Archives

Papers

Designation as a National Security Agency/Department of Homeland Security Center of Academic Excellence requires a campus-wide commitment to information assurance curricula as well as a rigorous application process. This article describes one institution's lessons learned in the application process, from the initial decision to apply through to final application submission.

To address a perceived lack of availability of educational resources for students and teachers in the field of information security, and to advance the quality of information security education in general, our institutions have begun development of a web portal to house information security related educational materials, research and virtual exercises, as well as to provide links to other resources. This portal is termed the PRISM, Public Repository for Information Security Materials. This paper details the initial vision for the PRISM repository, outlines user interface, technical, and personnel requirements, and discusses some of the more interesting aspects of implementation, including access control provisioning and protocols for content submission, review and classification. The current status of the project is also presented, followed by a brief overview of near-term future plans.

Generally discussions of digital signatures, cryptography and computer security focus on the complicated technical details behind the systems. Students are often led to the false conclusion that such systems are truly secure. We describe a very simple Trojan horse attack on a Department of Defense digital signature system, and how its demonstration in the classroom led to an improved understanding of weaker links in the security trust chain, and a healthy skepticism of security claims.

The Computer Science Department at Boston University Metropolitan College offers a sequence of two graduate courses on cryptography. Being mathematical in nature, they lay down a solid foundation of knowledge that can be utilized in semester projects. Two projects are designed which tie together the concepts from both courses to implement real-world scenarios in public key infrastructure and web of trust modeling. Several cryptographically secure algorithms are required to be implemented by students to successfully complete these projects.

Virtualization is gaining popularity as a way to offer a more flexible platform for providing hands-on laboratory experiences. Until now, most organizations have been highly decentralized in the manner of building and providing the virtualization infrastructure. This is not a desirable approach due to the duplicated effort spent reinventing the wheel. A more efficient approach is to have a template or standard from which practitioners can build their respective customized versions.

The TCP three-way handshake can be used as a pedagogical tool when teaching network security in an introductory course in information security. I use it as a common theme that runs through various network security topics so that it is easier for students to grasp new concepts while reinforcing old knowledge. This paper describes the rationale for so doing and shares examples of some learning tools I created in this respect.

Many security vulnerabilities are caused through flaws in the developed software. We investigate the hypothesis that using a structured software development framework reduces the flaws introduced by programmers, leading to more secure software. To test this hypothesis, we conducted an empirical study comparing applications developed using Struts I, a widely used framework for Java-based web applications, against applications written in JSP/Servlet. Our results suggest that a structured framework may reduce security vulnerability density, mainly as a result of using libraries that abstract away low level API calls. Modular design, e.g. the MVC model, had only a modest impact.

Spear phishing, targeted e-mail that attempts to extract sensitive information without authorization, is a growing concern for individuals who need to protect their personal information and companies that need to safeguard their intellectual property. Technical controls on networks and systems cannot totally prevent spear phishing e-mail from reaching users’ e-mail inboxes, thereby requiring the e-mail recipients to understand how to recognize spear phishing attempts. To underscore the risks and importance of handling spear phishing e-mail appropriately, a security awareness method with immediate impact is needed.

Security has become an increasingly important topic in software engineering. In this paper, an approach of using workflow technology in teaching secure software engineering courses is presented. This approach can free students from low-level tool manipulation and command line interactions so that students can focus on learning the important secure software principles. Four case studies using the workflow technology, including using a local static analysis tool for code review, using a remote tool for code analysis, integrating local and remote tools, and implementing a web service fuzzer for penetration tests, are presented. Our educational practice has shown that the benefits of using workflow technology in teaching secure software engineering classes have been well received by the students.

Developing realistic cyber training environments enables hands-on training of cyber security topics in a controlled fashion. Cost, space, time, and reproducibility are major factors that prevent large-scale network replications for individual training purposes. This paper discusses the ways that existing virtualization technologies could be packaged to provide a more accessible, comprehensive, and realistic cyberspace training and education environment to the individual user. The paper maps ways of merging two existing virtualization methods in order to leverage the unique benefits that each type of virtualization technique provides.
