Archives

Papers

Information assurance provides us with the foundational means to protect our digital assets. As we build programs to meet the needs of our ever-growing computer user base, we seem to be fighting an uphill battle. This research effort describes some of the findings from an NSF-funded project to investigate the state of the art in computer security laboratory environments and how they are being used, in an effort to develop a plan for improving the capabilities and facilities available in the State of Alaska. The major ancillary finding is that research and educational environments do not exist in isolation.

To bridge the gap between the instruction of security primitives and protocols, we have designed and developed a digital Lego system and supporting course materials. Our digital Lego pieces are designed to use shapes to provide a generic representation of security protocols. With the automatic Lego piece generation and fitting method, we have developed a protocol demonstration and experiment environment that allows students to practice with these abstract concepts. The developed exercises will expose the relationship among security primitives and properties, and train students’ capabilities to design secure protocols under different requirements. Our approach applies the pedagogical methods learned from toy construction sets by treating security atomics as Lego pieces and protocols as construction results.

This paper describes a project that the author has begun and which he would like to share with the Information Assurance education community. The idea is to create a detailed fictitious scenario that is intended to educate students about the intersection between information assurance and software engineering. The scenario covers a variety of topics, including basic security concerns in software development, how security needs to be integrated into software processes, and work culture issues that can have a major impact upon the security of a product that an organization produces. Professional responsibilities and ethics are also important foci of the scenario.

The term virus is widely used for one type of malicious code affecting computer systems and networks. Such usage suggests the mental picture of malicious code as a disease infecting computers and implies that information security can use a medical paradigm for protecting against those diseases. In fact, using the concepts of biological systems and models can inform, guide and inspire information security as it seeks to understand, prevent, detect, interdict and counter threats to information assets and systems. The biological approach is especially useful in enabling quantitative risk management and informing management decisions in information security. Statistical analyses are used to evaluate treatment protocols in medicine.

Competitive exercises are one means to motivate and teach information security concepts to students. Along the Colorado front range, schools have joined together to teach students security concepts using a regional security assessment exercise, known as the Computer and Network Vulnerability Assessment Simulation, or CANVAS. CANVAS shares some elements with a typical “Capture the Flag” exercise, but differs from other security competitions in the overall approach to the exercise, in the exercise objectives, in team makeup, and in the evaluation criteria. Teams are formed at the exercise and combine students from different backgrounds. Points are awarded based on successful strategy and written reports as well as typical “flags”.

There is a strong need for minority institutions to establish their place in the Information Assurance (IA) education arena. The Information Systems and Decisions Sciences Department at Howard University believes that we can extend our programs to incorporate the rapidly developing field of information security. Howard hosts both a Bachelor in Business Administration in Computer Based Information Systems with a concentration in Information Assurance (IA) and a Master of Science with an Information Security certificate program.

Each year the reported number of security vulnerabilities increases as does the sophistication of attacks to exploit these vulnerabilities. Most security vulnerabilities are the result of insecure coding practices. There is a critical need to increase the security education of computer science students, particularly in software security. We are designing course modules, to be used at the undergraduate or graduate level, to integrate software system security into our computer science curriculum. The course modules we have developed, and are developing, include: operating system security, software security testing, code review, risk analysis, and database security.

Information security is one of the pervasive themes in the computing curriculum. As computing security becomes more important in all sectors of society, so does the preparation of our students with knowledge and understanding of critical security concepts, methodologies, and techniques. Unfortunately, despite the deep and pervasive impact of security, undergraduate computing curricula and programs today often look much as they did several decades ago. We want to infuse information security into our computing curriculum, and we found a good model for doing that. This paper introduces the Threads model for computing curriculum, which originated from Georgia Tech’s College of Computing, an innovative way of restructuring the computing curriculum.

This paper responds to the need to understand the nature of SCADA systems security concepts and their important role in the Australian nation’s critical infrastructure protection, and highlights the necessity of this as a specialist engineering course within a systems engineering program. It defines the nature of the field and the roles and qualifications of system engineering practitioners who serve in the field. It emphasizes the role of the specialist course within the tertiary program that produces potential systems engineering specialists with the knowledge required to achieve robustness and resilience of critical infrastructure systems and services.

The Information Assurance community has long benefited from the development of standards as part of the CNSS process. This paper summarizes efforts conducted over the last year to start a similar standards-based methodology for Information Operations (IO) and to develop a framework for IO training and education.

 
 