A First Course in Information Security


A First Course in Information Security
Nancy Smithfield
Computer Science and IT Department, Austin Peay State University
smithfieldn@apsu.edu
www.apsu.edu/smithfieldn

Presentation Outline
- Introduction
- Define Information Security
- Principles of Information Security
- Course Prerequisites
- Objectives
- Sample Topics
- Sample Assignments
- Lab Activities
- Group Project
- Resources
- Future Directions

Speaker notes: I plan to share lessons learned and my continuing education into this exciting and somewhat fearful world of information security. Where do you go to find information on security topics? There is no lack of information (Web, textbooks). Web: NIST, ACM, SANS, searchsecurity.com.

Introduction: Securing Data on Networks and Computer Systems
- Malware Attacks
- Operating System Vulnerabilities
- Application Software Vulnerabilities
- Identity Theft
- Data Theft
- Botnet Hijackings
- Cyberterrorism

Speaker notes: Networks, computer systems, and the data stored, transmitted and processed on those systems are under siege. Malware such as viruses, worms, adware, spyware, spam, and trojans. Operating system and application software vulnerabilities that must be patched. Identity theft through phishing scams and social engineering (the process of convincing an authorized individual to provide confidential information). Data theft due to trojans, stolen laptops. Computers can be hacked and controlled to be the source of DDoS or phishing scams. Cyberterrorism is any "politically motivated attack against computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents".

Introduction: Information Security Problems
- Privacy legislation
- Industry
- Government
- Academe
- Other Organizations
- Online User

Privacy legislation: Organizations Have Legal Responsibilities
- Protect Information
- Disclose Privacy Policies
- Report Breaches

Speaker notes: Security problems occur in business, government, organizations, and for the online user. Implementing security is more than the use of technology; it is also the use of policies, procedures, and standards to detail what users and administrators need to be doing to secure systems and data. Laws have been passed: HIPAA (regulates collection, storage and distribution of healthcare information), with expensive penalties for non-compliance; if your university provides health services or keeps health care information it must comply with the law. Sarbanes-Oxley (financial disclosure by public organizations). Gramm-Leach-Bliley (banks must protect customer privacy).

Introduction: Computer Science and IT Department at APSU

Higher Education Addresses Security Education
- Master's programs in information security areas
- Undergraduate concentrations
- Specific security courses
- Security topics within existing courses

Computer Science and IT Department at APSU
- Two Courses in Security
  - Principles of Information Security (focus of this paper)
  - Network Security (has prerequisite Data Communications and Networking)
- Incorporate Security Topics in Existing Courses

Speaker notes: Higher education has responded with master's programs in information security areas as well as undergraduate concentrations and/or specific security courses. The Computer Science and IT Department at APSU has recently added two courses in security: a beginning course on the Principles of Information Security, which is the focus of this paper, and a course on Network Security that has as its prerequisite the Data Communications and Networking class.

Definition of Information Security
Information Security is the protection of information assets, as well as the hardware and systems that store, transmit and process the information, from unauthorized acquisition, modification, damage, disclosure, or loss of use.

Course Prerequisites
- Computer literacy course, or
- Programming course such as CS1 that includes introductory topics (computer hardware, OS, networks), or
- Permission of instructor

Note: Students of all majors can take this class.

Speaker notes: Students need the introductory topics of hardware, OS, and networks. At APSU the class is numbered CSCI 3200 and is required of Information Systems, Internet and Web, and Database Concentration students. Prerequisites are a computer literacy course, a programming course such as CS1 where computer hardware, OS and networks are introduced, or the permission of the instructor.

Course Objectives
- Understand information security issues and practices
- Understand techniques to identify and prioritize information assets
- Be aware of vulnerabilities and strategies for securing networked computer systems in a global environment
- Identify tools and technology for combating threats to information assets
- Describe legal implications of security and privacy issues
- Understand risk management
- Understand the development of an information security policy and architecture

Course Sample Topics
- History of Information Security
- Information characteristics that must be protected
- Security terminology
- Threat and attack analysis
- Legal issues
- Risk management
- Security Planning
- Defense through management, operational and technology controls
- Specific security technology such as malware detectors, firewalls, IDS, and spam filters
- Cryptography and hash functions
- Personal, Physical, Desktop, Network, Internet and Enterprise Security

Course Assessments
- Exams
- Assignments
- Lab Activities
- Group Project

Assignments
- ~70% of the assignments based on understanding the content of the two textbooks
  - Submitting written answers to questions
  - Taking online practice quizzes
  - In-class student-led discussions on topics
- ~30% of assignments based on
  - Security news topics
  - Security awareness
  - Investigation of NIST security documents

Speaker notes: Approximately 70% of the assignments were based on understanding the content of the two textbooks: submitting written answers to questions, taking online practice quizzes, and in-class student-led discussions on topics. The other 30% of assignments were based on security news topics, security awareness, and investigation of NIST security documents. Taking online practice quizzes can be done in Blackboard or WebCT (Web-enhanced class); students take the quiz as often as they like. In-class student-led discussions on topics: I would pick a student to lead class discussion on a security topic that all students should have been prepared to discuss. This helps students understand terminology better and is good practice of communication skills.

Sample Security News Topic Assignment
In 2006 a laptop with sensitive VA information was reported stolen. Over 20 million veterans were affected. Every year over 700,000 laptops are stolen in the U.S.

Assignment: Investigate Laptop Security
- Write about securing the actual laptop and the data it contains with existing hardware and software tools.
- What are the advantages and disadvantages of encrypting data on laptops?
- What security tools and services are available to find missing laptops, such as CyberAngel? Describe how they work.

Sample Security Awareness Assignment
- October is cyber security awareness month.
- Each student was given a security protection hot topic to investigate. Two to three students were given the same topic, but it was not a group project.
- Assignment: Create an illustrated one-page poster on the topic.
- Sample topics: strong passwords, protection against phishing, social engineering, protection against viruses, protecting software copyright.
- Posters were used to create a cyber awareness display.

Sample Lab Activities
Sample active learning during 3 to 4 labs at class times:
- Running a password cracker (dictionary and brute force attacks)
- Windows security settings, including firewall and browser settings
- Running antispyware software (Windows Defender, SpySweeper, Ad-Aware)
- Running a web site detector (SpoofStick)
- Managing Windows updates, disabling Windows services, managing Windows accounts

Group Project
- Students divided into 3-person groups
- Each group assigned a different research topic
- Write an 8-10 page paper
- Prepare and give a group presentation
- Sample topics: viruses, spyware, phishing, security settings in browsers, intrusion detection and prevention systems

Example Project: Security Settings in Browsers
- Research security features available in three popular browsers, one of which must be IE.
- Explain each of the security settings/configurations and list pros and cons for each setting. Include possible settings for cookies, Java and ActiveX controls.
- List security features of IE7.
- Prepare a chart comparing and contrasting the browsers.

Course Resources: Textbooks
- Principles of Information Security, Second Edition, by Whitman and Mattord. ISBN: 0-619-21625-5
- Security Awareness: Applying Practical Security in Your World, by Ciampa. ISBN: 1-4188-0969-1

Course Resources: Computer Security Resource Center of the National Institute of Standards and Technology (http://csrc.nist.gov)
- Glossary of terms
- Free Special Publications such as:
  - SP 800-12 An Introduction to Computer Security
  - SP 800-14 Best Practices and Security Principles
  - SP 800-26 Self Assessment Guide for IT Systems
  - SP 800-30 Risk Management
  - SP 800-100 Information Security Handbook for Managers

Course Resources
- United States Computer Emergency Readiness Team: http://www.us-cert.gov/reading_room/
- Internet Storm Center Presentations: http://isc.sans.org/presentations/index.php
- Educause Web Site on CyberSecurity Awareness Month, with links to projects at many higher education sites: http://www.educause.edu/content.asp?page_id=7479&bhcp=1

Course Resources
- Videos on cyber awareness: http://www.staysafeonline.org/basics/assemblyinabox.html
- National Strategy to Secure Cyberspace: http://www.whitehouse.gov/pcipb/
- Kennesaw State's Center for Information Security Education and Awareness: http://infosec.kennesaw.edu/
- Current Security Topics: http://searchsecurity.techtarget.com/

Lessons Learned and Future Directions
- Overwhelming amount of material for course resources
- Security news is a source of discussion topics
- Current course needs more active learning
  - Labs
  - Security analysis of small businesses or non-profits
- As part of course goals, promote security awareness across the University

Questions?