APPLIED INFORMATION TECHNOLOGY PROGRAM ASSESSMENT REPORT. For

Transcription

1 APPLIED INFORMATION TECHNOLOGY PROGRAM ASSESSMENT REPORT For School of Information Arts and Technologies Yale Gordon College of Liberal Arts University of Baltimore 1.0 INTRODUCTION. The goal of this report is to provide an independent assessment of the proposed Bachelor of Science degree in Applied Information Technology (AIT) to determine if the Program Mission Statement can be successfully achieved. Additionally, this report includes an independent assessment of the program s learning objectives. 2.0 EVALUATION OF APPLIED INFORMATION TECHNOLOGY PROGRAM Overall, the mission statement for this program is clear and practical; however, the program goals identified in the Program Self-Study, dated March 16, 2007, needs to address the broader Information Technology (IT) needs of government and business. Paragraph C.1 is too limited in scope, only addressing databases and web-servers. The program should prepare students to also address the technical challenges of designing and implementing IT enterprises. The lower and upper division University requirements should also include courses that introduce the student to the broad IT challenges facing the global market place and address: Technology trends Ability to understand various IT applications Assess and analyze IT requirements from an operational perspective Software development and system architecture processes It s essential the students understand these fundamentals prior to enrolling in the AIT courses. This section includes an evaluation of each of the Applied Information Technology Requirements categories, with an emphasis on Information Security. 2.1 NETWORKING These three courses (COSC 305, 307, and 401) provide a good foundation of the technologies surrounding IT network issues. For COSC 401, recommend that week 14, Introduction to Network Security, not duplicate course material from COSC 433, Network Security. There s a tendency to repeat textbook information, such as firewall or Page 1

2 Virtual Private Network (VPN) issues. The instructor may want to combine classes from weeks 10 and 14 for COSC 401. This would free one class to spend more time to address systems integration and architecture issues with networking, and improving analytical capabilities of the students. 2.2 DESIGN AND IMPLEMENTATION OF DESKTOP AND SERVER-BASED APPLICATIONS These three courses (COSC 310, 403, and 401) provide a good foundation to help students understand the design and implementation of desktop and database applications. Recommend these courses also include learning objectives to improve the understanding of system and network administration and opportunities for hands-on exercises with Microsoft products to learn how to configure desktop and server applications. 2.3 WEB DEVELOPMENT AND SECURITY These courses will form the foundation for learning about many aspects of IT Security, which should include the fundamental concepts of information security and the principles of conducting a security assessment of an IT enterprise and evaluation of current IT security products. Topics should include understanding system vulnerabilities, threats, and the identification of security solutions, use of cryptography, high assurance system design, secure database design, web security and legal issues, and the risk management process COSC Information Assurance This course will form the foundation of learning about IT security and should be a prerequisite for COSC 430 and 432. The title of the course could be misleading and recommend it be changed to Information Security and Assurance. Information Assurance is a term used by the Department of Defense (DoD) and some federal agencies, but it s not a term adopted throughout industry. For example, the financial sector, the private sector s leader in the use of IT Security products and investment, does not focus on assurance. Rather this sector focuses on risk acceptance. This course should be designed for students preparing to enter the workplace in government or the private sector. There are several textbooks available to teach a course like COSC 432, but there isn t a single textbook that can adequately address all of the required topics and learning objectives. Principles of Information Security and Security in Computing are both very good textbooks, but should be supplemented with other materials. I m more familiar with Charles Pfleeger s textbook, which has a fourth addition release. Each chapter is presented in a simple, easy to understand approach. I particularly like the chapter on Economics of Cybersecurity, which addresses real-world, applications-oriented issues. Many students, both at the undergraduate and graduate levels enter the work place unprepared to address real-world technical challenges. This course and program should help prepare them for this challenge. Page 2

3 Before specific recommendations about the course syllabus are provided, there are a couple of administrative recommendations for this course. First, not allowing students to take a make-up exam should be changed. Obviously, make-up exams should be discouraged and be accompanied with a valid reason. Second, recommend including a course project assigned to a group of students, along with the case studies to reinforce the course material. Reallocation of grading weights should be considered, such as 25% each for quizzes/homework assignments, case study/group project, and mid-term and final exams, instead of weighting the mid-term and final exams so much. Some of the students don t do well with talking exams, but may demonstrate their knowledge of the course material with class participation and written assignments. Based on the tentative schedule, it s difficult to fully understand the topics to be included in each class. List below are topics and learning objectives to be considered in each weekly class and additional resources to be used to supplement the textbook: Week 1 Introduction to Information Security and Assurance Understand what Information Security is and its implications in the global market place Comprehend the history of computer security and how it evolved into Information Security Understand the key terms and critical concepts described in the textbook selected for the course Outline the phases of the security systems development life cycle (review NIST Special Publication , Security Considerations in the Information Systems Development Life Cycle, June 2004, Understand the role Information Security professionals provide in an organization (e.g., Chief Information Security Officer) Critical characteristics of protecting information (Confidentiality, Integrity, and Availability) Useful websites (NIST and SANS Week 2 Combine the Need for Security in the first class Understand the threats posed to Information Security and the more common attack techniques associated with those threats Differentiate threats to information systems from attacks against information systems Understand the classes of threats (Interruption, Interception, and Modification) Understand where to obtain threat information Understand malicious code and the types of attacks (e.g., IP scanning, web browsing, viruses, SNMP attacks) Understand and be able to detect signs of insider threats (may want to consider incorporating week 12, Security and Personnel, into this class) Page 3

4 Week 3 Risk Management Process Understand the risk management process Understand various risk assessment methodologies. Recommend reviewing the NIST website and using a GAO report, Information Security Risk Assessment Practices of Leading Organizations, dated November 1999 (GAO/AIMD-00-33) Introduce a case study in class where students demonstrate their knowledge of the risk management process. Another good source of information is the Risk Management Principles for Electronic Banking, Basel Committee Publications No. 82, May Week 4/5 Planning for Security and Physical Security This is a broad topic that can include the development of security policy and continuity of operations/disaster recovery. Security in Computing devoted an entire chapter on this topic, which includes developing a security plan, incident response plans, and physical security. Recommend moving the topic for week 10, Physical Security, to week 5. Recommend including a case study that addresses Incident Response Planning. An excellent article to use is called Outbreak Security Special Attack, from CIO Magazine, dated June 1, 2001 (http// Week 6/7 Cryptography and Public Key Technology Recommend introducing the topic of cryptography before Firewalls, VPNs, and Intrusion Detection Systems (IDS), since many of these security products use encryption and Public Key technology. Students will be better prepared to understand the capabilities of these security products if they understand the concepts of symmetric and asymmetric key cryptography. Emphasize the importance of good/strong authentication Understand terminology (e.g., clear-text, cipher codes, algorithms, key size and key management issues) Understand methods of encryption (e.g., stream cipher, block cipher, transposition, substitution) Understand and discuss various types of algorithms (e.g., DES, AES, PGP, RSA, Kerberos) Understand Public Key technology and the use of public/private keys Recommend including a case study focusing on Public Key technology. A case study that compares and contrasts two widely used PKI providers (Entrust and Verisign) Recommended reading for students that want to learn more about cryptography is Dr. Dobb s Essential Book on Cryptography and Security Week 8 Introduce the topic of Access Control, Authentication, and Biometrics Recommend moving the topics of Firewalls, VPNs, and IDS after the mid-term Page 4

5 Understand authorization and privileges, such as the use of access control lists, the concept of least privilege and separation of duties, and access control methods Understand the three types of authentication (passwords, tokens, Biometrics) Understand the threats to passwords and the need to encrypt (e.g., spoofing, session hijacking and replay, social attacks) Understand strong forms of authentication and the concerns of DNS poisoning, masquerading, and use of one-time passwords Understand the uses of tokens (e.g., Secure ID), badges, ATM cards, and its limitations Understand Biometric methods (e.g., fingerprints, iris, hand, facial, voice) and how Biometric systems work The Biometrics Consortium is an excellent Website to visit, as well as reviewing commercial products at Week 9 Mid-Term The syllabus should clarify if this is an open or closed book exam. Week 10 Firewalls, VPNs and IDS Combine these three topics into one class. Implementation details should be taught in COSC 433 Week 11 High Assurance Standards and Solutions This topic is not currently included in the syllabus, but recommends it be added. Both the private sector and government (US and foreign) are placing more emphasis on the importance of testing, software reliability, and the use of international standards and criteria. Understand the existence of the Common Criteria and the use of its security requirements syntax Understand how to find a Protection Profile or Security Target for a specific product or category of technology, and translate security requirements and capabilities/functionality. Many commercial sectors are demanding higher assurance security products, such as Firewalls or secure DBMS products. Review the Common Criteria Evaluation and Validation Scheme (CCEVS), which can be accessed at the NIST website ( Week 12 Wireless Security Understand various authentication and encryption protocols (e.g., WEP, SSID, MAC, TTLS, PEAP, WTLS) Introduce a case study or homework assignment where students demonstrate their knowledge of a wireless application and the use of the Common Criteria. For example, the student will identify the applicable security functional classes/requirements using a wireless PDA in a hospital environment. Understand wireless threats and attack techniques (e.g., passive eavesdropping, man-in-the-middle, session high-jacking) Page 5

6 Understand wireless security mechanisms (e.g., authentication, encryption, integrity checking) Week 13 Database and Web Security Building on the concepts learned from COSC 425, understand the security requirements for databases, such as physical database security, logical database security, element integrity, auditability, access control, partitioning, and user authentication Understand security for object-oriented databases (e.g., models for mandatory access control, Clark-Wilson Integrity Interpretation) Understand Inference by Direct Attack, which is discussed in Pfleeger s textbook Understand client and server web security issues Understand security protocols, such as Secure HTTP and SSL Understand vulnerabilities, such as active content (e.g., JAVA and Active X) Understand web privacy and Cookies Week 14 Legal and Ethical Issues in Information Security Understand the implications of the First Amendment On-Line Understand US and International laws dealing with cyber security and the differences Discuss various case studies dealing with cyber censorship, cyber privacy, privacy strategies in the workplace, and computer crimes Introduce the concept of search and seizure and the use of computer forensics to help prosecute computer hackers and to protect information assets Week 15 Review/Group Presentations Group presentations should focus on one of the topics discussed during the semester and help prepare students for COSC 433 and 416 Week 16 Final Exam The syllabus should clarify if this is an open or closed book exam COSC 433 Network Security This course should expand the students knowledge of Firewalls, VPNs, and IDS introduced in COSC 432. Recommend expanding the course description to include configuring Firewalls, and the installing, maintaining, and configuring VPNs and IDS. This course should be more hands-on and spend time in a lab. The school must be able to accommodate the students with lab facilities with various commercial security products already installed. Additionally, there should be a lab administrator to assist the professor and students with achieving the course goals. Recommend adding COSC 432, Information Assurance, as a prerequisite. Page 6

7 Recommend modifying the learning objectives, to include installation and configuration of Firewalls, VPNs, and IDS. These skills will help prepare students to enter the workplace as an IT professional. Mastering Network Security is an excellent textbook, which also includes a CD to help the students understand network security products, such as Firewall-1, NT Manage, NetAlert, Guardian Firewall, Real Secure, and Internet Scanner. Case studies should be incorporated into this course using this CD, as well as the products installed in the lab. The syllabus should include a list of commercial products in the lab and the expectations of demonstrating knowledge and use of these products. Students may also be required to understand basic Unix commands to use these products. The syllabus should be expanded to include topics to be discussed each week, assignments, and the grading policy. Recommend adding this statement to the assessment strategy, item 14: Demonstrate the ability to install tools, execute and analyze the results of these tools. Other suggested textbooks include: Firewalls and Internet Security Repelling the Wily Hack, William Cheswick and Steve Bellovin, ISBN Building Internet Firewalls, Brent Chapman and Elizabeth Zwickly, ISBN COSC 416 Advanced Web Development Expand the course description to include web security topics and clearly identify the learning objectives for the course. Additionally, the descriptions of each lesson are well planned, but recommend incorporating web security topics into the lesson plan. For example, the class on February 8 th, Request/Response, should also include discussion of Secure-HTTP. Recommend continuing to build upon the learning objectives introduced in COSC 432, Week 13, and include hands-on experience with commercial tools. Additional learning objectives should include: Understand the concept of Secure web applications Become familiar with some of the commands used with the Windows and Linux operating systems and gain experience with security tools that use these operating systems Become familiar with common vulnerabilities that are leveraged by attackers and countermeasures used to protect against future attacks Be able to test existing web applications against common exploitation techniques Understand the principles of designing and developing more secure web applications Page 7

8 2.4 CAPSTONE EXPERIENCE There was minimal information in the packet of documents reviewed that addressed COSC 490, Practicum in Information Technology. I like the idea of an IT project that supports local non-profit organizations, but I would also include other organizations that benefit the community and society. Organizations such as state and local government, as well as not-for-profit organizations (e.g., Federal Funded Research and Development Centers) also support the University s mission statement. These types of organizations can also better prepare students after graduation. This type of experience should include a topic or career field the student is interested in pursuing after graduation. The topic should be approved by a faculty member, as well as the organization being supported. Recommend including information about course prerequisites and course expectations for the student and faculty advisor. Example Information Security projects include: Installing software firewalls and instructing system administrators (most likely people that donate their time and may not be familiar with computers) how to review the audit trail reports to determine if their system has been compromised Develop procedures for an organization to implement secure web applications Conduct a risk assessment of an organization s IT enterprise 3.0 CENTER OF ACADEMIC EXCELLENCE IN INFORMATION ASSURANCE EDUCATION The School of Information Arts and Technologies may want to consider becoming one of the dozens of schools in the country that already have become certified as a Center of Academic Excellence in Information Assurance. There are several schools in the Baltimore-Washington area that have been certified, such as Johns Hopkins University, Towson University, and George Mason University. In March 2005, the U.S. National Security Agency (NSA) and the Department of Homeland Security designated Nova Southeastern University (NSU) a National Center of Academic Excellence in Information Assurance Education for the academic years Official letters of notification from NSA were sent to NSU s President Ray Ferrero, Florida s Governor Jeb Bush, Florida Members of Congress, and appropriate Congressional Committees. Securing cyberspace and information infrastructures are more important now than ever before. NSA s goal in establishing centers of academic excellence is to reduce vulnerability in our national information infrastructure by promoting higher education in Information Assurance (IA) and producing more professionals with Information Security expertise in various disciplines. This designation applies to the entire university. Page 8

9 Benefits and features of the program are: Prestige: national recognition for NSU in information assurance/security NSU will be expected to serve as a regional center of expertise in IA NSU students will be eligible for scholarships and grants under two programs: - DoD Information Assurance Scholarship Program - Federal Cyber Service Scholarship for Service Program (SFS) Eligibility of NSU faculty/staff for grants and contracts from NSA and DoD At the date of NSU s designation NSA has established 55 such national centers of excellence in the U.S. Examples of other centers of excellence include: Stanford University Georgia Institute of Technology Johns Hopkins University University of Illinois University of North Carolina Carnegie Mellon University of Pennsylvania University of Virginia University of Massachusetts In order to apply, institutions must first obtain certification by NSA of their curriculum in information security. NSA s website for the Centers of Academic Excellence: RECOMMENDATIONS. Overall, the lower and upper level courses, and the Applied Information Technology courses prepare the students to enter the workplace to meet today s IT challenges. Specific recommendations were made in Section 2 of this assessment report that can improve the program. Additionally, recommend the school review the benefits and features of NSA s Center of Excellence Program for Information Assurance and determine if this program supports the school s mission statement. Page 9