Papers

Formal models are important in information security education. The ability to abstract security concepts and apply formal reasoning techniques provides a basis for students to understand fundamental results and have a broader perspective on security issues. Our experience at the undergraduate level is that students often struggle with the abstract models, how to apply them, and the associated implications. To provide students a more concrete approach to working with and understanding security protection models, we have developed interactive visualization tools that allow students to create, manipulate, and experiment with the models.

The Federal Information Security Management Act places obligations upon Federal agencies and their contractors, effected through National Institute of Standards and Technology standards and guidelines. FISMA compliance has, however, limited recognition beyond the Federal domain, whereas there is an increasing move in the private sector towards the international standard ISO/IEC 27001 (“Information security management systems – Requirements”), formally-certified conformity to which has widespread acknowledgement and international mutual recognition.

This paper proposes the inclusion of a required course in information security for university students. College students possess an array of computer hardware, the ability to use Internet resources, and the savvy to find any music, movie, or game online but are ignorant about the fundamentals of information security. Often student computing behavior is reckless and exposes them, their data, and the university network to damage or legal liability. Information security professionals know the value of awareness, training, and education in information security. Awareness programs have not been successful in informing students about the risks they face online and the consequences of their computing behaviors.

Trustworthiness and Education figure among the challenges and risks facing the constructive use of information technology. Security, reliability, survivability, and predictability are among the system attributes that are not receiving enough attention. Critical infrastructures are still vulnerable to attacks and accidental collapses. University curricula seem to be less responsive to the trustworthiness needs of critical systems and infrastructures. In this paper, we propose two approaches for embedding trustworthy computing foundational topics within the knowledge areas of two computing-related disciplines, namely computer science and computer engineering.

This paper discusses aspects of a Network-Centric environment that should be considered as part of an information assurance course for the future.

This paper describes an undergraduate course in software engineering that introduces students to a variety of processes that are used to develop software. Students are asked to consider the security implications of the various processes. Special emphasis is given to PSP, CMM and agile processes (like eXtreme Programming and Scrum). An important issue in this course is whether agile processes can produce secure software and, if not, how they might be improved to make agile processes more secure. Students work on a major team project that involves developing a software process for a pretend company and a team presentation project that addresses the security issues specifically.

Networks of compromised machines called botnets are one of the most threatening adversaries on the Internet, due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with new, unknown bots. By slightly modifying the code of an existing bot, bot commanders can bypass most signature-based mechanisms. We believe that by analyzing bot traffic for malicious patterns, it is possible to develop a taxonomy of bot characteristics and in turn use these characteristics to develop risks which will ultimately be used in the decision-making process of allowing or blocking traffic.

To meet the current industry demand for qualified security professionals, we need innovative courseware that can help students apply information assurance theory into practice. This paper describes our experience in designing hands-on information assurance courseware that addresses the current demand. In addition, we have presented a survey instrument to assess our design based on the contents of lectures, the contents of laboratory exercises, the relevance between the lecture and laboratory exercises, and the overall impact of the class on students.

A computer forensics course was offered during the 2006 Alaska Summer Research Academy (ASRA) at the University of Alaska Fairbanks. The two-week course provided a small number of high school students with the opportunity to gain experience in and an understanding of the field of digital forensics. Topics covered in the course included ethical issues related to digital forensics, digital footprints, forensics for digital media, and network-based forensics.

This article briefly covers the need, feasibility and a potential solution for creating an Internet Portal for INFOSEC [1] professionals – in other words, access to an electronic knowledge base/dynamic. The major components are recommended to cover research, theory and sound practice within a multitude of INFOSEC environments: public, private, and non-profits. The connection to the major categories of the NSTISS 4011 standard is equally critical. The author proposes the establishment of an Internet Portal for INFOSEC professionals under the auspices of a neutral organization.
