A First Course in Information Security

Nancy Smithfield

Computer Science and IT Department

Austin Peay State University

smithfieldn@apsu.edu

www.apsu.edu/smithfieldn

Presentation Outline Introduction Define Information Security Principles of Information Security Course

Prerequisites Objectives Sample Topics Sample Assignments Lab Activities Group Project

Resources Future Directions

Introduction Securing Data on Networks and

Computer Systems Malware Attacks Operating System Vulnerabilities Application Software Vulnerabilities Identity Theft Data Theft Botnet Hijackings Cyberterrorism

Introduction

Information Security Problems Industry Government Academe Other Organizations Online User

Privacy legislation Organizations Have Legal Responsibilities

• Protect Information• Disclose Privacy Policies • Report Breaches

Introduction Higher Education Addresses Security Education

Master’s programs in information security areas Undergraduate concentrations Specific security courses Security topics within existing courses

Computer Science and IT Department at APSU Two Courses in Security

• Principles of Information Security• Focus of this paper

• Network Security • Has prerequisite Data Communications and Networking

Incorporate Security Topics in Existing Courses

Definition of Information Security

Information Security is the protection of information assets as well as the hardware and systems that store, transmit and process the information from unauthorized acquisition, modification, damage, disclosure, or loss of use.

Course Prerequisites Computer literacy course, or Programming course such as CS1

Includes introductory topics• computer hardware• OS • networks

Permission of instructor Note: Students of all majors can take this class

• need introductory topics hardware, OS, networks

At APSU the class is numbered CSCI 3200 and is required of Information Systems, Internet and Web, and Database Concentration students

Course Objectives

Understand information security issues and practices Understand techniques to identify and prioritize

information assets Be aware of vulnerabilities and strategies for securing

networked computer systems in a global environment Identify tools and technology for combating threats to

information assets Describe legal implications of security and privacy issues Understand risk management Understand the development of an information security

policy and architecture

Course Sample Topics

History of Information Security

Information characteristics that must be protected

Security terminology Threat and attack

analysis Legal issues Risk management Security Planning

Defense through management, operational and technology controls

Specific security technology such as malware detectors, firewalls, IDS, and spam filters

Cryptography and hash functions

Personal, Physical, Desktop, Network, Internet and Enterprise Security

Course Assessments

Exams Assignments Lab Activities Group Project

Assignments

~ 70% of the assignments based on understanding content of two text books Submitting written answers to questions Taking online practice quizzes In-class student led discussions on topics

~ 30 % of assignments based on Security news topics Security awareness Investigation of NIST security documents

Sample Security News Topic Assignment

In 2006 a laptop with sensitive VA information was reported stolen. Over 20 million veterans were affected.

Every year over 700,000 laptops are stolen in the U.S. Assignment - Investigate Laptop Security

• Write about securing the actual laptop and the data it contains with existing hardware and software tools

• What are the advantages and disadvantages of encrypting data on laptops?

• What security tools and services are available to find missing laptops such as cyberangel? Describe how they work.

Sample Security Awareness Assignment

October - cyber security awareness month Each student was given a security protection hot-

topic to investigate. Two to three students were given the same topic but it was not a group project.

Assignment - Create an illustrated one page poster on the topic.

Sample topics (strong passwords, protection against phishing, social engineering, protection against viruses, protecting software copyright)

Posters were used to create a cyber awareness display

Sample Lab Activities

Sample active learning during 3 to 4 labs at class times Running a Password cracker (dictionary and

brute force attacks) Windows security settings including firewall

and browser settings Running antispyware software (Windows

Defender, SpySweeper, Ad-Aware) Running a web site detector Spoofstick Managing Windows updates, disabling

Windows services, managing windows accounts

Group Project

Students divided into 3 person groups Each group - different research topic Write an 8-10 page paper Prepare and give group presentation Sample topics (viruses, spyware,

phishing, security settings in browsers, intrusion detection and prevention systems)

Example Project: Security Settings in Browsers

Research security features available in three popular browsers, one of which must be IE .

Explain each of the security settings/configurations and list pros and cons for each setting.

Include possible settings for cookies, Java and ActiveX controls.

List security features of IE7. Prepare a chart comparing and contrasting the

browsers.

Course Resources

Textbooks Principles of Information Security Second

Editionby Whitman and MattfordISBN : 0-619-21625-5

Security Awareness: Applying Practical Security in Your World by Ciampa ISBN: 1-4188-0969-1

Course Resources Computer Security Resource Center of National

Institute for Standards and Technology (http://csrc.nist.gov) Glossary of terms Free Special Publications such as:

• SP 800-12 An Introduction to Computer Security• SP 800-14 Best Practices and Security Principles • SP 800- 26 Self Assessment Guide for IT Systems• SP 800-30 Risk Management• SP 800-100 Information Security Handbook for

Managers

Course Resources United States Computer Emergency Readiness

Team http://www.us-cert.gov/reading_room/

Internet Storm Center Presentations http://isc.sans.org/presentations/index.php

Educause Web Site on CyberSecurity Awareness Month with links to projects at many higher education siteshttp://www.educause.edu/content.asp?page_id=7479&bhcp=1

Course Resources Videos on cyber awareness

http://www.staysafeonline.org/basics/assemblyinabox.html

National Strategy to secure cyberspacehttp://www.whitehouse.gov/pcipb/

Kennesaw State’s Center for Information Security Education and Awarenesshttp://infosec.kennesaw.edu/

Current Security Topicshttp://searchsecurity.techtarget.com/

Lessons Learned - Future Directions Overwhelming amount of material for

course resources Security news - source of discussion topics Current course needs more active learning

Labs Security analysis of small businesses or

non-profit As part of course goals, promote security

awareness across the University

Questions?