COMPUTER SECURITY AND IMPACT ON COMPUTER SCIENCE EDUCATION
T. Andrew Yang
Computer Science Department
TEL: 724-357-7995
Email address: yang@grove.iup.edu
ABSTRACT
The integration of computer security into existing
Computer Science undergraduate education is an urgent and complicated task.
With the increasing risk of computer intrusion, computer crimes and information
wars, Computer Science educators bear the responsibility of cultivating a
new generation of graduates who are aware of computer security related issues
and are equipped with proper knowledge and skills to solve the problems.
The task of integrating computer security into existing Computer Science
programs, however, is complicated due to the fact that most faculty members
lack the specialty knowledge in this field.
This paper begins with a survey of the computer security field by examining
the sequence of actions that the
1.INTRODUCTION
Protection of information has been a major challenge since the beginning
of the computer age.Given the widespread
adoption of computer technology for business operations, the problem of information
protection has become more urgent than ever.
Computer files, databases, networking and the Internet-based applications
all have gradually become part of the most critical assets of an organization.
When these assets are attacked, damaged or threatened, data integrity becomes
an issue and the proper operation of the business may be interrupted.
The problem of protecting data and information on computers has become even
more critical and challenging since the widespread adoption of the Internet
and the Web.The Internet has made computers
across the globe interconnected.Despite
the convenience of data sharing and information exchange, the Internet has
also become the major highway for computer viruses to travel on.
Instead of infecting one computer at a time by spreading the virus via floppy
diskettes, the attackers/hackers use the Internet as the transmission channel
to spread their attacking agents.Whether
the spreading mechanism was a computer virus or a worm, thousands of computers
could be affected within a short period of time.
The famous ‘Denial of Service’ (DOS)
[1]
attack on some of the popular e-commerce
sites in 1999, for instance, had caught national attentions to the vulnerability
of the Internet.Ironically, this vulnerability
was part of the protocols that govern how the computers on the Internet communicate.
When computers communicate more frequently with other computers over the
Internet, they become increasingly vulnerable to hostile intruders who may
take advantage of the very protocols, which were intended for the establishment
and authentication of communication, to tie up our resources and to disable
our servers. Since these attacks occur before parties are authenticated to
each other, we cannot rely on enforcement of the appropriate access control
policy to protect us. Instead we must build our defenses, as much as possible,
into the protocols themselves (Meadows 1999).
The rest of the paper starts with examining the sequence of actions that
the
2.A LESSON OF HISTORY
The importance of computer security is best explained by examining the sequence
of actions that the
The primary purpose of the Computer Security Act of 1987
[2]
was to “assign to the National Bureau of
Standards responsibility for developing standards and guidelines for Federal
computer systems, including responsibility for developing standards and guidelines
needed to assure the cost-effective security and privacy of sensitive information
in Federal computer systems, drawing on the technical advice and assistance
(including work products) of the National Security Agency, where appropriate.”
As stated in the Joint Security Commission’s 1994 Report (see Joint
Security Commission 1994), “the security of information systems and networks
is the major security challenge of this decade and possibly the next century
... there is insufficient awareness of the grave risks we face in this arena.”
In the Executive Order 13010 (see Federal Register 1996), the President
of the US ordered the establishment of the President’s Commission on Critical
Infrastructure Protection (PCCIP), which consists of members from 10 executive
branch departments and agencies.An
Infrastructure Protection Task Force (IPTF) was also established with the
Department of Justice, chaired by the Federal Bureau of Investigation, to
undertake the interim coordinating mission.
The Commission submitted its report, Critical Foundations, to the White House
in October, 1997
[3]
. Among
the recommendations made by the Commission include:
a broad program of awareness and education; infrastructure protection through
industry cooperation and information sharing; reconsideration of laws related
to infrastructure protection; a revised program of research and development;
a national organization structure.
The Critical Infrastructure Assurance Office (CIAO), the National Information
Protection Center (NIPC), and the Information Sharing and Analysis Center
(ISAC) were established in May 1998 as part of the Presidential Decision
Directive 63 (PDD 63). PDD 63 officially
expanded the
In the Secretary of Defense’s 1998 Annual Report to the President and
the Congress
[4]
, a new center named Information Operations
Technology Center (IOTC) was mentioned as the agency that was established
to coordinate interagency information operations.
Information operations (IO) were defined in the same report as “actions taken
across the entire conflict spectrum to affect adversary information and information
systems while protecting one’s own information and information systems. Information
warfare is conducted during crisis or conflict to achieve specific objectives
over an adversary.” Also defined in
the same report, “Information assurance protects and defends information
and information systems by ensuring their availability, integrity, authenticity,
and confidentiality.”
On
3.ASSESSMENT OF NEEDS
While government agencies, major corporations and research institutions are
examining the complex issues of protecting the Internet infrastructure against
intrusions, CyberTerrorism, and even information warfare (Campen 1996; Minihan
1998), what and how should we as Computer Science educators prepare our students
to operate, professionally, in such an insecure environment?
I believe that it would take more than engineering and/or technology to cope
with the crisis of computer security.
In order to cope with the security issues, the revision of Computer Science
curriculum cannot focus only on technical aspects of the discipline, but
must also on broader, more comprehensive, and possibly “non-technical” aspects.
Here are some questions that educators in computing-related disciplines should
address before starting to revise their curriculum to include computer security:
- How would we prepare our students so they would be security literate?”
- Given the fast advancement of computer technology, how would a faculty
member become security aware and capable when teaching the new tools and techniques?
- In addition to technical solutions of computer security (such as firewalls,
encryption, access controls, audit trails, training, benchmarking, interoperability,
et al), should and how would the curriculum cover non-technical aspects such
as social, cultural, political, legal, economic, and organizational issues?
(Pattak 1999)
- Should computer security be integrated throughout the curriculum, or should
special courses and/or tracks be created to address the needs?
- Should alternative curriculum delivery mechanisms be used?
Examples include Web-based delivery, continuing education courses, corporate
training, distance education, et al.
Before trying to answer the above questions, let us first look at a report
on the 1998 NCISSE Conference, which was published in the November issue
of the Electronic Journal of the U.S. Information Agency as a response of
higher education to information security and warfare (Reynolds 1998).
The following items mentioned in the report were particularly relevant to
curricula in the higher education institutions:
i) Educational institutions are encouraged to increase programs with concentrations
in information security and include security courses in core curricula of
all college graduates.ii) The inclusions
of curricula that address the ethical and cultural issues that arise in modern
information systems are especially important.
iii) Since many ethical and cultural values are formed early in life, institutions
of higher education are encouraged to develop information security curricula
for and in collaboration with secondary education.
iv) Educational institutions were encouraged to solicit guidance from accreditation
organizations for appropriate placement of information security within their
curricula.v) Higher education was encouraged
to provide continuing educational programs for information security professionals
who are already working in the field.
vi) Information security educators are urged to develop and share practical
laboratory exercises in information security, design computer games that
express appropriate values for a responsible and information literate work
force, develop a place to share instructional materials, and write more textbooks,
especially on practical issues.vii)
Specialists in legal education were called upon to help
Based upon the report, I have made the following observations.
Observation #1: Involvement of
higher education in computer security is urgently needed in training both
college students and on-the-job professionals, in order to meet the challenges
of protecting the information infrastructure.
Observation #2: It is important
to address the ethical and cultural issues in the computer security curriculum.
4.PROFESSIONAL CERTIFICATION IN COMPUTER
SECURITY
Certification programs in computer security have been provided by government
agencies, professional organizations, and private corporations.
By examining the certification requirements set by these certification bodies,
I hope to identify common themes, which will provide useful insights into
the design of computer security curriculum.
The identified certification programs include the Certified Information Systems
Auditor (CISA) program, the Certified Information Systems Security Professional
(CISSP) program, the SNAP program, and the SAGE program.
Details of these programs are discussed in the rest of this section.
The Certified Information Systems Auditor (CISA®) program was established
in 1978 by the Information Systems Audit and Control Association (ISACA).
The CISA certification focuses on five domain areas
[7]
: Information
Systems Audit Standards and Practices and Information Systems Security and
Control Practices (8%); Information Systems Organization and Management (15%);
Information Systems Process (22%); Information Systems Integrity, Confidentiality,
and Availability (29%); and Information Systems Development, Acquisition,
and Maintenance (26%).
The Certified Information Systems Security Professional ( CISSP) program
was created by the International Information Systems Security Certification
Consortium (ISC)2, which is supported by Computer Security Institute
(CSI), Information Systems Security Association (ISSA), Canadian Information
Processing Society (CIPS), and other
industry presences (Power 1997).CISSP
certification requires the participants to pass the CISSP exam, which consists
of questions covering 10 test domains
[8]
: Access
Control Systems & Methodology; Computer Operations Security; Cryptography;
Application & Systems Development; Business Continuity & Disaster
Recovery Planning; Telecommunications & Network Security; Security Architecture
& Models; Physical Security; Security Management Practices; Law, Investigations
& Ethics.
The SNAP
[9]
program administered by GIAC
[10]
of the SANS
[11]
Institute is designed to serve the people
who are or will be responsible for managing and protecting important information
systems and networks.The GIAC program
consists of a LevelOne Module covering the basics of information security
followed by advanced and targeted LevelTwo Subject Area Modules.
The LevelOne module consists of 18 elements
[12]
: Information
Assurance Foundations; IP Concepts; IP Behavior; Internet Threat; Computer
Security Policies: The Good, The Bad and The Ugly; Antiviral Tools on Desktops;
Host Based Perimeter Protection; Windows NT Password Cracking; Unix Password
Management; Introduction To PGP; Introduction To Cryptography 1; Introduction
To Cryptography 2; Windows NT System Administration; Unix System Administration;
Backups For Windows NT; Backups For Unix; Basic Windows NT Security/Auditing;
Basic Linux Security/Auditing.
In 1999, after years of debate, SAGE
[13]
eventually took the first step in tackling
certification for system administrators.
As proposed in the latest update
[14]
,
“An overall certification program will need to have a core track with probably
three levels of difficulties or progressions.
…There may also be specialty modules:
security, networks, databases, et al.”
The Department of Defense has issued a mandate that all system administrators
will require “level 1” certification.
The certification is required by
5.SO, WHAT SHOULD WE TEACH OUR STUDENTS?
As pointed out by Powanda (1999), the basics of computer security education
include:i) Understand and comply with
security policy and laws; ii) Recognize potential security problems in their
environment; iii) Know how to be proactive in preventing security problems;
iv) React appropriately to an occurrence of a security problem; v) Know where
to find additional help or information; vi) Make informed decisions on security
matters; vii) Speak the “language”.
The goal of a computer security program in the Computer Science education
is to develop the student into a well-rounded professional who is capable
of understanding, recognizing, and preventing security problems.
When a problem occurs, he/she should be capable of getting necessary resources
to find a solution.In addition, the
computer security professional must be well versed when it comes to explaining
security issues, problems, or the impact to others, such as the supervisor
or co-workers.
In addition, the students graduating from the Computer Science programs
must possess the following abilities:
assessments of protection tools and methodologies, information on trends
in disruption of information and information infrastructure, education and
training on the employment of protection tools and methodologies, and the
ability to educate co-workers regarding computer security.
Observation #3: A majority of
computer security curriculum involves extension of traditional Computer Science
curriculum, such as networking, programming, databases, et al.
Observation #4: Computer security
education is more than just providing training on technical topics.
It should contain components that address business and managerial aspects
of computer security, such as law, investigations, ethics, physical security,
and business continuity & disaster recovery.
Observation #5: Similar to other
computer professions, the abilities of the students to recognize and analyze
a problem and get a “handle” of it is critical for being successful in the
profession of computer security.
6.A COMPREHENSIVE APPROACH
In this section, I try to answer the question of how computer security would
be integrated into undergraduate education, by first examining the knowledge
acquisition and transfer process in higher education institutions.
The faculty plays a central role in this acquisition and transfer process.
A faculty member enhances his/her professional knowledge by participating
in professional conferences and seminars, collaborating with major research
institutions and centers, engaging in curricular revision activities, conducting
theoretical/applied research, developing and offering topical workshops,
and interacting with students via classroom teaching and research activities.
The knowledge and experience acquired through theses activities are then
transferred to students via regular classes or workshops, as well as via
publications.This acquire/transfer
process is particularly characteristic in a field such as computer security,
which is new to most faculty members.
To facilitate effective faculty training for newer knowledge and skills
in computer security, the institution where the faculty member works must
play an active supporting role, especially at the initial stage.
Institutional support may include travel and/or training fund, reduced teaching
load, summer research grant for professional development and/or research,
support for publications and grant writing, and recognition of faculty accomplishments.
Collaboration with major research universities and research centers is an
important factor in faculty professional development.
Centers specializing in computer security research and training have been
set up in both governmental and academic institutions.
Among them are Center for High Assurance Computer Systems of the Naval Research
Laboratory, Computer Security Technology Center of Lawrence Livermore National
Laboratory (U.S. Department of Energy), Cyberspace Policy Institute at
With the convenience of accessing information over the Web, a wide variety
of resources are also available from Web sites.
A list of Web sites hosting information related to computer security has
been compiled and is available from my Web site
[16]
.
Observation #6: Similar to integrating
any new major technology into the Computer Science education, the integration
of computer security into the undergraduate programs requires strong support
from the Administration.
Observation #7: The process of
integrating computer security into a program is a continuous process and involves
the faculty’s involvement in multiple activities, including research, professional
development, curricular design, and teaching.
7.WORKSHOPS, COURSE REVISION, NEW COURSES,
& A NEW TRACK
In this section, results of integrating computer security into our existing
program are discussed. As stated in
the previous section, the revision is a continuous process.
What is presented here serves as tentative outcome from applying the comprehensive
approach to answer the challenges.
·
Proposed Workshops
As part of professional development as well as service to the local businesses
and community, I propose the faculty to offer workshops related to computer
security, by especially integrating security issues into existing technologies
and specific areas in Computer Science.
Sample workshops include Encryption and Cryptography, Dealing with CyberTerrorism,
XML & Privacy, Building Security into Systems, Hostile Applets and the
Java Security Model, Network Monitoring, Database Security, MFC & Security,
Securing Your OS, and Securing Large Transaction Processing Systems, et al.
The content of a workshop can later be incorporated into a regular course.
Through the preparation and offering of workshops, faculty in Computer Science
engage in learning computer security in their respective areas of specialty.
·
Revision of Existing Courses
[17]
Some existing courses will need to be revised to incorporate a computer security
component.In a database course, for
example, in addition to discussion of data modeling, SQL, et al, a major
topic of the course should cover security issues in the usage and development
of databases, and discuss the security features of existing database technologies.
The primary objective of this type of revision is to emphasize to the students
the fact that computer security is a prevailing issue in Computer Science
education, and a computer professional should take the issue into serious
consideration when using or developing computer systems.
In addition to CO441 Database Management Systems, the following courses
have also been identified as candidates for revision:
- CO105 Fundamentals of Computer Science
Suggested enhancement: Introduction to the importance of computer security,
ethics of computer usage and legal implications of misuse.
Introduction to computer viruses and awareness.
- CO 201 Internet and Multimedia
Suggested enhancement: Discussion of security of scripting languages (Anupam,
1998) and the security issues of Java applets, cookies, ActiveX, et al (Levine
1997)
- CO 205 Programming Languages for Secondary Education
Suggested enhancement: Discussion of security concerns and safe Internet
access in a school setting
- CO304 Internet Programming using Java
Suggested enhancement: Discussion of the Java security package
[18]
(Levine 1997)
- CO319 Software Engineering Concepts
Suggested enhancement: Introduction of topics related to the development
of secure software systems, such as the systems security engineering capability
maturity model (Hefner 1997) and cryptographic verification (Devanbu 1997).
·
New Courses
For areas that are highly related to computer security, I propose new courses
to cover computer security in these significant areas, which include Data
Communications, Operating Systems, Networking, and Web-based System Development.
In addition, courses that are not traditionally offered in Computer Science
programs need to be created to cover the fundamental, and sometimes non-technical,
aspects of computer security.These
courses include Introduction to Computer Security, Ethics, Laws and Organizational
Factors, Cryptography and Encryption, and CyberTerrorism and Counter Measures.
A new course titled Information Security Lab is proposed to provide
hands-on experience for students to gain first-hand experience in hacking
and defending computer systems.
|
Courses |
Prerequisites |
|
CO117 Introduction to Computer Security: Issues and Methodologies |
CO110 Problem Solving & Structured Programming |
|
CO207 Ethics, Laws and Organizational Factors |
CO117 |
|
CO217 Information Security Lab |
CO117 |
|
CO307 CyberTerrorism and Counter Measures |
CO217 |
|
CO317 Cryptography and Encryption |
CO310 Data Structures |
|
CO417 Security of Operating Systems |
CO432 Intro. to Operating Systems
CO317 |
|
CO427 Secure Networking |
CO345 Data Communications
CO317 |
|
CO437 Security of Web-based System Development |
CO415 Internet Architecture and Programming
CO317 |
Table 1: Proposed New Courses in Computer Security
The courses are listed in Table 1, along with their respective prerequisites.
For a listing of the exiting courses in our programs and their catalog descriptions,
please see our Web site.
[19]
We in
the Computer Science Dept. are currently in the process of designing these
new courses.The following paragraphs
provide sketches of the major topics in each of the courses.
- CO117 Introduction to Computer Security: Issues and Methodologies
Issues: Why Computer Security Training Needs to be Comprehensive?
One person’s action can affect an entire organization; Recovering from computer
virus infection is expensive; Break-in on one computer compromises a network;
Poorly configured firewall can enable compromise of organizational information
resources and reputation; Illegal user actions can incur liability to an
organization; Laws and directives mandate relevant security training; Computer
Security Act of 1987 (Powanda 1999).
Basic Units in Computer Security: Security Basics, Physical Security, Personnel
Security, Technical Security, Operations Security, Network and Information
Sharing, Special Applications Security, Review of Controls and Risk Management,
Incident Handling, Continuity of Business Operations, Acquisition Management;
Technological versus Non-Technical Aspects of Computer Security: an Overall
Methodology (Pattak 1999)
- CO207 Ethics, Laws and Organizational Factors
Continued from CO107, this course deals with more advanced and specific
topics of ethics, laws and organizational structures related to computer
security.
- CO217 Information Security Lab
A closed lab for faculty and students to experiment with computer security
theories and applications.Students may
be divided into groups trying to intrude the other groups’ system while protecting
its own computer.The emphasis of this
course is first hand experience on hacking/defending and information assurance.
- CO307 CyberTerrorism and Counter Measures
An intermediate level computer security course focusing on the discussions
and studying of CyberTerrorism, the mechanisms adopted to launch such attacks,
counter attacks that have been developed by the government agencies, legislation
and resources that have been allocated for the development of these counter
measures, and the link between CyberTerrorism and infowars.
- CO317 Cryptography and Encryption
Studying the technology of encoding and/or encrypting information so it
can only be read by authorized individuals, private and public cryptography,
certificates, digital signature, et al.
- CO417 Security of Operating Systems
The study of operating systems from perspectives of computer security, how
to design a secure operating system, how to use an operating system in a secure
manner, discussion of the existing mechanisms used by various operating systems
to prevent intrusions.
- CO427 Secure Networking
Focused study of network security, discussion of security concerns on a
network, the types of attacks that may be launched against a network, vulnerability
of network protocols, denial-of-service attacks, studying of existing secure
network servers, discussion of network protection measures such as firewalls,
intrusion detection software, secure servers, network monitoring, authentication,
encryption and access control methods
- CO437 Security of Web-based System Development
Discussion of security problems of scripting languages (Anupam & Mayer,
1998); New development of cryptographic protocols in Java development environment
(Nikander & Karila, 1998); Design and implementation of a secure, intrusion-tolerant
system (Wu, 1999); Major Issues of Web Security (McKee, 1999)
·
Adding a New Track in the Existing Program
With the new computer security courses in place, I propose to add a new
track in our undergraduate programs.
Figure 1 shows the pre-requisites chart for the new track.
The new track shares, with the other tracks in our programs, the lower level
core courses such as co110 (Problem Solving and Structured Programming), co210
(Object-Oriented Programming and GUI), and co310 (Data Structures).
It also shares some upper level core courses such as co432 (Introduction to
Operating Systems) and co415 (Internet Architecture and Programming) with
one of the tracks.
It is not feasible to require students majoring in this new track to take
all the security related courses to fulfill the major requirements.
Alternative scheduling is being investigated such that a student may choose
one of the alternatives and complete the major requirements.
Two of the alternatives are presented below.
Alternative 1:
freshmen year: co105, co110
sophomore year: co117, co210, co310,
and one of co207 and co217
junior year:co317, co432
senior year:co415, co437
Alternative 2:
freshmen year: co105, co110
sophomore year: co117, co210, co310,
co217
junior year:co307, co317, co345
senior year:co427
Figure 1: Pre-requisite Chart for the Computer Security Track
Depending on the area(s) in which a student is interested, he/she may pick
either alternative 1, focusing on secure operating system and Web-based development,
or alternative 2, focusing on CyberTerrorism and secure networking.
Other combinations are certainly possible.
8.SUMMARY
The integration of computer security into the existing Computer Science
undergraduate education is an urgent and complicated task.
With the increasing risk of computer intrusions, computer crimes and information
wars, Computer Science educators bear the responsibility of cultivating a
new generation of graduates who are aware of computer security related issues
and are equipped with proper knowledge and skills to solve the problems.
The task of integrating computer security into the Computer Science programs,
however, is complicated by the fact that most faculty members lack the specialty
of the field.In addition, the fast
advancement of computer technology, especially in the Internet and Web related
fields, makes the updating of professional knowledge and skills a constant
requirement.
In this paper, a comprehensive approach of integrating computer security
into an existing degree program was proposed.
Related issues and procedures were examined.
It was realized that the integration of a new field such as computer security
would have major impact on the overall curriculum and degree programs.
A comprehensive knowledge acquisition and transferring process was proposed
to enable successful integration.Strong
and innovative institutional support will play a major role in determining
the success of the integration.
Throughout the paper, observations that I made with respect to what should
be taught and how computer security could be integrated into the undergraduate
education were discussed.New courses
and a new track on computer security were proposed as part of the integration.
9.REFERENCE
Anupam, V. & A. Mayer 1998: Security of Web Browser Scripting Languages:
Vulnerabilities, Attacks, and Remedies, Proceedings of the 7th USENIX Security
Symposium, USENIX.
Campen, A.D. et al (Ed.) 1996, CyberWar: Security, Strategy and Conflict
in the Information Age, AFCEA International Press.
Federal Register 1996, Executive Order 13010 – Critical Infrastructure Protection,
Federal Register Vol. 61, No. 138,
Hefner, Rick 1997: Lessons learned with the systems security engineering
capability maturity model, Proceedings of the 1997 international conference
on Software engineering.
Joint Security Commission 1994, Redefining Security: A Report to the Secretary
of Defense and the Director of Center Intelligence
[20]
.
Levine, D.E. 1997, What's Brewing with Java And ActiveX?, Information Security
Magazine,December 1997.
McKee, B. 1999: A comprehensive view of Web security, Computer Security
Alert, Computer Security Institute, March 1999.
Meadows, C. 1999: A Formal Framework and Evaluation Method for Network Denial
of Service, Proceedings of the 1999 IEEE Computer Security Foundations Workshop,
IEEE.
Minihan, K.A. 1998: Defending The Nation Against Cyber Attack: Information
Assurance in the Global Environment, Electronic Journal of the
Nikander, P. & A. Karila 1998, A Java Beans Component Architecture for
Cryptographic Protocols, Proceedings of the I7th USENIX Security Symposium,
USENIX.
Pattak, P.B. 1999: Non-technical Factors Influencing IT Security, 12th Annual
FISSEA (Federal Information Systems Security Educators' Association) Conference
[21]
, NIST (National Institute of Standards and
Technology).
Powanda, J. 1999: Assembling a Curriculum for Various Security Disciplines,
12th Annual FISSEA Conference, NIST.
Power, R. 1997: Should You Take the CISSP Exam?, Computer Security Alert,
Computer Security Institute, March 1997.
Reynolds, C.W. 1998: The Response of Higher Education to Information Warfare,
Electronic Journal of the
Schwartau, W. 1999, Infrastructure Is Us, Information Security Magazine,
June 1999
[22]
.
Wu, T. et al, 1999: Building Intrusion Tolerant Applications, Proceedings of the USENIX Security Symposium, USENIX.