 Module based curriculum development 



PROJECT GOALS AND OBJECTIVES

The proposed Adaptation and Implementation builds on the Information Systems and Internet Security (ISIS) Lab at Polytechnic University of New York (POLY), for the development of a distributed computer security laboratory and lab modules. The proposed project is part of our long-term plan to develop a module-based model on computer security, which includes an array of security modules that can be easily adapted by universities to satisfy their respective needs and constraints. Our goal is to assist undergraduate computing programs in integrating computer security into their curricula to meet the challenge of the huge national demand for computer security professionals. To reach the goal, the project has 4 main objectives (Table 1).

a) Establish a multiple-site Distributed Computer Security Laboratory (DCSL) across UHCL and UHD. The Lab is insulated but connected, in the sense that it is safely insulated from the respective campus networks while providing a remotely connected network platform on which issues of distributed security and related technology can be studied.
b) Develop a module-based curricular model on computer security to include an array of security modules that can be easily adapted by colleges and universities to develop their own security curricula.
c) Apply the module-based approach to adapt the courseware developed at POLY to create two undergraduate courses: Computer Security and Web Security, as well as short courses, workshops and integration of lab modules to existing computing courses.
d) Disseminate results from the project to help other universities adopt the module-based approach and/or the insulated-but-connected security lab model. Dissemination will include not only the usual national channels, but also regional conferences, which typically attract participants from smaller universities.
Table 1: Objectives of the Project

THE PROBLEM AND NEED FOR SOLUTION

For the past decade, partly due to the widespread use of the Internet, computer security has become a top issue in industry, academia and government. The demand for well-trained security professionals has grown dramatically. The integration of security into computing curricula, however, has not kept up with this demand [5]. There is a large discontinuity between the demand for security professionals and the academic programs that produce them. This deficiency deepens in undergraduate programs, where few have security courses. A related problem is that, despite the ubiquitous nature of security, most existing computing courses lack security components. The problems are even more serious for smaller universities, where resources tend to be limited. The NSA (National Security Agency) has designated 36 US universities as Centers of Academic Excellence in Information Assurance Education [4].

Our study has indicated that the overwhelming majority of those programs are at the graduate level, with emphasis on research. For most universities in the U.S., security education at the undergraduate level is generally inadequate.

We have identified two primary problems in the current college-level computer security education:

  1. Lack of a curricular model for integrating security into undergraduate computing education;

  2. Insufficient coverage of security technology and issues in existing computing curricula.

Our preliminary study has identified 8 potential causes of the problems (Table 2).


A. Most existing computer security curricula and programs are at the graduate level.
B. Due to the advancement of computer security knowledge and technology, most computing faculty, especially at the undergraduate level, are not equipped with sufficient knowledge in computer security, and proper training is usually not easy to obtain.
C. There exists no flexible curricular model that can be easily adopted by smaller undergrad programs, especially those without the support of graduate programs, to fit their needs.
D. Most undergraduate computing programs are already saturated with various requirements, making it difficult to add new courses into existing degree requirements.
E. Lack of appropriately configured specialized laboratories contributes to the difficulty of providing hands-on experience to students in learning computer security technologies.
F. The pervasiveness of computer security in computing curriculum makes it difficult to build a comprehensive model for teaching computer security issues and technology.
G. Computer security is multi-disciplinary in nature, including but not limited to disciplines such as psychology, sociology, political science, law, computer science, computer engineering, and management [1].
H. Fast advancement of Internet technology has contributed to continuous change in security-related technology, which makes the above issues even more difficult to manage.
Table 2: Possible Causes of the Insufficient Security Education Problem

Neither UHCL nor UHD is exempt from the problem of inadequate undergraduate security education. At UHCL, there exist two security courses at the graduate level in the CS/CIS programs: CSCI5233 Computer Security, and CSCI5931 Web Security, yet neither institution offers undergraduate computer security courses. Furthermore, security has not been systematically integrated into existing computing courses.

PROPOSED SOLUTION

There are very few undergraduate computer security programs in the U.S. We have identified and studied three of them: the North Carolina State University (NCSU), the East Stroudsburg University of Pennsylvania (ESU), and the ISIS Lab at Polytechnic University of NY (POLY).

The Information Security concentration at NCSU requires two courses in computer security, plus a related technical elective and a non-technical security elective [3]. The Bachelor degree in Computer Security at ESU requires five security-related courses plus an internship [2].

POLY has a two-course sequence in Information Systems Security: CS392 Computer Security and CS393 Network Security. The Computer Security course covers cryptography, capability, access controls, authentication, security models, OS security, malicious codes, security policy formation & enforcement, and legal & ethical aspects of security. The Network Security course includes cryptographic authentication, firewalls, e-mail security, anonymity & privacy, Web Security, IP Security, and intrusion detection. Together, the two courses form a sequence that establishes a strong core for undergraduate security education. To support the two courses, the ISIS Lab consists of heterogeneous platforms and interconnected networks to facilitate hands-on experimentation and information-security-related project work.

Although we would like to eventually develop a concentration or a Bachelor degree in computer security, we feel that the ISIS Lab at POLY and the two-course sequence fit our current needs the best. POLY is one of the Centers of Academic Excellence in Information Assurance Education designated by the NSA and the ISIS Lab was initiated by an NSF*-CCLI grant.

Therefore our proposed solution will be adapted from the ISIS Lab of POLY. Professor Memon, founder of the ISIS Lab and active information security researcher and educator, agrees to serve as the mentor of our project. He will share courseware, insight and experience in setting up ISIS curriculum and laboratory. He will also exchange visits with the UHCL/UHD team to facilitate the adaptation.

We propose two extensions to the ISIS model. The first is a module-based curricular model, which will facilitate the development of an array of security modules that enable flexible adoption and integration. The second extension is the creation of an insulated-but-connected Distributed Computer Security Lab (DCSL) across two campuses. The rationale and design of the curricular model and the DCSL will be discussed in detail in the following subsections.

We believe the proposed approach will address many of the causes listed in Table 2. The approach will provide an easy-to-adopt curricular model for undergraduate institutions and will help to eventually remove Cause A (few undergraduate security courses and programs). Cause B (faculty development) must be addressed by internal and external funding at each individual academic institution, but a well-designed set of security modules covering the main security topics will help. Our responses to the remaining causes are listed in Table 3.

| Cause(s) | Response & Impact |
|---|---|
| E (lack of laboratory) | We will establish the DCSL, not only to help UHCL/UHD have a specialized laboratory for computer security, but to introduce a model for designing and configuring an insulated-but-connected lab that can be adopted by other smaller universities. |
| C (no curricular model), D (saturated curricula), F (pervasive nature) | We will create an array of security modules which can be flexibly integrated into an existing program. |
| G (multidisciplinary nature) | Two of the modules, Legal Issues and Ethics and Security Systems Management, will address social and managerial issues in security. Experts in law, ethics and management will be consulted when the two modules are developed. |
| H (fast technology advancement) | We plan to continually update the content of the modules to accommodate advancement and changes in computer security technology and make the updated modules available to other colleges and universities. |
Table 3: Responses and Impact


It should be noted that the proposed DCSL and the module-based curricular model are independent. The security modules may be supported by various types of laboratories, from whatever is available to support general programming to whatever lab facilities are there to support the OS and Database courses and, ideally, a dedicated distributed platform. Small universities can adopt the security modules by using their existing lab support, while, if desirable, upgrading their labs for more advanced instrumentation and/or infrastructure.

Furthermore, for many small undergraduate CS programs, it may not be possible to offer any undergraduate security courses. For such universities, an easier approach may be to integrate security topics into existing computing courses, such as operating systems, databases, software engineering, etc. Our module-based approach will help to provide such flexibility.

MODULE-BASED CURRICULAR MODEL FOR COMPUTER SECURITY

Our model contains an array of modules on security topics. Each module will cover a major topic. Subject to revisions, our current design consists of 10 modules:

  • Computer Security Intro.
  • Cryptography
  • Database Security
  • Malicious Programs & Secure Programming
  • OS Security
  • Web Security
  • Network Security
  • Wireless Security
  • Legal Issues & Ethics
  • Security Systems Management

Each module will be divided into several self-sufficient sub-modules that address specific aspects of the module. For example, in our current design, the Cryptography module contains six sub-modules: Cryptography overview I & II, symmetric encryptions, asymmetric encryptions & hashing, and cryptographic protocols I & II. Due to the ubiquitous nature of computer security, a given sub-module may be cross-listed in several modules. Whereas a smaller program may integrate the first one or two sub-modules of a module into an existing course, a larger program may use all the sub-modules to create a security course.  To combat the problems of limited financial resources and faculty expertise in smaller programs, each sub-module is designed with the characteristics shown in Table 4.

  • Will be independent and cover approximately three hours of lecture.
  • Has a clearly defined title, general description, goals and objectives.
  • Has a collection of lecture notes, teaching guidelines, labs and illustrative examples.  The collection of illustrative examples is especially important for smaller programs as students usually respond better to examples than to abstract theory alone.
  • Has a Web page for resource links, laboratory setup guidelines, etc.
Table 4: Characteristics of Sub-Modules


Supplementary Documentation 1 contains a sample design of modules and sub-modules. The design will be refined using established work, such as Dark and Davis [1] and available work from POLY as well as IEEE, National Colloquium for Information Systems Security Education (NCISSE), etc.  In this proposal, we plan to develop four lab modules: Malicious Programs and Secure Programming, OS Security, Web Security, and Security Systems Management.  Two additional modules, Introduction to Computer Security and Networking Security, will be adapted from the two courses of POLY. To complete the module-based curricular model, we will seek additional funding in the future (e.g., the NSF* CCLI EMD grant) to fully develop all modules.

The modules and sub-modules can be used flexibly:

(a) a sub-module can be incorporated into an existing course;
(b) sub-modules from various modules can be combined to produce a security course; and
(c) a module itself can be offered as a special-topic short course or a workshop.


The planned activities in Table 5 demonstrate the flexibility of this approach.

| Activities | Usage |
|---|---|
| Security modules will be integrated into selected existing courses, such as CSCI4230 Internet Application Development and CSCI4634 Computer Systems Administration. | (a) |
| The PIs at UHCL will develop two courses: Computer Security and Web Security. The PI at UHD will develop a new course: Computer Security. | (b) |
| We plan to offer selected short courses and/or workshops on various security topics, such as Cryptography, Network Security Overview, IP Security, etc. | (c) |
Table 5: Development Activities and Demo of Flexible Usage


The set of modules and sub-modules will serve as a complete basis for other educators to refine, update and add new modules and sub-modules, in a way similar to how open source software has been working.

REFERENCES

[1] Dark, M. and Davis, J. "Report on Information Assurance Curriculum Development". Proceedings of the National Colloquium for Information Systems Security Education (NCISSE 2002). June 2002. Available online at this site.

[2] East Stroudsburg University of Pennsylvania, BS degree in Computer Security. Available at http://www.esu.edu/cpsc/courses/sebs_req.htm.

[3] North Carolina State University, concentration in Information Security at the BS level in computer science. Available at http://ecommerce.ncsu.edu/infosec/courses.html.

[4] NSA MEDIA ADVISORY, 8 March 2002. Available at http://www.nsa.gov/releases/20020308.htm.

[5] Yang, T. A. "Computer security and impact on computer science education". The Journal of Computing in Small Colleges, Volume 16 Issue 4. May 2001. Available at http://sce.uhcl.edu/yang/research/p233-yangJCSC.pdf.

[6] Yang, T. A. "Design of a Network Security Testing Environment". Working paper. Available at http://sce.uhcl.edu/yang/research/NetworkSecurityTestingEnvironment.pdf.

DISCLAIMER
*-Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).
COPYRIGHT © 2007 University of Houston Clear Lake. ALL RIGHTS RESERVED.