| Authors | Title | Abstract |
|---|---|---|
| Patricia Logan | An Information Security Course: A Possible Antidote to Clueless Students | This paper proposes the inclusion of a required course in information security for university students. College students possess an array of computer hardware, the ability to use Internet resources, and the savvy to find any music, movie, or game online but are ignorant about the fundamentals of information security. Often student computing behavior is reckless and exposes them, their data, and the university network to damage or legal liability. Information security professionals know the value of awareness, training, and education in information security. Awareness programs have not been successful in informing students about the risks they face online and the consequences of their computing behaviors. Knowledge can mitigate or prevent data loss and the impacts of malicious or inadvertent activity. Requiring an information security course can change student behavior, give them the ability to analyze risks, and select the correct tools to protect their data and computers. Information security represents the new computer literacy. |
| Paul Schembari | Hands-On Crypto: Experiential Learning in Cryptography | Experiential learning has been shown to be one of the best methods for learning, especially when combined with other forms of instruction. While much of the literature has illustrated experiential learning techniques for information assurance curriculum in general, the “Cryptography” course has not been studied in great detail with regard to experiential learning. We discuss exercises of multiple forms which demonstrate the intersection of experiential learning and cryptography. |
| Barry S. Fagin, Leemon C. Baird, Jeffrey W. Humphries, Dino L. Schweitzer | Teaching Information Security With Skepticism and Critical Thinking | Cryptography is an essential component of America’s national security infrastructure. Billions of dollars are spent on cryptosystems every year, in both the public and private sector. Unfortunately, the field is rife with dubious claims, snake oil salesmen, and outright fraud. This paper highlights the importance of skepticism and critical thinking in the role of evaluating and procuring cryptosystems. We discuss our experiences in teaching future leaders about testing extraordinary cryptographic claims by asking hard questions, and show examples from our own experience. We believe that the rigorous application of skepticism and critical thinking in cryptography are absolutely essential to the wise use of America’s resources and the security of the nation. |
| Ellen Roth-Perreault, Brenda Oldfield | Strengthening the Security Workforce: A Competency and Functional Framework for Information Technology Security Professionals | September 11 caused America to recognize the need to secure all parts of the nation’s critical infrastructure, including information technology. In 2002, the President released the National Strategy to Secure Cyberspace, a document that provides direction for strengthening cybersecurity. A key recommendation of the National Strategy to Secure Cyberspace is to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors. The Department of Homeland Security – National Cyber Security Division (DHS-NCSD) Training and Education Program has been tasked to lead these efforts by effectively articulating the needs of the public and private sector IT security community. The foundation for the President’s recommendation is clear: currently, over one hundred (100) worthwhile, well-regarded IT security certifications exist, and each has been developed using different criteria. It is challenging to identify—with certainty—which certifications validate which workforce competencies and which certifications would be the best choice to confirm or build the strengths of specific types of workers. To account for this complexity and uncertainty, the Development Team created a competency-based, functional framework that links competencies and functions to IT security roles fulfilled by personnel in the public and private sectors. The proposed IT Security Competency and Functional Framework: (1) articulates the functions that professionals within the IT security workforce perform, in a common format and language; (2) provides a reference against which to compare the content of IT security certifications, which have been developed independently according to various criteria; (3) can be used to substantiate the wide acceptance of already-developed certifications so that they can be leveraged appropriately for workforce development; and (4) provides a content guideline that can be used to guide the development of future certifications. The Framework builds upon the work of established bodies of knowledge, defines key terms and concepts for well-defined competencies, identifies notional security roles, defines four (4) primary functional perspectives, and establishes an IT Security Role, Competency, and Function Matrix to untangle the certification landscape. |
| Li-Chiou Chen, Chienting Lin | Combining Theory with Practice in Information Security Education | To meet the current industry demand for qualified security professionals, we need innovative courseware that can help students put information assurance theory into practice. This paper describes our experience in designing hands-on information assurance courseware that addresses the current demand. In addition, we have presented a survey instrument to assess our design based on the contents of lectures, the contents of laboratory exercises, the relevance between the lecture and laboratory exercises, and the overall impact of the class on students. From the evaluation results of fifty students, we found that students generally agreed that they have learned better with the hands-on laboratory exercises. Given that many of the students we surveyed expressed interest in applying security in their respective domains, we believe that it is necessary to start focusing on creating interdisciplinary IA courseware. |
| W. Vic Maconachy, Corey Schou | Information Assurance Education: The way ahead in a network-centric environment | This paper discusses aspects of a Network-Centric environment that should be considered as part of an information assurance course for the future. |
| Richard G. Wilsher, Matthew King | Alignment of Information Security Assessment Best Practices | The Federal Information Security Management Act places obligations upon Federal agencies and their contractors, effected through National Institute of Standards and Technology standards and guidelines. FISMA compliance has, however, limited recognition beyond the Federal domain, whereas there is an increasing move in the private sector towards the international standard ISO/IEC 27001 (“Information security management systems – Requirements”), formally-certified conformity to which has widespread acknowledgement and international mutual recognition. This paper compares these two approaches to assuring an organisation’s information security management practices and proposes steps to align the two models, yielding economies for those entities which stand to benefit from fulfilling both sets of criteria. |
| Christopher Hecker, Brian Hay, and Kara L. Nance | Computer Forensics at the 2006 Alaska Summer Research Academy | A computer forensics course was offered during the 2006 Alaska Summer Research Academy (ASRA) at the University of Alaska Fairbanks. The two-week course provided a small number of high school students with the opportunity to gain experience in and an understanding of the field of digital forensics. Topics covered in the course included ethical issues related to digital forensics, digital footprints, forensics for digital media, and network-based forensics. It also included presentations by UAF instructors, guest lecturers, and the students themselves. While the 2006 course was very successful, the lessons learned during that session will be used to improve further offerings in this area, both within the ASRA program, and in the wider educational and outreach mission of the university. |
| John Collins | Creating an Internet Portal for INFOSEC Professionals | This article briefly covers the need, feasibility and a potential solution for creating an Internet Portal for INFOSEC [1] professionals – in other words, access to an electronic knowledge base/dynamic. The major components are recommended to cover research, theory and sound practice within a multitude of INFOSEC environments: public, private, and non-profits. The connection to the major categories of the NSTISS 4011 standard is equally critical. The author proposes the establishment of an Internet Portal for INFOSEC professionals under the auspices of a neutral organization. One existing knowledge base portal was discussed to help skeptics see that this endeavor is very feasible. Additionally there are many connections for all members of a given learning community as well. This author is convinced that if the portal is built, many will come… so that our voices from within the professional security field can be heard, and more importantly shared. |
| Vojislav Stojkovic, William Lupton | Sequential and Parallel/Concurrent Actor-Oriented Solutions of the Dominator Problem | The paper presents a known sequential and a new parallel/concurrent actor-oriented solution of the Dominator problem. The new parallel/concurrent actor-oriented Dominator algorithm computes sets of dominators of nodes of a given control flow graph in a parallel/concurrent actor-oriented way. The new Dominator algorithm is implemented as a multi-actor system in the Easel programming language. The new Dominator algorithm and its implementation are important contributions to the theory and practice of parallel/concurrent algorithms and actor-oriented programming. Because the Dominator algorithm has applications in Information Assurance and Computer Security in detecting and locating program attacks, this novel and innovative Dominator algorithm may greatly influence these disciplines. |
| Dino Schweitzer, Mike Collins, Leemon Baird | A Visual Approach to Teaching Formal Models in Security | Formal models are important in information security education. The ability to abstract security concepts and apply formal reasoning techniques provides a basis for students to understand fundamental results and have a broader perspective on security issues. Our experience at the undergraduate level is that students often struggle with the abstract models, how to apply them, and the associated implications. To provide students a more concrete approach to working with and understanding security protection models, we have developed interactive visualization tools that allow students to create, manipulate, and experiment with the models. As a result, students demonstrate a greater understanding of the core concepts than in previous course offerings. This paper will describe the visual tools, how they are used in the classroom, and our experience with their effectiveness. |
| Napoleon C. Paxton, Gail-Joon Ahn, Richard Kelly, Kevin Pearson, Bei-Tseng Chu | Understanding Bot Behaviors in a Risk-Aware Networkcentric Attack Detection and Prevention Framework | Networks of compromised machines called botnets are one of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective in dealing with new unknown bots. By slightly modifying the code of an existing bot, bot commanders can bypass most signature based mechanisms. We believe that by analyzing bot traffic for malicious patterns, it is possible to develop a taxonomy of bot characteristics and in turn use these characteristics to develop risks which will ultimately be used in the decision making process of allowing or blocking traffic. In this paper, we introduce our Honeynet-based Bot Analysis Architecture which is the first step towards our Risk-Aware Network-centric Malware Detection and Prevention Framework. We discuss our current architecture and how it could be realized towards identifying unknown bots and other malware. In addition, we discuss our results and lessons learned from this work. |
| Blair Taylor, Shiva Azadegan | Using Security Checklists and Scorecards in CS Curriculum | Industry has recognized that creating secure systems requires incorporating security concepts throughout the software development lifecycle. A similar effort is required in education, integrating security best practices and risk management into the curriculum. At Towson University, we are developing and implementing a model to thread security throughout our computer science curriculum. Key to our plan is the use of security checklists and scorecards. Checklists provide a quantifiable list of security criteria to aid in writing secure code and reinforce security principles. Additionally, scorecards and checklists provide a consistent means of evaluation and assessment. This paper focuses on the development of security checklists for use with student laboratory work. Our plan is a work in progress; initial implementation began spring, 2007, with preliminary results available in June 2007. We are actively seeking partnership and collaboration opportunities with other universities and this paper serves as a vehicle for inviting ideas and feedback. |
| Kassem Saleh, Imran Zualkernan | Approaches for Integrating Trustworthy Computing in the Curricula | Trustworthiness and Education figure among the challenges and risks facing the constructive use of information technology. Security, reliability, survivability, predictability are among system attributes that are not receiving enough attention. Critical infrastructures are still vulnerable to attacks and accidental collapses. University curricula seem to be less responsive to trustworthiness needs of critical systems and infrastructures. In this paper, we propose two approaches for embedding trustworthy computing foundational topics within the knowledge areas of two computing-related disciplines, namely computer science and computer engineering. These additional topics are elicited from the information security common body of knowledge introduced by (ISC)2, and from the main requirements for compliance to the ISO17799 information security management standard. |
| Stephen Yau, Zhaoji Chen | Information Assurance Concentration Programs: Integrating Information Assurance in Existing Computer Science Curricula | Information Assurance and Security is a pervasive theme that must be integrated throughout the information technology curriculum. In this paper, we describe the development of three information assurance concentration programs that integrate information assurance topics with the existing Computer Science curricula at Arizona State University. Observations and lessons learned from the development process, including how to arrange and schedule the series of information assurance courses, how to improve student involvement, and what kinds of textbooks are most needed in this area, are presented. |
| Richard Epstein | Can Software Engineers Be Both Agile and Secure? | This paper describes an undergraduate course in software engineering that introduces students to a variety of processes that are used to develop software. Students are asked to consider the security implications of the various processes. Special emphasis is given to PSP, CMM and agile processes (like eXtreme Programming and Scrum). An important issue in this course is whether agile processes can produce secure software and, if not, how they might be improved to make agile processes more secure. Students work on a major team project that involves developing a software process for a pretend company and a team presentation project that addresses the security issues specifically. |
| William H. Murray, Corey Schou, W. Vic Maconachy | Professionalizing the Practice of Information Security | This paper describes aspirations for the information system security profession and steps for advancing them. It is about what the profession would look like if the authors and their associates could have it any way they wanted it to be. It describes a strategic vision. We do not expect this vision to be realized by accident. However, we believe that it can be achieved by design and intent within a decade. We make recommendations for meeting the requirements and challenge The Colloquium to lead the education component. |
| Jeffrey Livermore | What Are Faculty Attitudes Toward Teaching Ethical Hacking and Penetration Testing? | Ethical hacking is the controversial practice of employing the tools and tactics of hackers to test the security precautions protecting a network. Ethical hacking is becoming an accepted business practice and a number of schools are including ethical hacking in their Information Assurance (IA) curriculum. Some educators feel that it is necessary to know how to attack a network to truly understand how to defend a network. Schools that teach ethical hacking provide instruction to students along with the hardware and software tools they need to conduct ethical hacking exploits. Schools with Information Assurance or Information Security programs need to address the ethical, legal, and practical issues surrounding teaching ethical hacking. These issues include liability for damages caused by attacks, security lab design, and curriculum design. Schools that provide access to the hardware and software necessary to hack into outside systems must accept the legal and ethical responsibility for the actions of their students using these computing resources. This research project consisted of a literature review to identify the ethical issues involved with ethical hacking followed by a survey of IA faculty members to determine their attitudes toward these issues. The surveyed faculty members agreed that ethical hacking and penetration testing should be taught along with a course on ethics. The faculty did not feel that incoming students should be screened for criminal backgrounds or that teaching penetration skills should be limited to law enforcement personnel. The faculty did agree that students should be made to sign a student code of conduct before being allowed to access IA computer labs and that those labs should be multi-platform labs that can be isolated from other networks. |
| Greg White, Ronald C. Dodge | The National Collegiate Cyber Defense Competition: What are the next steps? | In 2005 the first regional competition was held in what has become known as the Collegiate Cyber Defense Competition. The following year four regional competitions were held along with the first national competition. In 2007 the national competition continued with state competitions being added to the overall plan. The National Collegiate Cyber Defense Competition is well on its way to being established as an annual event with more schools joining the event each year. This paper addresses what the next steps are for the competition if it is to continue to gain recognition among schools and to indeed be established as the single recognized collegiate cyber defense competition. |
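The Stojkovic and Lupton entry above refers to the Dominator problem without defining it. As an added illustration written for this page, not the authors' Easel actor implementation, the block below computes dominator sets with the standard sequential iterative data-flow algorithm on a small constructed control-flow graph. The graph `SAMPLE_CFG` and the node names in it are hypothetical; it includes an unreachable node to show how that case is handled.

```python
"""Dominator sets of a control-flow graph (CFG).

Added example for this page, not the Stojkovic/Lupton Easel actor system:
the classic sequential iterative data-flow algorithm, run to a fixed point.
Node d dominates node n when every path from the entry node to n passes
through d; every node trivially dominates itself.
"""
from collections import deque
from typing import Dict, Hashable, Iterable, Set

Node = Hashable
CFG = Dict[Node, Iterable[Node]]  # node -> its successors

# Constructed sample CFG (hypothetical, not from the paper): a loop A..D with
# a diamond B/C inside it, plus a node "dead" that nothing ever jumps to.
SAMPLE_CFG: CFG = {
    "entry": ["A"],
    "A": ["B", "C"],
    "B": ["D"],
    "C": ["D"],
    "D": ["A", "exit"],
    "exit": [],
    "dead": ["exit"],
}


def reachable(cfg: CFG, entry: Node) -> Set[Node]:
    """Nodes reachable from entry (breadth-first). Unreachable nodes have no
    meaningful dominator set, so the analysis below leaves them out."""
    seen = {entry}
    work = deque([entry])
    while work:
        n = work.popleft()
        for s in cfg.get(n, ()):
            if s not in seen:
                seen.add(s)
                work.append(s)
    return seen


def dominators(cfg: CFG, entry: Node) -> Dict[Node, Set[Node]]:
    """Dom(n) for every reachable n, solving the data-flow equations
    Dom(entry) = {entry} and Dom(n) = {n} ∪ ⋂ Dom(p) over predecessors p."""
    nodes = reachable(cfg, entry)
    preds: Dict[Node, Set[Node]] = {n: set() for n in nodes}
    for n in nodes:
        for s in cfg.get(n, ()):
            preds[s].add(n)  # s is reachable because n is
    # Start every non-entry node at the full node set (the lattice top) and
    # shrink until nothing changes; the result is the greatest fixed point.
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            # Every reachable non-entry node has at least one predecessor.
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def immediate_dominators(cfg: CFG, entry: Node) -> Dict[Node, Node]:
    """idom(n): the strict dominator of n that is itself dominated by every
    other strict dominator of n, i.e. n's parent in the dominator tree."""
    dom = dominators(cfg, entry)
    idom: Dict[Node, Node] = {}
    for n, ds in dom.items():
        if n == entry:
            continue
        strict = ds - {n}
        for d in strict:
            if all(e in dom[d] for e in strict):
                idom[n] = d
                break
    return idom


if __name__ == "__main__":
    for n, d in sorted(immediate_dominators(SAMPLE_CFG, "entry").items()):
        print(f"idom({n}) = {d}")
```

On the sample graph every reachable node other than `entry` is dominated by `A` (the loop header), and `exit` is dominated by `D` as well; `dead` never appears in the result because nothing reaches it. The security reading the abstract alludes to follows directly: a check placed at a node that dominates `exit` lies on every path to `exit`, so no control-flow path can skip it, and a dominator set that changes between a known-good and an observed graph points at where control flow was diverted.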