1 / 23

Lessons Learnt Teaching Security to Final Year Students

Lessons Learnt Teaching Security to Final Year Students. Harry R. Erwin, PhD Senior Lecturer of Computing University of Sunderland. What Do We Teach?. We Teach: Security Awareness The Security Analysis Process What We Don’t Teach: Security Engineering (MSc-level program)

elvis
Download Presentation

Lessons Learnt Teaching Security to Final Year Students

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lessons Learnt Teaching Security to Final Year Students Harry R. Erwin, PhD Senior Lecturer of Computing University of Sunderland

  2. What Do We Teach? • We Teach: • Security Awareness • The Security Analysis Process • What We Don’t Teach: • Security Engineering (MSc-level program) • Security Administration (inappropriate) • CISSP (beyond MSc) • SSCP (MSc-level material)

  3. Why Do We Teach It? • Initially, a US government agency suggested that I volunteer to teach security in the UK to help improve EU/UK security standards. • This need was later emphasized by my experience marking final year projects with a security element. • This module is designed to provide a foundation for undergraduate careers in security. The level is actually second-year, but we emphasize critical thinking at a third-year level.

  4. Who Teaches It? • The teaching team consists of myself, a computational neuroscientist (!), aided by a mathematician with a strong background in cryptography, who leads tutorials. • But I have a professional background in security engineering for the US Government. I do not have a CISSP. Neither does the mathematician. • This module could be taught by a visiting lecturer with a CISSP or a retired officer from GCHQ.

  5. How Do We Teach It? • 12 one-hour lectures • 10 discussion section meetings • 2 tutorial sessions, one exploring CCTool, an expert system for doing security analysis, and the other investigating specific websites useful for security analysis work.

  6. Primary Resources • Key text: R. Anderson, 2001, Security Engineering, Wiley, ISBN: 0-471-38922-6. Excellent on the technology. • Supplementary readings from: • B. Schneier, 2000, Secrets and Lies, Wiley. • B. Schneier, 2003, Beyond Fear, Wiley. • P. Neumann, 1995, Computer-Related Risks, Addison-Wesley. • Rescorla, E., 2001, SSL and TLS, Pearson Education. • Garfinkel and Spafford, Practical Unix and Internet Security, 3rd edition, O’Reilly. • Amoroso, 1999, Intrusion Detection, Intrusion.net. • Barrett and Silverman, 2001, SSH, the Secure Shell, O’Reilly.

  7. Topics Taught • Introduction (1 lecture) • Risk and Trust Analysis (2 lectures) • Security Analysis (3 lectures) • Security Mechanisms (3 lectures) • Security Management (3 lectures)

  8. Basic concepts and definitions Risk analysis Trust analysis Security policies (legal requirements) Assumptions of secure operations Security analysis process Security mechanisms How hackers operate Intrusion detection technology TCP/IP and encryption technology Firewall technology Securing e-commerce and CISSP certification Lecture Subjects

  9. Basic Concepts and Definitions • Discusses the questions to be answered by a security analyst. (See Schneier’s books) • Security concepts • Gives some rules of security • Formal definitions of terms

  10. Risk Analysis • Provides a quantitative definition of risk • Vulnerability • Threat • Consequences • Discusses sources of risk • Teaches how to do a quantitative risk analysis

  11. Trust Analysis • Defines trust • Seeks to understand trust and the multiple types of trust relationships • Provides a mapping methodology for analyzing trust (from Grandison and Sloman, 2000, “A Survey of Trust in Internet Applications,” IEEE Communications Surveys and Tutorials, 4th Quarter, 2000).

  12. Security Policies • Discusses the differences between various kinds of security policies • Concentrates on legal and corporate requirements (rather than the rules security mechanisms enforce). • Discusses in particular: • EU Data Protection Directive • US Privacy Act • US Government policies for classified information • Corporate security policies • Reputation • Risks involving lives

  13. Assumptions of Secure Operations • When you do a security analysis, you identify security objectives—what the target of evaluation (TOE—i.e., the ‘system’) should do. • Some of these objectives do not require specific security mechanisms because the system operates securely for other reasons. • Those other reasons are the ‘assumptions of secure operation’. This lecture examines typical ones.

  14. Security Analysis Process This lecture discusses the formal security analysis process that produces a protection profile (PP). • Identify the system (‘TOE’) and items to be protected. • Identify the security policies that must be enforced. • Define the trust relationships to be supported. • Perform a risk analysis to identify the threats. • Establish the assumptions of secure operation. • List the security objectives you must implement. • Define the resulting security functions (‘TSF’).

  15. Security Mechanisms • Discusses the basic categories of security mechanisms and gives examples: • Identification and Authentication • Access Control • Audit • Firewalls • Intrusion Detection • Cryptography and Public Key Infrastructure (PKI) • Virus Protection • Object Reuse/Media Sanitizing • Electronic Signatures

  16. How Hackers Operate • A ‘fun’ lecture • Defines the term ‘hacker’ and examines how malicious hackers operate. • Examines the vulnerabilities of TCP/IP. • Examines in detail how a hacker actually attacks a site and how to defend against it. • Discusses good password security.

  17. Intrusion Detection Technology • Defines what an intrusion detection system (IDS) does. • Critically discusses various approaches to building an IDS in the context of difficult technical requirements. • Mentions incident handling issues, including how to deal with a witch hunt.

  18. TCP/IP and Encryption Technology • Discusses TCP/IP in detail. • Introduces encryption • Presents SSH and SSL/TLS.

  19. Firewall Technology • Explores the problem of internet insecurity, discussing various vulnerabilities. • Considers how to design firewalls and other boundary protection mechanisms for a site. • Discusses how to set up and manage a network architecture to minimize vulnerability. • Finally addresses personal firewalls and malware detection programs.

  20. Securing E-Commerce and CISSP Certification • A two-part lecture • How to secure an e-commerce website based on everything they’ve learnt. • What they will need to learn to gain SSCP and CISSP certification.

  21. Assessment • Two reports: • A quantitative risk analysis (1000-1500 words) • A security analysis for a simple web site (3000-4000 words) • Marking criteria are deliberately based on those for our final year projects. • One examination • Validates that the student submitting the two reports actually did the work.

  22. Conclusions • You can successfully teach computer security to final year students. • You don’t need to be an active security professional to teach security awareness and analysis. • This is an appropriate class for the second year if you want to cover security technology in the third year. Basic self-protection is good in the first year. • Teaching computer security has not noticeably increased malicious hacking at Sunderland and does improve the security of student systems. • And it contributes to UK/EU computer security.

  23. Contact Details • E-mail: harry.erwin@sunderland.ac.uk • Web: http://scat-he-g4.sunderland.ac.uk/~harryerw

More Related