Building an Information Security Education Program

Rayford B. Vaughn Jr.
Department of Computer Science and Engineering
Box 9637, 300 Butler Hall
Mississippi State, MS 39762-9637
+1 662-325-7450

David A. Dampier
Department of Computer Science and Engineering
Box 9637, 300 Butler Hall
Mississippi State, MS 39762-9637
+1 662-325-8923

Merrill B. Warkentin
Department of Management and Information Systems
Box 9637, 300 Butler Hall
Mississippi State, MS 39762-9637
+1 662-325-1955

ABSTRACT

Information and computer security is a topic that has grown significantly in popularity in the last few years. With the increased level of funding for IT security research, and the support of information assurance education through the Information Assurance Scholarship Program (IASP) and the Scholarship for Service (SFS) program, information assurance education is enjoying a great period of growth in the U.S. Mississippi State University has embraced these programs and is responding with a slate of new information security courses designed to prepare students to serve as security engineers in either government service or in private industry.

Categories and Subject Descriptors
C.2.0 [Computer Communications Networks]: General – Security and protection
D.4.6 [Operating Systems]: Security and Protection – Access controls, Authentication, Cryptographic controls, Information flow controls, Invasive software
K.3.2 [Computers And Education]: Computer and Information Science Education – Curriculum, Information systems education
K.4.1, .2 & .4 [Computers And Society]: .1 Public Policy Issues – Abuse and crime involving computers, Computer-related health issues, Ethics, Intellectual property rights, Privacy; .2 Social Issues – Abuse and crime involving computers; .4 Electronic Commerce – Security

General Terms
Management, Security.

Keywords
Information Assurance Education, Information Security, Computer Forensics

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. InfoSecCD Conference’04, October 8, 2004, Kennesaw, GA, USA. Copyright 2005 ACM 1-59593-048-5/04/0010…$5.00.

1. INTRODUCTION

Most federal government, state government and industrial leaders would agree that there is a critical shortage today of technical skills needed to secure enterprise-computing resources. Salaries for experienced technical staff with these skills would seem to bear out this shortage [3]. Likewise, malicious attacks on systems and networks seem to be on the rise and efforts to thwart such endeavors seem to largely fail. For over twenty years, the federal government has been promoting vigilance, technology advancement, policy, and training to address this problem. In recent years, the government has invested a significant amount of money in academic programs to promote information assurance education. The Centers of Academic Excellence in Information Assurance Education Program was created to help academic institutions prepare security engineers for work in the government IT security area. Mississippi State University was recognized as a Center of Excellence in the second year of the program, and is currently under review for recertification. There are currently 50 Centers of Excellence in the program.

When developing an information assurance program, the choices for where to put it seem to be limited to computer science, computer engineering, electrical engineering, management/business information systems, industrial engineering, or software engineering programs. Mississippi State University started its program in the Computer Science and Engineering (CSE) department, but has expanded to include programs in three different colleges of the university. Decentralizing the responsibility to several academic departments might seem unusual, but it is important to understand that a fundamental tenet of computer security training is that a "total" security solution is essential. Focusing on one aspect of a system security solution (e.g., the operating system) while omitting another area (e.g., policy) still leaves vulnerability in the system, and the security solution fails. When we talk about "holistic" security, this is what we mean.

2. WHERE ARE WE TODAY?

When we examine the state of academic offerings in information assurance today, we find essentially three kinds of programs: those with strong, capable programs; those with emerging programs; and those that have not addressed this subject in their curriculum. Observation would seem to suggest that the second and third groups are by far the dominant ones and that there is a need to migrate those in the third group to the second (as a minimum). This paper offers suggestions in section 3 on how such a migration might take place.

Before investing in a security program it is often advisable to inventory the tools necessary for success. In an academic environment these tools include (in no particular order):

- Faculty interest
- Faculty reward and recognition
- Textbooks
- A body of knowledge from which to teach
- Unsolved problems to research
- Administration support
- Funding support
- Student interest and benefit

It may be worthwhile to examine each of these elements of success in the small so that we can address the problem in the large. First is that of faculty interest. Faculty members tend to be hesitant to change their research area or focus for a number of reasons. A Ph.D. program involves a long period of study in a typically narrow area of interest under the tutelage of another professor who also chose that area of study. This means that we tend to manufacture new Ph.D. graduates in our own image and there are few who work in the computer security area and are acting as the seed corn necessary to populate emerging programs that need such expertise. Second, faculty members are generally hired through a rigorous search procedure that normally is oriented toward looking for very specific talent and research interest. Once hired into a department, a new faculty member may become integrated into a research collaboration effort, and it becomes very difficult to move into a new area of study. The expectation is that the faculty member will continue to work in the area for which they were hired, at least until they make tenure. There are instances where a major professor will agree, however, to lead a student in research that has a "security" twist, such as operating system security, database security, network security, etc. This, however, tends to create faculty with a very narrow view of security. Lastly, others can view changing or modifying a research interest as a "lack of focus" in research, which then equates to poor results on proposals for research funding or poor evaluations in research schools.

Faculty reward and recognition are important factors. New faculty members are generally concerned with achieving tenure in their departments (as recognition of their research abilities, contributions, and future value to the institution). Failure to achieve this goal generally results in dismissal after a period of years (normally 5 to 7). Success in this area means strong performance on the part of the faculty member in the areas of teaching, research, and service. The research component of this formula is the one that generally carries the largest weighting factor at many schools, and it includes several dimensions – publications ("quantity"), grants and research, and "quality" of the research. To be successful, the field of study and research must have sufficient opportunity for the faculty member in terms of quality journals in which to publish, quality conferences in which to participate and serve, and funding availability on a broad scale to support the research upon which such programs are built. In the field of computer security, most would agree that we currently have a shortage of quality publication opportunities and that research funding is too little and often placed only with a few very well established programs.

Textbooks were a problem in the past and may still remain a problem for graduate student courses. There are, however, a number of very good introductory texts on the market today. These include [7,8,17,19,20]. For those that wish to offer more focused topics (e.g., electronic commerce, web security, network security), choices exist today for student textbooks in these specific areas [9,21,22]. At the graduate level, however, instructors are rather limited in supplemental texts, but sufficient conference proceedings and historical papers exist from which very focused instruction can occur. One excellent resource is [1] and the electronic INFOSEC bookshelf found at http://www.acsac.org/secshelf/secshelf.html. The textbooks and papers discussed here also address the body of knowledge issue and contain adequate historical reference to the foundational research activity in information security.

Unsolved problems to research seem to abound. Few would disagree that security technology and security threat complexity are moving ahead at a faster pace than we seem to be able to offer solution sets. Conferences and discussion groups exist to address new security paradigms, and there seems to be no lack of material for these forums. Strong research opportunity exists in database, distributed parallel computing, high performance computing, network security, availability, intrusion detection, and e-commerce, to name just a few. Most importantly, funding support for this research activity is increasing. As a result of the findings from the President's Commission on Critical Infrastructure Protection and the Presidential Decision Directive (PDD) 63, more federal agency research support is in place and projected for the near future. Recent denial of service attacks appear to have cemented the government's commitment to research in security.

University administration support may remain problematic. Computer security research seems to conjure up concerns of malicious activity ongoing on University computing systems and fear that "hacking" will be taught or practiced. Interested faculty, without significant difficulty, can address both these concerns. It is normally advisable to create an isolated laboratory for students to use and to run experiments on. This isolation is generally sufficient to reduce fear of damage to other computing facilities. The issue of controlling student activity outside the classroom is more difficult to address with the administration. Providing a copy of the detailed program of study, including ethics instruction, and citing other successful programs are tactics that might help.

Student interest and benefit is high when such courses are offered. Students tend to naturally gravitate to this subject area as one of interest and one that offers good skills and knowledge that employers may find attractive. The authors have experienced very high demand from students for security training. The demand seems equal at the graduate and undergraduate level and with domestic and international students. All of the courses currently offered at Mississippi State University are filled to capacity every semester they are offered. The new Business Information System Security Management course offered in the College of Business was similarly filled to capacity the first time it was offered, and reaction has been very positive.

3. INTEGRATION OF SECURITY TRAINING

It is suggested that information and computer security courses should be integrated into degree programs in at least the following three areas: computer science, software engineering, and management information systems. It is not recommended that an entire degree program be created for IT security, although some schools have done that successfully.

3.1 The Computer Science Program

The discussion that follows provides a suggested approach that will lead to a better trained and more security aware undergraduate in a very short time with little impact on the traditional computing science course offerings. It requires that security topics be highlighted and addressed in the following courses: Operating Systems theory, Software Engineering, Database, Networks, and Artificial Intelligence (if such a course, or its equivalent, is offered). Additionally, courses in Business and Law can support the mission of broad information assurance education.

- Operating Systems Course: The fundamental work often cited in information security was very specific to operating systems – examples can be found in [2], [4] and [15]. It seems most appropriate to include this work within the operating systems block and to discuss the early research, findings, and importance of developing a security policy that is implemented by a trusted operating system in terms of mandatory access controls (MAC) working together with discretionary access controls (DAC) to provide a higher level of confidentiality and integrity than typically found in a less capable OS. The importance of separating security-relevant functionality from other OS functions and encapsulating it within a "security kernel" which is isolated, correct, and always invoked is another important topic to include. Work accomplished by the Department of Defense [10], the Federal Government [6] and the international community [4] also will be enlightening to the operating systems student. Discussion of access control mechanisms involving capability lists and access control lists offers excellent lecture opportunities to discuss security implementations and performance tradeoffs in trusted systems. The notion of a "security perimeter" being established for the user of a trusted system and the involvement of the operating system in enforcing the protection necessary for the perimeter will tend to increase student interest and invite discussion opportunities. At the graduate level of instruction, these same topics can be reviewed by focusing on current research papers related to trusted operating system architectures.

- The Database Course: Database instruction offers another excellent forum from which to include security issues that relate to the storage and retrieval of data. Topics such as inference and aggregation have been discussed in the literature for nearly 20 years and remain an unsolved problem today. The issue of storing all data tables in a single database when the data itself has sensitivities of various levels is an important one to address. The use of various techniques to create a "multilevel" database capability can be posed to the students for discussion, and the idea of using encryption as a separation mechanism can be broached. The commonly accepted "balanced assurance" [16] philosophy should be introduced and discussed during this course also. In a security block of instruction, database confidentiality and integrity issues can both be addressed, as well as threats related to denial of database service. Toward the end of database instruction, the notion of polyinstantiation and research driven solutions can be discussed and debated. Modern textbooks in this field already contain some of this suggested material, but the diligent instructor will need to supplement the text with additional material such as that found in [1]. Within the Business course in Database Management, considerable focus is given to database system security policies, including issues related to logical and administrative security protocols.

- Software Engineering: Software engineering courses offer opportunities to introduce the notion of a trusted development environment and the cost of producing software under such restriction. Identification and discovery of the system security policy and how one models that policy for implementation within a working system is an excellent student exercise. Most software engineering courses also include significant discussion concerning requirement analysis, specification, and verification. Using the need to provide software to the customer that is known to implement a specified security model effectively makes an excellent case study for teaching the need for and techniques of verification. It is important in secure system design to demonstrate formally that a system specification maps to the model of security that it is implementing [11]. It is desirable to be able to formally verify that portions of the resulting code map to the specifications. Using secure system design as the teaching vehicle, the instructor has instant credibility in the student's eyes for the need to learn formalisms.

- Computer Networks: Probably the most fertile ground available for discussing computer security lies within network courses. The Internet and its TCP/IP protocols are built to be open and accessible to anyone – it was built with user trust in mind and not user protection, so it is replete with system vulnerabilities that require thought and research to defend against. Topics such as spoofing, sniffing, weak authentication, source routing, interconnection of trusted and untrusted machines, encryption/decryption, and various known network vulnerabilities can and should be discussed during this course [20,21].

- The Artificial Intelligence and Expert Systems Course: Most computer science programs contain some AI course offerings or at least some mention of expert systems, and most Business schools also teach a course in Decision Support and Expert Systems. The idea of using AI techniques to determine when a system may be under attack is an excellent case study for students to review and discuss. There is a large body of work in the area of intrusion detection systems that involve various AI or expert system implementations using audit data as input as well as monitoring user actions in a real time manner. Implementations of intelligent agents operating autonomously or communicating in a distributed fashion can be found in the literature and offer excellent case studies to which students can easily relate.

- A Computer Security Course: In addition to including security topics in the courses above, it is important to offer a concentrated and focused security course that helps to tie the above together. This course should include laboratory exercises, encryption, historical basis, and a more detailed presentation of the topics addressed above as a minimum. This is an excellent opportunity to introduce research areas also.

- A Computer Forensics Course: It is often not sufficient to protect your systems. No system is completely secure. It becomes necessary to be able to find out how those systems were attacked and find evidence to prosecute the attackers. Computer forensics is a new area of academic focus, and concentrates on discovering evidence of computer crimes and protecting that evidence to use in a court of law to prosecute computer criminals. Further, computer forensics can be used to evaluate and establish evidence in civil legal cases (lawsuits) and in cases of corporate malfeasance, such as accounting fraud. Computer forensics courses are enhanced by courses in IT Auditing and Accounting Information Systems.

- A Network Security Course: Network security is another area that deserves specific emphasis. A course that specializes in techniques to secure networks is required. Mississippi State University is currently developing such a course for its computer science and software engineering programs. Network security is one key focus of the new course in Business Information Systems Security Management.

3.2 The Software Engineering Degree Program

It is important to note at this point in the paper that there is a strong movement within many academic institutions to offer degree programs in the field of software engineering. Mississippi State University's Software Engineering undergraduate program was recently one of the first four such programs accredited by ABET. Software engineering, as a separate degree program, offers us an opportunity to integrate a strong information security focus into these curricula. It is the authors' opinion that information security is both an architectural requirement and a user requirement – both issues of software engineering interest [23,24]. This leads to a conclusion that a security-engineering course should be a required course in both undergraduate and graduate software engineering degree programs.

These degree programs are more directed at the practical than the theoretical. Pfleeger [18] synopsizes this difference very well in her recent text on Software Engineering where she writes, "We can concentrate on the computers and programming languages themselves, or we can view them as tools to be used in the designing and implementing a solution to a problem. Software Engineering takes the latter view, ..." The IEEE Standard 610.12 defines software engineering as "... the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software; that is the application of engineering to software." In all software engineering programs this author is familiar with, computer science, computer engineering, and industrial engineering are supporting fields. This suggests that the student should be exposed to the vast majority of the course work outlined in section 3.1 above and can, therefore, be expected to receive bits and pieces of fundamental security training. It is the opinion of the authors that where software engineering programs exist, information security courses should be a requirement. Security is, after all, a user requirement that must be satisfied.

3.3 An Information Systems Degree Program

The Department of Management and Information Systems (M&IS) within the College of Business and Industry has worked closely with the Department of Computer Science and Engineering (CSE) to conduct relevant research, and to augment the technical focus of the CSE coursework with some practical organizational considerations in the past. Further, computer security principles are core topics covered within the graduate and undergraduate courses in Structured Systems Analysis and Design and Database Management, as described above. System security must be designed into systems from the beginning of logical designs and internal controls, not added onto systems design as a layer or an afterthought. Given that so-called "social engineering," corporate policy, and human resource management issues (disgruntled employees, insufficient background checks, etc.) are a major security concern, it is imperative that IT professionals consider the holistic management of system security.

The Department has developed a new course in Business Information Systems Security Management that incorporates these principles into a package oriented toward both technical and nontechnical organizational managers. While significant technical coverage is included (e.g., information storage platforms and data communications protocols), the primary orientation is on how to manage IS environments for information assurance and security. Topics include what tools and techniques to evaluate for purchase and installation, employee training for computer security, and crafting appropriate system security policies whether for large, international corporations or for small- and medium-sized enterprises.

Specific objectives for the student include learning about 1) access control and physical security; 2) security problems and attack methods; 3) ethical issues and concerns; 4) protection via firewalls, host hardening, and cryptographic systems; and 5) incident and disaster response.

The course features extensive student-prepared reports on topics such as cryptography, smart cards, and biometrics controls. Numerous practical speakers in charge of organizational security are also featured.

4. CONCLUSIONS AND SUMMARY

This paper has outlined three different approaches to the introduction of information security training in University programs today for both graduate and undergraduate education. In addition, a discussion of some of the inhibitors to such training in academia was presented. The authors are advocates of requiring computer security coursework in all computer science degree programs and within emerging undergraduate software engineering degree programs. At Mississippi State University, computer security is offered as both an elective computer science course and a required software engineering course, and now also as an elective course in Business Information Systems.

5. REFERENCES

[1] Abrams, M.D., Jajodia, S., and Podell, H.J. (editors) (1995). Information Security: An Integrated Collection of Essays. IEEE Computer Society Press.

[2] Anderson, J.P. (1973). Computer Security Technology Planning Study. ESD-TR-73-51, vol 1. Hanscom AFB, Mass.

[3] Anderson, T. (2002). On the Money, Security Management, ASIS.

[4] Bell, D.E. and LaPadula, L.J. (1975). Secure Computer Systems: Unified Exposition and Multics Interpretation. MTR-2997, MITRE Corp.

[5] Commission of the European Communities. (1991). Information Technology Security Evaluation Criteria (ITSEC), Provisional Harmonized Criteria: version 1.2. Office for Official Publications of the European Communities. Luxembourg.

[6] Congress, US. (1988). Computer Security Act of 1987, PL 100-235.

[7] Gollmann, D. (1999). Computer Security, Wiley.

[8] Denning, D. (1999). Information Warfare and Security, Addison Wesley.

[9] Ghosh, A. (1998). E-Commerce Security, Weak Links, Best Defenses. Wiley.

[10] DOD 5200.28-STD. (1985). DoD Trusted Computer System Evaluation Criteria.

[11] Gasser, M. (1988). Building a Secure Computer System. Van Nostrand Reinhold.

[12] Irvine, C.E., Warren, D.F., and Clark, P.C. (1997). The NPS CIPR Graduate Program in INFOSEC: Six Years of Experience. 20th National Information Systems Security Conference (Baltimore, MD). 22-30.

[13] Irvine, C.E., Chin, S., and Frincke, D. (1998). "Integrating Security into the Curriculum", IEEE Computer, December 98, 25-30.

[14] Johnson, Deborah G. (1994). Computer Ethics, Second Edition, Prentice-Hall, Englewood Cliffs, New Jersey.

[15] Lampson, B.W. (1973). A Note on the Confinement Problem. Commun. of the ACM 16,10. 613-615.

[16] Lunt, T.F., et al. (1988). Secure Distributed Data Views: Security Policy and Interpretation for Database Management System for a Class A1 DBMS. RADC-TR89-313, vol 1. Rome Labs, Rome N.Y.

[17] Pfleeger, C.P. (1997). Security in Computing – 2d edition, Prentice Hall.

[18] Pfleeger, S.L. (1998). Software Engineering – Theory and Practice, Prentice Hall.

[19] Summers, Rita (1997). Secure Computing – Threats and Safeguards, McGraw-Hill.

[20] Stallings, W. (1998). Cryptography and Network Security, Principles and Practice – 2d ed, Prentice Hall.

[21] Stallings, W. (1999). Network Security Essentials. Prentice Hall.

[22] Stein, L. (1998). Web Security, A Step-by-Step Reference Guide. Addison Wesley.

[23] Vaughn, R. and Boggess, E., "Integration of Computer Security into Software Engineering and Computer Science Programs", The Journal of Systems and Software, Elsevier Science, North Holland, vol 49, pp 149-153, Dec 99.

[24] Vaughn, R., "Application of Security to the Computing Science Classroom - Lessons Learned", SIGCSE 2000 Technical Symposium, Austin TX, March 8-12, 2000.
