|
Richard Epstein |
And You Thought the Killer Robot Was Bad |
This paper describes a project that the author has
begun and which
he would like to share with the Information Assurance education
community. The
idea is to create a detailed fictitious scenario that is
intended to educate
students about the intersection between information assurance
and software
engineering. The scenario covers a variety of topics, including
basic security
concerns in software development, how security needs to be
integrated into
software processes, and work culture issues that can have a
major impact upon
the security of a product that an organization produces.
Professional
responsibilities and ethics are also important foci of the
scenario. |
|
Julie Ryan and Daniel Ryan |
Biological Systems and Models in Information Security |
The term virus is widely used for one type of malicious code
affecting computer
systems and networks. Such usage suggests the mental picture of
malicious code
as a disease infecting computers and implies that information
security can use
a medical paradigm for protecting against those diseases. In
fact, using the
concepts of biological systems and models can inform, guide and
inspire
information security as it seeks to understand, prevent, detect,
interdict and
counter threats to information assets and systems. The
biological approach is
especially useful in enabling quantitative risk management and
informing
management decisions in information security. Statistical
analyses are used to
evaluate treatment protocols in medicine. Nonparametric models
can estimate
probabilities of improved longevity due to different drug
protocols. Another
approach views the risks of patients dying from various causes
as competing
risks and determines the correlation coefficients of different
treatments to
longevity. Since the times and causes of death in such studies
are
uncorrelated, the hazards associated with each risk are
proportional. A similar
proportional hazards approach can be usefully applied in
information security
by defining the risks of compromises of confidentiality,
integrity and
availability as competing to destroy information assets. By
correlating system
survival times to use of specific design enhancements and
security
countermeasures, as well as to system exposure based on choice
of operational
functionality, guidance can be obtained for making investments
in information
security. |
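The competing-risks idea in the abstract above, as an added example that is not part of the Ryan and Ryan paper: each monitored system contributes a survival time and either a terminating cause (a confidentiality, integrity or availability compromise) or a censored record if it was still intact when observation ended. Under a constant-hazard (exponential) model the cause-specific hazard estimate is simply events of that cause divided by total time at risk, and the ratio of that estimate with and without a countermeasure is a hazard-ratio estimate. The system records, the countermeasure flag and the time unit are constructed for illustration.

```python
"""Cause-specific hazards under competing risks (constant-hazard model).

Added example: the records, the "hardened" flag and the time unit (days)
are constructed, not measured data.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

CAUSES = ("C", "I", "A")  # competing causes: confidentiality, integrity, availability


class Record(NamedTuple):
    system: str
    time: float           # observed survival time in days
    cause: Optional[str]  # terminating cause, or None if right-censored
    hardened: bool        # countermeasure deployed on this system


# Constructed sample of ten hypothetical systems.
SAMPLE: List[Record] = [
    Record("web-01", 30, "C", False),
    Record("web-02", 45, "A", False),
    Record("web-03", 60, None, False),
    Record("web-04", 15, "C", False),
    Record("web-05", 50, "I", False),
    Record("web-06", 90, "C", True),
    Record("web-07", 120, None, True),
    Record("web-08", 75, "A", True),
    Record("web-09", 120, None, True),
    Record("web-10", 40, "I", True),
]


def cause_specific_hazards(records: Iterable[Record]) -> Dict[str, float]:
    """Return {cause: events_of_cause / total_exposure_time}.

    Censored systems contribute their time at risk but no event, which is
    what distinguishes this from a naive 'fraction compromised'.
    """
    exposure = 0.0
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        exposure += r.time
        if r.cause is not None:
            counts[r.cause] += 1
    if exposure <= 0:
        raise ValueError("no exposure time in records")
    return {c: counts[c] / exposure for c in CAUSES}


def hazard_ratios(records: List[Record]) -> Dict[str, float]:
    """Hazard with countermeasure divided by hazard without, per cause."""
    base = cause_specific_hazards(r for r in records if not r.hardened)
    hard = cause_specific_hazards(r for r in records if r.hardened)
    return {c: (hard[c] / base[c]) if base[c] > 0 else math.inf for c in CAUSES}


def survival_probability(hazards: Dict[str, float], t: float) -> float:
    """S(t) = exp(-(sum of cause hazards) * t): probability of surviving all causes."""
    return math.exp(-sum(hazards.values()) * t)


def cumulative_incidence(hazards: Dict[str, float], cause: str, t: float) -> float:
    """Probability of being compromised via `cause` by time t.

    With constant competing hazards this is (lambda_c / lambda_total) * (1 - S(t)),
    and the incidences over all causes sum to 1 - S(t).
    """
    total = sum(hazards.values())
    return hazards[cause] / total * (1.0 - math.exp(-total * t))


if __name__ == "__main__":
    base = cause_specific_hazards(r for r in SAMPLE if not r.hardened)
    print("baseline hazards/day:", base)
    print("hazard ratios (hardened/baseline):", hazard_ratios(SAMPLE))
    print("baseline S(50):", survival_probability(base, 50))
    for c in CAUSES:
        print(f"baseline incidence of {c} by day 50:", cumulative_incidence(base, c, 50))
```

The hazard ratio per cause is the quantity that would guide a countermeasure investment decision: a ratio well below 1 for the cause the countermeasure targets, with the other causes roughly unchanged, is the pattern the proportional-hazards framing looks for. With only ten constructed records the estimates are illustrative, not significant.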
|
Weichao Wang, Aidong Lu, Li Yu and Zhiwei Li |
A Digital Lego Set and Exercises for Teaching Security Protocols |
To bridge the gap between the instruction of security primitives
and protocols,
we have designed and developed a digital Lego system and
supporting course
materials. Our digital Lego pieces are designed to use shapes to
provide a
generic representation of security protocols. With the automatic
Lego piece
generation and fitting method, we have developed a protocol
demonstration and
experiment environment that allows students to practice with
these abstract
concepts. The developed exercises will expose the relationship
among security
primitives and properties, and train students' capabilities to
design secure
protocols under different requirements. Our approach applies the
pedagogical
methods learned from toy construction sets by treating security
atomics as Lego
pieces and protocols as construction results. |
|
Michael Collins, Dino Schweitzer and Dan Massey |
CANVAS: A Regional Assessment Exercise for Teaching Security
Concepts |
Competitive exercises are one means to motivate and teach
information security
concepts to students. Along the Colorado front range, schools
have joined
together to teach students security concepts using a regional
security
assessment exercise, known as the Computer and Network
Vulnerability Assessment
Simulation, or CANVAS. CANVAS shares some elements with a
typical Capture the
Flag exercise, but differs from other security competitions in
the overall
approach to the exercise, in the exercise objectives, in team
makeup, and in
the evaluation criteria. Teams are formed at the exercise and
combine students
from different backgrounds. Points are awarded based on
successful strategy
and written reports as well as typical 'flags'. We have
successfully run the
exercise for two years, and are currently planning the third
iteration. This
paper will describe the exercise, examine the differences from
other
competitions, and share our experiences from the first two
exercise
instantiations. |
|
Ravi Akella, Bruce McMillin and Travis Service |
Teaching of Security in Cyber-Physical Systems |
This paper describes the results of applying formal security
models to
Cyber-Physical systems work in a classroom setting. The
structure of the course
required that each student select an infrastructure that had
significant cyber
and physical components. During the course, when they learned a
model, they
applied it to their infrastructure. Formal models included the
HRU, Take-Grant,
Bell-LaPadula, Biba, Noninterference, Non-inference, and
Non-deducibility. The
approach is described, results of the models, and student
feedback are
reported. |
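Two of the models listed above, Bell-LaPadula and Biba, reduced to an access check over a label lattice, as an added example rather than material from the Akella, McMillin and Service course: a label dominates another when its level is at least as high and its category set is a superset; Bell-LaPadula permits a read only if the subject dominates the object (no read up) and a write only if the object dominates the subject (no write down), and Biba is the dual (no read down, no write up). The smart-grid subjects, objects and label names are hypothetical.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) reference checks.

Added example. The lattice levels, categories and the hypothetical
smart-grid entities below are constructed for illustration.
"""
from typing import Dict, FrozenSet, NamedTuple, Tuple

CONF_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEG_LEVELS = {"untrusted": 0, "operator": 1, "engineer": 2, "vendor_signed": 3}


class Label(NamedTuple):
    level: int
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Simple-security property (read) and *-property (write) of Bell-LaPadula."""
    if op == "read":
        return subject.dominates(obj)      # no read up
    if op == "write":
        return obj.dominates(subject)      # no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Strict integrity: the dual of Bell-LaPadula."""
    if op == "read":
        return obj.dominates(subject)      # no read down
    if op == "write":
        return subject.dominates(obj)      # no write up
    raise ValueError(f"unknown operation {op!r}")


def conf(level: str, *cats: str) -> Label:
    return Label(CONF_LEVELS[level], frozenset(cats))


def integ(level: str, *cats: str) -> Label:
    return Label(INTEG_LEVELS[level], frozenset(cats))


# Hypothetical entities, each carrying a (confidentiality, integrity) label pair.
SUBJECTS: Dict[str, Tuple[Label, Label]] = {
    "operator_hmi":   (conf("secret", "grid"), integ("operator")),
    "public_portal":  (conf("unclassified"),   integ("untrusted")),
    "vendor_updater": (conf("confidential"),   integ("vendor_signed")),
}
OBJECTS: Dict[str, Tuple[Label, Label]] = {
    "breaker_setpoint": (conf("secret", "grid"), integ("engineer")),
    "outage_map":       (conf("unclassified"),   integ("operator")),
    "plc_firmware":     (conf("confidential"),   integ("vendor_signed")),
}


def check(subject: str, obj: str, op: str) -> Tuple[bool, bool, bool]:
    """Return (blp_ok, biba_ok, both_ok) for one access request."""
    s_conf, s_int = SUBJECTS[subject]
    o_conf, o_int = OBJECTS[obj]
    b = blp_allows(s_conf, o_conf, op)
    i = biba_allows(s_int, o_int, op)
    return b, i, b and i


if __name__ == "__main__":
    for s, o, op in [("operator_hmi", "breaker_setpoint", "write"),
                     ("public_portal", "breaker_setpoint", "write"),
                     ("public_portal", "breaker_setpoint", "read"),
                     ("vendor_updater", "plc_firmware", "write")]:
        print(f"{s:15} {op:5} {o:17} BLP/Biba/both = {check(s, o, op)}")
```

The instructive case for a cyber-physical system is the untrusted public portal writing a breaker setpoint: Bell-LaPadula alone permits it (writing up does not leak anything), and only the Biba check refuses it. That is the reason both models are applied to the same infrastructure rather than one or the other.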
|
Jeff Livermore and Nan Poulios |
Integrating a Capstone Project into an Information Assurance
Program |
Walsh College included a capstone course in their Information
Assurance graduate (MSIA) program. The IA capstone course is
modeled after the
MSBIT/MSIS capstone course developed by Dr. W. Don Gottwald. The
capstone course
was designed to be integrative, broadly focused, and demanding
on the student.
To complete the capstone course, the student needs to
demonstrate their
knowledge of project management techniques and a mastery of the
skills taught
across their program.
The capstone course meets three times during the 11 week
semester. The
students are sent an e-mail prior to the first week of the
semester where they
are asked to have a project picked out prior to the first class
meeting of the
semester.
Capstone students are required to present their capstone
projects at a capstone
fair held at the end of the semester. Students, faculty, and
local business
leaders attend the fair to see the projects and meet the
graduating students.
|
|
Dipankar Dasgupta, Larry Howard, Eric Imsand and Ken Pence |
Online Information Security Education through Anchored
Instruction |
The Internet is unquestionably the most extensive and accessible
resource for
information and commerce in history. But it is also providing a
medium for new
forms of crime, espionage, and even terror, targeting
organizations and
individuals alike. Broad awareness of vulnerabilities and
defenses is needed
to protect against all types of cyber attacks. While online
learning
environments provide a great opportunity to train large numbers
of people, they
have yet to demonstrate effectiveness in high-stakes
situations. In an effort
to better prepare cyberspace defenders, we are developing a
multidisciplinary
training program that encompasses topics from computer science,
management
information systems, and legal and ethical studies, using
state-of-the-art
online learning methods and technology. This paper describes the
Adaptive
Cyber-security Training (ACT) Online program, giving details of
its targeted
training population, curriculum, and instructional design
strategy. We further
report pilot testing results from two recently developed courses
that show
significant learning gains following this cyber-security
training. |
|
Denise Ferebee and Dipankar Dasgupta, PhD. |
Security Visualization Survey |
Visualization plays a major role in understanding
and interpreting security requirements. Security visualization
means different things to different people. Some consider it as
viewing the state of the environment and system. The purpose
of this paper is to review some of the current methods used in
security visualization. |
|
William Murray |
What Information Assurance Graduates Need to Know about
Cryptography |
It appears that at many, not to say, most, schools, cryptography
is being
taught to computer security and Information Assurance students
by
mathematicians or cryptographers. By their own reports,
mathematicians and
cryptographers tend to teach what interests them, at the expense
of what the
student needs to know. While this may simply be a matter
of pedagogy, it is
often a matter of content. While the student may identify or
infer for himself
what he needs to know, it should not be left either to him or to
chance.
Security people need to know different things about cryptography
than do
cryptographers or mathematicians. It would appear that those
who are teaching
cryptography may not have given very much thought to what the
student needs to
know, as contrasted to what they would like for him to know or
what they would
like to teach him.
This paper attempts to identify things that users of
cryptography need to know.
It does so in the hope that it will encourage the teaching of
these things.
|
|
Gary Kessler and Jim Hoag |
The Power of Simple Hands-On Cyberforensics Exercises: A Guide
for Faculty |
Computer forensics is a hands-on discipline. Introductory
skills, however, can
be taught using simple exercises that require neither expensive
laboratory
facilities nor even face-to-face courses. This paper describes a
simple floppy
disk analysis project that allows an instructor to address
issues ranging from
the computer forensics process and basics of file systems to
long file names,
file signatures, and hashing. Projects are essential to teaching
this
discipline as they support active learning and
constructivism. These hands-on projects also offer an opportunity for
courses to be
taught online and for students to build their own toolkits using
open source or
commercial software. |
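Three of the topics the floppy-disk project above covers, file signatures, hashing and the long-file-name mechanism of FAT, in one runnable script. This is an added example, not the Kessler and Hoag exercise: the "recovered" files are constructed byte strings, the signature table holds only well-known magic numbers, and the long-file-name part implements the checksum that VFAT stores in each LFN directory entry to tie it to its 8.3 short-name entry.

```python
"""File-signature identification, extension mismatch, hashing and the
VFAT long-file-name checksum.

Added example. EVIDENCE below is constructed, not data from a real disk.
"""
import hashlib
from typing import Dict, List, NamedTuple, Optional, Tuple

# (magic bytes, offset in file, canonical extension) for well-known formats
SIGNATURES: List[Tuple[bytes, int, str]] = [
    (b"\xFF\xD8\xFF", 0, "jpg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),
    (b"MZ", 0, "exe"),
]
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def identify(data: bytes) -> Optional[str]:
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, offset, ext in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ext
    return None


def claimed_extension(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_ALIASES.get(ext, ext)


class Finding(NamedTuple):
    name: str
    claimed: str
    actual: Optional[str]
    mismatch: bool   # signature identifies a type that contradicts the extension
    md5: str
    sha256: str


def examine(name: str, data: bytes) -> Finding:
    """Identify by signature, compare to the claimed extension, hash the content."""
    actual = identify(data)
    claimed = claimed_extension(name)
    return Finding(
        name, claimed, actual,
        actual is not None and actual != claimed,
        hashlib.md5(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def lfn_checksum(short_name: bytes) -> int:
    """Checksum of an 11-byte 8.3 name ("README  TXT") as stored in VFAT
    long-file-name entries; a forensic tool uses it to pair LFN entries
    with their short-name entry."""
    if len(short_name) != 11:
        raise ValueError("8.3 name must be exactly 11 bytes, space padded")
    s = 0
    for b in short_name:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


# Constructed evidence: a renamed archive, a genuine image header, an empty file.
EVIDENCE: Dict[str, bytes] = {
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 26,          # zip hidden as a photo
    "scan.jpeg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 26,     # real JPEG header
    "notes.txt": b"",                                    # empty file
}


def examine_all(evidence: Dict[str, bytes]) -> List[Finding]:
    return [examine(name, data) for name, data in evidence.items()]


if __name__ == "__main__":
    for f in examine_all(EVIDENCE):
        print(f"{f.name:12} claimed={f.claimed:4} actual={f.actual} mismatch={f.mismatch}")
        print(f"   md5={f.md5}\n   sha256={f.sha256}")
    print("LFN checksum of 'README  TXT':", hex(lfn_checksum(b"README  TXT")))
```

Hashing an empty file is a useful sanity check for a student toolkit, since the MD5 and SHA-256 of zero bytes are fixed published values and any tool that disagrees is broken; the script's empty "notes.txt" exercises exactly that.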
|
Ju An Wang, Max North and Sarah North |
Designing a Security Thread in Computing Curricula |
Information security is one of the pervasive themes in computing
curriculum. As
computing security becomes more important in all sectors of
society, so does
the preparation of our students with knowledge and understanding
of critical
security concepts, methodologies, and techniques. Unfortunately,
despite the
deep and pervasive impact of security, undergraduate computing
curricula and
programs today often look much as they did several decades ago.
This paper
introduces the Threads model for computing curriculum, which originated
at Georgia
Tech's College of Computing, an innovative way of restructuring
computing
curricula. We believe that a security thread should be
developed for any
undergraduate computing program. We discuss the rationales,
design, and
implementation for an information security thread in computer
science, software
engineering, and information technology programs as well as the
challenging
issues we have faced. |
|
Kara Nance and Brian Hay |
Ubiquitous Computer Security: A Call to Action |
Information assurance provides us with the foundational means to
protect our
digital assets. As we build programs to meet the needs of our
ever-growing
computer user base, we seem to be fighting an uphill
battle. This research
effort describes some of the findings from an NSF-funded project
to investigate
the state-of-the-art in computer security laboratory
environments and how they
are being used in an effort to develop a plan for improving the
capabilities
and facilities available in the State of Alaska. The major
ancillary finding
is that research and educational environments do not exist in
isolation. The
best way to reach the diverse populations that need more
computer security
information is through a breadth-first approach that combines
research,
education, and outreach as an overarching umbrella to reach our
many new
constituencies. As computer systems become increasingly
ubiquitous, we need to
ensure that computer security research, education, and outreach
are just as
omnipresent in order to ensure that the next generation of
computer users is
better-prepared to protect their own digital assets and are an
integral part of
the future of information assurance. |
|
Leslie G Smith, William J Caelli, AO and Neil McNair |
Information Assurance Education In A Specialist Defense
Environment |
The RAAF's imperative is to train members of its No 462 Squadron
in the
appropriate disciplines required for the squadron to meet its
charter. As a
result No 462 Squadron and the Queensland University of
Technology, in
Brisbane, Queensland, Australia have developed a prototype
training and
education program designed to meet the Squadron's charter in a
cooperative
effort between a defence establishment and a public academic
institution.
This paper discusses the experience gained in the development
and delivery of a
formally recognised Australian tertiary qualification in
information assurance
designed to meet No 462 Squadron's Information and
Communications Technology
(ICT) and Information Assurance education and training
requirements.
|
|
N. Paul Schembari |
The Pennsylvania Workforce Leadership Program in Computer
Security |
As indicated in the National Strategy to Secure Cyberspace, one
of the
priorities of the United States is to grow and then maintain the
number of
skilled professionals in Information Assurance. In fact, such
professionals
are needed at all levels of industry - from those implementing
our networks to
those researching and designing the technologies. The National
Center of
Academic Excellence in Information Assurance Education, East
Stroudsburg
University of Pennsylvania, has partnered with the
NSA-recognized (IA-CMM) firm
Backbone Security, Northampton Community College, Monroe Career
and Technical
Institute, and northeastern PA secondary schools to address this
priority.
With funding from the Pennsylvania Department of Community and
Economic
Development we have created our 2 + 2 + 2 Workforce Leadership
Program in
Computer Security, a six-year program from the junior year of
secondary school
through the Bachelor's degree, focused on growing the IA
workforce. In this
paper we will give an overview of our program and discuss some
of the
challenges in its design and implementation.
|
|
Dorothy Yuan, Austin Frazier, Yaohang Li and Stephan Hudson |
Developing Software System Security Course Modules |
Each year the reported number of security vulnerabilities
increases as does the
sophistication of attacks to exploit these vulnerabilities. Most
security vulnerabilities are the result of insecure coding practices.
There is a
critical need to increase the security education of computer
science students,
particularly in software security. We are designing course
modules to integrate
software system security into our computer science curriculum.
The course
modules we have developed, and are developing, include:
operating system
security, software security testing, code review, risk analysis,
and database
security. Each course module includes lecture materials,
in-class
demonstrations, and hands-on assignments. The software security
testing and
database security modules were taught at this university in the
Fall 2007
semester and received positive feedback. The other modules will
be taught in
the Spring 2008 semester. Future work will include the
development of more
modules in secure software development. |
|
Keyu Jiang and Mark Bannister |
Secure 'Information at Your Fingertips' -- Just One Course Can
Help |
This article briefly explains the motive, purpose, feasibility
and vision of
creating an introductory information assurance course serving
not only students
seeking to become INFOSEC professionals, but which also reaches
out to students
from such diverse academic areas as Accounting, Business
Administration,
Education, and Criminal Justice to provide fundamental knowledge
and skills.
This course has been successfully mapped to meet 100% of the
requirements of
National Security Telecommunications and Information Systems
Security (NSTISS)
standards 4011 and 4013E. |
|
Edwin Armistead and Thomas Murphy |
Developing Standards for IO Using CNSS as a Model |
The Information Assurance community has long benefited from the
development of
standards as part of the CNSS process. This paper
summarizes efforts conducted over the last year to start a similar standards based
methodology for
Information Operations and to develop a framework for IO
training and
education. |
|
Tanya Zlateva, Leo Burstein, Anatoly Temkin, Andrew MacNeil and
Lou Chitkushev |
Virtual Laboratories for Learning Real World Security |
We present a laboratory module that follows an end-to-end
security process
pattern in securing real world applications. The overall goal
is to relate
theoretical concepts of cryptography and security protocols to
implementation
solutions and their use in the workplace. In a series of
activities for
installing, certifying and working with systems, each
configuration decision
and communication exchange is evaluated and discussed in the
context of the
theoretical knowledge acquired in our core courses in
cryptography, network and
software security, and network management and security. All
systems are
implemented as part of a virtual network environment thus
reducing costs, and
allowing the student easy access to different lab systems and
the ability to
play different roles and analyze security issues from the point
of the systems
manager, end user, cryptanalyst, or certification authority
administrator. |
|
Rajni Goel, Ayodele Mobolurin
and Narendra Rustagi |
Challenges of Establishing Centers of Excellence in Information
Assurance at an HBCU: A Case Study |
There is a strong need for minority institutions to establish
their place in
the Information Assurance (IA) education arena. The Information
Systems and
Decisions Sciences Department at Howard University believes that
we can extend
our programs to incorporate the rapidly developing field of
information
security. Howard hosts both Bachelor in Business Administration
in Computer
Based Information Systems with a concentration in Information
Assurance, and a
Master of Science with an Information Security certificate
programs. This paper
first presents the status of the many factors that are
associated with the
barriers of starting and sustaining a Center for Information
Assurance, and
then proposes a strategic plan to accomplish such a goal. The
strategies and
approaches adopted are justified through consultation with major
stakeholders
(students), our experiences and are made adaptable to fit the
information
security curriculum development process. |
|
Doug Jacobson and Julie Rursch |
High School Cyber Defense Competitions |
At this point in time, when we are at a juxtaposition of falling
enrollments in
computer science and computer engineering and a rising need
for creative
minds to solve pressing security problems, our institution, a
well-known land
grant with robust programs in computer security and information
assurance at
the undergraduate and graduate levels, recognized the need to
encourage more
Millennials to study in an information technology-related
area.
Our high school program was created as an after-school,
extracurricular
activity which allows students to explore information technology
in a
non-threatening, non-graded environment and is in its third year
of
implementation. In addition to educational materials such as
video-taped
lectures and lab experiments for students to watch and try on
their own, the
high school IT club gets equipment to set up their own cyber
security lab and a
local IT professional to serve as their mentor to guide them in
their exploration. The students' end goal in their experimentation is
to compete in
a state-wide cyber defense competition. This goal is what
guides their
progression throughout the months of IT club meetings and
experimentation prior
to the event.
The primary goal of the high school cyber defense program was to
pique the
interest of students in information technology and through that
increased
interest, raise the number of students who opt to study
information technology
as their college career and their employment path. A
secondary, and
ultimately as worthy, goal was to make the whole experience
fun. The program
is not about structured learning or examinations, but exploring
networking and
security concepts through our provided educational materials and
contact with a
local IT professional who serves as a mentor. It also is about
participating
in a team event where you are competing with other schools, but
also making
friends with them in a real celebration-of-IT environment that
has elements of
an all-night pajama party rolled into it.
In May of 2006, we had 12 high schools and 75 high school
students who
participated in the event. In 2007 we doubled the number of
students with more
than 150 coming to play. These students represented 19 high
schools from
across the state. Both years the event proved to be 18-hours of
on-your-feet
action jam-packed with more end user requests and attacks on
networks than
should be allowed in one sitting. That, coupled with a ton of
free food and
caffeinated beverages produced a group of tired, over-stimulated
but happy high
school students who had a new interest in technology.
For the current season, our third, we have expanded into new
areas of
experimentation to include robotics based upon the Lego
Mindstorms NXT platform
and game design based upon the virtual world programming
environment of Alice.
However, cyber defense is still the most wildly popular area
with nearly 35
teams signed up at this juncture to play in that venue.
Additionally, we have
had to rent our athletic coliseum in which to hold the event
because to date we
have recruited 40 high schools to participate in our program
with approximately
400 high school students from 70 teams having signed up to
compete.
|
|
Tim Rosenberg and Casey O'Brien |
The Growth of the Mid-Atlantic CCDC: Public-Private Partnerships
at Work |
For the past three years, White Wolf Security has partnered with
CyberWATCH and
CCBC to design, conduct and score the Middle Atlantic Collegiate
Cyber Defense
Competition. Over the course of those three engagements, the
competition has
grown in the number of teams, the size and diversity of
infrastructure and the
sophistication of the scoring process and visualization.
As the teams finish up the 2008 Middle Atlantic CCDC Regionals,
the principal
partners of White Wolf Security and CCBC are already laying the
foundations for
increasing the scale and complexity of next year's competition.
New
technologies and more protocol diversity are on the drawing
board to include
SCADA, RFID, remote and mobile assets.
This paper will discuss the evolution of the Middle Atlantic
CCDC from a single
3-day event of 5 teams and a handful of servers to two rounds of
exercises
culminating in a three day exercise involving nearly 20 Class C
networks, 1
Class B network, Two Class A networks, 10 Red Cell, spectators,
fiber, VOIP, a
real CEO and leadership and team building sessions.
As the exercises continue to mature and expand, easy integration
into course
lesson plans, labs and quantifiable skill sets becomes not only
a possibility,
but a necessity.
|
|
David Dittrich |
On Developing Tomorrow's
"Cyber Warriors" |
Threats of cyber-warfare attacks (and counter attacks) by
countries with the
largest economies in the world, massive losses of financial and
personal data
on millions of Americans to cyber-crime, and the potential to
disrupt America's
critical infrastructures, should be on the minds of all
Americans. Why?
Because those who design, build, operate and defend the computer
systems and
networks that our economy relies upon are our fellow
citizens. But where will
these professionals acquire the skills in Information Assurance
necessary to
secure our future? The National Security Agency has, for over a decade, run a
program that defines
standards for Information Assurance education and certifies
curricula that map to
these standards. NSA has designated dozens of universities
across the United
States as Centers of Academic Excellence (CAE), and supports
scholarships for
students who study at these Centers.
Could a creative, modular design of IA-specific topics allow an
educational
institution to increase the number of CNSS elements mappable to
an
undergraduate program, and simultaneously add "hands-on"
learning
opportunities for students? Could this model set the stage for
expanding IA
education to other programs within the institution, as well as
extending
partnerships into the broader community? We consider a model
that could support
delivery of up-to-date demonstrations of current threats found
on the Internet,
showing students how to protect against, detect, and react to
these active
threats. In turn, this sets a foundation for establishing a
long-term
educational path for students that will strengthen the
cyber-defenses of our
nation in years to come.
|
|
Jungwoo Ryoo and Taehwan Oh |
Teaching IP Encryption and Decryption Using the OPNET Modeling
and Simulation Tool |
Combining theoretical instruction with meaningful hands-on
exercises is often
challenging due to the lack of resources such as laboratory
facilities and
equipment resources. To overcome this problem, a
simulation/virtualization
technology such as the OPNET simulation tool can be considered.
In this paper,
we discuss how one can use the OPNET simulation tool to
effectively teach IP
encryption and decryption concepts such as those found in IPSec. |
|
Jill Slay and Elena Sitnikova |
SCADA Systems Security: Developing Specialist Discipline within
the Systems Engineering Curriculum |
This paper responds to the need to understand the
nature of SCADA
systems security concepts, their important role in the nation's
critical
infrastructure protection and highlights the necessity of this
as a specialist
discipline in the systems engineering curriculum. It defines
the nature of the
field and the roles and qualifications of system engineering
practitioners who
serve in the field. It emphasizes the role of the specialist
discipline within
the tertiary curriculum that produces potential systems
engineering specialists
with the knowledge required to achieve robustness and resilience
of critical
infrastructure systems and services. |