Information security education
K. SUBRAMANIAN
ADVANCED technologies/equipments/systems are rapidly penetrating the Indian market following the reform and liberalization policies being implemented as a priority by the present government. India has also seen the growth of better communication facilities and value added services as a part of the total information revolution in India. The impact of this technological revolution is far-reaching, forcing us to recognize information as a vital resource for management decision making in the country.
Just as safeguarding and protection of physical and financial assets of the industry/corporate sector/government played an important role during the industrial revolution, protection of information resources as assets will equally be a major concern during the coming decades. The availability of consistent, integrated and timely information for management decision making at various levels is vital to improve production technology in the manufacturing sector, and to produce quality products at an optimal cost to gain a competitive advantage in international trade.
Information protection assumes a different dimension compared to physical assets protection. Unfortunately, this area has so far been neglected in the country. Professional organizations like the Computer Society of India, Bureau of Indian Standards and Institution of Electrical and Electronics Engineers have organized seminars and debates to make managers, professionals and workers aware of the threats facing the information industry. On the one hand, we want information to be shared between various organizations, persons and countries and, on the other, need to protect sensitive and trade related information. Security is no longer a technology issue; it is considered to be a management issue. Depending upon the type and classification of information, protection measures are available at a cost. This requires a reclassification of information so that appropriate security measures can devised for protecting classified information.
W
hen the Bureau of Indian Standards was reorganized in 1988, there was a need to recognize information security as a crucial area in need of standardization and guidelines. Recognizing the need, the Bureau of Indian Standards set up a committee (LTD-38) to devise/adapt standards and issue guidelines for the information security practitioners. One such working group was to look into the area of security education and they strongly recommended introducing a curriculum at the masters’ level at the institutes of advance learning in this country. Consequently, the Computer Society of India set up Division-7 to look into data security and conduct various national programmes/workshops for security education and to evolve means to protect of information in various environments.The International Standards Organization (ISO) also recognized the need to create a separate working group to deal with this sensitive area of information protection and constituted a committee (ISO JTC-1 SC-27) to evolve standards and guidelines. Similarly, the International Federation for Information Processing (IFIP) set up a working group under Information Security (TC-11) and the working group on information security education (Working Group 11.8) has several committees working on various aspects promoting professionalism.
One such committee has collected information about courses available at universities, colleges and technical institutes in different parts of the world and the subcommittee chaired by Louise Yngrtrom of the Department of Computer Science at Stockholm University, which is engaged in developing an international master’s programme in information security. There is a proposal for a consortium of universities for standardizing the master’s degree programme which will be recognized internationally.
O
rganizations entrusted with securing information are being asked to share their knowledge to design a proper curriculum to be administered by a consortium of universities. It will ensure that a standard internationally recognized master’s degree programme in the area of information security is set up to produce information security administrators. This will hopefully fill the gap that exists in the information evolution scenario. The Department of Computer and Systems Science, Stockholm University and the Royal Institute of Technology and the Faculty for Information Technology, Queensland Institute of Technology, Australia will operate a full master’s degree programme on information security.The programme is in principle tailor-made to the requirements of each country. It provides two options for students who will branch into either the industry or to an academic programme for continuing research in the area. The programme, directed towards global information and security systems, will facilitate work in other specialized and related areas such as advanced cryptography, distributed systems, trusted systems, functional multimedia systems, fault tolerant and dependable system, etc. The initial programme is organized around three main specializations – security design, security management and security assessment/evaluation. It aims to provide understanding and professional skills for design, implementation, management, audit, assessment and evolution of global integrated security systems in a generalized open distributed environment.
T
he courses, seminars, tutorials, laboratory work, projects, thesis may include, but is not limited to the following topics: (a) organization, structure and operation of computer networks and distributed systems in an open environment; (b) modern applications in the computer networks and open distributed systems and associated security features (secure financial transactions, automated international trade systems, software licensing and distributed system, voting schemes etc.); (c) introduction to information and computer security principles (security algorithms, security mechanisms, security services and security protocol etc.); (d) design, implementation and application of global integrated security systems in large computer networks (national and global); (e) network security assessments: vulnerability and security analysis and evaluation and verification of security products, security protocol and security systems, recovery and reliability procedures etc.; (f) user aspects of information computer security (education and training): specific aspects of user-system interfaces, legal aspects, psychological aspects, privacy etc.; (g) organizational aspects: general systems management, security management, security audit and support for IT user organizations; and (h) international activities in the area of computer security (standardization, evaluation criteria, international security projects, organization of CIRTs, international aspects of security management).
A
fter considerable debate on the structure of this programme, it was decided to focus on (a) establishing a basis for harmonized modern educational programme in the area of information/computer security; (b) offering different areas of specialization and expertise; (c) facilitating integration into local requirements, especially in developing countries like India;and (d) designing advance level programmes leading to local research projects as well as regional area individual specialization.Overall, four specializations envisaged and planned for are: security design, security management and security assessment/evaluation. All students will devote half their time to a core programme consisting of four courses and the other half to the chosen specialization, including elective courses and thesis writing.
The course on Global Implications of IT Security will cover the social implications of the use of IT with special emphasis on security problems, demands and methods of coping: (i) systems and the environment vulnerability, threats, risks, possibilities, demands, visions and goals; (ii) individual and group perspectives, privacy ethics, culture, gender, knowledge, education, responsibility demands, values, religion, facts, fiction, theories and methods; (iii) organizational and societal perspectives: development, management values, work, progress, legal regulation; and (iv) the evolution and landscapes for the future: changing environments, evolving society, information technology era, etc.
The course on Operating Systems Security will provide an over-view of the principles of security in operating systems and review security in existing operating systems. This will also cover the methodology of designing and implementing correct programmes (quality as well as maintaining security in network software systems and applications against virus, Trojan horses, covert channels etc.). (i) Threats to operating systems and software security with no access, with physical access, with system access, with programming access, viruses, worms, Trojan horses, covert channels, etc. (ii) OS security implementation: authentications, access control, address translation, state switching, and network protocol security. (iii) Features and attributes of correct programmes: testing and evaluation methodologies, design principles and structures, operability, maintainability and modes of usage. (iv) Software protection: integrity, secure distribution of software, security maintenance and usage of special software distribution security schemes (licensing, copyright, IPR etc.)
T
he course on Security Architecture for Open Distributed Processing Systems will be an overview of available and desirable security mechanisms and services and approach to conceptual modelling, designing and integrated security systems in open distributed processing environment. The models covered are security mechanisms, security services for communication and security services for database and protection of procedures and security architecture in open distributed systems. (i) Security mechanisms: numerical mechanisms, authentication mechanisms, cryptographic (symmetric and asymmetric mechanisms, special mechanisms and protocol). (ii) Security services for users and communication: identification and authentication, bilateral authentication, group security services, security cooperation between mutually suspicious users, messages and communication security services. (iii) Security services for database and processes protection: This covers confidentiality and integrity of the records and segments in database, different access control schemes, dynamic protection schemes, prevention of inference, protection of data and database management systems. (iv) Security architecture in ODPS: It covers security agents, protocol, secures operational interfaces, security management centres, security servers, security protocol and applications and distributed SMIB segments.
S
ecurity in standardized networks and applications: Security network include X.25 (OSI) and TCP/IP networks; and this course gives a detailed overview of security features of these networks. (i) OSI/ISO security architecture: This covers ISO model of communications, OSI security mechanisms and services, security management functions, OSI security architecture. (ii) Security in standardized OSI systems and applications: FTAM security, EDIFACT security.Cryptographic algorithms, protocol and applications: This course gives an overview of basic principles of encryption and decrypting, its algorithms and protocol together with some indications of potential usage of cryptography for computer security. (i) Symmetric and asymmetric algorithms: DES, FEAL, RSA, El Garmal, trapdoor algorithms, elliptic curve algorithms, probabilistic encryption, quantum cryptographic design principles and analytical methods. (ii) Cryptographic protocol: It covers key exchange protocol, authentication protocol, and digital signature (message authentication) protocol. (iii) Advanced security mechanisms and protocol: This covers zero knowledge mechanisms, protocol for cooperation of suspicious users, distributed computation protocol. (iv) Non-traceable transactions: anonymous communications, untraceable payments system, digital pseudonyms.
The management aspect of security dealing with the general aspects of security management starting from ISO/OSI principles of managing national/global security systems up to most general management implications of security in large organizations. This also covers long-term and short-term business and other perspectives of the organizations. The course coverage includes systems planning, organizing, leading, controlling and adapting the internal and external changes affecting the organization. (i) Opportunities and threats, vulnerabilities and long-term and short-term strategies are outlined. (ii) An integrated model for security management proactive and reactive approaches. Predictable and unpredictable threats and opportunities and the structures and functions of integrated information security management systems.
T
he syllabus on Security in Distributed Systems covers: (i) Design methods of distributed data processing system and also details of systems decomposition, design of reusable modules and fault isolation and recovery procedures. (ii) The distributed data processing environments also demands a special care for systems management in the usage of domain as a set of managed objects to which common security management policy applies. Identification of boundaries of responsibilities and authorities of usage of domain for configuration management and in general security management at large. (iii) Security policies decide the type of accepted control systems and authentication mechanisms and also define access rights for specifications across the user and the target domains.
D
evelopment and usage of secure applications covers creating and using user interfaces, assistance to users, tools and methods for building systems and running secure networks applications for users and use point of view. The following thematics are covered under this programme:a) The user interfaces defining mandatory and permissive security features, dialogue oriented and interactive methods, user guidance and learning principles.
b) User oriented security architectures: This includes user oriented modules, monitoring, login recovery modules and user security policies and protocol.
c) Secure applications in a network environment including key management, protocol management, especially secure application management (financial transactions, sensitive database queries anonymous transactions etc.).
d) Special security applications and protocol: secure mail distribution is one of the essential types covered under the special security applications and protocol as mail traverses over the network. Secure electronic trading systems, secure medical information processing, financial information processing, jurisdictional and other security sensitive networks and secure electronic patents office management.
The course on Risk Analysis, Evaluation and Certification of Secure Products and Systems is expected to cover the genesis of the ‘orange book’ which defines ‘what to do’, ‘when to do’, and ‘how to do’ in case of emergencies. This term is borrowed from the defence sector and is essential for electronic information transfers and database access across the network which has to define the emergency handling procedures as a standard guideline for operations. The orange book concept is important even for computer communication and network management and databases access through distributed environments. This programme also covers the evaluation of information technology security evaluation criteria.
As far as India is concerned, the question of whether to accept US Department of Defence evaluation or European IT evaluation criteria is under debate. It is understood that India may follow the European security evaluation criteria which provides an in-depth classification of security systems. This necessitates defining risk analysis, risk evaluation methodologies, principles and models for risk evaluation and risk management. It is also designed to help certification and evaluation of information technology security evaluation methodologies in India. This course provides an overview of existing methodologies and the practice in vogue in various countries.
W
ith the development of information technology in the area of artificial intelligence and knowledge based systems, the complexities of security management pose an even greater challenge. Research work is going on in the area of security in applications of AI and expert systems. Another area where group communication is in vogue, security implications of group communication systems are being studied and will be finalized in a couple of years. Understanding information technology across national boundaries and its legal implications needs agreements with regard to transborder data flow and safeguarding intellectual property rights.Security analysis and security management of protection of this information in a global network, as well as protection of intellectual property rights, pose new challenges. The acceptance of electronic information transfer has necessitated the importance of fault tolerant dependable systems, and security guidelines for this are important despite the reliability of the systems. There is considerable importance given to totally reliable fault tolerant dependable systems. Another area demanding considerable work in India is the jurisdiction aspect of information security. There are many laws to be amended as well as new laws to be enacted to give legal protection for information technology applications to be accepted inthe day to day management decision making process and to provide evidence, to transact electronic fund transfer and to trade with EDI and to store and retrieve sensitive information in the electronic media.
This paper only outlines the general coverage of information security education curriculum for a developing country like India. It has to be refined to be adapted at the master’s level. Suggestions from experts are being sought on this proposal before formally submitting the recommendations to the government for introducing a master’s level programme in information security management. The need for information security administrators is recognized and we need to gain knowledge of auditing information based systems and to certify that systems function as per the specifications. This is the preliminary work done by the working group at the Bureau of Indian Standards, and the interaction we had with international experts who are working in the curriculum for information security education and certification programmes.
*
The author wishes to acknowledge Dr N. Seshagiri, the Late Special Secretary and Director General, National Informatics Centre, Ministry of Communications and Information Technology and CAG of India for giving encouragement to work in the area of information security and IT/IS audit and also represent India in the international forum; The Director General, Bureau of Indian Standards for giving support for constituting a committee in the area of information security to work out detailed guidelines and standards in this important area. The author wishes to acknowledge the support given by the vice-chancellor of IGNOU to launch MS and M. Tech programs in cyber security, and design curriculums with leading academia and industry segments in the area of cyber forensics technology and management courses in India.