This article discuss how, as our society becomes more and more reliant on technology, the need to increase the protection on this technology becomes greater as well. This need creates a demand for professionals with certain skills - specifically those in IT Security. This need has literally created a completely new industry and has also pushed businesses and governments to become more aware of just how unsafe the internet can be.
Many employers have begun hiring "ethical hackers" as the article calls them - or "white hat hackers" as discussed in class. The government has begun programs to interest undergrad and graduate students to begin studying in these areas. These programs include tuition reimbursements, scholarship, and on job training. Universities are beginning to offer more and more classes, some are even beginning to offer majors in this area of IT. Raytheon is one such company who, beginning next year, will have over 700 of these professionals working for them. Raytheon has gone as far as to create simulations for their "hackers" to practice and develop their skills, creating a "capture the flag" sort of game. According to the article, "450,000 high-tech college graduates per year are going to be needed so that we can continue to be a technology-driven country." This is a huge number and presents great opportunities for students in this field.
I feel as this industry grows and becomes more attracting to students there is going to be an influx of graduates with a technology degree. This is going to be necessary in order to keep us running with such a high reliance on technology. However, this could also create decreases in other necessary regions of study and possibly even create a shortage in other industries. As more and more students are drawn to the IT field, it is also highly possible to create a surplus and saturate this market. As it stands now there is a great need for those with technical skills and degrees, and there are many programs out there looking for "white hat hackers."
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/30/AR2010083001935_2.html
Tuesday, August 31, 2010
Friday, August 27, 2010
Course Slides from This Week
Here are links to the course materials from this week:
Tuesday's introductory slides
Thursday's risk management sample problem
Tuesday's introductory slides
Thursday's risk management sample problem
Monday, August 23, 2010
Case Studies
In order to provide a broad exposure to information security issues and events, each studentis expected to present one case study to the class during the course of the semester. The case study topics we'll tentatively cover each day are listed below. If you would like to cover a topic not appearing below, feel free to suggest something new and we'll cover it in class.
Available topics: SQL Slammer worm, Express Scripts extortion
- 9/2: Therac-25 - Lane
- 9/7: Monster.com - Cristin
- 9/9: Fake Subpoenas - Patrick K.
- 9/21: Norwegian ATMs - Kelly F.
- 9/21: Open Topic - Matt
- 9/23: Epilepsy Foundation - Blake
- 9/28: Stock Spam - Kathleen
- 9/28: Open Topic - David S.
- 9/30: Lost Laptop - Kevin
- 10/5: Hacking Jail - Casey
- 10/5: Open Topic - Michael
- 10/7: Getting Hackers Through Their Targets - Tyrone
- 10/28: Hotel Hackers - Erica
- 11/2: Election Hacking - Mark
- 11/2: Open Topic - Luke
- 11/4: Click Fraud - Ian
- 11/4:Open Topic - Jimmy K
- 11/9: Social Engineering at DefCon - Caela
- 11/9: Open Topic - Alex M.
- 11/11:Blaster and the Blackout - Steve
- 11/16: Landline Hacking - Jimmy L.
- 11/23:Open Topic - Mike H.
- 11/30:Open Topic - Jackie
- 11/30:Open Topic - Matt
- 12/2:Open Topic - Alex W.
Available topics: SQL Slammer worm, Express Scripts extortion
The topics above are linked to supporting materials, where available. You may need to do additional research to provide enough material to fill your class discussion time. Your talk should be about 10 minutes long and cover the following items:
- What happened?
- What is the root cause of the event?
- What would you have done differently?
Please select a topic by adding a comment to this blog post. First come, first served
Welcome to the Course Blog
This blog is designed for students in the Information Security course in Notre Dame's Computer Applications Program (CAPP 40260). You are expected to read this blog regularly and participate frequently. As discussed in the course syllabus, it will comprise a significant portion of your grade.
Blog Purpose
The blog has two purposes. First and foremost, it is a discussion venue for information security topics that we discuss in class or that you encounter in the real world. More on that in a second. I will also use this blog to disseminate information about the course, including assignments, lecture notes and other materials.
Accessing the Blog
There are two ways you can access the blog:
Your participation in this blog is an important part of the course and will play a role in determining your grade. You'll need to create a Google account (if you don't already have one) to create or comment on blog posts.
Important note: any posts or comments you make on this blog will be readable by anyone on the Internet. This includes your roommates, significant other, future spouse, employers and the CIA. For this reason, I don't expect that you will use your real name on your postings. It's perfectly acceptable to post under a pseudonym (which you can set using the Display name option in your Google Account). Just send me an e-mail letting me know what pseudonym you've adopted so I can track your participation for grading purposes.
I expect that, during the course of the semester, you will make at least one contribution per week (excluding Fall Break and Thanksgiving week). Those contributions may either original blog posts or substantial comments on another student's blog post. Your participation grade will depend much more on the quality of your posts than the quantity of your posts. Here are some additional guidelines:
The goal of the security reviews is to help you develop a security mindset. To quote Bruce Schneier, "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems."
In your security review postings, I'd like you to choose a particular technology (it doesn't need to be high technology!) and write a detailed evaluation of the security features of that technology. Your evaluation should include:
A University of Washington course followed a similar process and came up with some good reviews. Please note that the professor for that course used a different format than I am requesting you use. Highlights included:
Current Events
Current Events postings are descriptions of a current event in the world of information security. These might be stories about security incidents that occur during the course of the semester, announcements of security vulnerabilities, or other interesting security news.
When you make a current events post, provide a link to the original article. Include in your post the following details:
Acknowledgments
This idea is not original. The concept of building a security mindset through class participation in a blog community, including the use of security reviews and current events discussions comes from Professor Tadayoshi Kohno of the University of Washington's Computer Science and Engineering Department. He used this concept in a Computer Security course at UW and Bruce Schneier wrote about it in a blog posting entitled The Security Mindset.
Blog Purpose
The blog has two purposes. First and foremost, it is a discussion venue for information security topics that we discuss in class or that you encounter in the real world. More on that in a second. I will also use this blog to disseminate information about the course, including assignments, lecture notes and other materials.
Accessing the Blog
There are two ways you can access the blog:
- Typing the blog URL (securitycourse.blogspot.com) into your web browser.
- Subscribing to the blog's RSS feed using a blog aggregator. I personally prefer Bloglines for this purpose, but there are many good alternatives.
Your participation in this blog is an important part of the course and will play a role in determining your grade. You'll need to create a Google account (if you don't already have one) to create or comment on blog posts.
Important note: any posts or comments you make on this blog will be readable by anyone on the Internet. This includes your roommates, significant other, future spouse, employers and the CIA. For this reason, I don't expect that you will use your real name on your postings. It's perfectly acceptable to post under a pseudonym (which you can set using the Display name option in your Google Account). Just send me an e-mail letting me know what pseudonym you've adopted so I can track your participation for grading purposes.
I expect that, during the course of the semester, you will make at least one contribution per week (excluding Fall Break and Thanksgiving week). Those contributions may either original blog posts or substantial comments on another student's blog post. Your participation grade will depend much more on the quality of your posts than the quantity of your posts. Here are some additional guidelines:
- At least one contribution every month should be a full blog post (either a security review or a current event). This means that you should make at least 4 full posts during the course of the semester.
- At least one of the posts you make during the semester should be a security review.
- At least one of the posts you make during the semester should be a current event. Please do not create multiple full posts about the same event -- that's what comments are for!
The blog posts and comments will be an important part of our classroom discussions. Therefore, I expect that you will read each other's posts and comments before coming to each class session. Please be prepared to continue the blog discussion in the classroom.
Security ReviewsThe goal of the security reviews is to help you develop a security mindset. To quote Bruce Schneier, "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems."
In your security review postings, I'd like you to choose a particular technology (it doesn't need to be high technology!) and write a detailed evaluation of the security features of that technology. Your evaluation should include:
- A short (5-10 sentence) description of the technology with references, as appropriate.
- Explain the security goals that you would have for the technology if you were the owner. Reference this in terms of confidentiality, integrity and availability. Include a description of the asset(s) in question.
- Explain the goals you would have if you were an attacker attempting to exploit the technology. Explain this in terms of disclosure, alteration and denial. Include a description of the threat(s) that may exist.
- Describe any vulnerabilities you might identify in the technology. Are there weaknesses that you can see that an attacker might exploit? Describe a potential attack.
- Discuss the risk that you perceive is inherent in this technology based upon the asset's value, the threats and the vulnerabilities.
- Make a recommendation to the owner of the system regarding the appropriate risk management strategy (or mix of strategies) they should pursue based upon your risk assessment. Recall that the possible risk management strategies are risk avoidance, risk acceptance, risk mitigation and risk transference.
A University of Washington course followed a similar process and came up with some good reviews. Please note that the professor for that course used a different format than I am requesting you use. Highlights included:
- Apple's Time Capsule
- Smart Pillboxes May Be Too Smart
- Social Engineering Your Way Into a Dorm Room
- GM OnStar
- QuietCare Independent Living System
- (un)-Safe Deposit Box Security Review
Current Events
Current Events postings are descriptions of a current event in the world of information security. These might be stories about security incidents that occur during the course of the semester, announcements of security vulnerabilities, or other interesting security news.
When you make a current events post, provide a link to the original article. Include in your post the following details:
- Brief summary of the event
- Thoughts on the actual or potential cause of the event (depending upon what information is available)
- Recommendations on how the affected individuals/organization should respond to the event. (e.g. in the case of a security breach, what should the company do? What should individuals affected by the breach do?)
- SearchSecurity.com (In the interests of full disclosure, I am a regular contributor to this website)
- Schneier on Security
- ComputerWorld Security News
Acknowledgments
This idea is not original. The concept of building a security mindset through class participation in a blog community, including the use of security reviews and current events discussions comes from Professor Tadayoshi Kohno of the University of Washington's Computer Science and Engineering Department. He used this concept in a Computer Security course at UW and Bruce Schneier wrote about it in a blog posting entitled The Security Mindset.
Subscribe to:
Posts (Atom)
Posts
