We present an approach to emphasizing good programming practices and style throughout a curriculum. This approach draws on a clinic model used by English programs to reinforce the practice of clear, effective writing, and law schools to teach students legal writing. We present our model for a good programming practices clinic, and discuss our experiences in using it.
This paper proposes a framework for teaching information security ethics at colleges and universities. The framework requires that students examine information security ethics from four dimensions: the ethical dimension, the security dimension, the solutions dimension and the personal moral development dimension. The intent is to use the framework to develop and/or select pedagogical resource materials for information security ethics education.
The East Stroudsburg University of Pennsylvania course "Risk Analysis / Certification and Accreditation" is offered as a model for implementation of NSTISSI 4015 – the National Training Standard for System Certifiers. The experiences of the instructors in teaching this course are illustrated.
In this paper we examine the Committee on National Security Systems (CNSS) 4011-4016 family of standards for high assurance academic programs. Currently, institutions that apply for the NSA Center of Academic Excellence in Information Assurance Education (CAEIAE) or Information Assurance Courseware Evaluation (IACE) designation must map their curricula to the CNSS standards. We survey academic institutions that have earned either the CNSS CAEIAE or IACE about their experiences in performing the mapping.
Network security plays an increasingly important role in technology. As the world gets more and more interconnected, the need for security increases. While there are several tools that offer a fair amount of security, it is still crucial that students are educated well on the design and operation of malware, and learn to develop countermeasures that prevent malicious activity. To assist in this, we developed a software package that studies the actions of known or suspected malware in a controlled environment, and provides information on the effects of malware on the system without actually compromising a system. By means of a virtual environment, this program collects data before and after the malware has infected the virtual machine.
Systems software and application software make it possible for our systems and networks to function effectively and efficiently, enabling creation, processing, storage and communication of the information assets that drive our economy and our way of life. Our dependency on the information infrastructure makes software assurance an essential element of national security and homeland defense. The interdependence of our critical infrastructures with the information infrastructure, the size and complexity of software systems, our increasing reliance on outsourcing for software development and maintenance, and the growing sophistication of malicious threats argue for increased rigor and use of software assurance methodology in developing or acquiring software.
College curricula for computer programming has been developed from a bottom up, primitive to system-level approach. Although efficient from a task centric viewpoint, this methodology leaves crucial learning tasks until after behavioral habits are reinforced through several courses of instruction. These habits are inadequate to meet the needs of current programming standards. The current learning process deemphasizes important issues such as security and testability, sacrificing them in the name of time. This paper outlines a new approach to provide a more comprehensive, systems engineering based education approach in an attempt to correct these deficiencies in the current instructional methodology.
The sixth annual US Service Academies Cyber Defense Exercise proved to be an opportunity to meet pre-planned learning objectives. Rather than focusing on the competition, the planning team designed the exercise to meet objectives which balanced: creativity versus realism, security versus network operations and timely incident reporting. Additional benefits included teaming and leadership opportunities as well as providing an outstanding recruiting tool for Computer Science and Information Technology majors.
We describe the development of an information security program which contains three security courses and a laboratory for the undergraduate students at New York City College of Technology, CUNY, one of the minority serving institution. We also explore collaboration with other minority serving institutions on information security education.
System security personnel fight a seemingly unending battle to secure their digital assets against an ever-increasing onslaught of attacks. Honeypots provide a valuable tool to collect information about the behaviors of attackers in order to design and implement better defenses, but most current configurations are static setups consisting of either low interaction or high-interaction environments. Although static honeypots help address this issue, the ability to construct dynamic honeypots easily would enable security personnel to identify potential security vulnerabilities in the attempt to build better defenses. This research effort describes a method to automatically and dynamically configure honeypots based on the results of network scans.
These times of declining academic budgets coupled with increased demand for information assurance professionals presents unique challenges for academic departments wishing to build capacity in information assurance. This paper discusses the evolution of the Advanced System Security Education, Research, and Training (ASSERT) Lab at the University of Alaska Fairbanks. The effort began with the low cost construction of a proof-of-concept dedicated information assurance lab that was then used to leverage additional funding to build a high capacity research and educational environment to meet the needs of the students, faculty, and researchers who now utilize this vital facility.
The IT2005 model curriculum describes Information Assurance and Security as a pervasive theme that must be integrated throughout the IT curriculum. The associated knowledge area provides a minimum set of outcomes for every IT student associated with this important subject. Implementing a knowledge area that is required across the entire curriculum is a significant challenge, since security has historically been given weak coverage in computing courses. In this paper we introduce the approaches used in two IT programs for implementing the IT2005 requirement for IAS as a “pervasive theme”.
This paper responds to the need to understand the nature of forensic computing and the roles that are involved in the discipline. It defines the nature of the field and the roles and qualifications of the forensic computing practitioners who serve in the filed. It emphasizes the role of the specialist and the need for the development a tertiary curriculum which produces graduates who are able to take up entry-level graduate positions in Law Enforcement and government.
Security protocols are an important concept in teaching information security. Students need to understand both the sequence of passed information and computations, as well as the various attacks on them via eavesdroppers, forged messages, communication blocks, and message replays. A traditional approach to teaching protocols is to use a static diagram showing the transfer of messages between participants over time. This paper describes an interactive visualization tool that allows arbitrary protocols to be demonstrated visually in a user-controlled step-wise manner.
Traditional face-to-face courses have been used as the predominant delivery mode for degree programs in the area of information security. This mode of delivery is a barrier to information security education for the population of adult learners who are working information technology and law enforcement professionals. Participation in full distance learning programs has been minimal among the CAEIAE (Center of Excellence in Information Assurance Education) schools. An increase in online degree programs can increase the number of degree-qualified professionals in information security.
The long awaited final portion of the Department of Defense instruction on tracking and certifying Information Assurance education and training was released in December 2005. This paper delineates how one military contractor proposes to ensure that not only do they meet the requirements of this mandate, but also to offer a solution to support the government as well. This proposal could benefit a number of the CISSE institutions as they are listed as organizations that can provide the required training and education that the IA Workforce will need to comply with this requirement.
This paper discusses how the author integrated issues in Information Assurance into parts of the undergraduate curriculum at his university. The emphasis is on his course on computer ethics and the social implications of computing.
In order to effectively perform in today’s fast paced environment, the Information Systems Security Officer (ISSO) must be well prepared to deal with technical, regulatory and legal issues as well as policy oriented concerns. A multidisciplinary curriculum is therefore required to properly prepare the Information Assurance (IA) degree seeking student for the many challenges the future ISSO will face. To address this issue, Fountainhead College of Technology has implemented a bachelor degree program that attempts to simulate the “real-world” corporate or government agency environment. This paper provides an overview of the program methodology, coursework and labs required for the Bachelor of Applied Science in Network Security & Forensics (BASNSF) program.
The recent implementation of security and privacy regulations have increased the operational overhead of organizations. The authors attempt to identify challenges valuing information security investments by examining three primary approaches to measuring information value: Normative, Perceived and Real. Literature is reviewed and the approaches are examined in terms of their strengths and weaknesses in providing value measurements for secure information systems. A framework is presented to suggest at what level in an organization and in what situations these information value approaches are most suitable.
In addition to enable students to understand the theories and various analysis and design techniques, an effective way of improving students’ capabilities of developing secure software is to develop their capabilities of using these theories, techniques and effective tools in the security software development process. In this paper, the development and delivery of a graduate-level course on secure software engineering with the above objective at Arizona State University are presented. The developing process, stimulating techniques and tools used in this course, as well as lessons learned from this effort, are discussed.
In this paper, we describe the SWARM course. SWARM was designed for Honor Senior students to learn and practice secure wireless communication in the setting of rescue mission type of applications . The theoretical component of the course covers aspects such as cryptography, security protocols, and wireless communication protocols. On the practical side, the students’ teams design a system composed of a smartphone, a sensor network, 2-3 robots controlled through a multi-hop network, and compete for quickly localizing an object that periodically transmits a beacon message.
A large portion of security vulnerabilities result from mistakes in the design or code of software systems. To address this problem, secure development lifecycle practices have been introduced into the software engineering curriculum at five different universities. Each phase of the software development lifecycle has been modified in at least one university to incorporate security. This paper provides a survey of practices involved in the secure development lifecycle and describes how these practices can be introduced into the software engineering curriculum. Each contributor discusses his or her experiences and challenges while integrating security into one phase of the software development process.
First defenders (system and network administrators) can significantly benefit from an educational foundation that helps enterprise networks survive the challenges found in today’s Internet. The Survivability and Information Assurance Curriculum, created by the CERT® Program1, a part of the Software Engineering Institute (SEI), provides such a foundation. This paper describes this freely available curriculum.
In 2004 a workshop was held in San Antonio, TX to discuss the possibility of establishing a national collegiate cyber security competition. Academicians and students from across the nation were invited to share their ideas on how such a competition should be conducted. The final report from this workshop included a number of recommendations and described a general consensus among the participants that such an event should be pursued. Several participants from the Texas school presents agreed to develop a regional competition which was held in March of 2005.
The recently proposed Secure Software Assurance Common Body of Knowledge is a first effort at collecting information about security-enhanced programming and systems development. One of its stated goals is to drive curriculum development in academic institutions. This paper analyzes the SwACBK’s usefulness in programs for advanced undergraduate and graduate education, and offers suggestions for strengthening it.
This paper describes a comprehensive threat model for a new breed of threats based on XML content, including XML languages used in the Service Oriented Architecture (SOA) paradigm such as SOAP  and the Web Services Description Language . In addition to defining a new threat model, this paper compares it to a more traditional network security threat model, by defining it in terms of the network stack. This document also illustrates the concept of XML Intrusion Prevention (XIP) as an analog to traditional network-based intrusion prevention.