Loading...
Please wait, while we are loading the content...
Similar Documents
Adding Topics From Computer Security 101 To A Traditional Operating Systems Course
| Content Provider | Semantic Scholar |
|---|---|
| Author | Dreher, Felix |
| Copyright Year | 2004 |
| Abstract | The need to teach computer security topics has been emphasized in the press and in many curricula workshops. While we recently introduced an elective course in computer security, we could not guarantee that our computer science graduates would be exposed to a formal treatment of even the most basic computer security topics. This paper discusses how we added some fundamental computer security concepts and activities to our Operating Systems course. The Operating Systems course was selected since it is a core course and because Operating System textbooks typically cover material that lends itself to some basic, but fundamental computer security activities. We required our students to install and use two different operating systems during the first four weeks. We assigned activities involving these systems to introduce basic security topics early in the class, and we continued to inject security topics into most of the required exercises and reports. Background and History The Computer Science-Information Systems department, CSIS, was established in 1975 in the Kelce College of Business at Pittsburg State University. We have both a traditional BS degree in Computer Science and a BBA degree in Information Systems. We provide computer literacy courses, a Management Information Systems course for the BBA degree programs, and introductory programming classes for degrees in mathematics, the sciences, and the College of Technology engineering technology programs. The CSIS department progressed from a 'Mainframe' based, batch oriented instructional environment in the 1970's to a 'minicomputer' based, time-sharing instructional environment in the 1980's and then to a microcomputer based instructional environment using a college-wide computer lab for most courses. In the 1990's, almost all of the instructional activities moved to microcomputers running some version of Microsoft Windows operating systems. In 1998, a small, departmental lab using personal computers was created. This lab is maintained by two members of the CSIS faculty. The lab employs a Windows 2000 Server domain to provide a centralized file server and networked laser printer for students to use. It provides access to various software products required in upper-division classes. We use individual users accounts to limit access to the client workstations and the software in this lab to students taking upperdivision courses in our department. As one of the faculty responsible for maintaining this small, departmental network, we gained a new perspective on the role of security for computer systems. We realized that the background required to provide basic operational level support for a network is quite different from that required to write operating system code or do software development using a particular operating system. As we observed the placement of recent graduates, we began to see a trend that may well be duplicated in most parts of the country. As a regional institutional university, we attract many students from the immediate area and many of these students wish to remain in the area. During the past decade, our university employed several of our graduates as system administrators. Many local businesses and local governmental agencies have employed graduates as network administrators, systems programmers, end-user support personnel, and technical consultants. We have several graduates who started businesses in computer retailing, networking consulting, or Internet access and local Web Hosting as local ISP's. Students currently enrolled in our program often find positions in end-user support at the University or in local businesses. Other students serve as technical support staff for local telephone and Internet providers. Thus, it is becoming clear that our students are just as likely to be system administrators or technical support personnel as they are to be C++ , Java, or COBOL programmers. Because of this, we saw a need to cover some basic system administration topics and to insure that they get exposure to some very basic security related activities and procedures. One way to provide coverage of security topics is to teach one or more courses dealing with the area. Four members of CSIS faculty taught an introductory, elective course in Information Assurance and Computer Security during Fall 2003 using a team teaching approach. The course covered four areas: (1) An Overview and the Managerial Viewpoint of Security; (2) Network Security, Firewalls; (3) Encryption and it Role in Computer Security; and (4) Access Control, Host Security, and TCP/IP Overview. As the faculty member who covered the access control and host security area, we saw that we could easily blend some of these basic but very important topics into the traditional Operating System course. By doing this, we can better prepare all of our computer science majors to appreciate the critical issue of computer security and expand the coverage of computer security beyond a set of specialized, elective courses. Computer Security 101: Activities For Basic Computer Security While Trojan Horses, Viruses, Worms, Denial of Service Attacks, and similar network based security issues are widespread and widely publicized, many security concerns were present before the 'Internet' and 'e-commerce' became popular. Panko [1] notes that “the unauthorized access by insiders category is difficult to discuss because it represents a very broad spectrum of transgressions” and that “it is clear that unauthorized insider access to computer systems is fairly common and a credible threat.” Patrick Totty, who is a computer security consultant for Credit Unions [2], notes that “perhaps the most dangerous hackers are internal: employees who know the system so well that their intrusions and thefts are virtually undetectable.” Insiders can browse private records, disclose confidential information obtained from a computer system, and engage in many different types of financial fraud, the theft of trade secrets, and even sabotage. Common examples of sabotage include deleting files, destroying equipment, and crashing systems. External threats such as 'hacking' and 'denial-of-service' attacks use both a computer system and a network. The wide spread use of e-mail, web browsing, file transfers, e-commence, and web page servers places an increased emphasis on the design, implementation, and management of the security components for a networked computer system. There are many different sources for the various activities that can increase computer system's security. One can start with a computer security textbook such as Panko's [1], read readily available documentation for Microsoft and Linux systems for very detailed lists of concrete activities, or obtain material from professional societies, auditing firms, and regulatory agencies. The following list of activities is a good starting point. • Use strong passwords on all accounts. • Use access control to limit access to files and folders • Eliminate unneeded services and processes • Install Virus detectors, patches, fixes, and secure replacement for compromised services • Create and audit system logs • Harden network interfaces by installing firewalls, replacing compromised network services, limit resources available to root users and check for rootkits. Security In The Traditional Operating System Course The traditional coverage of security in an Operating Systems text will be near the end of the textbook, just before the case studies that have more recent material that can to be interleaved with the earlier core chapters. The Computing Curricula 2001 Computer Science model curriculum [3] lists security as an elective component of the Operating System course rather than as a core requirement. It gives the following learning objectives for a computer security component of an Operating System. “1. Defend the need for protection and security, and the role of ethical considerations in computer use. 2. Summarize the features and limitations of an operating system used to provide protection and security. 3. Compare and contrast current methods for implementing security 4. Compare and contrast the strengths and weaknesses of two or more currently popular operating systems with respect to security. 5. Compare and contrast the strengths and weaknesses of two or more currently popular operating systems with respect to recovery management.” We tried to address these five objectives through out the class. We also introduced a set of activities that could support two of the practical capabilities and skills deemed desirable for computer science graduates [3]. “Risk assessment. Identify any risks or safety aspects that may be involved in the operation of computing equipment within a given context. . Operation: Operate computing equipment and software systems effectively.” Panko [1] defines access control as “the policy-driven limitation of access to systems, data, and dialogs”. He listed the following steps that are required to provide for computer security. ” Determining what resources need to be controlled; determine a policy on access for each resource; identifying who should have access [and what type of access] to which resources; determining how the access control(s) to a particular resource will be implemented, and setting up procedures to insure that the access control policies have actually been implemented.” Many of the fundamental concepts related to the implementation of resource access control are covered in the chapter(s) on security in an operating systems course. The material related to risk assessment and the setting of policy and organizational procedures to insure security of systems are usually not covered. By using the exercises, reports, and text lectures as springboards, we try to provide some coverage of these less technical, but equally important areas. Reordering The Topics List For An Operating Systems Course One goal we added for our Operating System co |
| File Format | PDF HTM / HTML |
| Alternate Webpage(s) | http://www.micsymposium.org/mics_2004/Dreher.pdf |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |
