Security Class

Well straight to the point. Im(Teacher Assistant) helping a teacher to formulate a class in the fall and it will offer an introduction to computer and network security. I was asked by the teacher to do some reasearch and provide him with what i would feel is a good structure for the class. So far this is what i have:

- A simple introduction to what computer, network, information and internet security is about.
- Cryptography (Information)
- Anti software (computer)
- Updates and upgrades (Computer)
- Firewalls (Network, computer)
- IDS (Network)
- Authentication (Network)
- Web Security (internet)

I've been looking into security for a little while and i would appreciate any advice on the structure i should follow in my research and offer to the teacher. And if anyone has some more detailed advice about any of the sections please let me know.

Thanks

I would think about what happens when your network has been pentrated.

maybe do a little packet sniffing and let them see the TCP/IP process and how connection is created and closed. Knowing what is in a packet can give them a little more of an understanding on how hacking utilities work.

I would start out at the bottom of the OSI layer and work your way up.

example, start with ICMP and work your way up through IP, TCP, UDP and DNS.

Have them use a Kinnopix disk and run ethereal. Ethereal is pretty sweet, does all the decoding for you.

Definitely how important logging, documentation. policies, and procedures are.

All good answer! :)

I teach small module titled network and data communications, and I would say that practical aspects teach 100 times better than theory. I got them to install windump and try to capture each others passwords as they were popping(POP). Thay loved it. Stayed after class for about an hour or so looking at packets. Think in terms of practical assignments and using sniffing, and forensics tools. (sysinternals stuff, snort might be an overkill, but windump/tcpdump goes a long way).

Codercycle,

I teach pretty much all that you have listed (makes for a good intro course). You might want to split based on specific OS. That is, Unix Security and Windows Security as the attitude and reasoning is somewhat different to each eventhough the ultimate goal is the same. Never forget the CIA principle.

You also might want to look at the Wargames Tutorials I wrote. I use those in class and having students trying to defend as well as attack is interesting. For added twist, you can add some "elements" (DoSes, etc.) into the fray to see if they figure it out. I can show you an outline of an assignment I give my students to do for their wargames. (Remember, wargames is another way of saying... audit). :D

I'm assuming that since you say "in the fall" you mean a single semester class. The problem with that is that you are looking at a _huge_ subject and you are going to try to cram it all into what, 12 weeks, a couple of hours a week? If that is the case allow me to try to help.

If you try to cram all that stuff in during a course of that length you will end up with the students knowing/understanding very little and worse yet misunderstanding any or all of the basic concepts they need in the first place. Since you are looking at a restricted instructional period I would suggest a more generic view of computer security. I would suggest:-

1. Why is computer security important to a corporation?: Loss of profit, loss of reputation, loss of company secrets, damage to customers, potential for lawsuit.

2. Why is computer security important to a home user?: Theft of identity, loss of money, loss of privacy, loss of internet/email due to action by ISP, potential for lawsuit.

3. What are the biggest failings in computer security?: Improper implementation of services, lack of basic protections, (firewall, AV etc.), weak passwords, improperly implemented access controls, failure to promptly apply patches to known vulnerable systems.

4. How do systems get abused?: Badly written software, web pages containing passwords, easy to guess "hidden" files, buffer overflows not checked for etc.

5. How can a system be protected?: Run only essential services, Firewall the system and only allow communication to essential ports, run anti virus real time protection, lock the system down per the OS recommendations, monitor the system for changes, log the system access.

I hope I'm not repeating what someone else has already said in this thread...

Consider spending some time looking into the psychology of security.

The simplest example of this is those spoofed e-mails that appear to come from microsoft, e-bay, and others telling you that you need to update your personal information, install the "patch" attached to the message, or whatever. I am amazed at how many intelligent people fall for this -- intelligent people who KNOW not to open unexpected attachments. The reason they fall for it is that the person who created the e-mail knew how to push the right buttons. It is natural to panic when you see a legitimate looking e-mail telling you about your recent $500 purchase at amazon that you didn't make.

Another example of the psychology angle is when people call in and purport to be someone they aren't and either harass or sweet talk the callee into giving out crucial information that enables the attacker to get at what they want. Our help desk receives calls regularly where the caller claims to be someone they aren't to get a password or other information. At a bank I worked for many years ago, we would receive several calls a week from people claiming to have "forgotten" their PIN and wanted us to give them the PIN over the phone and the only information they had was the card number from the ATM card. That and they called the computer center for the PIN rather than the bank. Again, you may not fall for it, but you would be surprised at how many intelligent people will.

I don't care how good the tech side of your security is, if people at your org don't understand the human side of it, a moderately determined attacker, with the right type of people skills, can get through the technology.

--FZ

I would also think that anything dealing with the 10 domains of the CISSP. I guess it would also depend on why your students are taking the class, but that is just my two cents.