DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT




ABSTRACT

Security education is critical in today's cyber threat environment. Many schools have investigated different approaches to teaching fundamental security concepts through lectures, hands-on labs, security education tools, competitions, and integrated curricula. At our institution, we have used interactive tools in and out of the classroom to teach security concepts for several years. Several of our tools present concepts in a simulated environment with a higher level of abstraction than running a real tool on an actual machine. We have also begun experimenting with embedding the tools in a set of web pages that can be used to direct the student through the concepts, suggest experiments to try, and provide additional explanation of results. These web labs are well suited to remote access and online learning environments. This paper describes the general design philosophy of such labs, gives specific examples, and discusses our experience and future plans.

INTRODUCTION

Computer security and information assurance are important topics in computer science education. Security issues and principles are identified as core topic areas for computer science education by the ACM and IEEE recommended curricula (www.acm.org/education/curricula-recommendations). The National Security Agency (NSA) and Department of Homeland Security (DHS) offer the Center of Academic Excellence (CAE) in Information Security Education designation to schools meeting stringent requirements in curricular topics, research, and institutional support (www.nsa.gov/ia/academic_outreach/nat_cae). Many new textbooks, recommended curricula, and teaching approaches have been developed to address these topics.

Conferences and workshops such as the Colloquium for Information Systems Security Education (CISSE) and the Information Security Education Curriculum Development (InfoSecCD) conference have been created to provide a forum for promoting information security education techniques at both the undergraduate and graduate levels. Different approaches to teaching security have been presented in these forums. One approach is to distribute security concepts across existing CS courses and integrate them at the point where they are most relevant [8]. The advantage of this approach is that security is seen as an integral part of all areas of computer science rather than as a separate topic in and of itself. A different approach is to create separate security courses and/or set up complete programs and concentrations in security [1,2,4,13]. Perhaps the most common approach is a hybrid of these two, in which one or two security courses focus on security concepts while fundamental security topics are distributed across existing courses such as networks, operating systems, software engineering, and databases.

Regardless of the course structure chosen for teaching security, many educators advocate a hands-on approach and integrate a laboratory component into their program [7]. This gives students instruction in the concepts of security while they gain experience with the tools and techniques of security professionals.

The Department of Computer Science at our institution has been teaching information security since 1996. Over the past 13 years, we have developed a variety of security curricula, tried numerous approaches to teaching specific concepts, developed labs for security education, created educational tools to foster student participation and understanding, and participated in various information security competitions. In 2003, our institution pursued and was recognized as a Center of Academic Excellence in Information Assurance Education.

HANDS ON TECHNIQUES

Security Laboratories

Our program emphasizes a hands-on approach to security education through labs, interactive tools, and participation in competitions. Teaching students the tools and techniques of information security raises obvious ethical challenges: students must be made aware of appropriate behavior and held accountable for their actions. We dedicate several lessons in various courses to the ethical and legal issues and responsibilities associated with security.

In addition to the ethical component, security labs face logistical challenges unlike those of other CS labs. Students are experimenting with potentially harmful malicious software that must be properly handled and isolated. At our institution, the security lab is connected to neither the school network nor the internet. This needs to be taken into consideration when developing labs. The challenges of security labs become even greater for distance learning environments, in which a centralized physical laboratory is not practical. One approach some schools have taken to deal with this issue is the use of virtual machines [3]. While virtualization software is available for free, there is a large overhead in terms of laboratory management and maintenance.

The largest problem we have faced with our security labs is the level of detailed underlying knowledge our students must have to fully utilize existing tools and understand their impact. While our students are exposed to multiple operating systems, their knowledge at the system administrator level is limited. We need to carefully construct labs that provide sufficient background for students to understand what is happening, without either overwhelming them with system-level details or simply giving them a checklist of things to do without explanation.

Interactive Classroom Visualizations

To address the lack of background knowledge while still providing a meaningful experience with security concepts, we have developed a suite of interactive tools that operate at a more abstract level [9,10,11]. These tools, known as interactive classroom visualizations, or ICVs, were originally developed for use in the classroom as active learning techniques [12]. They are short interactive tools for teaching concepts such as cipher algorithms, formal security models, public key infrastructure, and security protocols. They teach concepts at an abstract level and do not require students to understand underlying system details in order to interact with and learn the concepts. These tools were developed specifically for instructor demonstration followed by student interaction as a classroom activity. They were not intended to be used in a standalone mode without additional instructional material. While this was adequate for the primary purpose of this approach, it does not allow the flexibility necessary for applications such as independent student exploration or distance learning.

WEB LABS

Concept

Extending the goals of the interactive classroom visualizations, our aim in developing security web labs is to demonstrate complex security concepts in an easily accessible way while requiring minimal prior preparation, lab support, or background knowledge. We accomplish this by focusing on higher levels of abstraction and providing sufficient informational context to make each lab largely standalone for the intended audience.

Design

Our web labs are designed to meet the following stated goals:
- combine a higher level of abstraction with sufficient explanatory context,
- provide sufficient background information to ensure each lab is standalone, and
- ensure the labs are interactive and experimental.

We rely heavily on visualization components to achieve higher levels of concept abstraction. For example, when presenting relative password strengths, one approach is to present numerically or mathematically the size of the search space or the amount of potential entropy. Our approach instead uses visualization to graphically relate the size of the search space for passwords of different lengths or drawn from larger character sets (e.g. with numbers and special characters included). In addition to the visual demonstration of the concept, sufficient explanatory text is always included to fully describe the concept.

Our audience ranges from college-aged, non-computer-science freshmen to senior-level computer science and computer engineering majors. Keeping the audience in mind, we target the depth and amount of background information to ensure each lab can be a standalone experience. An example of this can be seen in our buffer overflow web labs. We begin the lab with a discussion of the Von Neumann architecture and the concept of instructions and data sharing memory space. This background is essential to ensure every audience has sufficient foundation to understand the concept being introduced.

A key to creating compelling web labs is to make them interactive and experimental in nature.
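The background point of the buffer overflow lab, that instructions, data and control information share one memory, can be shown with an abstract model of a stack frame rather than a real machine, which is the level of abstraction the paper advocates. The following is an added example written for this page, not code from the paper's web lab: the frame layout, buffer size, canary value and return address are all constructed for the model, and the canary check stands in for the kind of mitigation a lab might ask students to switch on and compare.

```python
"""Abstract stack-frame model for a buffer overflow lab.

Added teaching example, not the paper's web lab code. Everything here is a
constructed model: one bytearray holds a local buffer, an optional canary and
the saved return address side by side, so an unchecked copy into the buffer
can reach the control data next to it. Sizes, the canary and the address are
made-up values, not any real ABI.
"""
from dataclasses import dataclass

BUF_SIZE = 8                     # bytes reserved for the local buffer
CANARY = b"\xaa\x55\xaa\x55"     # constructed canary value
RET_ADDR = b"\x00\x40\x10\x00"   # constructed "return to caller" address
ADDR_SIZE = len(RET_ADDR)


@dataclass
class Frame:
    """One activation record laid out as [buffer | canary? | return addr]."""
    mem: bytearray
    use_canary: bool

    @classmethod
    def new(cls, use_canary: bool) -> "Frame":
        layout = bytearray(BUF_SIZE)
        if use_canary:
            layout += CANARY
        layout += RET_ADDR
        return cls(layout, use_canary)

    def canary(self) -> bytes:
        return bytes(self.mem[BUF_SIZE:BUF_SIZE + len(CANARY)])

    def return_address(self) -> bytes:
        return bytes(self.mem[-ADDR_SIZE:])


def unchecked_copy(frame: Frame, data: bytes) -> None:
    """strcpy-style copy: bytes land at the buffer start with no bound check,
    so input longer than BUF_SIZE keeps writing into whatever follows.
    The model stops at the frame's edge; a real machine would keep going."""
    n = min(len(data), len(frame.mem))
    frame.mem[0:n] = data[:n]


def bounded_copy(frame: Frame, data: bytes) -> None:
    """strncpy-style copy: at most BUF_SIZE bytes ever reach the buffer."""
    frame.mem[0:BUF_SIZE] = data[:BUF_SIZE].ljust(BUF_SIZE, b"\x00")


def function_return(frame: Frame) -> bytes:
    """The epilogue: verify the canary if one is in use, then hand back the
    address that control would transfer to."""
    if frame.use_canary and frame.canary() != CANARY:
        raise RuntimeError("stack smashing detected")
    return frame.return_address()


def experiment(data: bytes, bounded: bool, use_canary: bool) -> str:
    """Run one lab experiment and classify what happened at return time:
    'intact' (returns to the caller), 'corrupted' (return address overwritten
    and nothing noticed) or 'detected' (the canary check caught the overwrite)."""
    frame = Frame.new(use_canary)
    (bounded_copy if bounded else unchecked_copy)(frame, data)
    try:
        address = function_return(frame)
    except RuntimeError:
        return "detected"
    return "intact" if address == RET_ADDR else "corrupted"


if __name__ == "__main__":
    # The lab's "try it" grid: two inputs, both copy styles, canary on and off.
    for label, data in (("5-byte input", b"hello"), ("16-byte input", b"A" * 16)):
        for bounded in (False, True):
            for canary in (False, True):
                print(f"{label:14} bounded={bounded!s:5} canary={canary!s:5} -> "
                      f"{experiment(data, bounded, canary)}")
```

Reading the grid from the main block is the experiment the lab would pose: the 16-byte input changes the return address only when the copy is unchecked, and the canary turns that silent corruption into a detected failure, while the bounded copy never reaches past the buffer in the first place.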
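An added example of the interactive-and-experimental style described above, written in Python for this page rather than taken from the paper's applets, and not the authors' code: shift and Vigenère encryption together with the classical frequency-analysis attack that a cipher lab's experiments walk students through. The sample plaintext is the opening of the paper's own abstract; the shift of 7, the key "LAB" and the assumption that the key length (3) is already known are constructed inputs for the experiment.

```python
"""Shift and Vigenere ciphers with the classical frequency-analysis attack.

Added teaching example in the spirit of the paper's cipher web labs; it is
not the authors' applet code. SAMPLE is the opening of the paper's abstract;
the shift, the key "LAB" and the known key length 3 are constructed inputs.
"""
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of A..Z in English prose.
ENGLISH_FREQ = [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07,
]

SAMPLE = (
    "Security education is critical in today's cyber threat environment. "
    "Many schools have investigated different approaches to teaching "
    "fundamental security concepts through lectures, hands on labs, security "
    "education tools, competitions, and integrated curricula. At our "
    "institution, we have used interactive tools in and out of the classroom "
    "to teach security concepts for several years. Several of our tools "
    "present concepts in a simulated environment with a higher level of "
    "abstraction than running a real tool on an actual machine."
)


def clean(text: str) -> str:
    """Keep only letters, upper-cased: the classical ciphers act on A..Z."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Caesar/shift cipher; a negative shift decrypts."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26]
                   for c in clean(plaintext))


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Vigenere: letter i is shifted by key letter i mod len(key)."""
    key = clean(key)
    return "".join(ALPHABET[(ALPHABET.index(c) + ALPHABET.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(clean(plaintext)))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Inverse of vigenere_encrypt: subtract the same key shifts."""
    key = clean(key)
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(clean(ciphertext)))


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English; lower is more
    English-like. Empty text can match nothing, so it scores infinitely bad."""
    n = len(text)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, pct in zip(ALPHABET, ENGLISH_FREQ):
        expected = n * pct / 100
        score += (text.count(letter) - expected) ** 2 / expected
    return score


def recover_shift(ciphertext: str) -> int:
    """Frequency analysis: undo each of the 26 possible shifts and keep the
    one whose result looks most like English."""
    return min(range(26), key=lambda s: chi_squared(shift_encrypt(ciphertext, -s)))


def recover_vigenere_key(ciphertext: str, key_length: int) -> str:
    """With the key length known (the lab would have the student find it
    first), every key_length-th letter was enciphered with the same shift, so
    each column is just a shift cipher and falls to the attack above."""
    columns = (ciphertext[i::key_length] for i in range(key_length))
    return "".join(ALPHABET[recover_shift(col)] for col in columns)


if __name__ == "__main__":
    ct = shift_encrypt(SAMPLE, 7)
    print("shift cipher text :", ct[:40], "...")
    print("shift recovered   :", recover_shift(ct))
    vt = vigenere_encrypt(SAMPLE, "LAB")
    print("vigenere text     :", vt[:40], "...")
    print("key recovered     :", recover_vigenere_key(vt, 3))
```

The two attacks are the historical progression the lab follows: the shift cipher falls to letter frequencies alone, and the Vigenère cipher, which defeats that attack on the whole text, falls to the same attack once the text is split into the columns that share a key letter.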
Our suite of cryptographic web labs accomplishes this by letting the student interactively enter information, choose an encryption key and method, and watch the cipher text being created on the fly. This is further enhanced by guiding them through a set of experiments that interactively demonstrate different attack techniques for each encryption method. In the end, the concepts are built up from a set of foundational information, through several different encryption methods, accompanied by multiple historical cryptographic attacks based on the relative strengths and weaknesses of each method. We find that designing web labs with the above goals in mind increases students' ability to complete them, increases their interest and enjoyment while working through complex topics, and increases their ability to understand and eventually apply the knowledge they have gained.

Using Web Labs

There are a number of ways to integrate web labs into a course or workshop. As mentioned earlier, we use them in a number of contexts. Here is a short list of possible ways they can be used, followed by a discussion of a few of the many ways we have employed them. Web labs can be used:
- pre-lecture, to motivate or reinforce the concepts included in a preparatory reading,

- as a separate lab experience, to demonstrate or reinforce concepts presented in a lecture,
- for distance learning, since the web labs can be accessed either online or offline,
- in class, as a learning-focused exercise to work through difficult concepts with concrete examples, and
- in small groups, where the exercises can initiate discussion and problem solving among a few students to enable collaborative learning.

We employ web labs in many ways, ranging from guided workshops at the high school level through senior college-level computer science classes. In many cases we even use the same web lab in these very different settings. We accomplish this by creating unique sets of questions and experiments targeted at the audience being taught. The web lab itself is focused on presenting, explaining, and demonstrating concepts. The targeted set of questions and experiments builds on the conceptual material in the web lab to engage each set of students at the correct level of depth and difficulty.

A few examples may best illustrate how the use of web labs can be tailored in these ways. Our most versatile and widely used web lab to date is the suite of cryptography tools. We use these in a summer scientific seminar to guide high school seniors through the history and application of cryptography. We are careful to guide them through each cipher, its techniques, applications, and eventual attack and defeat in a historical context, similar to the story of cryptography told in Simon Singh's excellent work The Code Book [13]. The experiments and exercises are presented and worked through with close instructor guidance by the entire class or in small groups of students. The material is presented at a much slower pace and with less depth to ensure the group stays focused and engaged. Contrast this with our use of the same cryptography web labs in our introduction to computing course, consisting mainly of college freshmen.
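The SQL injection web lab described below is used in both the information warfare and database courses. As an added example written for this page (not the paper's lab code), the following Python shows the experiment such a lab would have students run: the same lookup written once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite table, so the effect of a quote character in the input can be compared directly between the two forms.

```python
"""SQL injection shown as a lab experiment: one lookup written two ways.

Added teaching example, not the paper's web lab code. The users table and its
two rows are constructed sample data; the tautology input is the textbook
illustration of how a quote in user input changes the meaning of a query.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users with roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "student"), ("bob", "instructor")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Vulnerable form: the input is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Hardened form: the driver binds the value to the placeholder; whatever
    the input contains is compared as data and never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def experiment(name: str) -> dict[str, int]:
    """Run one lab experiment: how many rows does each form return for the
    same input? A fresh database is built each time so runs are independent."""
    conn = build_db()
    try:
        return {"concatenated": len(lookup_concatenated(conn, name)),
                "parameterized": len(lookup_parameterized(conn, name))}
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a real user, an unknown user, and the classic
    # tautology that turns the WHERE clause into one that matches every row.
    for user_input in ("alice", "mallory", "' OR '1'='1"):
        print(f"{user_input!r:16} -> {experiment(user_input)}")
```

The point students take from the three runs is that both forms agree on ordinary names and disagree only when the input contains SQL syntax: the concatenated query returns every row for the tautology, while the parameterized query returns none because no user is literally named that.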
We cover the same material in a 50 minute class lecture that was presented in a roughly 3 hour workshop to the high school students. For the college freshmen we introduce the complexity required to break each cipher and begin to discuss the mathematical nature of the encryption. Lastly, we apply this same web lab in our college senior-level cryptography course taken by computer science and systems engineering majors. In this context we assign the web lab as a pre-lecture exercise to review background material and set the stage for a much more rigorous in-class lecture on the mathematical details and analysis of a variety of historically significant ciphers.

The other web labs developed to date have proven equally versatile. The SQL injection lab is equally applicable in our information warfare course and our database course when accompanied by appropriately tailored questions and experiments. The buffer overflow web lab can be introduced in an operating systems class to demonstrate the concepts of stack frames and shared memory. Later in the curriculum, we use the buffer overflow web lab more fully in our information warfare course to demonstrate the core concepts of this exploit.

OUR EXPERIENCE

One of the motivations for creating security web labs was to provide a hands-on laboratory experience without requiring the background knowledge needed to run an actual tool in an actual environment. In addition, we wanted students to have sufficient explanation and direction to be able to complete the labs without instructor interaction or extensive reference material. Our initial experience is that the labs satisfy these requirements. Students are able to complete the labs in a timely fashion without requiring additional assistance. Students rate the labs as enjoyable and less frustrating than working through the details associated with actual security tools. We have not attempted to quantify the educational impact of the labs, as we have a small sample size of students and a formalized analysis with control groups is not practical. However, student reaction suggests the labs are an enjoyable and motivational part of the course.

Currently, the following web labs have been completed:
- cipher algorithms,
- SQL injection,
- database inference,
- password strength and cracking, and
- buffer overflow.

Our existing interactive classroom visualizations in formal models, security protocols, and public key infrastructure are being converted from standalone applications to the web lab format. Additional web labs are being developed in the areas of firewalls, access control, and denial of service. The tools will be hosted on a publicly accessible web site for general use. Further information can be obtained by contacting the authors.

BIBLIOGRAPHY

[1] Azadegan, S., Lavine, M., O'Leary, M., Wijesinha, A., and Zimand, M. 2003. An undergraduate track in computer security. In Proceedings of the 8th Annual Conference on Innovation and Technology in Computer Science Education (Thessaloniki, Greece, June 30-July 02, 2003). D. Finkel, Ed. ITiCSE '03. ACM Press, New York, NY, 207-210.

[2] Bacon, T. and Tikekar, R. 2003. Experiences with developing a computer security information assurance curriculum. J. Comput. Small Coll. 18, 4 (Apr. 2003), 254-267.

[3] Bullers, W. I., Burd, S., and Seazzu, A. F. 2006. Virtual machines: an idea whose time has returned: application to network, security, and database courses. In Proceedings of the 37th SIGCSE Technical Symposium on Computer Science Education (Houston, Texas, USA, March 03-05, 2006). SIGCSE '06.

[4] Crowley, E. 2003. Information system security curricula development. In Proceedings of the 4th Conference on Information Technology Curriculum (Lafayette, Indiana, USA, October 16-18, 2003). CITC4 '03. ACM Press, New York, NY, 249-255.

[5] Ebeling, D. and Santos, R. 2007. Public Key Infrastructure Visualization. J. Comput. Small Coll. (October 2007).
[6] Ma, K. 2006. Cyber security through visualization. In Proceedings of the 2006 Asia Pacific Symposium on Information Visualisation, Volume 60 (Tokyo, Japan). K. Misue, K. Sugiyama, and J. Tanaka, Eds. ACM International Conference Proceeding Series, vol. 164. Australian Computer Society, Darlinghurst, Australia, 3-7.

[7] Mattord, H. J. and Whitman, M. E. 2004. Planning, building and operating the information security and assurance laboratory. In Proceedings of the 1st Annual Conference on Information Security Curriculum Development (Kennesaw, Georgia, October 08-08, 2004). InfoSecCD '04. ACM Press, New York, NY, 8-14.

[8] Petrova, K., Philpott, A., Kaskenpalo, P., and Buchan, J. 2004. Embedding information security curricula in existing programmes. In Proceedings of the 1st Annual Conference on Information Security Curriculum Development (Kennesaw, Georgia, October 08-08, 2004). InfoSecCD '04. ACM Press, New York, NY, 20-29.

[9] Schweitzer, D. and Baird, L. 2006. The design and use of interactive visualization applets for teaching ciphers. In Proceedings of the 7th IEEE Workshop on Information Assurance, June 2006.

[10] Schweitzer, D., Baird, L., Collins, M., Brown, W., and Sherman, M. 2006. GRASP: A visualization tool for teaching security protocols. In Proceedings of the 10th Colloquium for Information Systems Security Education, June 2006.

[11] Schweitzer, D., Collins, M., and Baird, L. 2007. A visual approach to teaching formal access models in security. In Proceedings of the 11th Colloquium for Information Systems Security Education, June 2007.

[12] Schweitzer, D., Gibson, D., and Collins, M. 2009. Active learning in the security classroom. In Proceedings of the Hawaii International Conference on System Sciences, HICSS 42.

[13] Vaughn, R. B., Dampier, D. A., and Warkentin, M. B. 2004. Building an information security education program. In Proceedings of the 1st Annual Conference on Information Security Curriculum Development (Kennesaw, Georgia, October 08-08, 2004). InfoSecCD '04. ACM Press, New York, NY, 41-45.

[13] Singh, S. 1999. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Fourth Estate, London.