

Information Assurance and Security

Information Assurance and Security at Polytechnic University of Puerto Rico

PUPR currently has a Master in Science in Computer Science with a specialization in Information Technology Management and Information Assurance in the Department of Electrical & Computer Engineering and Computer Science (ECECS). This program is the first and only of its kind in Puerto Rico. Graduate courses in IA include: Cryptography Protocol, Introduction to Information Security, Computer Security, CISSP Exam Prep, Network Security, Information Security Management, Database Security and Auditing, IT Auditing and Secure Operations, among others. PUPR also offers undergraduate courses on security such as: Computer Forensics, Ethical Hacking, Network Security, among others. We have offered more than 17 courses in the area of security at both undergraduate and graduate level.

There is a great demand for professionals that can bring solutions through collaboration, public awareness and the introduction of new methods of Information Assurance (IA) and cyber security. Information Assurance is an area that presents great challenges requiring solutions that can only be obtained by means of research and innovation, which leads to the introduction of new products and services.

The Center of Information Assurance for Research and Education in Puerto Rico (CIARE) provides a forum that can be used by faculty, students, and professionals from the public and private sectors. The Center is a vehicle for: training, research, invention, innovation, education, public awareness, entrepreneurship, economic development, and dissemination of best practices. The Center emphasizes the participation of underrepresented groups. We plan to develop joint research projects in computer security and data integrity, and to encourage the practice of emerging security standards with minority institutions.

Previous CAE/IAE Designation

In 2009 Polytechnic University of Puerto Rico (PUPR) was recognized as the first and only institution in Puerto Rico to be granted the special distinction from the National Security Agency (NSA) and Department of Homeland Security (DHS) as a Center of Academic Excellence in Information Assurance Education (CAE/IAE).

PUPR was one of the first 100 institutions to obtain this designation. With this designation as a CAE/IAE PUPR has obtained scholarships and fellowships that help outstanding students to pursue graduate studies in IA/CD, enabling them to work with the Federal Government or other federal institutions and agencies. The Institution is also constantly applying for Scholarships for Service (SFS) awards from the NSF; funds for faculty and student research; and many other benefits that are available for designated centers nationwide.

PUPR received recognition and an official certificate during the June 2009 CNSS Awards Ceremony, which was held at the 13th Colloquium for Information Systems Security Education (CISSE). This certificate, signed by the CNSS Chair, is valid through June 2014. The IACE Program provides consistency in training and education for the information assurance skills that are critical to our nation.

In the process of obtaining the CAE/IAE designation Polytechnic University of Puerto Rico also became the first academic institution in the Caribbean to be certified by the Committee on National Security Systems (CNSS).

The Information Assurance Courseware Evaluation (IACE) Program validated the Polytechnic University of Puerto Rico courseware as meeting all of the elements of the Committee on National Security Systems (CNSS) National Training Standards for:

Information Systems Security (INFOSEC) Professionals, NSTISSI No. 4011

System Administrators (SA), CNSSI No. 4013 Entry Level

As a result of CNSS certification:

  • PUPR was added to NSA’s list of referrals for students who seek training in the INFOSEC field.
  • Federal civilian and military personnel were permitted to take our certified courses under government sponsorship.
  • PUPR received recognition and a certificate during the CNSS Annual Conference (certificates were presented by the Assistant Secretary of Defense for Command, Control, Communications and Intelligence).
  • PUPR is authorized to issue certificates to students who complete its certified courses.
  • PUPR is permitted to use the CNSS logo on its certificates, literature, and advertising.

The New CAE IA/CD Designation

MISSION STATEMENT

Center for Information Assurance for Research and Education (CIARE) Polytechnic University of Puerto Rico

“The Center of Information Assurance for Research and Education (CIARE) of Puerto Rico in the Department of Electrical and Computer Engineering and Computer Science has the mission of promoting research, undergraduate and graduate education, and public outreach to benefit the Information Assurance and Cyber Defense (IA/CD) academic community and public in general, serving as a forum for students, faculty, and IA/CD professionals from different sectors of the economy. CIARE will help to produce more professionals with IA/CD expertise in various disciplines to secure and protect local and national information resources and cyberspace infrastructures.”

In particular, the goals of CIARE are:

  • “To reduce the vulnerability of our national information infrastructure by promoting higher education in information assurance (IA) and cyber defense (CD) with the development of graduate and undergraduate education programs for professionals in information assurance and cyber security.”
  • “To provide a forum that can be used by professors, professionals, industries and students to collaborate in the identification and solution of issues on IA and cyber security.”
  • “To be a vehicle for IA/CD training, research, invention, innovation, education, public awareness, entrepreneurship, economic development, and dissemination of best practices, among others.”
  • “To maintain collaboration programs with top universities nationwide and strengthen the existing and new industries and the overall economic development in the state of Puerto Rico by developing joint research projects between industry and academia in computer security, and encouraging the practice of emerging security standards within minority institutions.”

Polytechnic University of Puerto Rico (PUPR) gives notice of its intent to apply for designation as a Center of Academic Excellence in Information Assurance/Cyber Defense (IA/CD) Education.

PUPR is looking forward to re-designation of the CAE/IAE (2009) as the new CAE IA/CD 2014 designated by the DHS and the NSA. In 2009 we had the honor of being the first and only institution designated in Puerto Rico and the Caribbean, having a strategic position in the southeast of the United States. The Institution has excellent resources to support the initiative of increasing local Information Assurance and Cyber Security education and to develop outreach activities.

The efforts to fulfill and maintain the required criteria to be designated as a CAE IA/CD will be supported by the Director of the Center for Information Assurance for Research and Education (CIARE), Dr. Alfredo Cruz. He will network with the Graduate School and the ECECS Department (where he is Associate Director) to enhance the curriculum; develop courses, programs, and certificates that will strengthen IA and Cyber Security education at PUPR.

The Master of Science in Computer Science (MS CS) was the first CS graduate program in Puerto Rico. The program started in the fall of 2005. The MS CS has three specialization areas: 1) IT Management & Information Assurance; 2) Knowledge Discovery & Data Mining; 3) Computer Graphics & Game Technology. The Information Assurance specialization under this program offers courses such as Software Testing; Ethical Hacking; Law, Investigation & Ethics; Database Security and Auditing; Cryptography Protocol; Network Security; Computer Security; IT Auditing and Secure Operations; CISSP Exam prep; Introduction to Information Security; Contingency Planning; Computer Forensics; Management of Information Security; Advanced Computer Forensics; Data Mining and Web Mining; Homeland Security and Cyber Terrorism, E-Discovery and Digital Forensics Investigation, E-Commerce Security and Privacy; Reverse Engineering; Software Assurance, among others.

Dr. Cruz has strengthened the Information Assurance specialization in the Master in Computer Science program, and the Master in Computer Engineering, by offering excellent curricular alternatives that provide students the security skills and knowledge to react to real world situations in the workplace (Government and Industry).

  • In the last year additional courses have been added in IA and Security such as:
    • Special Topics: E-Discovery and Digital Investigation
    • Special Topics: Social Engineering and Social Media
    • Special Topics: Usability Testing and Security
  • Three new courses are planned to be offered this year:
    • Software Assurance
    • Reverse Engineering and Software Protection
    • Ethical Hacking
  • We have purchased more equipment for the Computer Forensics Investigation Laboratory (CFIL):
    • Eight Dell Precision T1650 Desktops
    • Encase Academic V7, Forensic NAS
  • We continue to attract and retain high-profile researchers in Computer Science and Engineering thus increasing the number and quality of Hispanic student and faculty participation by fostering the integration of research and education in IA.

Dr. Alfredo Cruz and Dr. Duffany have contributed significantly to the development of the Graduate Certificate in Information Assurance and Security (GCIAS) in 2009, and the development of the Graduate Certificate in Digital Forensics (GCDF) in 2012, which is currently seeking local accreditation by the Council of Education of Puerto Rico.

The GCIAS provides students and IT security professionals from private and public sectors with theoretical components and hands-on-practice in a curriculum that is specially designed to cover the managerial and technical aspects of Information Assurance and Security.

The GCDF will provide an in-depth introduction to key topics of digital forensics and provides a balanced teaching philosophy that contains both theory and hands-on practice. It is anticipated to attract people from local and national law enforcement agencies (and other public and private sectors) that need the background in this area to enhance their job skills and overall performance. The certificate is intended to provide exposure to current problems in a rapidly changing field and to encourage participants to experiment and learn firsthand innovative ideas and approaches.

We wish to obtain more opportunities for students in these areas of concern, helping them to continue graduate studies through grants offered by the DoD Information Assurance Scholarship Program (IASP), and the Federal Cyber Service Scholarship for Service (NSF SFS), among others. Dr. Cruz is actively submitting proposals for scholarships, fellowships, capacity building, and infrastructure to enhance the IA/CD programs.

Dr. Cruz will be the POC for Polytechnic University of Puerto Rico. He will work on the designation and assure that CIARE will be promoting the CAE IA/CD activities.

Academic Programs and Certificates in Information Assurance and Security

Since 2004 the Electrical & Computer Engineering and Computer Science (ECECS) Department and the Graduate School at Polytechnic University of Puerto Rico (PUPR) have developed curriculum for IA related courses for the Computer Science and Computer Engineering programs at PUPR, and for the Orlando Campus of the Polytechnic University of Las Americas, Florida, U.S.A.

In the Electrical and Computer Engineering and Computer Science (ECECS) Department, PUPR continues to strengthen the Information Assurance Specialization in the Master in Computer Science Program, and in the Master in Computer Engineering, by offering excellent curricular alternatives that provide students the security skills and knowledge to react to real world situations in the workplace (Government and Industry).

The Master in Science in Computer Science program in the ECECS Department currently has an enrollment of 55 students. This program is the first and only of its kind in Puerto Rico, and has a specialization in Information Technology Management and Information Assurance (ITMIA) that has 40 students.

The ITMIA specialization includes graduate courses in IA such as: Cryptography Protocol, Introduction to Information Security, Computer Security, CISSP Exam Prep, Network Security, Information Security Management, Database Security and Auditing, IT Auditing and Secure Operations, Homeland Security, Cyber terrorism, among others.

PUPR also offers undergraduate courses on security such as: Computer Forensics, Ethical Hacking, Network Security, and Reverse Engineering, among others. We offer more than 17 courses in the area of security at both undergraduate and graduate levels.

In the last year, additional courses have been added in IA and Security as Special Topics, such as: E-Discovery and Digital Investigation; Social Engineering and Social Media; Usability Testing and Security.

At least 7 new courses are planned to be offered in the next two years: Software Assurance; Reverse Engineering and Software Protection; Ethical Hacking; Homeland Security; History of U.S. Intelligence and National Security, Intelligence Analysis and Critical Thinking, Research Methods in Security and Intelligence Collection.

We have purchased more than $100,000.00 in equipment for the Computer Forensics Investigation Laboratory (CFIL): Eight Dell Precision T1650 Desktops; Encase Academic V7, Forensic NAS. PUPR is the only university in Puerto Rico and the Caribbean that hosts this equipment.

We continue to attract and retain high-profile researchers in Computer Science and Engineering thus increasing the number and quality of Hispanic student and faculty participation by fostering the integration of research and education in IA.

We also continue to strengthen the CAE IA/CD by creating the following two graduate certificates:

  • 1. The Graduate Certificate in Information Assurance and Security (GCIAS) provides students and IT security professionals from private and public sectors with theoretical components and hands-on-practice in a curriculum that is specially designed to cover the managerial and technical aspects of Information Assurance and Security. The certification is composed of 6 key courses (18 credits): Data Communication Networks; Computer Security; Principles of Information Security; Contingency Planning; IT Auditing and Secure Operations; Law, Investigation and Ethics. This Certificate has been approved by the Council of Education of Puerto Rico (CESPR). The GCIAS highlights the ITMIA specialization, delivering knowledge and skills to capacitate Computer Scientists and Engineers, as well as IT/IS professionals who are working in the development and/or maintenance of information and computer security systems or products. It prepares the student and professional with Information Assurance and Security skills that are already of great demand in today’s fast paced, high-tech, competitive work areas. The GCIAS can be completed while completing the ITMIA Specialization or as a stand-alone Certificate. Some graduate courses may require prerequisite courses.
  • 2. The Graduate Certificate in Digital Forensics (GCDF) is in the process of accreditation by the CESPR. We are expecting this accreditation at any moment during 2014. The GCDF will provide an in-depth introduction to key topics of digital forensics and provides a balanced teaching philosophy that contains both theory and hands-on practice. It is anticipated to attract people from local and national law enforcement agencies (and other public and private sectors) that need the background in this area to enhance their job skills and overall performance. The certificate is intended to provide exposure to current problems in a rapidly changing field and to encourage participants to experiment and learn firsthand innovative ideas and approaches. To complete the certificate program the student must take a total of 6 graduate courses of three (3) credits (18 credits): e-Discovery; Data Communication Networks; Computer Security; Network Security; Computer Forensics; Advanced Computer Forensics. Through this certificate, participants gain vital insight into obtaining and documenting digital information, determining the source of information compromises; and delivering expert testimony concerning digital crime related to data in computers, networks and hand-held devices. In addition, the program addresses recovery of corrupted, encrypted and hidden information, providing a comprehensive preparation for assisting in the prevention and prosecution of malicious information theft and other criminal activity. The GCDF provides a valuable intellectual asset for any IT professional interested in a demanding career in Computer Forensics and/or related fields of study.

Dr. Alfredo Cruz, Associate Director of the ECECS Department and Director of the Center for Information Assurance Research and Education (CIARE), recently attended a meeting in September 2013 in Charleston, South Carolina to establish a Cyber Security Proposal. This was in collaboration with HBCUs in South Carolina, the Space and Naval Warfare Systems Command (SPAWAR), Lawrence Livermore National Laboratories (LLNL), the Charleston County School District, and Polytechnic University of Puerto Rico, among others. The goal is to leverage the capabilities and skills of each institution to create and capitalize on education, research innovation, outreach and economic development opportunities. This experience is being used to develop collaboration efforts between these institutions to engage in outreach activities, workshops, seminars, conferences, colloquiums, and internships related to Information Assurance, Cyber Security, Intelligence, and Homeland Security.

Furthermore, the Electrical and Computer Engineering and Computer Science (ECECS) Department at PUPR is planning to develop four elective graduate courses on Intelligence and Homeland Security for the Computer Science and Computer Engineering Master Programs this year. These courses will lead to a Graduate Certificate in Intelligence and Homeland Security and to a Specialization in Intelligence and Homeland Security for graduate students in the Master in Science in Computer Science (MS CS). PUPR faculty that will be participating in capacity development activities will help to develop the four graduate courses and other individual modules in Intelligence and National Security to enhance current security curriculum.

The four courses will constitute an on-line Graduate Certificate in Intelligence and Homeland Security to be accredited by local accrediting agency Council of Education of Puerto Rico (CEPR).

Benefits of the CAE/IAE Designation

In 2009 Polytechnic University of Puerto Rico (PUPR) became the first Center of Academic Excellence in Information Assurance Education (CAE/IAE) in Puerto Rico and the Caribbean, designated by the National Security Agency (NSA) and Department of Homeland Security (DHS).

PUPR is in a strategic position in the Caribbean where there is no designated institution close by. The Institution also has excellent resources to support the initiatives of increasing National Defense, as our highly skilled faculty and students are mostly bilingual American citizens.

All this is favorable for PUPR’s 2014 re-designation as a National Center of Academic Excellence in Information Assurance/Cyber Defense (CAE IA/CD).

Institutions that are successful at completing the required Knowledge Units, Focus Areas, and Criteria will be designated as a National Center of Academic Excellence in Information Assurance/Cyber Defense (CAE IA/CD) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Future criteria (including Knowledge Units and Focus Areas, as specified by the DHS and the NSA) will continue to be reviewed annually and strengthened as appropriate to keep pace with the evolving nature of IA/CD.

While working our way towards the CAE IA/CD designation we have:

  • Successfully established the Center of Information Assurance for Research and Education (CIARE) in the PUPR, Hato Rey campus, for research & education development in Information Assurance and Security, and Cyber Security. The Center has been the vehicle for developing/participating in many IA/CD activities, conferences, and workshops in recent years.
  • Increased collaboration opportunities between designated Centers of Excellence (COE’s) and aspiring institutions at local and national levels. This includes collaborative proposals, internships, faculty and student exchange, research, and publications, among other activities.
  • Continued our efforts at CIARE to support IA/CD research, education, and faculty capacity building through proposals to local and federal government funding for scholarships, fellowships, annual colloquiums, seminars, workshops, and capacity building activities.
  • Continued to utilize our high-tech equipment (such as our PC Clusters) to enhance IA education. These clusters help us work on security problems and applications, such as cryptanalysis. These powerful machines can speed up solutions that are otherwise prohibitive in uni-processor systems.
  • Enhanced the IA/CD infrastructure by purchasing equipment and establishing a Cyber Digital Forensics Investigation Laboratory (CDFIL).
  • Submitted infrastructure grants to continue enhancing the hands-on educational experience of great professional value in the IA discipline.
  • Supported students studying in the area of Information Assurance, helping them to continue graduate studies through grants offered by the DoD HBCU (Historically Black Colleges and Universities) and the Nuclear Regulatory Commission (NRC).

We are looking forward to being recognized as the first institution in Puerto Rico to be designated as a CAE IA/CD institution designated by the NSA and the DHS.

With this designation as a CAE IA/CD PUPR can compete and benefit from proposal calls (RFP) that are specifically for designated CAE/IAE institutions. These proposals offer millions of dollars from the DoD, NSF, NSA and DHS, among others, for research and infrastructure. The Institution can obtain scholarships from granting institutions such as the DoD IA Scholarship Program (IASP) and the NSF Scholarship for Service (SFS), DoD HBCU (Historically Black Colleges and Universities), and others, that help outstanding students pursue graduate studies in IA/CD also enabling them to work with the Federal Government or other federal institutions and agencies.

Center of Information Assurance for Research and Education in Puerto Rico (CIARE)

The CIARE research center provides a forum that can be used by faculty, students, and IA/CD professionals from the public and private sectors. This collaboration helps to identify the issues on IA and cyber security that need to be solved. The Center is a vehicle for: training, research, invention, innovation, education, public awareness, entrepreneurship, economic development, and dissemination of best practices.

The CIARE centers its efforts on the following activities:

  • Offer technical certification, training, workshops, conferences, lectures, as a continuing education to professionals. Each year there is special IA/CD training and awareness for teachers and high school students.
  • Strengthen the Master in Science in Computer Science with a specialization in IA through faculty capacity building and curriculum enhancement.
  • Collaborate on research with the public and private sectors, including individuals.
  • Attract and retain outstanding PhD faculty/researchers for the MS CS program.
  • Provide consulting services.
  • Participate in joint development partnerships.
  • Promote best practices in IA & cyber security.
  • The Center emphasizes the participation of underrepresented groups. We continue to expand our collaboration with the four-year colleges in Puerto Rico and sponsor some of their best senior students to participate in the IA research projects.
  • We encourage graduate and undergraduate participation in IA/CD activities and also develop outreach programs for high-school students and teachers. Part of this outreach program will be making university short courses in IA available to high schools and allowing teachers to attend workshops in IA.

Information Assurance Awareness (Policies and Best Practices)

Security awareness efforts have the purpose of changing behavior and/or reinforcing good security policies. NIST SP 800-16 defines security awareness as a means to “focus the employees’ attention on security”, not actually the process of training employees on security. It explains that “awareness presentations allow individuals to recognize IT security concerns and respond accordingly.” Establishing proper security awareness services and providing employees with presentations and other awareness material can reduce the incidence of accidental (or deliberate) security breaches and helps to create security awareness among employees, making them accountable for violations. Awareness programs are designed to modify employee behavior in a short time frame. These materials and services give employees immediate insight into security controls and measures that cover the basics. They mostly promote how to handle information, use applications and operate within an organization. The idea is to make employees aware of policy penalties for failure to comply, and to provide mechanisms for discovering and uncovering policy violations. The availability of posters, presentations, pamphlets, videos, Internet and/or intranet, e-mails, and other publicity means such as establishing an “awareness day” helps promote security awareness on campus for computer and non-computer users and all categories of employees. The following resources are provided free of charge:

(On-line tutorials)- The following IA tutorials are provided for students and faculty at the NIH Website at the following link: http://irtsectraining.nih.gov/public.aspx

Some of the tutorials available are:
Entire Computer Security Awareness Course.
Securing Remote Computers.
Privacy Awareness Course.

(Security Tools)- The following links provide free security tools and information:

Microsoft provides security tools and bulletins at their Microsoft TechNet: Security TechCenter at:

http://technet.microsoft.com/en-us/security/cc297183.aspx#EUD

Students in the IA Lab have access to McAfee Threat Center. This site provides valuable information and security tools to inform students about new threats, viruses, and security tools: http://vil.nai.com/vil/default.aspx

About.com Internet/Network Security is a site that helps students who are new to computing, or at least new to computer security, to understand the threats and how to protect their computers. It helps them understand the fundamentals that they need to know in order to secure and protect data. There are different sections containing security tools, newsletters, forums, and a collection of tips, how-to’s and other advice to help understand the basics of computer and network security, and wireless security. Site includes: Security 101, Wireless Security, Basic Security, Web Browser Security, Email and Phishing Security, Pop-Ups and Spyware, Virus and Malware Security, Advanced Security, Information Resources, Tools & Utilities, Product and Book Reviews, Security Bulletins, and more: http://netsecurity.about.com/

(Guidelines to best practices)- The following links lead to sites that provide information on security issues to encourage IA awareness:

National Institute of Standards and Technology was founded in 1901. NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. http://nist.gov.

The NIST Computer Security Division provides guidelines and policies for IA awareness. The site can be accessed at: http://csrc.nist.gov/index.html.

Guidelines for building an information technology security awareness and training program can be found at: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.

Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware. http://www.virusbtn.com/index

NIATEC is a consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance. As the federally designated cornerstone for essential education and training components of a strong Information Assurance initiative, the mission is to establish an effective Information Assurance infrastructure for academic, industry and government organizations. http://niatec.info/ViewPage.aspx?id=0

(Incident Response Plan for Virus Attacks)- General Recommendations

The symptoms to determine if a virus infection has occurred:

  • The programs on the system start to load slowly or slower than usual. This happens because the virus is spreading to other files in your system.
  • Unusual files appear on the hard drive or files start to disappear from the system. Many viruses delete key files in the system to render it inoperable.
  • Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs in the disk.
  • The browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screen or menus may change.
  • The system mysteriously shuts itself down or starts up, and does a great deal of unanticipated disk activity.
  • Access is mysteriously lost to disk drives or other system resources. The virus has changed the settings of a device to make it unusable.
  • The system suddenly reboots or gives unexpected error messages during startup.

After the Virus Attack:

If the antivirus software has detected the attack:

Delete the virus or quarantine the file that carries it. Record any message. Update virus software as soon as possible.

If the computer is behaving strangely and you suspect a virus has not been detected:

  • Back up files to removable media.
  • Turn the computer off by pulling the plug.
  • Completely reformat drives and reinstall the operating systems and applications.

After reinstalling operating systems and applications install new antivirus software, download recent antivirus files, and scan the entire system.

After the scan is completed, reinstall data files and scan the system again for the actual viruses.

This process should eliminate all viruses from the system, application, and data files.

Before the Attack:

  • The best method of protection is to use a layered approach. Antivirus software should be at the desktop. The second method of preventing viruses is education. Do not open suspicious files and open only those files that are reasonably sure to be virus free. Scan every removable media, disk, e-mail and documents received before you open them.
  • Virus scanners – search hard disks for viruses, and detect and remove any viruses that might be in the computer.
  • Virus protection – It is necessary to update the virus software on a regular basis, possibly every day. New virus threats are recorded daily and new profiles should be added to the virus list.

(Data Classification)

Confidential Data

Confidential data is information that is not to be publicly disclosed. The disclosure, use, or destruction of confidential information can have adverse effects, and possibly carry significant civil, fiscal, or criminal liability. This designation is used for highly sensitive information whose access is restricted to selected authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid need to know about the information. Confidential information must not be copied without authorization from the identified owner.

  • Documents used at a strategic level are usually confidential in their initial stages.
  • Trade secrets or intellectual property such as research activities.
  • HIPAA records.
  • Financial account information which by contract or agreement has committed to ensuring confidentiality.
  • Legal investigations conducted by institutions.
  • Employee screening information.

Confidential data can be organized into three categories:

  • Data whose unauthorized release could cause personal, institutional, or financial loss, or a violation of a statute, act or law.
  • Proprietary data whose disclosure can cause significant harm to reputation.
  • Data whose unauthorized release would constitute a violation of confidentiality agreed to as a condition of possessing, producing or transmitting it.

Sensitive Data

Sensitive data is information generally used internally or with an authorized partner. Its unauthorized release would not result in any business, financial, or legal loss but could negatively impact the privacy of individuals named or the integrity or reputation of the company. Some examples of sensitive data are:

  • Research data not considered confidential.
  • Marketing data.
  • Employee Directory information that has been suppressed.
  • Customer data.
  • Proprietary financial, budgetary, or personal information not explicitly approved by authorized parties for public release.
  • E-mails and other communications regarding internal matters which have not been specifically approved for public release.

Public Data

Public data is defined as any information that can be accessed by any external or internal entity. Examples of public data are:

  • Promotional material.
  • Brochures.
  • Company vision, mission and values.
  • Directories.
  • Contact information.

Conferences and Workshops

Information Assurance and Security conferences and workshops are delivered by both internal and external faculty, and resources from local and national industry and government. One or two activities yearly highlight the IA/CD extra-curricular activities and help students maintain a close relationship with local and national IA resources in all sectors.

Experienced faculty at the ECECS Department and the Graduate School have a proven track record planning IA/CD activities, workshops, and seminars, providing faculty and students with access to IA practitioners and IA awareness as early as 2003. These conferences by IA professionals for PUPR students and faculty have been held to create awareness even before CAE/IAE designation. Guest lecturers working in IA and security in industry or government will continue to be invited to participate in these workshops and conferences. Students and faculty from PUPR and other universities attend these activities, which are held every year. The following events demonstrate that there is a current active participation of PUPR students in IA related academic endeavors. Some of the most recent Information Assurance and Security extracurricular activities that have been performed at the ECECS Department have been:

Recent PUPR hosted activities related to IA/CD:

Cybersecurity 2013 Conference – On April 19, 2013 the Polytechnic University of Puerto Rico held its first “CyberSecurity Cloud and Social Networking Forum” at the campus theater. The event gathered close to 400 students and professionals from the Financial, Insurance and Government sector. Ten conferences were offered to participants, making it a complete success. The “Cyber Security 2013: Cloud and Social Networking Forum” was a total success thanks to the commitment and active participation of committee members, and the support of the DoD and the PUPR Administration Office. Based on feedback from participants, we conclude that for a future event or forum, a higher response and attendance can be expected.

San Juan International Congress of Information Security – Held in March of 2008, 2009, 2010, 2011, 2012, 2013, and 2014. PUPR co-sponsors this international conference where more than 400 persons from different sectors such as academia, industries, and local and federal agencies are present every year. Faculty and students from PUPR present topics in IA and Security in these activities.

FBI Outreach San Juan Counterintelligence Strategic Partnership Program. Date: August 29, 2011. Jessica Engler, Coordinator for the FBI’s San Juan Counterintelligence Strategic Partnership Program, provided information regarding two of the FBI’s outreach programs: The Counterintelligence Strategic Partnership Program and Cyber Infragard Program.

Inauguration of the Computer Forensics Investigation Laboratory (CFIL). Date: March, 2010. PUPR inaugurated the CFIL in presence of more than 400 persons, with coverage from local TV channels. Federal and local agencies such as the FBI, Secret Service, ICE, local Police; and administration, faculty, and students from PUPR and other institutions were all present. Dickie George, advisor to the Director of the NSA inaugurated the lab.

Recent off-campus extracurricular activities where PUPR faculty and students participate almost every year:

TAPIA 2013 and 2014 Conferences – The goal of the Tapia Conference is to bring together more than 1,000 undergraduate and graduate students, faculty, researchers, and professionals in computing from all backgrounds and ethnicities. Dr. Cruz delivered a talk on cryptography for participants from top universities such as Berkeley and Stanford. Five graduate students and one undergraduate student from PUPR participated in the code-a-thon in cryptography. Three of the PUPR students (Lyan Lugo, undergraduate; Diana Darabi and Fabian del Valle, graduate students) were on the winning team in the competition. Two of our students, Diana Darabi, and Eduardo Melendez, have attended this conference. Eduardo Melendez also presented a Workshop in Cryptography and Steganography with Dr. Cruz and Dr. Duffany.

12th Annual Security Conference. Date: April, 2013. The 12th Annual Security Conference was held in Las Vegas, Nevada in April, 2013. The Security and Privacy conference is an event in the security, assurance and privacy arena. It facilitates discussions and builds a community of interest. Graduate student Eduardo Melendez presented a paper, “From Random Embedding Techniques Using Inherited Image Point Adjacent Shade Values to Entropy Using Block Embedding Probabilities”; Dr. Jeffrey Duffany presented a review conference paper titled “Information Assurance in Emergency and Vehicular MANETs”.

Information Security Workshop. Date: June 2008. The information security workshop was a one-day activity offered at PUPR in June 2008 that was given to high school students to introduce them to the world of information security. The workshop covered an introduction to Internet laws such as copyright protection and criminal statutes that pertain to computer crimes. Additional material informed students of the necessary security precautions when connecting to wireless networks. Additional talks were given to highlight risks to privacy from dissemination of information in social networks, along with a presentation by the FBI Cyber Crime Division Director Agent Luis Rivera. Finally, the students were exposed to different possibilities within the information security profession. A total of 20 high school senior students attended this activity.

Close of the ATUL Activity. Date: July 2008. The activity hosted by the Polytechnic ATUL was a one-day activity geared towards new students entering the Polytechnic University. The activity was focused on providing new students with information on computer security. The program featured talks about Internet law and what is acceptable behavior for students in the information technology world. Additional talks were given to highlight risks to privacy from dissemination of information in social networks, along with a presentation by the FBI Cyber Crime Division Director Luis Rivera. More than 180 new incoming students from different disciplines attended this activity.

Security Awareness. Date: December 13, 2008. The activity was hosted by Polytechnic. The seminar was given as part of the annual “Awareness Day” activities. The main speaker was Mr. Jose Arroyo, President and founder of the company “Talk to an IT”. Students that attended were mostly from the Computer Science and Computer Engineering programs.

Information Assurance and Security Incorporated in Non-Technical Disciplines

In the Business School a series of courses provide IA topics as modules to non-IA students from non-technical disciplines:

The MBA provides courses on:

CIS 6715 E-commerce and Web information systems

Enterprises thrive on receiving, creating and disseminating information. The Internet has emerged as the dominant server for academic organizations and network hosts. This course will study the structure, organization, and use of the Internet. Internet technologies and their potential applications are examined including electronic commerce, database connectivity, and security. An emphasis will be placed on evaluating, organizing, and developing efficient models of electronic transactions.

CIS 6713 Internet Marketing

This course is intended to introduce students to the marketing aspects of the Internet. The student will learn traditional and online marketing strategies, as well as the analysis of Internet business situations in which duties, ethics, and laws are put to the test.

The BBA provides courses on:

ISYS 3510 Management Information Systems

This course is an introduction to the concepts of management information systems. Emphasis is on the management of system design (service and manufacturing environment will be of special interest). The course analyzes the organization in terms of its structure and information requirements. It identifies major subsystems of the organization such as requirements planning, production function, personnel function, marketing, finance, and other applications.

It includes the discussion of the ethical and legal implications of using information technology, and covers other IA topics such as information security and control, and the ethical and social impact of information systems.

ISYS 3590 Electronic Commerce

This course emphasizes techniques to plan and design a platform-independent commerce Web site. Content focuses on web business strategies and the necessary hardware and software tools for Internet commerce, including: comparison and selection of e-commerce architecture; installation and configuration; security considerations, and planning of a complete business-to-consumer and business-to-business site.

The course shows students how to develop an E-business security plan that includes electronic payment and e-commerce security.

ISYS 4520 Computer Security & Audit

This course is an introduction to EDP auditing, with emphasis on audit, effectiveness, control, and security. Other topics include audit techniques and their effect on information system development. It covers an examination of security measures as they apply to protecting information over communication lines and various preventive techniques.

Thesis, Publications & Research Papers/Projects

Thesis and Projects in Information Assurance

 

The following projects have been developed in the last five years:

  • “The Role of Policies and Authentication in the Electronics Banking Fraud” by Arlene Perez, 2008
  • “Database Security Project: SQL Injection” by Raquel Forester, Jeniffer Sanchez, and Eddalis Batista, 2008
  • “Encryption in Database Systems: Demonstration Using a Medical Insurance Database” by Jose Medina, Jose Pagan, and Osvaldo Fraticelli, 2008
  • “Electronic Voting System” by Raquel Bonilla, Milton Morales, and Jorge Salgado, 2008
  • “Object-Oriented Database Security” by Jan Flores, 2008
  • “Moving ARBIMON’S Information Systems to Cloud-Computing: Organizational Plan and Security Measures” by Hector R. Rodriguez, 2009
  • “Finding Patterns of Terrorist Groups in Iraq: A Knowledge Discovery Analysis” by Steven Nieves, 2009
  • “Development of a U-Site for Creating Categories and Topics for a Search Engine”, by Jonathan A. Martínez Vázquez, 2009
  • “Review and Enhancement of a U-Site for Creating Categories and Topics for a Search Engine” by Angel I. Valentín Bruno, 2009
  • “An Overview of Digital Forensics Tools” by Waldemar Blakely, 2010
  • “Improving the Classification of Terrorist Attacks by Perpetrator in Iraq: A Study on Data Preprocessing for Mining the Global Terrorist Database (GTD)” by Jose Pagan, May 2010
  • “Information Prioritizing: Ranking Transactions to Detect Anomalies” by Jan Flores Guzmán, October, 2010
  • “Biometría en Récord Médico Electrónico” (Biometry in Electronic Medical Record) by Brendaliz Román Cardona, 2011
  • “Crimen Cibernético: Realidad Digital en el área Bancaria de Puerto Rico” (Cybernetic Crime: Digital Reality in the Banking Industry of Puerto Rico) by Gerán Vicil Anaya, 2011
  • “Response Time Minimization of a Business Continuity Plan Implementation by Means of an Android Mobile Phone Application” by Jehú Torres, 2011
  • “Wireless Local Area Networks: Standards, Threats and Vulnerabilities, Intrusion Detection and Response” by Angel L. García, 2011
  • “Computer Forensic Laboratory Design for the Polytechnic University of Puerto Rico” by Carlos J. González Acevedo 2012
  • “Computer Forensics Tutorial: Disk File Systems (FAT16, FAT32, NTFS)” by José M. Rodríguez Justiniano 2012
  • “Security Issues Present in Cloud Computing” by Paulino Santos, 2012
  • “What Kinds of Various Wireless Attacks Can Occur in Mobile and Wireless-Driven Devices?” by Manuel Sanabria Andrade, 2012
  • “Evaluation of Different Steganalysis Methods” by Jesús Vélez, 2012
  • “A Study on Wireless Attacks and its Tools”, José Flores, September 2012
  • “Multithreading & Sequence Validation Algorithm Solving Cryptarithmetic Problems” by Orlando Diaz, June 2012
  • “A Forensic Memory Image Acquisition Protocol Based on Windows Memory Analysis” by José R de la Cruz, 2012
  • “Introduction to Forensics and the use of the Helix free Forensic Tool” by Michele Maldonado, 2012
  • “An Overview to BackTrack Penetration Tools” by Keiny Grau Ortiz, 2012
  • “Tutorials of how to use Metasploit, Nessus and Nmap” by Obed Adames Mendez, 2012
  • “Hacking Facebook Privacy and Security” by Omar Galban, March 2012
  • “Introduction to Forensics and the use of the Helix free Forensic Tool” by Michelle Maldonado, June 2012
  • “Steganography and Steganalysis in Digital Images”, Marcus D. Cruz Velez, 2012
  • “Detection of Music Piracy Using Audio Fingerprinting that Robust Against Pitch Scaling” by Yesenia Diaz, 2013
  • “Implementing DNSSEC under the .pr ccTLD” by Luis Alberto Medina, 2013
  • “Social Mining Harvester, using Twitter” by Alberto Jové, 2013
  • “Static and Dynamic Analysis of Android Mobile Malware” by Patricia Becerra, 2013
  • “Data Mining Terroristic Events” by Jose Pou (in progress).

The following Master Thesis work has been developed in the last five years:

  • “Combining Phones, Syllable and Phonological Features in Speech recognition using Neural Networks” by Arturo Geigel. December, 2008
  • “Data Mining Clustering Hybrids: Genetic Algorithm Applied to K-means and Fuzzy C-means” by Julio Cesar Olaya, May, 2008
  • “Periphery Phonemes as Discriminate Features in Speaker Recognition” by Luis Vega, October, 2009
  • “Extending the Linux Firewall for High Performance” by Victor Jimenez, 2009
  • “A Web-Based Courseware for the Learning of Database Security” by Luis Janiel Maldonado, May 2010
  • “A Methodology for Accessing and Securing an Infrastructure from SQL Injection” by Juan Moreno, May 2011
  • “P2P Botnet’s Life Cycle Identification Based on the Optimal Set of Detection & Tracking Tools” by Jose Matos, May 2011
  • “Data Mining Social Media Networks for Terrorist Events Indicators” by Nathaniel Gonzalez June 2012
  • “Development of a Curriculum Model For a Master Degree in Information Assurance and Designation as a National Center of Academic Excellence in Information Assurance and Education (CAE/IAE)” by Sandra Bonilla, June 2012
  • “Case Studies for the Feasibility of a MANET in Different Scenarios Using NS-3” by Oscar Perez Cruz, May 2013
  • “Digital Forensics: Data Carving” by Fabian del Valle, May 2014
  • “Cloud Computing Security and Privacy” by Celedonio Arroyo (ongoing research)
  • “Genetic Algorithms for Cryptoanalysis of the Vigenere Cipher” by Jose Nieves (ongoing research)
  • “Apache’s Input and Output Process: Empirical Analysis on Writev and Sendfile Functions” by David Rivera (ongoing research)
  • “Solid State Hard Drive Performance and Risks From the Security Standpoint” by Samuel Bonilla (ongoing research)
  • “Wireless Security” by Diana Darabi, (in progress)
  • “Steganalysis Detection Using Entropy” by Eduardo Melendez (ongoing research).

 

Important Peer Reviewed Papers Published in the Last Three Years:

Jeffrey Duffany: “Information Assurance in Emergency and Vehicular MANETs”, 12th Annual Security Conference, Las Vegas, Nevada, April, 2013.

Dr. Aury M. Curbelo, Dr. Alfredo Cruz: “Faculty Attitudes Toward Teaching Ethical Hacking to Computer and Information Systems Undergraduate Students”, 11th Latin American and Caribbean Conference for Engineering and Technology. August, 2013

Jose J. Flores, Dr. Alfredo Cruz: “A Study in Wireless Attacks and its Tools”, 11th Latin American and Caribbean Conference for Engineering and Technology, August, 2013.

Alfredo Cruz, Dr. Jeff Duffany: “Lessons Learned in the Development of a Graduate Certificate in Information Assurance and Security (GCIAS)”, 11th Latin American and Caribbean Conference for Engineering and Technology, August, 2013.

Jeffrey Duffany, and Alfredo Cruz, “Information Assurance in Mobile Ad Hoc Networks” Hawaii International Conference on System Sciences, Hawaii, January 7-10, 2013.

Duffany, Jeffrey “Cloud Computing: Security and Privacy” LACCEI 2012, Panama, SA, July 23-27, 2012.

Jeffrey Duffany, Alfredo Cruz, “Design of a Computer Security Teaching and Research Laboratory”, Submitted for presentation, SIGCSE 2012. Raleigh, North Carolina, February 29-March 3, 2012.

Alfredo Cruz, Sandra Bonilla “Creating a Common Body of Knowledge (CBK) for Information Assurance and Security Academic Programs and Certificates”, 3rd International Conference on Education, Training and Informatics: ICETI 2012. Orlando Florida, March 25-28, 2012.

Alfredo Cruz, Jeff Duffany, “Development of a Graduate Certificate Program in Computer Forensics” LACCEI 2012, Panama, SA, July 23-27.

Alfredo Cruz, Sandra Bonilla, “Experience Learned in obtaining the CNSS IA Course Certification and the CAE/IAE designation at Polytechnic University of Puerto Rico” LACCEI 2012, Panama, SA, July 23-27, 2012.

Alfredo Cruz, Jan Flores, “Information Prioritizing: Ranking Transactions to Detect Anomalies”, LACCEI-2011, Colombia, SA, August, 2011.

Alfredo Cruz, Steven Nieves “Finding Patterns of Terrorist Groups in Iraq: A knowledge Discovery Analysis”, LACCEI-2011, Colombia, SA, August, 2011.

Oscar Pérez, Alfredo Cruz, “Evolutionary SAT Solver (ESS)”, LACCEI-2011, Colombia, SA, August, 2011.

Information Assurance Laboratories

Facilities, Equipment, and Other Resources

PUPR has modern equipment for research and education in IA. Facilities currently available to IA students at the ECECS Department include six laboratories. These laboratories have been established in the last four years with grants from the DoD, NSF, and the Puerto Rico Industrial Development Company (PRIDCO). Some are used for classroom activities and others for graduate research and studying. The basic goal of these laboratories is to support IA research and education in computer science and engineering. These laboratories also support research in other basic sciences requiring sophisticated computing facilities as part of PUPR’s goal to provide IA students and faculty with state-of-the-art infrastructure for their academic endeavors in research and education. All of these resources are key components for the CDFIL as they will be used to interact with the proposed equipment in the realization of the activities. They will also provide participating faculty and students with the necessary infrastructure to successfully complete the proposed research projects.

The established laboratories are:

  • 1. The Data Communication Laboratory and Advanced Network Laboratory
  • 2. The High Performance Computing Laboratory (HPC) that includes three PC Clusters and an Altix 350 Supercomputer.
  • 3. The Windows to the Caribbean Laboratory.
  • 4. The Turing Laboratory for Graduate Studies.
  • 5. Information Assurance Wireless Laboratory (IAW Lab)
  • 6. The Cyber Digital Forensics Investigation Laboratory (CDFIL). The lab was inaugurated by Mr. Dickie George from the NSA on March 10, 2010. PUPR was also recently approved for a grant of $100,000.00 from the NSA to improve the Forensics Laboratory.

The basic goal of these laboratories is to support research and education in computer science and engineering. These laboratories also support research in other basic sciences requiring sophisticated computing facilities. PUPR owns valuable High Performance Computing (HPC) equipment such as the 2 Beowulf Clusters of 64 processors each, and the Altix 350 supercomputer of four processors. A third PC Cluster with 256 processors sponsored by a grant from the NSF was installed in the HPC Laboratory in December 2007. A very important laboratory is the Information Assurance Wireless Laboratory (IAW Lab) sponsored by a DoD grant of $196,800 in 2007.

Our computer laboratories are described below:

  • 1. Data Communications and Advanced Network Laboratories: NSF funding has been previously provided to establish a network laboratory consisting of 20 PCs and two servers. Additionally, various equipment for networking such as firewalls and wireless communication has also been installed. This lab connects with the wireless IA network to support research projects and education in security issues such as: steganography, watermark, firewalls, intrusion detection, cryptography, and VPN technologies, among others.
  • 2. The High Performance Computing Laboratory (HPC) is mainly sponsored with a grant obtained from a proposal awarded by the DoD (proposal No. 46760-RT-ISP) in 2004. Under this grant a PC Cluster of 32 node dual processors to support scientific and engineering research at graduate and undergraduate levels was acquired. A state-of-the-art PC Cluster with 256 processors sponsored by a grant from the NSF was installed in the HPC Laboratory in December 2007. We acquired an Altix 350 supercomputer with four processors that has been used for the development and optimization of IA and Security applications, Visualization, Data Mining, among others.
  • 3. The Windows to the Caribbean Laboratory (funded by a DoD project grant awarded in 2005) can utilize a setup of three smart rooms to employ speech technology to enable cross-cultural and cross-lingual remote access to the international research and teaching community. The infrastructure provides a valuable platform to allow researchers in speech recognition to obtain data from multi-media environments with access to rich data of multi-modal, multilingual corpora of natural speech. Our students and faculty benefit greatly from the learning experiences that are shared through this important infrastructure.
  • 4. The Turing Laboratory for Graduate Studies has been mainly sponsored with funds obtained through a proposal submitted to PRIDCO (a local government agency) for $450,000.00 in 2003. These funds are being used to support research at the graduate level and to obtain incentives to attract and retain PhD faculty in the Computer Science and Engineering areas. The facilities are used for education and research.
  • 5. The Information Assurance Wireless Laboratory (IAW). The IAW laboratory merges real hardware elements with software and virtual technologies. Together these allow for the creation of a multitude of different environments that allow hands-on experience with a broad range of security techniques and attacks. The lab provides for demonstrations of the different kinds of attacks/defense that can be performed on a system. It allows the instructor to set up the environment to emulate different real world scenarios, utilizing different network topologies, operating systems and connections (e.g. Ethernet, wireless, Bluetooth). The laboratory environment allows students to practice and experiment with their skills in areas such as network security, viruses and worms, cryptography, control and audit, logical security and physical security, secure software/systems development, software testing, configuration management, risk assessment, and many others. Also, it provides access to the latest trends and technologies in the IAS field. Students are able to be in contact with all the areas that may affect the security of a computerized system. This lab is a key component in the establishment of the Center for Information Assurance and Education of Puerto Rico, with the CAE/IAE designation.
  • 6. The Cyber Digital Forensics Investigation Laboratory (CDFIL) is used for analyzing financial frauds, telecommunication frauds, cyber crime, and terrorism investigation, among other activities. Success of this laboratory will encourage other institutions to adopt similar models that provide high quality training and further increase the available supply of practitioners prepared in this critical discipline. The laboratory provides real and simulated analysis by gathering digital evidence from dead computer systems using legally established procedures of computer forensic science. The activities done include: ensuring evidence is not altered, impacting learning of how investigations in forensically sterile environments can be conducted, documenting chains of custody, and logging investigative actions. In addition, this equipment stimulates students to develop new research in computer forensic science.

Funding and Scholarships

We continue to attract and retain high-profile researchers in Computer Science and Engineering by obtaining grants to increase the participation of underrepresented groups in IA/CD education and research. This increases the number and quality of Hispanic student and faculty participation by fostering the integration of research and education in IA. The following research, thesis and projects in IA/CD have been funded by the DoD HBCU, NRC, and DoD IASP:

Thesis and projects in the areas of information assurance, computer forensics, data mining, cryptoanalysis, steganography, and mobile ad hoc networks (MANET), among others:

  • Eduardo Melendez – DoD Research Assistant (RA). Ongoing thesis research: “Steganographic Detection Method Using Point Adjacent Entropy Values, Multivariate Analysis and Montecarlo Methods”.
  • Jose Ramon De la Cruz – DoD Research Assistant (RA). Final Project: “A Forensic Memory Image Acquisition Protocol Based on Windows Memory Analysis”.
  • Oscar Perez Cruz – NRC Fellow. Thesis: “Case Studies for the Feasibility of a MANET in Different Scenarios Using NS-3”.
  • Patricia Becerra, finished her Master of Science Degree in Computer Engineering. Her final project was in the area of Mobile Malware.
  • Yesenia Diaz – NRC Fellow. “Detection of Music Piracy Using Audio Fingerprinting that Robust Against Pitch Scaling”
  • Jose Pou – DoD HBCU Research Assistant. Data Mining Project: “Terrorist Activity Pattern Detection in Afghanistan: A Knowledge Discovery and Data Mining Approach for Counter-Terrorism”.
  • Jesus Velez Torres – DoD HBCU Research Assistant. Steganography Project: “How do Statistical Detection Methods Compare to Entropy Measures”.
  • Angel N. Sierra – DoD HBCU Research Assistant. Steganography Project: “Steganography: LSB Methodology”.
  • Jose Nieves – DoD Research Assistant (RA). Ongoing thesis: “Genetic Algorithm for Cryptanalysis on Substitution Ciphers”.
  • Celedonio Arroyo – DoD Research Assistant (RA) and NRC Fellow. Project: “Computer Forensics and Cloud Computing”.
  • Fabian Del Valle – DoD Research Assistant (RA) and NRC Fellow. Project: “Digital Forensics”.
  • Lyan Lugo – DoD HBCU Research Assistant (RA). “Approximate String Matching in Digital Forensics”.
  • Zuleyka Lopez – DoD HBCU Research Assistant (RA) – “Mobile Attacks and Countermeasures”.

Related Links on Information Assurance

IA Links

National Institute of Standards and Technology was founded in 1901. NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. http://nist.gov

The NIST Computer Security Division provides guidelines and policies for IA awareness. The site can be accessed at: http://csrc.nist.gov/index.html.

Guidelines can be found to build an information technology security awareness and training program at: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware. http://www.virusbtn.com/index

NIATEC is a consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance. As the federally designated cornerstone for essential education and training components of a strong Information Assurance initiative, the mission is to establish an effective Information Assurance infrastructure for academic, industry and government organizations. http://niatec.info/ViewPage.aspx?id=0

Academic institutions with the CAE/IAE designation

http://www.defenselink.mil/cio-nii/iasp/schoolsCAEList.htm

Conferences in IA

http://www.concise-courses.com/security/conferences-of-2014/

http://www.conference-service.com/conferences/information-security.html

http://www.security-conference.org/wp/

http://www.fbcinc.com/

http://www.ias09.org/

http://iauserconference.com/index2.php

http://www.sersc.org/ISA2008/

Government Sites in Information Assurance

http://apec.isu.edu/govtlinks_2.htm

http://www.cabinetoffice.gov.uk/csia/ia_review.aspx

http://www.nist.gov/

http://www.cnss.gov/

http://niccs.us-cert.gov/

http://www.fbi.gov/

http://www.secretservice.gov/

http://www.nsa.gov/

Workshops, training, and certification in Information Assurance

https://ia.gordon.army.mil/workshops.asp

http://www.esu.edu/compusec/training.html

http://cfia.memphis.edu/

http://www.isaca.org/

https://www.isc2.org/

https://www.cissp.com/

Information Assurance News

http://www.infosecurity-magazine.com/news/070703_infoassurance_cw.html

http://www.yourindustrynews.com/news_item.php?newsID=7415

http://www.mitre.org/news/events/tech03/info_assurance.html

IBM Antivirus Research

http://www.research.ibm.com/antivirus/

Homeland Security resources

http://www.dhs.gov/

Software Assurance Education, Training, & Certification Web Guide

http://faculty.ist.unomaha.edu/rgandhi/swa/SwAPGWET/Home.html

Resources for Ethical Hacking courses

http://www.dummies.com/how-to/content/ethical-hackers-guide-to-tools-and-resources.html

Free Computer Forensics On-line Courses

http://open-site.org/computer-forensics/

Bellare and Rogaway

http://cseweb.ucsd.edu/users/mihir/cse207/classnotes.html

William Stallings

http://williamstallings.com/Crypto/Crypto4e.html

Simon Singh Black Chamber

http://www.simonsingh.net/The_Black_Chamber/home.html

Tom Dunigan’s Security Page

http://www.csm.ornl.gov/~dunigan/security.html

Tools

The application CrypTool is a free e-learning application for Windows. You can use it to apply and analyze cryptographic algorithms. The current version of CrypTool is used all over the world. It supports both contemporary teaching methods at schools and universities as well as awareness training for employees. http://www.cryptool.com/

Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. http://www.wireshark.org/

Mitmproxy is a console tool that allows interactive examination and modification of HTTP traffic. It differs from mitmdump in that all flows are kept in memory, which means that it's intended for taking and manipulating small-ish samples. http://mitmproxy.org/doc/mitmproxy.html

Information Assurance FAQ

These are the most common Frequently Asked Questions (FAQs) on Information Assurance:

1. What is Risk Management?

Risk Management is the process of assessing and discovering the risks to an organization’s operations and determining how those risks can be controlled or mitigated. By identifying the vulnerabilities in an organization’s information systems and taking steps to assure that the losses experienced by the systems are within the risk appetite of the organization, we can implement or repair controls to assure the confidentiality, integrity and availability of the organization’s information. There is no such thing as a 100% secure environment. Every environment has a certain degree of vulnerability. The skill is in identifying the threats, assessing the probability of them actually occurring and the damage they can cause, and then taking the right steps to reduce the overall level of risk in the environment to a level the organization considers acceptable.

2. What two things must be achieved to secure information assets successfully?

According to Sun Tzu, an organization should know itself and know its enemy. To know itself, all managers from the three communities of interest in an organization must know how its information is processed, stored and transmitted, and identify what resources are available. This will help to implement an in-depth risk management program by implementing safeguards, controls, and other mechanisms, which should be maintained and kept current. To know its enemy, an organization should locate the weaknesses of the organization's operations and recognize them as the potential enemy. By discovering and assessing the risks of the organization, operations managers can determine how those risks can be controlled or mitigated. The levels of risk should be identified and assessed.

3. In risk management strategies, why must periodic review be part of the process?

Periodic review must be part of risk management strategies because risks from security threats create competitive disadvantage for organizations. Devising and implementing safeguards and controls is a constant process; they are not install-and-forget devices.

4. What are four risk control strategies?

There are four basic strategies that control the risks that arise from the vulnerabilities:

  • Avoidance – Applying safeguards that eliminate or reduce the remaining uncontrolled risks.
  • Transference – Shifting the risks to other areas or to outside entities.
  • Reducing the impact should an attacker successfully exploit the vulnerability.
  • Acceptance – Understanding the consequences and acknowledging the risk without any attempts at control or mitigation.

5. What is the strategy of risk avoidance?

Risk avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerabilities. It is the preferred approach, as it seeks to avoid risk rather than deal with it after it has been realized. Avoidance can be accomplished through the following techniques:

  • Application of policy
  • Application of training and education
  • Countering threats
  • Implementation of technical security controls and safeguards

6. What is the strategy of risk transference?

Transference is the control approach that attempts to shift risk to other assets, other processes, or other organizations. This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

7. How many categories should a data classification scheme include? Why?

Corporate and military organizations may use a variety of data classification schemes. Some, such as the military's, are more complex, while corporations may have simpler schemes with fewer categories. Private enterprise schemes may have only three categories: Confidential, Internal, and External. Another scheme has four categories: Public, For Official Use Only, Sensitive, and Classified. By contrast, the military has the most complex data scheme, with five categories: Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret, and Top Secret.

To properly implement a data classification scheme, a company must first decide upon the sensitivity scheme it is going to use. One company may choose to use only two layers of classification, while another company may choose to use more. Some classifications are used for commercial and business purposes, while others are for the military. It is important not to go overboard and come up with a long list of classifications, which will only cause confusion and frustration for the individuals who are going to use the system. The classification should not be too restrictive and detail-oriented either, because many types of data may need to be classified. Each classification should be unique and separate from the others so that they do not overlap. Each organization should select the scheme most appropriate for its data.

8. What is IP spoofing and social engineering?

IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged IP address indicating that the message is coming from a trusted host. The target host may accept the packet and act upon it, which allows the attacker to access the target system. The attacker can use tools such as hping2 and Nessus, among others, to initiate the attack. Hping2 is notable because it contains a host of other features besides OS fingerprinting, such as TCP, UDP, ICMP, and raw IP ping protocols, a traceroute mode, and the ability to send files between the source and the target system. Hping2 can be used to traceroute hosts behind a firewall that blocks attempts using the standard traceroute utilities. Also, hping2 can use TCP to verify whether a host is up even if ICMP packets are being blocked. Hping2 has the ability to camouflage the last step of a three-way handshake. This kind of scan is known as a SYN or stealth scan (also known as a half-open scan). It is stealthy because a full TCP connection is not opened. The advantage of the SYN stealth attack is that fewer IDS systems log this as an attack or connection attempt.

Social Engineering is the art of tricking someone into giving you something that they are not supposed to. Social Engineering is one of the most potentially dangerous attacks, as it does not directly target technology. An organization can have the best firewalls, IDS, network design, authentication system, or access control and still be successfully attacked by a social engineer.

Detection of IP spoofing: IP spoofing can be controlled by monitoring packets using network-monitoring software. Some indicators help to detect spoofing. A packet on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing. This attempt of intrusion is known as a LAND attack, resulting in a Denial of Service (DoS).

Prevention of IP spoofing: To prevent IP spoofing in your network, the following common practices should be taken into consideration:

  • Avoid using the source address authentication. Implement cryptographic authentication system-wide.
  • Configure your network to reject packets from the net that claim to originate from a local address.
  • Implement ingress and egress filtering on the border routers and implement an ACL (Access Control List) that blocks private IP addresses on your downstream interface. If outside connection of trusted hosts is allowed, enable encryption session at the router.
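
The detection tip and the filtering practices above can be expressed as one header check at the border router. This is an added example, not part of the original FAQ; the local prefix 192.0.2.0/24, the interface labels and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed site layout, constructed for this example: the organization's own
# prefix as seen from its border router (192.0.2.0/24 is a documentation range).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Private (RFC 1918) and loopback ranges that should never arrive from the
# Internet side, matching the "block private IP addresses" ACL in the list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def check_packet(interface, src, dst):
    """Classify one packet header seen at the border router.

    interface is "external" (arriving from the Internet) or "internal"
    (leaving the local network). Returns a (verdict, reason) tuple.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if interface == "external":
        # Ingress filtering: an outside packet must not claim an inside source.
        if _in_any(s, LOCAL_NETS) and _in_any(d, LOCAL_NETS):
            return "drop", "local source and destination on external interface"
        if _in_any(s, LOCAL_NETS):
            return "drop", "outside packet claims a local source address"
        if _in_any(s, PRIVATE_NETS):
            return "drop", "private or loopback source arriving from outside"
        return "pass", "ingress source is plausible"
    if interface == "internal":
        # Egress filtering: traffic leaving the site must carry a local source.
        if not _in_any(s, LOCAL_NETS):
            return "drop", "egress source is not a local address"
        return "pass", "egress source is local"
    raise ValueError("interface must be 'external' or 'internal'")


# Constructed sample headers: (interface, source, destination).
SAMPLE_PACKETS = [
    ("external", "203.0.113.7", "192.0.2.10"),     # ordinary inbound traffic
    ("external", "192.0.2.20", "192.0.2.10"),      # both addresses local
    ("external", "10.1.2.3", "192.0.2.10"),        # private source from outside
    ("internal", "192.0.2.10", "198.51.100.5"),    # ordinary outbound traffic
    ("internal", "198.51.100.99", "203.0.113.7"),  # forged source leaving site
]


def flag_spoofed(packets):
    """Return the packets the filter would drop, each with its reason."""
    flagged = []
    for interface, src, dst in packets:
        verdict, reason = check_packet(interface, src, dst)
        if verdict == "drop":
            flagged.append((interface, src, dst, reason))
    return flagged


if __name__ == "__main__":
    for row in flag_spoofed(SAMPLE_PACKETS):
        print(row)
```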

There are a few good ways to deter and prevent social engineering. The best means are user awareness, policies and procedures. User training is important as it helps build awareness levels. The best defense against social engineering attacks is an information security policy addressing such attacks and educating the user about these types of attacks:

  • For policies to be effective, they must clarify information access controls, details of the rules for setting up accounts, and define access approval for changing passwords.
  • User training must cover what types of information a social engineer will typically be after, and what types of questions should trigger employees to become suspicious.

9. How is the application layer firewall different from a packet filtering firewall? Why is an application layer firewall sometimes called a proxy server?

The packet filtering firewall is a router used as the first generation firewall. These are simple devices that filter by examining every incoming and outgoing packet header. They can selectively filter packets based on values in the packet header, accepting or rejecting packets as needed. These devices can be configured to filter based on an IP address, type of packet, port request, and/or other elements present in the packet. The filtering process examines packets for compliance with or violation of rules configured into the firewall's database. The rules most commonly implemented in packet filtering firewalls are based on a combination of IP source and destination address, direction (inbound or outbound) and/or source and destination port requests.

The second generation of firewalls is known as application-level firewalls. These often consist of dedicated computers kept separate from the first filtering router (called an edge router); they are commonly used in conjunction with the second or internal filtering router. This second router is often called a proxy server, because it serves as a proxy, authorizing external service requests to internal services. Because packet filtering looks only at the header information, it is not application dependent, as many proxy firewalls are.

Pros and cons of Proxy firewalls:

Pros:

  • Provides better security than packet filtering
  • Breaks the connection between trusted and un-trusted systems

Cons:

  • Some proxy firewalls support only a limited number of applications
  • Degrades traffic performance
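
The difference between the two firewall generations, as an added example that is not part of the original FAQ: the same constructed traffic is judged once on header fields alone and once by a proxy that also reads the HTTP request. The rule base, addresses, allowed-method policy and the simplification that one packet carries a whole request are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Simplification for this example: one "packet" carries a whole request.
Packet = namedtuple("Packet", "direction src dst dport payload")

# Constructed rule base. First match wins; anything unmatched is denied.
# Fields: action, direction, source network, destination network, dest port.
RULES = [
    ("allow", "inbound", "0.0.0.0/0", "192.0.2.80/32", 80),
    ("allow", "outbound", "192.0.2.0/24", "0.0.0.0/0", None),
]

ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed site policy


def packet_filter(pkt):
    """First-generation check: header fields only, payload never read."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, direction, src_net, dst_net, dport in RULES:
        if (pkt.direction == direction
                and src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


def http_request_ok(payload):
    """Application-layer check a proxy can make because it speaks HTTP."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in ALLOWED_METHODS
            and target.startswith(b"/")
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def proxy_firewall(pkt):
    """Second-generation check: header rules first, then the request itself."""
    if packet_filter(pkt) != "allow":
        return "deny"
    # This proxy only understands inbound HTTP; other permitted traffic
    # is judged on the header rules alone.
    if pkt.direction == "inbound" and pkt.dport == 80:
        return "allow" if http_request_ok(pkt.payload) else "deny"
    return "allow"


# Constructed traffic aimed at the assumed web server 192.0.2.80.
SAMPLES = {
    "normal GET": Packet("inbound", "203.0.113.7", "192.0.2.80", 80,
                         b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    "TRACE method": Packet("inbound", "203.0.113.7", "192.0.2.80", 80,
                           b"TRACE / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    "non-HTTP bytes on port 80": Packet("inbound", "203.0.113.7", "192.0.2.80",
                                        80, b"\x16\x03\x01\x00\x05hello"),
    "inbound to port 22": Packet("inbound", "203.0.113.7", "192.0.2.80", 22, b""),
}


def compare(samples):
    """Map each sample name to (packet filter verdict, proxy verdict)."""
    return {name: (packet_filter(p), proxy_firewall(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(name, verdicts)
```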

10. What is the key difference between symmetric and asymmetric encryption? Which can the computer process faster? Which lowers the costs associated with key management?

Symmetric encryption systems use a single key both to encrypt and decrypt a message, while asymmetric encryption uses two different keys; either key can be used to encrypt or decrypt the message. The computer can process symmetric encryption faster because it does not require as much of the CPU’s resources as asymmetric encryption does when performing the extensive mathematical calculations. As the number of organizations in the conversation or message exchange continues to grow, asymmetric encryption places a major burden on the CPU when performing the extensive mathematical calculations. Symmetric encryption lowers the costs associated with key management.

11. What are the general criteria for selecting information security personnel?

By standardizing job descriptions, an organization can increase the degree of professionalism in the field of information security. Information security positions can be classified into three areas:

Those that define: these are usually the more senior personnel that provide the policies, guidelines, and standards by consulting and doing risk assessment. They develop the product and technical architectures. Example: Chief Information Security Officer (CISO). The most common qualification for the CISO is the CISSP.

The builders: these are the more technical personnel that create and install the security solutions. Example: Security Technician. Technical qualifications vary; IT technician experience is usually necessary. They usually pursue GIAC certifications or an SCP.

Operators and administrators of security tools: these are in charge of the security monitoring function, and continually improve the process. They are usually trained to do a specific task. Example: Security Manager. It is not uncommon for security managers to have a CISSP.

By dividing information security personnel into these three groups they can be recruited more effectively for the different security positions.

Some criteria are within the control of the organization; others, like supply and demand of varied skills and experience levels, are not. Many organizations use work experience, security education and professional certifications from recognizable sources to identify the level of proficiency of a candidate for a security position.

12. What are some of the factors that influence an organization’s hiring decisions?

Some of the factors that influence an organization’s hiring decisions are the law of supply and demand, and the company budget that can affect contracts and employment. Organizations need to pay a premium for these security skills until the new supply of skilled professionals entering the job market can meet the demand. Then the organization can be more selective and pay less for the position, or create more positions. This all depends on the real economy. Others that concern the selection process are the candidate interviews, results of the background checks, candidate education, certifications that document the qualifications through a professional association’s assessment of skills and knowledge, work experience, and the level of proficiency the candidate demonstrates towards a standard job description that describes the position to be filled.

13. What attributes do organizations seek in a candidate when hiring information security professionals?

In most cases, organizations look for a technically qualified information security generalist with a solid understanding of how organizations operate. Also considered are security education and experience in security.

Organizations frequently look for individuals able to (in order of ranking):

  • Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks. This is the most important part of the IT security role in an organization.
  • Understand how organizations are structured and operated. Only in this way can a security professional know itself and the enemy, as Sun Tzu once said.
  • Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills. Communication is an important part in the role of security professionals.
  • Acknowledge the role of policy in guiding security efforts. The implementation of policies should be one of the priorities in the organization, once the security program is in place.
  • Understand how technical controls (Firewalls, IDS, and antivirus software) can be applied to solve specific information security problems. Technical skills are very important to implement security tools.
  • Understand the essential role of information security education training. Life-long learning and educational training is a must for security professionals.
  • Understand IT and Info Sec terminology and concepts. Terminology and concepts are important to keep up with the new technologies and security forums.

14. What do National Security Agency (NSA) computer scientists do?

At NSA, computer scientists work in two major categories: development and support. Within these two categories, a multitude of jobs are available with NSA. Computer scientists at NSA solve the Nation’s most difficult Information Assurance and Signals Intelligence challenges:

Information Assurance

Network Vulnerability Analysis; Public Key Infrastructure (PKI); Security Testing/Red Teaming; Firewalls; Intrusion Detection; Security Software Design/Development (object oriented programming: C++/JAVA); Security Hardware Design/Development; Customer Support; Defense Information Operations (DIO); Special Processing Laboratory (SPL); Microelectronics Research Laboratory (MRL).

Research Associate

Mathematics Research; Information Assurance Research; Cryptology Research; Secure Network Technology; Biometrics; Intrusion Detection; Wireless Security; High Speed Networking Security; Secure Systems Research; Laboratory for Physical Sciences; Electronics Research; Physics Research; Laboratory for Telecommunications Sciences; SIGINT Research; Scientific Linguists; Algorithm Research and Development.

There are also career paths for Computer/Electrical Engineering:

  • Design of special-purpose computers and antenna systems
  • Pattern recognition technologies
  • Signals analysis
  • Optics
  • Design, development, and testing of electronic communications

The following technical skills are needed throughout NSA:

  • Network Engineering – Design/Analysis of LANs/WANs, Routers, Switches, Firewalls, Protocol.
  • Software Engineering – JAVA, C++, XML, HTML, Web Applications, Object Oriented Analysis and Design, Rapid Prototyping, Algorithm Development.
  • Communications – Digital and Analog, Fixed and Mobile Wireless, Satellite, Antenna Design.
  • Systems Engineering – End-to-End Realtime Operating Systems, Signals Processing, VHDL/Hardware Development.
  • Microelectronics – VHDL, FPGA, Microelectronic Manufacturing and Testing (MCM, SOC), Electronic Packaging, VLSI.

15. What would be a generic job description for a Security Manager Position?

Security Manager Job description and Qualifications

The Security Manager will report to the CISO and assist in the drafting of security policies and plans, and identified objectives. The candidate will accomplish the day-to-day operations of the information security program, resolving issues identified by technicians, administrators, analysts or staffers whom the position will supervise. The Security Manager should have experience working with the components of the security program, especially those that are defined in the SP 800-12 and the NIST 800-14 documents, and other NIST publications. The candidate should also have knowledge of the SecSDLC model and ISO/IEC security management models. The candidate should have full knowledge of information security policies such as the EISP, ISSP, and SSSP, and know how to develop and maintain the guidelines for effective policy. This includes policy distribution, compliance and enforcement methods and security awareness programs.

The candidate must have:

  1. Five years of information security work experience, with at least three years of proven experience in information security management in three or more of the defined areas of practice, such as:
    a. Information Security Governance
    b. Risk Management
    c. Information Security Programs Management
    d. Information Security Management
    e. Response Management
  2. Preferably, but not necessarily have the CISM certification.
  3. Preferably be a CISSP, or be willing to certify once hired and complete the ISSMP concentration for additional knowledge in the area of information security management.
  4. Should have experience in budgeting and project management.
  5. Must be able to draft middle and lower level policies as well as standards and guidelines.
  6. Experience with Business Continuity Planning is a must.

Responsibilities include but are not limited to:

  1. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations
  2. Identify and manage information security risks to achieve business objectives
  3. Design, develop and manage an information security program to implement the information security governance framework
  4. Oversee the direct information security activities to execute the information security program
  5. Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
  6. Design of physical security
  7. Supervise operational and tactical planning for the security function.

16. What is the difference between the CISSP and the SSCP standards?

The SSCP is considered more technically oriented than its bigger brother, the CISSP. The CISSP Common Body of Knowledge (CBK) has 10 domains, as presented on the website
https://www.isc2.org/cgi-bin/index.cgi :

  1. Access Control
  2. Application Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security and Risk Management
  6. Legal, Regulations, Compliance and Investigations
  7. Operations Security
  8. Physical (Environmental) Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security

The SSCP Common Body of Knowledge (CBK) has 7 domains, as presented on the website
https://www.isc2.org/cgi-bin/index.cgi :

  1. Access Controls
  2. Analysis and Monitoring
  3. Cryptography
  4. Malicious Code
  5. Networks and Telecommunications
  6. Risk, Response, and Recovery
  7. Security Operations and Administration