Knowledge Flow with Information Assurance Track Wasim A. Al-Hamdani, PhD Division of Computer and Technical Sciences Kentucky State University Frankfort, KY 40601 502-597-6728
[email protected] ABSTRACT
Three years ago, a master’s degree program at Kentucky State
A master program at KSU was started three years ago, and one of the tracks, which has been offered now for a year is “Information Assurance”. The major problem with the courses in this track is there is a weakness in the flow of information and knowledge delivery comparing with other universities (with longer experiences). This paper, therefore, looks at the existing knowledge flow, extracting the weaknesses and suggesting a better knowledge flow to enhance the curriculum and student performance. This paper will also justify the change need to be made and look at advance levels of education, such as a Ph.D. in information security.
University’s (KSU) Division of Computer and Technical Sciences started with two tracks – Information Theory (THR) and Information Technology (IT). This division also proposed to offer a graduate Information Security and Assurance (InfoAssure) track. Students seeking concentration in this track will have to complete five core courses of the InfoAssure track (COS 533, COS 581-COS 584), two InfoAssure electives (COS 585-COS589) and three courses from the THR or IT tracks for a total of 30 credit hours for the track. After one year of offering these courses and looking at: • Details subjects flow • Other universities with longer experiences [18-23] This indicates some weaknesses in the flow of information and knowledge harmony. In addition, the complexity of the prerequisites required for certain current courses lock up the availability for opening or creating new courses.
Categories and Subject Descriptors C.2.0 [Computer Communications Networks]: General – Security and protection D.4.6 [Operating Systems]: Security and Protection - Access controls – Authentication, Cryptographic controls, Information flow controls, Invasive software. H.2.0 [Database Management]: General - Security, integrity, and protection
This paper describes the organization of the current courses, as well as presents flow weaknesses and better course sequencing to harmonize the flow of information. This paper also gives an overview of future visions for further education, such as doctoral degrees in this track.
K.3.2 [Computers and Education] - Computer and Information Science Education – Curriculum, Information systems education K.6.5 [Management of Computer and Information Systems]: Security and Protection- Authentication, Insurance, Invasive software, Physical security
2. CURRENT COURSE ORGANIZATION The current courses in KSU book [1] organized as 7 core courses, each with three credits these are
General Terms
COS 533 INTRODUCTION TO CRYPTOGRAPHY ALGORITHMS
Security
The students are introduced to the area of Cryptography. The topics covered are concepts of cryptography, communication channels, cryptography classifications, classical cryptography algorithms, Stream Cipher algorithms, Block cipher algorithms, DES, and AES. Public key encryption, digital signature, and hash functions.
Keywords Information Security, Information Assurance, Information Security Curriculum, Information Assurance Curriculum, Curriculum Development
1. INTRODUCTION
COS 581 ADVANCED CRYPTO ALGORITHMS Prerequisite: COS 533. Introduction to the advanced cryptography algorithms, block encryption algorithms, public key algorithms, digital signature algorithms, PKI key managements, authentication and implementation issues, protocols theory, protocol use, and protocol design theory.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. InfoSecCD Conference’06, September 22-23, 2006, Kennesaw, GA, USA. Copyright 2006 ACM 1-59593-437-5/00/0006…$5.00.
COS 582 SECURE E-COMMERCE Prerequisite: COS 581. The course covers the topics related to secure electronic commerce technology: models and issues; related principles with case studies; security architectures;
52
digital signatures; certificates; public key infrastructure (PKI); and legal and national policy on secure electronic commerce and others.
threats, and qualitative risk analysis. Figure 1 shows the current knowledge flow according to the Prerequisite
COS 583 ENTERPRISE SECURITY MANAGEMENTS Prerequisite: COS 581, COS 582. Students are introduced to the managerial aspects of computer security and risk management for enterprises. Also covered are accreditation; procurement; extension, and operation principles for secure enterprise information systems; security policy; plan development; contingency, continuity and disaster recovery planning; and incident handling and response. COS 584 SECURE SYSTEM ADMINISTRATION AND CERTIFICATION Prerequisite: COS 583. The course deals with the provisioning, procurement and installation of network hardware and software systems for mission critical enterprises. System configuration and maintenance; incident handling and response; system certification; and testing and validation will also be covered. In addition to seven compulsory courses there are 3 electives, from the following courses: COS 585 INFORMATION SECURITY Prerequisite: COS 582. The course introduces the basic notions of confidentiality; integrity; availability; authentication models; protection models; security kernels; audit; intrusion detection; operational security issues; physical security issues; security system life cycle management; personnel security; policy formation and enforcement; trust modeling; risks and vulnerabilities assessment; basic issues of law and privacy; trade secrets; employee covenants; copyright; database protection; software and hardware validation; verification and certification; and other security tools. COS 586 INFORMATION SYSTEM ASSURANCE
Figure 1. The Current Curriculum knowledge flow
3. CURRENT WEAKNESS Looking at the course sequencing and flow of knowledge, we can see that the core knowledge is based on Cryptography (two courses) and Secure E-commerce. There is no strong argument about Cryptography’s sequencing and the base of knowledge that it holds, but other major objections about this course and the e-commerce course would be:
Prerequisite: COS 582. This course deals with the in-depth study of the design and analysis of high assurance information systems. The topics include safety; reliability and security; specification of mission-critical system properties; software and hardware validation; and verification and certification.
• •
COS 587 DATABASE SECURITY •
Prerequisite: COS 533. This course will focus on the issues related to the design and implementation of the secure data stores. Emphasis will be placed on multi-level security in database systems, covert channels, and security measures for relational and object-oriented database systems.
•
COS 588 COMPUTER NETWORK SECURITY Prerequisite: COS 582. This course deals with aspects of Network Security from the viewpoint of security services, attacks, and encryption algorithms that provide privacy, message authentication, and non-repudiation. The course provides an overview of the basic building blocks in the security of enterprise networks and issues and techniques employed to address them. The emphasis in the first half of the course is on cryptography. The latter half discusses network security practice and system security.
•
Cryptography theory is taking 1/5 of the weight of the degree (too much). E-commerce protocols are not essential as an information security course (to create basic background), E-commerce protocols could be embedded with a network security course. Major subjects are missing, such as: o Information security ethics o Programming security o Security operation o Security policy organization o Communication security o Multimedia security o Software design security o Secure Web design and others.
The overall courses are toward theoretical aspects, rather than practical aspects. The major problem with these courses is that they are organized without practical experience at hand and focus on the collection of non-harmonic information. The most pressing need is for these courses to harmonize with the knowledge needed, such as:
COS 589 INFORMATION SECURITY RISK ANALYSIS Prerequisite: COS 582. The course deals with the introduction to risk analysis for network and systems as well as the associated risks to assets and operations. Some of the topics are costeffective risk analysis techniques to identify and quantify the 53
• • •
laws that relate to the practice of information security, The role of culture as it applies to ethics in information security, The current regulatory environment for Security and Privacy in Health Care Information Systems, The Organization's Security Blueprint as a Project Plan, The main components of a Project using the Work Breakdown Structure (WBS) method
One or two courses will create the general basis for knowledge. These courses must be broad introductions and more general. These two (or one) courses must cover the following subjects: o General knowledge on information security o Why information security? o Management issues o Risk and vulnerabilities assessment o Disaster recovery o Continuing business plans o Cryptography (theory and applications) o Communication issues and protocols o Access control o Code of esthetics: Law and computer forensic science o Operation security o Physical security o Security architecture design and life cycles o Security application o Programming language security o Audit and intrusion detection systems o Firewall structures
RISK IDENTIFICATION Risk Management and its Role in the Security Systems Development Life Cycle, Assess risk based on the likelihood of occurrence and impact on an organization, the fundamental aspects of documenting Risk Identification and Assessment, Why risk control is needed in today's organizations? The risk Mitigation Strategy options for controlling risks, Formulate a Cost Benefit Analysis, Maintain and Perpetuate Risk Controls, Information Security Audit MANAGEMENT'S ROLE Management's role in the Development, Maintenance, and Enforcement of Information Security Policy, Standards, Practices, Procedures, and Guidelines, the differences between the organization's General Information Security Policy and the requirements and Objectives of the Organization's IssueSpecific and System-Specific Policies, Information Security Blueprint, What are Security Policy major components? How an organization institutionalizes its Policies, standards, and Practices using Education, Training, and Awareness Programs
4. NEW PROPOSE The proposed flow of information is based on these basic two courses – COS 585 Information Security and COS 533 Cryptography Algorithms. These two courses should cover the base line of information assurance and must play a major part in creating the basis for student’s learning in further courses.
INFORMATION SECURITY ARCHITECTURE AND MODELING What Information Security Architecture is? What it includes and how it is used? What Contingency Planning is and how Incident Response Planning? Disaster Recovery Planning, and Business Continuity Plans are related to Contingency Planning, The elements that comprise a Business Impact Analysis and the information that is collected for the Attack Profile, The components of an Incident Response Plan, The Capabilities and Limitations of Current Incident Response Systems, The steps involved in Incident Reaction and Incident Recovery, The Disaster Recovery Plan and its parts, the Business Continuity Plan and its parts, The reasons for and against involving Law Enforcement Officials in Incident Responses, the various types of Firewalls, Approaches to Firewall implementation
COS 585 INFORMATION SECURITY To provide an overview of Information Security and Assurance, to exposed the spectrum of Security activities, methods, methodologies, and procedures, Protection of information assets, detection of and reaction to threats to information assets, Examination of pre- and post-incident procedures, Technical and managerial responses and an overview of the Information Security Planning and Staffing functions. An introduction to the various technical and administrative aspects of Information Security and Assurance Determining the levels of protection and response to security incidents, and designing a consistent, reasonable information security system, with appropriate intrusion detection and reporting features
INFORMATION SECURITY GENERAL CONCEPTS
CRYPTOGRAPHY The process of encryption and define key terms, Common approaches to cryptography, Classical Cryptography, Block Cipher, Stream Cipher algorithms, Public Key algorithms, Digital Signatures, Hash Functions, Key Managements
What information security is and how it came to mean what it does today? The history of computer security and how it evolved into information security, Define key terms and critical concepts of information security, the phases of the security Systems Development Life Cycle, The role of professionals involved in information security in an organizational structure, The business need for information security , The threats posed to information security and discuss the more common attacks associated with those threats, Differentiate threats to information systems from attacks against information systems , Differentiate between laws and ethics, identify major national
ACCESS CONTROL AND PHYSICAL SECURITY Essential elements of Access Control, Various approaches to Biometric Access Control, The conceptual need for Physical Security , Threats to Information Security that are unique to Physical Security, The key physical security considerations for selecting a facility site, Physical Security Monitoring Components, The criticality of Fire Safety Programs to all Physical Security Programs, The components of Fire Detection and Response, The impact of Interruptions in the service of supporting utilities, Technical details of uninterruptible power
Detail topics could be selected from the following list [2-16]:
54
supplies and how they are used to increase availability of information assets, Critical Physical Environment considerations for computing facilities, Countermeasures to the Physical Theft of Computing Devices,
ETHICS Multiple Roles of Computers in Crime, Code of Information Ethics, Legal Aspects of Information Technology, Privacy and Information System Security, Security and the Law, Challenges the Legal System Faces, Laws and Statutes that apply to Security APPLICATIONS & SYSTEMS DEVELOPMENT System life cycle, Security phases with system life cycle, Embedded Security System, Database security Security in Sun Java System OPERATION SECURITY Program Administrators, Define and implement division level security related initiatives including, policies, standards, procedures, and guidelines, Monitors the information systems security conditions, Router Configuration, Local Account procedures, Password Recovery, Disabling unneeded services, Disabling unused interfaces, Ingress and Egress Filtering, Remote Administration, Secure Channel, Communications, Two-factor authentication, Auditing Router Security, Reviewing ACL’s, DOS Vulnerability Checking
Figure 2. A Proposal Curriculum Knowledge Flow There are several arguments that could arise from this course flow, such as: •
COMMUNICATION AND NETWORKING Data Communications and Networking Overview: communications, networking, information, technology, standards, equipment, Architectural Principles: layering, services, protocols, layer-specific mechanisms, Communications Mechanisms: networking, data transmission, Communications Case Studies: ASN.1 (Abstract Syntax Notation 1), UDP/TCP (User Datagram Protocol/Transmission Control Protocol), IP (Internet Protocol) and Related Protocols, Network Management Protocols (Simple Network Management Protocol), LANs (Local Area Networks, Ethernet, Wireless, other kinds), Wireless Networks (Blue tooth, Mobile Telephony),The Communication System, Radio Wave (Air link) Fundamentals, Optical Link Fundamentals, Baseband Modulation, Phase Shift Keying, Frequency Shift Keying , Spread Spectrum, Time Hopping, Multiple Access (Multi-User), Multi-User Interference
•
•
A selected topic from the above topics will create the correct General Board base for any farther course. Figure 2 shows courses flow for the new proposal
Data Communication Theory and Practice issues – This subject is a key subject in most proficient information security certifications [13,16]. For this argument, we propose that Most of the communication issues could be covered with network security. “Why two courses for cryptography?” Since the general ideas needed for the courses are presented in “Information Security”, for this we propose that the first course is a step-by-step algorithm design that covers most classic, block, stream cipher and public key. The algorithms are presented in a step-by-step format to close the hole between programming language, cryptography and information security, while the second course is focuses on cryptography protocols design and analysis, which will be required for Secure E-communication. “Why cryptography?” Since most of the needed subject is covered with information security.
The last argument is absolutely in the right direction, which suggests minimizing the large dependence of the courses and freeing some courses from the prerequisites. This will also free the faculty to open courses more freely. This approach is shown in Figure 3.
55
• • • •
Fuzzy Access Control Self Detective System Design and Control System Assurance Detective and Correctives System Security Heeling Theory
6. CONCLUSION An Information Security Track at KSU began running one academic year ago. Throughout this period, we have found there are some weaknesses in the flow of knowledge that have a negative impact on student performance and class information delivery. In this paper, we have looked at the knowledge flow and information harmony of this track, as well as suggested a better flow based on one course, Information Security, with which a large number of unrelated prerequisites would be minimized. This Information Security course has been described as a collection of many different subjects, presented as a short mini-introduction to the track for students. This paper also suggested that the Cryptography course could be a single stream, rather than feed to many courses (include the major topics within the Information Security course). Finally, this paper suggested that different subjects be extracted from the master’s degree program to feed into a higher degree (Ph.D.) program.
Figure 3. A Proposal Curriculum Knowledge Flow
5. CHANGE JUSTIFICATION AND TOWARD HIGHER DEGREE
7. REFERENCES
Looking at different curriculums from different universities [1823] with longer experiences in Information Security education it was found that courses such as “Information Security”, “Introduction to Information Security”, “Secure Computer Systems”, “Foundations of Information Security and Assurance” has always lower course number. This indicate that these courses are introductory to other courses such as “Information Managements”, “Legal and Ethical Aspects of Computing”, “Risk Managements” , “Trusted Systems” , “Network Security”, “ Digital Rights and Content Management”. Comparing these findings with KSU flow of knowledge Figure 1 indicates that: •
The curriculum has not put the flow of information for these courses in the proper place, and
•
Major focus is “Cryptography as the major issue in Information Security”,
[1] [2] [3] [4] [5] [6] [7]
[8]
[9]
while the facts and the professional [7, 9, 11, 24] indicate that the “Cryptography” is one phase of “Security Issue” complements with “Information Managements”, “secure Communication”, “Ethics”, “operation”, “Physical” , “Architecture”, “System Certification”. Figure 3 is the most accurate to match the flow of knowledge with some of the courses need to change their prerequisites, while others could be used toward a Ph.D. program. Such courses suggested for the Ph.D. program are: • • • • •
[10]
[11]
[12]
Programming Language Security Structure Programming Languages Design as First Defiance Layer Information Security Ethics Research (a comparison studies for international Information Security Law) Security Managements Matrices Risks Analysis Theory
[13]
[14]
[15] 56
Kentucky state University Catalogue 2005-2007 http://www.itm.iit.edu/578/ http://ia.gordon.army.mil/ia_courses.htm http://www.ccs.neu.edu/graduate/msia.html http://www.walshcollege.edu/pages/883.asp http://www.sans.org/resources/ Michael E. Whitman, Herbert J. Mattord Principles of Information Security Second Edition Course Technology; (November 23, 2004) Mark Egan, Tim Mather The Executive Guide to Information Security : Threats, Challenges, and Solutions Addison-Wesley Professional (November 30, 2004) Mark Merkow, James Breithaupt Information Security : Principles and Practices Prentice Hall (August 19, 2005) Thomas R. Peltier Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management AUERBACH; 1 edition (December 20, 2001) Hossein Bidgoli Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management Wiley (January 3, 2006) Jan Killmeyer, Jan Killmeyer Tudor "Information Security Architecture, Second Edition AUERBACH; 2 edition (June 28, 2003) Susan Hansche, J. Berti and C. Harre Official (ISC)2 Guide to the CISSP Exam AUERBACH; (December 15, 2003) Michael G Solomon and Mike Chapple Information Security Illuminated Jones and Bartlett Illuminated Series 2004 Susan Hansche Offical (ISC)2 Guide to the CISSPISSPCBK AUERBACH; (2006)
[22] Nova Southeastern University http://www.scis.nova.edu/ [23] Iowa State University http://www.bus.iastate.edu/ [24] https://www.isc2.org/ [25] http://www.isaca.org/
[16] ED Harold F. Tipton and Micki Krause “Information security Management Handbook” Third edition, Auerbach Pub, ISBN 0-8493-9561-5 [17] ED Harold F. Tipton and Micki Krause “Information security Management Handbook” Fifth edition, Auerbach Pub, ISBN 0-8493-1997-8 [18] Lewis University http://www.lewisu.edu/ [19] Georgia Tech http://www.cc.gatech.edu [20] Kennesaw State University http://infosec.kennesaw.edu/ [21] University of San Francisco http://www.usfca.edu/online/
57
