepts such as ones found in IP Security (IPSec).
This paper describes the results of applying formal security models to Cyber-Physical systems work in a classroom setting. The structure of the course required that each student select an infrastructure that had significant cyber and physical components. During the course, when they learned a model, they applied it to their infrastructure. Formal models included the HRU, Take-Grant, Bell-LaPadula, Biba, Non-interference, Non-inference, and Non-deducibility. The approach is described, and results of the models and student feedback are reported.
For the past three years, White Wolf Security has partnered with the CyberWATCH Center and the Community College of Baltimore County (CCBC) to design, conduct and score the Mid-Atlantic Regional Collegiate Cyber Defense Competition (CCDC). Over the course of those three engagements, the competition has grown in the number of teams, the size and diversity of infrastructure and the sophistication of the scoring process and visualization.
As indicated in the National Strategy to Secure Cyberspace [1], one of the priorities of the United States is to grow and then maintain the number of skilled professionals in Information Assurance. In fact, such professionals are needed at all levels of industry – from those implementing our networks to those researching and designing the technologies. The National Center of Academic Excellence in Information Assurance Education, East Stroudsburg University of Pennsylvania, has partnered with the NSA recognized (IACMM) firm Backbone Security, Northampton Community College, Monroe Career and Technical Institute, and northeastern PA secondary schools to address this priority.
Computer forensics is a hands-on discipline. Introductory skills, however, can be taught using simple exercises that require neither expensive laboratory facilities nor even face-to-face courses. This paper describes a simple floppy disk analysis project that allows an instructor to address issues ranging from the computer forensics process and basics of file systems to long file names, file signatures, and hashing. Projects are essential to teaching this discipline as they support active learning, constructivism, and active learning. These hands-on projects also offer an opportunity for courses to be taught online and for students to build their own toolkits using open source or commercial software.
We present a laboratory module that follows an end-to-end security process pattern in securing real world applications. The overall goal is to relate theoretical concepts of cryptography and security protocols to implementation solutions and their use in the workplace. In a series of activities for installing, certifying and working with systems, each configuration decision and communication exchange is evaluated and discussed in the context of the theoretical knowledge acquired in our core courses in cryptography, network and software security, and network management and security.
It appears that at many, not to say most, schools, cryptography is being taught to Computer Security and Information Assurance students by mathematicians or cryptographers. By their own reports, mathematicians and cryptographers tend to teach what interests them, even at the expense of what the student needs to know. While this may simply be a matter of pedagogy, it is often a matter of content. While the student may identify or infer for himself what he needs to know, it should not be left either to him or to chance.
Copyright © 2024 CISSE™. All rights reserved.