Papers

A Clinic to Teach Good Programming Practices
Author:
Matt Bishop, B. J. Orvis
Date:
July 01, 2006

We present an approach to emphasizing good programming practices and style throughout a curriculum. This approach draws on a clinic model used by English programs to reinforce the practice of clear, effective writing, and law schools to teach students legal writing. We present our model for a good programming practices clinic, and discuss our experiences in using it.

A Framework for Information Security Ethics Education
Author:
Melissa Dark, Richard Epstein, Linda Morales, Terry Countermine, Qing Yuan, Muhammed Ali, Matt Rose
Date:
July 01, 2006

This paper proposes a framework for teaching information security ethics at colleges and universities. The framework requires that students examine information security ethics from four dimensions: the ethical dimension, the security dimension, the solutions dimension and the personal moral development dimension. The intent is to use the framework to develop and/or select pedagogical resource materials for information security ethics education.

A University Course in Information System Risk Analysis / Security Certification and Accreditation
Author:
N. Paul Schembari, Ph.D.
Date:
July 01, 2006

The East Stroudsburg University of Pennsylvania course "Risk Analysis / Certification and Accreditation" is offered as a model for implementation of NSTISSI 4015 – the National Training Standard for System Certifiers. The experiences of the instructors in teaching this course are illustrated.

An Academic Perspective on the CNSS Standards: A Survey
Author:
Carol Taylor, Jim Alves-Foss, Valerie Freeman
Date:
July 01, 2006

In this paper we examine the Committee on National Security Systems (CNSS) 4011-4016 family of standards for high assurance academic programs. Currently, institutions that apply for the NSA Center of Academic Excellence in Information Assurance Education (CAEIAE) or Information Assurance Courseware Evaluation (IACE) designation must map their curricula to the CNSS standards. We survey academic institutions that have earned either the CNSS CAEIAE or IACE about their experiences in performing the mapping.

Automated Reverse Engineering Tool
Author:
Ramakrishnan Ravindran, Richard R. Brooks
Date:
July 01, 2006

Network security plays an increasingly important role in technology. As the world gets more and more interconnected, the need for security increases. While there are several tools that offer a fair amount of security, it is still crucial that students are educated well on the design and operation of malware, and learn to develop countermeasures that prevent malicious activity. To assist in this, we developed a software package that studies the actions of known or suspected malware in a controlled environment, and provides information on the effects of malware on the system without actually compromising a system. By means of a virtual environment, this program collects data before and after the malware has infected the virtual machine.

Best Software Assurance Practices in Acquisition of Trusted Systems
Author:
Mary L. Polydys, Daniel J. Ryan, Julie J. C. H. Ryan
Date:
July 01, 2006

Systems software and application software make it possible for our systems and networks to function effectively and efficiently, enabling creation, processing, storage and communication of the information assets that drive our economy and our way of life. Our dependency on the information infrastructure makes software assurance an essential element of national security and homeland defense. The interdependence of our critical infrastructures with the information infrastructure, the size and complexity of software systems, our increasing reliance on outsourcing for software development and maintenance, and the growing sophistication of malicious threats argue for increased rigor and use of software assurance methodology in developing or acquiring software.

Bottom-Up meets Top-Down: A New Paradigm for Software Engineering Instruction
Author:
Wm. Arthur Conklin
Date:
July 01, 2006

College curricula for computer programming have been developed from a bottom-up, primitive-to-system-level approach. Although efficient from a task-centric viewpoint, this methodology leaves crucial learning tasks until after behavioral habits are reinforced through several courses of instruction. These habits are inadequate to meet the needs of current programming standards. The current learning process deemphasizes important issues such as security and testability, sacrificing them in the name of time. This paper outlines a new approach to provide a more comprehensive, systems-engineering-based education approach in an attempt to correct these deficiencies in the current instructional methodology.

Cyber Defense Exercise: Meeting Learning Objectives thru Competition
Author:
Thomas Augustine, Ronald C. Dodge Jr.
Date:
July 01, 2006

The sixth annual US Service Academies Cyber Defense Exercise proved to be an opportunity to meet pre-planned learning objectives. Rather than focusing on the competition, the planning team designed the exercise to meet objectives which balanced: creativity versus realism, security versus network operations and timely incident reporting. Additional benefits included teaming and leadership opportunities as well as providing an outstanding recruiting tool for Computer Science and Information Technology majors.

Development of a Security Education Program at a Minority Institution
Author:
Dr. Xiangdong Li, Dr. Lin Leung
Date:
July 01, 2006

We describe the development of an information security program which contains three security courses and a laboratory for the undergraduate students at New York City College of Technology, CUNY, one of the minority-serving institutions. We also explore collaboration with other minority-serving institutions on information security education.

Dynamic Honeypot Construction
Author:
Christopher Hecker, Kara L. Nance, Brian Hay
Date:
July 01, 2006

System security personnel fight a seemingly unending battle to secure their digital assets against an ever-increasing onslaught of attacks. Honeypots provide a valuable tool to collect information about the behaviors of attackers in order to design and implement better defenses, but most current configurations are static setups consisting of either low-interaction or high-interaction environments. Although static honeypots help address this issue, the ability to construct dynamic honeypots easily would enable security personnel to identify potential security vulnerabilities in the attempt to build better defenses. This research effort describes a method to automatically and dynamically configure honeypots based on the results of network scans.

Evolution of the ASSERT Computer Security Lab
Author:
Brian Hay, Kara L. Nance
Date:
July 01, 2006

These times of declining academic budgets coupled with increased demand for information assurance professionals present unique challenges for academic departments wishing to build capacity in information assurance. This paper discusses the evolution of the Advanced System Security Education, Research, and Training (ASSERT) Lab at the University of Alaska Fairbanks. The effort began with the low-cost construction of a proof-of-concept dedicated information assurance lab that was then used to leverage additional funding to build a high-capacity research and educational environment to meet the needs of the students, faculty, and researchers who now utilize this vital facility.

Experience Implementing IT2005 IAS Curriculum in Existing Programs
Author:
Melissa Jane Dark, Joseph J. Ekstrom, Barry M. Lunt
Date:
July 01, 2006

The IT2005 model curriculum describes Information Assurance and Security as a pervasive theme that must be integrated throughout the IT curriculum. The associated knowledge area provides a minimum set of outcomes for every IT student associated with this important subject. Implementing a knowledge area that is required across the entire curriculum is a significant challenge, since security has historically been given weak coverage in computing courses. In this paper we introduce the approaches used in two IT programs for implementing the IT2005 requirement for IAS as a “pervasive theme”.

Forensic Computing: Developing Specialist Expertise within the CS Curriculum
Author:
Jason Beckett, Jill Slay, Benjamin Turnbull
Date:
July 01, 2006

This paper responds to the need to understand the nature of forensic computing and the roles that are involved in the discipline. It defines the nature of the field and the roles and qualifications of the forensic computing practitioners who serve in the field. It emphasizes the role of the specialist and the need for the development of a tertiary curriculum which produces graduates who are able to take up entry-level graduate positions in Law Enforcement and government.

GRASP: A Visualization Tool for Teaching Security Protocols
Author:
Dino Schweitzer, Leemon Baird, Michael Collins, Wayne Brown, Michael Sherman
Date:
July 01, 2006

Security protocols are an important concept in teaching information security. Students need to understand both the sequence of passed information and computations, as well as the various attacks on them via eavesdroppers, forged messages, communication blocks, and message replays. A traditional approach to teaching protocols is to use a static diagram showing the transfer of messages between participants over time. This paper describes an interactive visualization tool that allows arbitrary protocols to be demonstrated visually in a user-controlled step-wise manner.

Improving Outreach to Adult-Learners Through Online Degree Programs in Information Security: If You Build It, Will They Come?
Author:
Patricia Y. Logan, Ph.D.
Date:
July 01, 2006

Traditional face-to-face courses have been used as the predominant delivery mode for degree programs in the area of information security. This mode of delivery is a barrier to information security education for the population of adult learners who are working information technology and law enforcement professionals. Participation in full distance learning programs has been minimal among the CAEIAE (Center of Excellence in Information Assurance Education) schools. An increase in online degree programs can increase the number of degree-qualified professionals in information security.

Meeting the Requirements of DoD 8570.1-M
Author:
Leigh Armistead, Ph.D., Edith Cowan
Date:
July 01, 2006

The long-awaited final portion of the Department of Defense instruction on tracking and certifying Information Assurance education and training was released in December 2005. This paper delineates how one military contractor proposes to ensure that not only do they meet the requirements of this mandate, but also to offer a solution to support the government as well. This proposal could benefit a number of the CISSE institutions as they are listed as organizations that can provide the required training and education that the IA Workforce will need to comply with this requirement.

One Professor's Odyssey into the Realm of Information Assurance
Author:
Richard G. Epstein
Date:
July 01, 2006

This paper discusses how the author integrated issues in Information Assurance into parts of the undergraduate curriculum at his university. The emphasis is on his course on computer ethics and the social implications of computing.

Practical Curriculum for the Future ISSO
Author:
Gerald Clevenger
Date:
July 01, 2006

In order to effectively perform in today’s fast paced environment, the Information Systems Security Officer (ISSO) must be well prepared to deal with technical, regulatory and legal issues as well as policy oriented concerns. A multidisciplinary curriculum is therefore required to properly prepare the Information Assurance (IA) degree seeking student for the many challenges the future ISSO will face. To address this issue, Fountainhead College of Technology has implemented a bachelor degree program that attempts to simulate the “real-world” corporate or government agency environment. This paper provides an overview of the program methodology, coursework and labs required for the Bachelor of Applied Science in Network Security & Forensics (BASNSF) program.

Security: Valuing Increased Overhead Costs
Author:
Tony Coulson, Jake Zhu, Kurt Collins, Walter Stewart, C.E. Tapie Rohm
Date:
July 01, 2006

The recent implementation of security and privacy regulations has increased the operational overhead of organizations. The authors attempt to identify challenges in valuing information security investments by examining three primary approaches to measuring information value: Normative, Perceived and Real. Literature is reviewed and the approaches are examined in terms of their strengths and weaknesses in providing value measurements for secure information systems. A framework is presented to suggest at what level in an organization and in what situations these information value approaches are most suitable.

Software Security: Integrating Secure Software Engineering in Graduate Computer Science Curriculum
Author:
Stephen S. Yau, Zhaoji Chen
Date:
July 01, 2006

In addition to enabling students to understand the theories and various analysis and design techniques, an effective way of improving students’ capabilities of developing secure software is to develop their capabilities of using these theories, techniques and effective tools in the secure software development process. In this paper, the development and delivery of a graduate-level course on secure software engineering with the above objective at Arizona State University are presented. The development process, stimulating techniques and tools used in this course, as well as lessons learned from this effort, are discussed.

SWARM: Secure Wireless Ad hoc Robots on Mission: A Course Where Wireless Security Meets Robotics
Author:
Guevara Noubir
Date:
July 01, 2006

In this paper, we describe the SWARM course. SWARM was designed for Honors senior students to learn and practice secure wireless communication in the setting of rescue-mission-type applications [1]. The theoretical component of the course covers aspects such as cryptography, security protocols, and wireless communication protocols. On the practical side, the student teams design a system composed of a smartphone, a sensor network, and 2-3 robots controlled through a multi-hop network, and compete to quickly localize an object that periodically transmits a beacon message.

Teaching the Secure Development Lifecycle: Challenges and Experiences
Author:
Rose Shumba, James Walden, Stephanie Ludi, Carol Taylor, Andy Ju An Wang
Date:
July 01, 2006

A large portion of security vulnerabilities result from mistakes in the design or code of software systems. To address this problem, secure development lifecycle practices have been introduced into the software engineering curriculum at five different universities. Each phase of the software development lifecycle has been modified in at least one university to incorporate security. This paper provides a survey of practices involved in the secure development lifecycle and describes how these practices can be introduced into the software engineering curriculum. Each contributor discusses his or her experiences and challenges while integrating security into one phase of the software development process.

The CERT® Survivability and Information Assurance Curriculum: Education for First Defenders
Author:
Lawrence R. Rogers
Date:
July 01, 2006

First defenders (system and network administrators) can significantly benefit from an educational foundation that helps enterprise networks survive the challenges found in today’s Internet. The Survivability and Information Assurance Curriculum, created by the CERT® Program, a part of the Software Engineering Institute (SEI), provides such a foundation. This paper describes this freely available curriculum.

The National Collegiate Cyber Defense Competition
Author:
Gregory B. White, Ph.D., Ronald C. Dodge Jr.
Date:
July 01, 2006

In 2004 a workshop was held in San Antonio, TX to discuss the possibility of establishing a national collegiate cyber security competition. Academicians and students from across the nation were invited to share their ideas on how such a competition should be conducted. The final report from this workshop included a number of recommendations and described a general consensus among the participants that such an event should be pursued. Several participants from the Texas schools present agreed to develop a regional competition, which was held in March of 2005.

The Software Assurance CBK and University Curricula
Author:
Matt Bishop, Sophie Engle
Date:
July 01, 2006

The recently proposed Secure Software Assurance Common Body of Knowledge is a first effort at collecting information about security-enhanced programming and systems development. One of its stated goals is to drive curriculum development in academic institutions. This paper analyzes the SwACBK’s usefulness in programs for advanced undergraduate and graduate education, and offers suggestions for strengthening it.

XML Intrusion Prevention: A Comprehensive Threat
Author:
Newton Howard, Sergey Kanareykin
Date:
July 01, 2006

This paper describes a comprehensive threat model for a new breed of threats based on XML content, including XML languages used in the Service Oriented Architecture (SOA) paradigm such as SOAP [6] and the Web Services Description Language [11]. In addition to defining a new threat model, this paper compares it to a more traditional network security threat model, by defining it in terms of the network stack. This document also illustrates the concept of XML Intrusion Prevention (XIP) as an analog to traditional network-based intrusion prevention.
