A Computer Science Course in Cyber Security and Forensics for a Multidisciplinary Audience

Wendy A. Lawrence-Fowler
Department of Computer Science
The University of Texas-Pan American
Edinburg, Texas

Abstract

The preparation of a graduate level cyber security and forensics course in a computer science department that addresses theory, policy, and application for a multidisciplinary student audience can be daunting when the majority of students in the class do not have a computer science background. The course takes a holistic approach to broaden knowledge and deepen understanding of the domain of cyber security using cross-disciplinary teams to gain understanding and experience taking theory to practice and practice to theory. A framework of understanding is built through the examination of the body of scholarly conceptual and technical works and hands-on experience with hardware and software platforms and networks. Computer Science provides the theoretical underpinnings and technical details, methods, and tools to examine security concepts; Forensic Science provides the approach to critical analysis of digital evidence; and Behavioral Analysis provides a way to synthesize knowledge and scientific method to gain some understanding of criminal behavior as well as the breadth and economic impact of cybercrime. This approach resulted in students who gained technical proficiency and perspective and experience working with people with divergent backgrounds, abilities and knowledge sets.

Keywords: cyber security, forensics, multidisciplinary learning, security education, information security training

I. INTRODUCTION

In the era of information, security is a common topic of discussion in public and private, large and small organizations. While information security is not a new field, the increasing number of security breaches and threats to personal, organizational, and national safety have created a focus on cyber security.
This has created an increased demand for qualified security professionals in both the private and the public sector. Emerging fields of study and practice in cyber security (computer forensics, network security, software security, and critical infrastructure protection) are increasingly important areas of interest.

The U.S. government has recognized that securing cyberspace is an extraordinarily difficult challenge that requires a coordinated and focused effort from our entire society: the federal government, state and local governments, the private sector and the American people. In addition to the National Initiative for Cybersecurity (NICE) at NIST, the U.S. Intelligence Community established the Intelligence Community Center of Excellence in National Security Studies Program (IC CAE) in 2005 to strategically meet the nation's demand for a competitive, knowledgeable and ethnically diverse pipeline of professionals to meet the United States National Security Imperatives in the 21st Century.

In 2007, The University of Texas-Pan American, a Hispanic Serving Institution, established an Intelligence Community Center of Academic Excellence (IC CAE) with funding from the Office of the Director of National Intelligence (ODNI). The purpose of the Center is to prepare students for careers in intelligence and security through advanced interdisciplinary studies using an approach that assures that the next generation of Intelligence Community professionals is prepared with the appropriate skills and breadth of knowledge to be leaders in the national security challenges in the global economy of the 21st century.
Recognizing the breadth of knowledge required to lead security initiatives and recognizing that solutions to the current challenges in security demand the integration of human and technical resources, the UTPA IC CAE uses a multidisciplinary approach to achieve substantial synergies in combining knowledge from different disciplines to IC challenges in information assurance and analysis, risk assessment, management, leadership, and technology. Housed in the College of Social and Behavioral Sciences, the IC CAE leads the discourse on national security across the campus and identifies specific needs associated with bridging seemingly disparate disciplines.

The UTPA IC CAE created and manages an interdisciplinary Global Securities Studies and Leadership Program (GSSL) that involves significant outreach activities to expand the potential workforce pipeline and educate the general community about national security. Like the other MSI-based Centers of Excellence, the UTPA GSSL program includes significant outreach efforts to attract individuals to the pipeline for security professionals. However, unlike many of the centers, the GSSL program introduced new courses,
new degree programs and a certificate program in Global Security Studies and Analysis to the UTPA curriculum. The GSSL programs also differ from programs offered by NSA Centers of Academic Excellence in Cyber Operations that tend to be deeply technical in a substantial number of topics. As of 2008, the GSSL program coordinates an undergraduate minor, a graduate certificate and a Master's degree in Interdisciplinary Studies (MAIS). With the exception of the new courses, the program design consists almost entirely of existing UTPA courses, taught by current faculty in established departments. Its near-universal reach across the university curriculum is ambitious because it articulates skill and knowledge sets that reside in many of UTPA's departments.

This paper discusses the challenges of delivering a Computer Science course in Cyber Security and Forensics as a part of the technical competency course sequence for the GSSL MAIS. The original course is designed as a master's-level course in computer science that addresses theory, policy, and application. This course is modified to provide a computer science perspective on theory, policy and application to simultaneously meet the needs of a diverse multidisciplinary audience in three graduate programs: Computer Science, Information Technology, and Global Security Studies.

II. THE GLOBAL SECURITY STUDIES PROGRAM

A. Overview of Master's of Interdisciplinary Studies (MAIS)

The MAIS degree prepares students for careers in Intelligence and National Security through focus on advanced research, effective cross-discipline team communication, and critical analysis. Given that jobs in government or private industry often require multidisciplinary cooperation, the GSSL MAIS prepares students to work with people from different backgrounds, abilities, and knowledge bases.
This approach assures that students have the opportunity to gain the perspective of and proficiency in multiple disciplines, preparing them for careers in national security.

The Intelligence Community has defined and organized 5 Primary Critical Skill Sets/Competencies based on categories of security employment that people will specialize in: 1) Information Technology Specialists, 2) Political/Economic Specialists, 3) Language Specialists, 4) Threat Specialists, and 5) Scientific/Technical Specialists. The GSSL programs engage students and faculty in each of these five Primary Critical Skill Sets. In addition to the primary skill sets, a number of IC defined Specific General Competencies for Intelligence Professionals areas are addressed in the program including analysis, analytical reasoning, critical thinking, communications (oral and written), research, developing rational conclusions and deriving alternative solutions from ambiguity and limited data sets.

B. MAIS Curriculum

The GSSL MAIS consists of 36 semester hours of study, including a 12 hour core sequence, a 15 hour concentration in interdisciplinary studies and a 9 hour technical competency sequence. Through the core sequence the students learn how skill sets relate to the global context of intelligence and security work. The core courses address the competency skill areas including advanced research, problem solving, critical thinking, technical writing, and leadership. The core courses consist of Global Security, Open Source Research, Interdisciplinary Research and Analysis, and a practicum in Global Studies Security Studies.

The interdisciplinary course sequence addresses critical competencies required to understand the globalization of communication, societies, cultures, governments, businesses, and technology. The required courses include Culture and Communication, International Management, Cross Cultural Psychology, Statistics and a graduate level elective.
The technology competency sequence provides students with the essentials of information technology and computer systems with a focus in information security. The course sequence consists of Information Security, Principles of Information Technology Systems, and Cyber Security and Forensics [3, 4]. The first course in the technology series is offered by the faculty in the Department of Computer Information Systems located in the College of Business. The second two courses are taught by faculty in the Department of Computer Science in the College of Engineering and Computer Science. All three of these courses existed in their respective departments with intended audiences other than the participants in the GSSL program prior to their identification as the technical competency sequence.

III. CYBER SECURITY AND FORENSICS COURSE

Using a variety of learning resources, the Cyber Security and Forensics course addresses a broad set of topics in cyber security and cyber forensics. The goal is to assure that students gain an understanding of the breadth and depth of what cyber security and cyber forensics mean in abstract terms and in the context of real systems. Through reading, lecture, discussion, and thought experiments students learn about the underlying formalisms and technologies that address challenges and potential threats to confidentiality, integrity, and availability. Students learn aspects of cybercrime and ways in which to uncover, protect, exploit, and document digital evidence. Students are exposed to different types of tools, techniques, and procedures, as well as policy and legal issues.

The use of a hands-on laboratory component reinforces formalisms and technologies introduced in lecture and discussion. Augmenting lecture and discussion based thought experiments, the labs support understanding through direct experience in applying knowledge in new situations [6,7,8].
Students develop skills in the reduction of theory to practice and abstraction of practice to theory. A Blackboard instance of the course is used to manage learning resources, support communication, and the sharing of knowledge and perspectives on the discipline. Rather than assigning a textbook, the course uses a set of scholarly and technical works from academic, industrial, and government sources. Students have access to a variety of open source tools, commercial hardware and software products and a laboratory in which they are free to experiment.

A. Learning Objectives

Upon completion of the course, students are expected to (1) understand the basic theory and concepts of cyber security and privacy including policies, models, and mechanisms; (2) understand ethics, legal issues, and human factors associated with cyber security and forensics; (3) understand security vulnerabilities and be able to describe threats and risks; (4) be able to explain best practices in giving access to systems and networks and implement proper authentication techniques; (5) be familiar with cryptographic techniques, asymmetric key algorithms, and create certificates; (6) describe the requirements for a cyber forensic investigation and demonstrate an understanding of tools, techniques and procedures; and (7) be conversant in current security related issues in the fields of cyber security and cyber forensics.

B. Course Topics

The course begins with an overview of the security problem followed by an introduction of fundamental tools and techniques for addressing security. After providing a broad introduction to security, the course focus shifts to forensics. Course topics include:

- Confidentiality, integrity and access policies (policy and metapolicy)
- Information flow and content (encoding and entropy)
- Cryptography and ciphers
- Network security
- Malicious logic, vulnerability analysis
- Strategic planning for security
- Law and legal issues
- Volatile and persistent data
- First responder activities
- Hacking: ethical and not

The discussion on strategic planning for security includes a presentation of requirements to create a security organization. This discussion, intentionally placed two thirds of the way through the semester, presents a scaffolding that provides a real-world context and supports the creation of connections between security topics. This discussion illustrates the real world application of all that has been covered to date and creates an opportunity to shift the course focus from security to forensics.

C. Laboratory Component

The laboratory component of the course gives students practical experience with the concepts introduced in lecture and discussion. Each lab is designed so that students gain experience working with real world tools and real world problems. A broad array of commercial hardware and software, and open source tools are provided to develop solutions for problem based challenges involving confidentiality, integrity, access, and trust. Students identify and disable network attacks. They find hidden information, and they conduct forensic investigations using a systematic approach to evidence identification, preservation, analysis, documentation, and presentation following acceptable legal procedures and laws of evidence.

Lab exercises are completed by interdisciplinary teams to encourage transfer of understanding and perspective across the spectrum of divergent bodies of knowledge held by course students and to address varying levels of comfort and skill in using technology. Lab exercises are designed to be completed in real world settings on either personal computers or in the Computer Sciences Advanced Studies Lab. While connected to the campus network for internet access, the Advanced Studies Lab is reconfigurable as need be for this course and the networking courses that share the facilities.
Lab exercises assigned during the course include:

- Controlling access to files and folders with special access to network shared folders in Windows and Unix/Linux environments
- Mining cache, cookies, and history for traces of activity and hidden value
- Mining programs and files: Registry tracks
- Network security: Identifying and disabling network attacks with Security Onion, Sguil, Squert, and Snorby
- Securing networks with software and hardware firewalls
- Public faces: Social media and the flow of information
- Imaging and analyzing storage devices with EnCase
- Imaging and analyzing storage devices and capturing volatile data with open source tools
- Steganography

Two additional lab exercises are available for students that are interested in testing their programming abilities. The first exercise involves creating a covert channel to pass one bit of data. The second exercise involves implementing a robust queue. They are given Bishop and Elliott's 2011 paper on robust programming as a resource for this exercise.

D. Assessment Techniques Used

Formative and summative evaluations are given to both make adjustments to content delivery and to assess student learning. Students are given weekly assignments that include a set of readings and at minimum one deliverable. Deliverables vary by week, but in general consist of one or more of the following: 1) short responses to issue specific questions used to measure understanding of the lecture and reading assignments, 2) lab results along with self-assessment of success, and suggestions on improving the lab, 3) short essays on how a reading relates to past, current, or future experiences in global information security, 4) contribution to a course glossary by adding terms and definitions to build a broad and common lexicon for security, 5) identification of a resource and explanation of its value, 6) a reaction paper on a particular
assigned reading.

Every class begins with a background knowledge probe to assess student familiarity with terms and concepts. Thought exercises introduced during lectures provide a means to gather input on how well students comprehend the content of discussion and lecture. These experiments require higher order thinking: analysis, synthesis, and evaluation, providing the instructor with information about students' learning and a self-assessment tool for students. All laboratory exercises include a request for feedback on the activity and most include a required opinion either on the tools, process, or the lab's value-add to the learning experience. A relatively casual atmosphere in lab leads to conversation and additional opportunities to gather feedback about content delivery and student learning.

Two larger learning exercises serve as exams. The first exercise serves as a midterm. Students are given three questions: two questions that require students to research specific security models not previously presented in lecture and discuss their application. A third question serves as a thought exercise requiring critical thinking and synthesis. The second large exercise serves as a final. Students choose one of two challenges. In the first challenge students must build a forensic tool kit from existing open source resources and write a comprehensive user's guide on when, why and how to use each tool in acquisition, analysis and presentation during a forensic investigation. In challenge two, students read Cliff Stoll's book The Cuckoo's Egg and write a 7 to 10 page response to one of three prompts. Each of the prompts requires analysis, synthesis, critical and creative thinking.

IV. DISCUSSION

Computers, the Internet, , wireless technology toys, and social networks are pervasive and a ubiquitous part of everyday life.
The growth in digital details that are created, captured, and stored in more places than most people realize is exponential, as is the growth rate of crimes in which cyber technology is the instrument of, the target of, or by its nature, the location where evidence is stored or recorded. The number of security breaches and threats to personal, organizational, and national safety and the increasing costs of security breaches have created a focus on cyber security [10,11,12] and a demand for qualified security professionals in both the private and the public sector [2,3]. Academic institutions respond by offering new undergraduate and graduate courses in cyber security and forensics.

A. Background

The course that was chosen for the GSSL MAIS technology sequence to address cybersecurity was originally designed for graduate students in a computer science master's program. Students were expected to be familiar with networks, operating systems, data structures, programming languages, software application programming and hardware. The course takes a breadth first approach to introducing the fundamentals of computer security and forensics. Balancing lecture content with hands-on laboratory exercises, students have the opportunity to experience theoretical concepts and their implementation. Reflective learning exercises are designed to empower students to link prior knowledge with new knowledge and develop a deep understanding of the complexity of cyber security and forensics theory and practice.

B. Challenges

It is a challenging task to offer this graduate level Computer Science Security and Forensics course to graduate students in programs outside of computer science. Traditionally at UTPA, the course is an elective in the Master's of Computer Science and the Master's of Science in Information Technology (MSIT) programs. The course is taken after students have completed an advanced networking course.
However, with the inclusion of this course in the GSSL MAIS, the demographic profile of students taking the course changes radically. Less than 3% of the students have undergraduate degrees in computer science and are pursuing a Master's degree in Computer Science. The remaining 97% of the students' program affiliations are split between the MSIT and the MAIS. Of this group, only 8% have formal undergraduate training in information technology. The new demographic includes students who have undergraduate degrees in accounting, computer science, criminal justice, early childhood education, economics, graphic design, information technology, political science, psychology, and sociology. The majority of MAIS students move directly from their undergraduate education to the graduate program. The majority of MSIT students are currently working as professionals in information technology and have extensive experience in either networking or management information technology systems. On occasion the class includes a Chief Security Officer from a banking institution or local government agency. A prerequisite course, Principles of Information Technology Systems, provides leveling preparation for the concepts introduced in the class. However, 40% of the class has either not taken the leveling course or is completing it concurrently.

Recognizing that the essential body of knowledge for the domains of security and forensics is broadly distributed and includes deep subdomains, the first challenge is to modify the course. A set of topics is defined using the IC CAE documents, the five Primary Critical Skill Sets, and the UTPA GSSL program goals and curriculum. An approach to the topics is developed that recognizes that security issues do not rest solely in the domains of Computer Science and Information Technology.

Competency in mathematics presents a second challenge.
Given the nontechnical nature of most students' backgrounds, competency in mathematics clusters at the level of college algebra. This means that when using theoretical constructs to introduce security concepts such as confidentiality, integrity, and information theory, additional techniques must be implemented to facilitate the learning or building up of the formal concepts. Metaphors provide excellent support in understanding concept proofs. For example, a love triangle is useful in explaining a trusted relationship. A coin is used to demonstrate encoding. Translating the concepts into examples
from everyday life allows students to transfer existing knowledge.

The diversity in students' program of study demands the establishment of a common vocabulary in security and forensics to support effective communication and to facilitate sharing of perspectives and knowledge across the disciplines. To address this third challenge, students use a forum to provide profiles, including their backgrounds and expertise. They create a wiki, submitting terms and definitions, to build a common lexicon. A second wiki serves as a repository for student-contributed resource materials. These wikis create a framework for growing the Essential Body of Knowledge (EBT) and support peer-to-peer learning where knowledge is transferred and created in a learning community. The diversity of academic training, perspectives and experience means that students are exposed to the breadth of knowledge that professionals should know to be conversant in the field. Students, at minimum, know the key concepts and terms to perform their work functions in security and they gain, at least, a basic familiarity with all of the key terms and concepts in the EBT.

Thought exercises are used throughout the lectures to provide an opportunity for students to think independently, discuss their thoughts in pairs, and share their ideas with the class. This think-pair-share approach also serves as the basis for work outside of class. Students reflect on concepts and present their thoughts on forums or in the form of short essays. These reflections serve as the basis for conversation and the opportunity to elaborate on ideas. This approach increases personal communication that is necessary to process, organize and retain ideas. The approach takes advantage of the students' diverse knowledge base to expand individual perspectives on security and forensics topics.

There is also a great diversity among the students' skill levels in the use and the understanding of computing environments.
Labs, originally designed to expose students to the concepts introduced in lecture and discussion, are found to be too complex. The labs are modified so that students with minimal background in computing are able to complete the exercises and gain conceptual insight. In addition, early in the semester students are intentionally directed into interdisciplinary teams. Each team has at least one individual with a strong background in information technology or networking. The multi-disciplinary nature of the lab teams is leveraged to assure exposure to alternative viewpoints and process design. Due to the lack of programming skills among students in the course, two additional labs are available for deeper investigation by those individuals that are interested: (1) programming a covert channel and (2) programming a nonrobust queue.

Other challenges include faculty competency across the breadth of the course topics. Fortunately, there is strong interest and investment in information security at the institutional level. Taking advantage of the human capital resources in Privacy and Security and in the UTPA Division of Information Technology, subdomain experts in network security and forensic investigation provide lectures and lab instruction and guidance. The University's Chief Security Officer, along with recognized security experts from the health industry and intelligence community, discuss strategic planning for security.

C. Observations and Course Outcomes

As a collective, the mix of learning activities complements the course learning objectives. Aside from the lectures, classroom and lab based activities are modified to reinforce collaborative learning. The intent in building a common lexicon and resource base is to allow students to discover the breadth and depth of issues related to cyber security and forensics. They have the opportunity to both review and build on each other's work.
It is evident in the questions and comments in the forums and the contributions to the wikis that students are expanding their knowledge base.

Periodically in lecture, thought exercises are used to gain a feeling for student understanding. These typically involve a specific problem to solve that requires the application of a new concept. Using the think-pair-share approach allows the students in the different programs another opportunity to learn how individuals with different backgrounds might approach the same problem. Essays on readings often contain not only reflections on course content, but also reflections on classroom think-pair-share and lab discussions. In addition, student essays on content and its projection on their lives often include commentary on how their views or knowledge have changed.

Labs that proved too difficult to complete without a prerequisite computer science background are reworked such that they are too difficult for one person to complete working alone, but are easily completed when individuals work in teams. The casual lab environment and multidisciplinary teams expose students to different approaches to solve problems and they are encouraged to investigate, compare and evaluate multiple approaches. On many occasions student teams define competitions for themselves to develop the most efficient or effective solutions or processes. Students often stay well past the end of the lab to do self-initiated benchmarking or complete peer reviews.

There are a number of times throughout the semester that discussions lead to one or more members of the class taking responsibility for peer teaching. For example, a student who served as a data analyst in a combat zone shared his direct experiences with encryption and ciphers.
On another occasion, one GSSL student who serves as the Chief Security Officer for a bank explained security policies and processes for internet transactions, a second student in the MSIT program explained a possible underlying implementation, and a third student from Computer Science provided an alternative approach. And on yet another occasion a GSSL and an MSIT student worked outside of class to implement and subsequently demonstrate to the class a virus that would bypass the firewalls set up during a lab exercise.

The students in the MAIS program tend to be very high verbal, while the students in the MSIT and MSCS programs tend to be computationally stronger. It is apparent from essays, presentations and final challenge submissions that the writing and course discussions throughout the semester help to improve students' verbal and written communication skills as
well as their awareness. While this is evidenced as the course progresses, this improvement is most apparent in the choices made for the final learning challenge. Even though the class is fairly evenly split between GSSL and technology based graduate students and the MSIT and MSCS students are focused on the forensics toolkit project, in the end, the majority of the students choose to complete the challenge in which they read a book and respond to a prompt. In all of the responses, students thoroughly address the technological issues discussed in the book as well as provide critical analysis of the strengths and failings of the human systems.

Finally, based on the responses collected from the university's standard Student Evaluation of Teaching Form, students not only appreciate the opportunity to take on responsibility for their own learning, but are more fully engaged when presented with the challenge. The opportunity for collaborative learning empowers students to learn. The exposure to multiple perspectives on the same concepts through active and meaningful interaction is received well. They indicate an appreciation of the exposure to a wide range of experts from the field and the juxtaposition of policy and implementation in theory and practice. Students indicate that they feel the information learned in the class is important, the mix of activities is beneficial to learning and the overall quality of the course is very good to excellent.

V. CONCLUSION

This paper describes a Computer Science course in Cyber Security and Cyber Forensics offered at UTPA. The challenges of offering this course to a multidisciplinary audience lead to changes that leverage the diverse student knowledge base. During the course students learn, practice and gain understanding of concepts and develop the technical and leadership skills required of cyber security professionals. Hands-on lab exercises facilitate understanding of difficult concepts and procedures.
Using both commercial and open source tools provides a rich environment. Using interdisciplinary teams facilitates the exchange of knowledge and understanding. Students see how complex the issues in cyber security and forensics are. Students gain an appreciation for the true multidisciplinary nature of the field.

ACKNOWLEDGMENT

I would like to recognize Jennifer Garcia Avila for guiding us through EnCase, Ramon Herrera for providing expertise in network security, Joe Voje for providing a strategic view for security, Dr. John Abraham for access to resource materials, Jeremy Miller for implementing many of the hands-on labs and the UTPA IC CAE for coordinating the 2012 Cyber Security Symposium.

REFERENCES

[1] Sitnikova, Elena and Ray Hunt. Engaging students through reflective practice assessment within a software security lifecycle. June. Proceedings of the 16th Colloquium for Information Systems Security Education, Lake Buena Vista, FL.
[2] Bush, George. Forward to The National Strategy to Secure Cyberspace.
[3] Office of the Director of National Intelligence. United States of America. United States Intelligence Community Centers of Academic Excellence (IC CAE) in National Security Studies, Guidance and Procedures, Program Plan for Fiscal Years. April.
[4] UTPA IGKNU GSSL website: igknu_home/igknu_gssl/gssl_grad_deg. Accessed: 20 December.
[5] Young, William D. Developing a blended computer security course. June. Proceedings of the 16th Colloquium for Information Systems Security Education. Lake Buena Vista, FL.
[6] Chi, Hongmei, Edward L. Jones, Christy Chatmon and Deidre Evans. Design and implementation of digital forensics labs. November. Proceedings of the 12 IASTED International Conference on Computers and Advanced Technology in Education. St. Thomas, US Virgin Islands. CATE.pdf Accessed: 22 December.
[7] Eckert, Ben. Real-world security lab environment. June. Proceedings of the 16th Colloquium for Information Systems Security Education. Lake Buena Vista, FL.
[8] Fulton, Steven and Dino Schweitzer. A concept focused security lab environment. June. Proceedings of the 15th Colloquium for Information Systems Security Education. Fairborn, Ohio.
[9] Bishop, Matt and Chip Elliott. Robust Programming by Example. June. Proceedings of the 7th World Conference on Information Security Education. Lucerne, Switzerland.
[10] Mercuri, R. Analyzing security costs. Communications of the ACM. Vol. 46, no. 6.
[11] Information security & data breach report, June 2012 update, June. Navigant. https://www.privacyassociation.org/media/pdf/knowledge_center/2012_InfoSec_Data_Breach_Report_Navigant.pdf Accessed: July.
[12] Armerding, Taylor. The 15 Worst data security breaches of the 21st century. CSO Security and Risk, February. Accessed: February 2012.
[13] Rigby, Steven. Teaching cybersecurity at the seams. June. Proceedings of the 15th Colloquium for Information Systems Security. Fairborn, Ohio.
[14] Nance, Kara L. and Brian Hay. A breadth-first approach to computer security. 2-4 June. Proceedings of the 12th Colloquium for Information Systems Security Education. Dallas, TX.
[15] Roth-Perreault, Ellen and Brenda Oldfield. Strengthening the security workforce: a competency and functional framework for information technology security professionals. 4-7 June. Proceedings of the 11th Colloquium for Information Systems Security Education. Boston, MA.
[16] Pimm, D. (1987). Speaking mathematically: Communication in mathematics classrooms. New York. Routledge & Kegan Paul.