Archives

Papers

Many information technologists and others are interested in learning about information security. Some people want to teach themselves about the field; others are willing to take courses from academic centers. This paper reviews a range of options for anyone seeking knowledge of INFOSEC. The format uses questions similar to those that practitioners may receive from correspondents. Topics include helpful books for beginners, courses (live, computer-based and Web-based), videos, associations, conferences, certificate programs and academic programs. The author hopes that the questions, answers and appendices containing specific recommendations and sources will be helpful to all INFOSEC educators.

How do you provide security training and education to people who cannot travel, are "on the go" or physically distributed? Traditional classrooms and audio/video methods are impractical or fall short of a high-quality educational experience. Have you ever received a bunch of talking-head PowerPoint charts? It’s not education! There is an effective method to train information security professionals or end users, using only a web browser. This paper discusses how we created Information Security University (InfosecU), what it does, how it does it, and how it can be used to educate both end users and professionals.

The growth and availability of the Internet created serious vulnerabilities in connected systems. In response to this, the Federal Government has created several programs. Significant among those is the National Security Telecommunications and Information Systems Security Policy and the implementing directives that specify training standards for various professional positions related to telecommunications and information systems security. In response to the directives of the National Security Telecommunications and Information Systems Security Committee (NSTISSC) and to the results of independent research, the faculty of the College of Information Science and Technology at the University of Nebraska at Omaha decided to implement a concentration in Information Assurance as an option in the Master of Science in Management Information Systems Program.

We propose a new method to enforce the fault-tolerant and recovery capabilities of critical network services in a distributed computing environment. With our approach a service can be dynamically dispatched onto any available host, and at any time, each service is not only viable but also consumes the normal amount of resources without duplication. In the event or indication of system failures, services would reestablish themselves onto other hosts via a non-preemptive remote execution process. The basic simulation is to have a vital service reside on a primary host, with a secondary host designated as standing by. The primary host performs the service until the occurrence or indication of fatal faults in the system. Then, the secondary host resumes the service and becomes the primary host, with yet another host being designated as the new secondary host for that service.

Too many students are graduating from colleges and universities without taking a single course in information assurance. The need for students to receive more and better education in information assurance is undisputed. For those educational institutions already requiring and/or teaching such courses, the educational experience can be greatly enhanced with a supportive laboratory environment where carefully chosen hands-on tutorials or exercises can be assigned to support the material being presented in the classroom. This paper describes the experiences of supporting information assurance exercises and tutorials at the Naval Postgraduate School. Recommendations are provided so that others may learn from the experience.

The US Military Academy at West Point issued a challenge to the five United States service academies to participate in an inter-academy Cyber Defense Exercise (CDE). This exercise was initiated and implemented by faculty and cadets assigned to the US Military Academy, West Point, with funding and direction provided by the National Security Agency. The concept of defending the network was derived to evaluate cadet skills and the effectiveness of the Information Assurance (IA) education invoked at West Point. The Cyber Defense Exercise served as the final project for senior-level Computer Science majors enrolled in the Information Assurance (IA) course. The IA - Service Academy Group for Education Superiority (IA-SAGES), a group formed to plan, develop and share IA curriculum, proposed that all US service academies teaching an IA course participate in the exercise. The US Air Force Academy and US Military Academy accepted the challenge to compete in 2001.

This paper suggests that the instruction of computer security in the university environment should begin with a thorough examination of the 1970 Report of the Defense Science Board Task Force on Computer Security, "Security Controls for Computer Systems". Dr. Willis Ware was the chair of this task force in 1970. While the report itself is dated and the architectures discussed no longer exist, the problem identification contained in the report and the technical issues examined remain valid today - some 30 years after the report was released. Students having read this report prior to beginning a semester course appear better prepared to then understand and follow on with formal instruction in models, multilevel security, trusted operating systems, and the need for a holistic approach to the security problem. Teaching Saltzer and Schroeder’s principles is made far easier as is the need for trusted development environments, strong process control, policy enforcement, and accountability.

 
 