国内外信息安全学科发展.ppt

国外信息安全教学情况调研 哈尔滨工业大学张宏莉2007 11 17 报告提纲 引言国外信息安全相关课程设置情况总体情况有代表性的大学办学特点国外信息安全知识体系相关情况NSTISSI NationalSecurityTelecommunicationsandInformationSystemSecurityI ISC 2 的信息安全共同知识体系CBK 引言 2002年设立信息安全专业的课程调研2004年清华大学出版社信息安全知识点总结2007年教指委信息安全教学规范调研方式 INTERNET调研范围 美英等知名高校20余所所发布的相关课程教学大纲 教学内容等 调研范围PurdueUniversityCornellUniversityStanfordUniversityMITCMUOxfordUniversityNewYorkUniversityRiceUniversityFloridaStateUniversity PrincetonUniversityUCDavisUniversityofLondonGeorgeMasonUniversityOslouniversity NorwayFloridaAtlanticUniversityGeorgiaInstituteofTechnpologyPortlandStateUniversity等学校 报告提纲 引言国外信息安全相关课程设置情况总体情况有代表性的大学国外信息安全知识体系相关情况NSTISSI NationalSecurityTelecommunicationsandInformationSystemSecurityI ISC 2 的信息安全共同知识体系CBK办学特点 总体情况 1995年 美国国家安全局NationalSecurityAgency委任CMU成立信息安全学术人才中心 提高高校信息安全人才培养能力至2003年9月 有50多所教育机构被认定为这种中心 包括44所高等院校和4所国防院校 如CMU GeogiaInstituteofTechnology FlaridaStateUniversity PurdueUniversity GeorgeMasonUniversity4所学校设立信息安全专业本科专业 13所学校设立以信息安全为主的本科专业 在10所学校设立信息安全硕士专业 30所学校设立信息安全研究方向 半数以上学校开设课程与NSTISSI的CNSS4011水平相当 20所学校开展了NSTISSI的CNSS4011 4 15认证 有代表性的大学Purdueuniversity 信息安全渗透到很多已有学科UniversityofLondon 10门课程 PROJECTFloridaStateUniversity 始于2000 高质量OxfordUniversity 计算机安全课程体系CC getech 2个选修课系列 PurdueUniversity www cerias purdue edu education graduate program special在研究生阶段设置信息安全专业DepartmentsacrossPurdueofferclassesthataddressinformationsecurity privacy andriskmanagementtopicsfromvariousperspectives InformationSecurityCoursesComputerSciences ComputerandInformationTechnology HomelandSecurity IndustrialTechnology Management Computer PurdueUniversity InformationSecurityCoursesComputerSciencesCS355IntrotoCryptographyCS426ComputerSecurityCS471IntrotoArtificialIntelligenceCS478IntroductiontoBioinformaticsCS490SSecureNetworkProgrammingCS526InformationSecurityCS555CryptographyCS591SInformationSecurityandCybercrimeSeminarCS626AdvancedInformationAssuranceCS655AdvancedCryptologyCS690SPrivacyOnline PurdueUniversity ComputerandInformationTechnologyC IT227IntroductiontoBioinformaticsC IT420BasicCyberForensicsC IT455NetworkSecurityC IT499CCyberForensics AdvancedTechnicalIssuesC IT499DSmallScaleDigitalDeviceForensicsC IT499FIntroductiontoComputerForensicsC IT499NWirelessNetworkSecurityandManagementC IT528InformationSecurityRiskAssessmentC IT556IntrotoCyberForensicsC IT581AAdvancedTopicsinCyberforensicsC IT581BBiometricDataAnalysisC IT581CAppliedCryptographyC IT581FExpertWitness ScientificTestimonyC IT581SInformationSecurityManagementC IT581VSpecialTopicsinCyberforensicsC IT581ZWebServicesSecurity PurdueUniversity ComputerSecurity Asurveyofthefundamentalsofinformationsecurity Risksandvulnerabilities policyformation controlsandprotectionmethods databasesecurity encryption authenticationtechnologies host basedandnetwork basedsecurityissues personnelandphysicalsecurityissues issuesoflawandprivacy InformationSecurity Basicnotionsofconfidentiality integrity availability authenticationmodels protectionmodels securitykernels secureprogramming audit intrusiondetectionandresponse operationalsecurityissues physicalsecurityissues personnelsecurity policyformationandenforcement accesscontrols informationflow legalandsocialissues identificationandauthenticationinlocalanddistributedsystems classificationandtrustmodeling andriskassessment PurdueUniversity CommunicationsSecurityAndNetworkControls Thiscoursewillprovidestudentswithanoverviewofthefieldofinformationsecurityandassurance Studentswillexplorecurrentencryption hardware software andmanagerialcontrolsneededtooperatenetworksandcomputersystemsinasafeandsecuremannerAdvancedNetworkSecurity Thiscourseprovidesstudentswiththein depthstudyandpracticeofadvancedconceptsinappliedsystemsandnetworkingsecurity includingsecuritypolicies accesscontrols IPsecurity authenticationmechanismsandintrusiondetectionandprotection PurdueUniversity SystemsAssurance Thiscoursecoverstheimplementationofsystemsassurancewithcomputingsystems Topicsincludeconfidentiality integrity authentication non repudiation intrusiondetection physicalsecurity andencryption ExtensivelaboratoryexercisesareassignedDisasterRecoveryAndPlanning Thiscoursecoversriskmanagementandbusinesscontinuity Topicsincludedisasterrecoverystrategies mitigationstrategies riskanalysisanddevelopmentofcontingencyplansforunexpectedoutagesandcomponentfailures Extensivelaboratoryexercisesareassigned PurdueUniversity InformationAssuranceRiskAssessment Thiscoursecoversindustryandgovernmentrequirementsandguidelinesforinformationassuranceandauditingofcomputingsystems TopicsincluderiskassessmentandimplementationofstandardizedrequirementsandguidelinesSoftwareAssurance Thiscoursecoversdefensiveprogrammingtechniques boundsanalysis errorhandling advancedtestingtechniques detailedcodeauditing andsoftwarespecificationinatrustedassuredenvironment Extensivelaboratoryexercisesareassigned PurdueUniversity ComputerForensics Thiscoursecoversthetechniquesusedintheforensicanalysisofcomputerizedsystemsforgatheringevidencetodetailhowasystemhasbeenexploitedorused ExtensivelaboratoryexercisesareassignedSecureProgramming Shellandenvironment Bufferoverflows Integeroverflows Formatstrings Meta charactervulnerabilities codeinjection andInputValidation WebApplicationissues includingcross sitescriptingvulnerabilities Raceconditions Filesystemissues Randomness FloridaStateUniversity DepartmentofComputerSciencewww cs fsu eduSecurityandAssuranceinInformationTechnologyLabwww sait fsu eduSinceMay2000FSUisaNSACenterofExcellenceinInformationSecurityEducationandFSUattendedareceptionattheWhiteHouseinhonorofthesecentersThecoursesininformationsecurityinComputerScienceatFloridaStateUniversitysatisfytheNationalSecurityTelecommunicationsandInformationSystemsSecurity NSTISSC trainingstandardforInformationSecuritySpecialists FloridaStateUniversity NetworkSecurityClass1 Fundamentalsofnetworksecurity Class2and3 Securechannelsviaencryption Class4and5 Blockciphersandencryptionmodes Class6 MessageAuthenticationCodes Class7 Streamciphers Class8 Authenticationmechanisms Class9 Thebirthdayparadoxandapplications Class10 Kerberos Classes11 12 13and14 Publickeycryptography Class15 Publickeyinfrastructure Class16 Examreview Class17 MidtermClass18 RSAscheme Class19 SSLscheme Class20 IPSECscheme Class21 IPSEC IKEscheme Classes22 23 and24 Studentpresentations Class25 Internetprotocolsreview andintroductiontopacketfiltering Class26 BuildingInternetfirewalls Class27 Intrusiondetectionsystems Class28 Finalreview UniversityofLondon www londonexternal ac uk prospective students postgraduate holloway info security syllabus shtml centcontent开设了10门课程 包括 SecuritymanagementAnintroductiontocryptographyandsecuritymechanismsNetworksecurityComputersecuritySecureelectroniccommerceandotherapplicationsStandardsandevaluationcriteriaAdvancedcryptographyDatabasesecurityInformationcrimeProjec UniversityofLondon Securitymanagement 690IC01 Thismodulewillemphasisetheneedforgoodsecuritymanagement Itsaimsaretoidentifytheproblemsassociatedwithsecuritymanagementandtoshowhowvarious major organisationssolvethoseproblems Anintroductiontocryptographyandsecuritymechanisms 690IC02 Theapproachofthismoduleisnon technical Themainobjectiveistointroducethestudentstothemaintypesofcryptographicmechanism tothesecurityserviceswhichtheycanprovide andtotheirmanagement includingkeymanagement Themathematicalcontentofthismoduleisminimal Supportmaterialsfortheelementarymathematicsneededforthismodulewillbeprovided UniversityofLondon Networksecurity 690IC03 Thismoduleisconcernedwiththeprotectionofdatatransferredovercommercialinformationnetworks includingcomputerandtelecommunicationsnetworks Afteraninitialbriefstudyofcurrentnetworkingconcepts avarietyofgenericsecuritytechnologiesrelevanttonetworksarestudied includinguseridentificationtechniques authenticationprotocolsandkeydistributionmechanisms Thisleadsnaturallytoconsiderationofsecuritysolutionsforavarietyoftypesofpracticalnetworks includingLANs WANs proprietarycomputernetworks mobilenetworksandelectronicmail UniversityofLondon Computersecurity 690IC04 Thiscoursedealswiththemoretechnicalmeansofmakingacomputingsystemsecure Thisprocessstartswithdefiningthepropersecurityrequirements whichareusuallystatedasasecuritypolicy Securitymodelsformalisethosepoliciesandmayserveasareferencetocheckthecorrectnessofanimplementation Themainsecurityfeaturesandmechanismsinoperatingsystemswillbeexaminedaswellassecurity relatedissuesofcomputerarchitecture Specificwell knownoperatingsystemsarethenstudiedascasestudies Otherareasinvestigatedincludethesecurityofmiddleware softwareprotectionandwebsecurity UniversityofLondon Secureelectroniccommerceandotherapplications 690OPT5 Thismoduleaimstoputtheroleofsecurityintoperspectiveanddemonstratehowitformspartofasecuritysystemwithinanapplication Theaimistoillustrate usuallybytheuseofcasestudies howaparticularsituationmaymakecertainaspectsofsecurityimportantandhowanentiresystemmightfittogether Standardsandevaluationcriteria 690OPT7 Overthelastfewyears avarietyofsecurity relatedstandardshavebeenproducedbyinternationalstandardsbodies Thismoduleexaminessomeofthemostimportantofthesestandardsindetail Indoingsoitillustrateshowinternationalstandardsnowcovermanyaspectsoftheanalysisanddesignofsecuresystems Thematerialcoveredalsoputscertainotheraspectsofthedegreecourseinamorestructuredsetting Themodulealsocoversexistingsecurityevaluationcriteria thecurrentprocessforevaluatingsecuresystems andguidelinesformanagingITsecurity UniversityofLondon Advancedcryptography 690OPT8 Thismodulefollowsonfromtheintroductorycryptographymodule Inthatmodulecryptographicalgorithmswereintroducedaccordingtothepropertiestheypossessedandhowtheymightfitintoalargersecurityarchitecture Inthisunitwelookinsidesomeofthemostpopularandwidelydeployedalgorithmsandwehighlightdesignandcryptanalytictrendsoverthepasttwentyyears Thiscourseis bynecessity somewhatmathematicalandsomebasicmathematicaltechniqueswillbeused However despitethisrelianceonmathematicaltechniques theemphasisofthemoduleisonunderstandingthemorepracticalaspectsoftheperformanceandsecurityofsomeofthemostwidelyusedcryptographicalgorithms UniversityofLondon Databasesecurity 690OPT9 Thismodulecoversseveralaspectsofdatabasesecurityandtherelatedsubjectofconcurrencycontrolindistributeddatabases Wewilldiscussmethodsforconcurrencycontrolandfailurerecoveryindistributeddatabasesandtheinteractionbetweenthosemethodsandsecurityrequirements Wewillalsoexaminehowaccesscontrolpoliciescanbeadaptedtorelationalandobject orienteddatabases UniversityofLondon Informationcrime 690OPT10 Thismodulecomplementsothermodulesbyexaminingthesubjectfromthecriminalangleandpresentingastudyofcomputercrimeandthecomputercriminal Wewilldiscussitshistory causes developmentandrepressionthroughstudiesofsurveys typesofcrime legalmeasures andsystemandhumanvulnerabilities Wewillalsoexaminetheeffectsofcomputercrimethroughtheexperiencesofvictimsandlawenforcementandlookatthemotivesandattitudesofhackersandothercomputercriminals UniversityofLondon Project 6900011 Theprojectisamajorindividualpieceofwork ItcanbeofacademicnatureandaimatacquiringanddemonstratingunderstandingandtheabilitytoreasonaboutsomespecificareaofInformationSecurity Alternatively theprojectworkmaydocumenttheabilitytodealwithapracticalaspectofInformationSecurity Stanford http theory stanford edu seclab courses htmlSecurityLabintheComputerScienceDepartmentCourses CS155 ComputerandNetworkSecurity CS255 IntroductiontoCryptographyandComputerSecurity CS259 SecurityAnalysisofNetworkProtocolsCS355 TopicsinCryptography CS99J Sophomoreseminar Computersecurityandprivacy CS55N Freshmanseminar TenIdeasinComputerSecurityandCryptography 讲座 Oxford ComputerSecurity 融入计算机系统的设计开发 形成实践能力 Oxford SecurityPrinciples SPR Thiscoursecombinesatreatmentofthefundamentalprinciplesofcryptographyandsecurityprotocolswithapracticaltreatmentofcurrentbestpractice Itexplainstheneedforcomputersecurity andthescopeoftheavailabletechnicalsolutions presentstechniquesforevaluatingsecuritysolutions andprovidesanoverviewofthecurrentleadingtechnologiesandstandardsinthesecurityarena Oxford SecurityRiskAnalysisandManagement RIS Securityisapropertyofanentiresystemincontext ratherthanofasoftwareproduct soathoroughunderstandingofsystemsecurityriskanalysisisnecessaryforasuccessfulproject Thiscourseintroducesthebasicconceptsandtechniquesofsecurityriskanalysis andexplainshowtomanagesecurityrisksthroughtheprojectlifecycle Participantsshouldhaveabasicunderstandingoftopicsinsecurity asprovidedbytheSecurityPrinciples SPR course PeopleandSecurity PAS Averyhighproportionoffailuresinsecuritycanbeattributedtomisunderstanding mis information orfailuretograsptheimportanceoftheprocessesindividualsareexpectedtofollow Thiscoursedrawsonworkfromhuman computerinteraction andmorewidelyfrompsychology relatingtheissuesraisedbacktohardtechnicalimplementationdecisions Familiaritywithbasicsecurityprinciplesandstandardmechanisms ascoveredinSecurityPrinciples SPR isassumed Oxford DesignforSecurity DES Capabilityinthedesignofsystemswhichwillmeetsecuritygoalsisanincreasinglyimportantskill Thiscoursewillexplorehowsuitablelevelsofassurancecanbeachievedthroughcombiningarchitecturaldetail operatingsystemandmiddlewareplatforms andapplicationsecuritymeasures Centraltotheseconsiderationsisconcernforwhichrequirementsaremetwithwell establishedtools whichriskscanbeaddressedthoughnoveltechnologies andwhichmustbemitigatedbyothermeans Participantsshouldhaveabasicunderstandingoftopicsinsecurity asprovidedbytheSecurityPrinciples SPR course PlatformsforSecurity PLA Inordertobuildsecuresystems appropriatemethodologiesmustbeusedthroughoutthelifecycle notleastinthedetailedimplementationstage Thiscoursetakesacasestudyapproachtotopicssuchasbufferoverflows cryptographiclibraries sandboxing codesigning networksecurity andcodecorrectness tobuildtowardsatoolkitofsoundprinciples Participantsshouldhaveabasicunderstandingoftopicsinsecurity asprovidedbytheSecurityPrinciples SPR course CC getech InformationSecurityFixedCoreCourses 23semesterhours IntroductiontoInformationSecurityAppliedCryptographySecureComputerSystemsNetworkSecurityInformationSecurityLaboratoryInformationSecurityStrategiesandPoliciesPracticum Project Research 5credithours CC getech ConcentrationI TechnologyCentric 9CreditHours ChoosethreecoursesfromthefollowingIntroductiontoNumberTheoryTheoryIIAdvancedOperatingSystemsComputerNetworksFormalModelsandMethodsforInformationAssuranceSoftwareDevelopmentProcessDatabaseSystemsConceptsadnDesignInternetworkingArchitectureandProtocols CC getech ConcentrationII PolicyCentric 9CreditHours Choosethreecoursesfromthefollowing TechnologyForecastingandAssessmentScience TechnologyandPublicPolicyCostandBenefitAnalysisManagementInformationSystemsBusinessProcessAnalysis Design SAP SecurityandPrivacyofInformation InformationSystems GSU 国外办学特色总结 办学思路方面 信息安全科研活跃的高效设立相关课程 但体系性不强信息安全知识渗透到已有各个专业讲解细致 事例丰富低年级涉及专业的目的意义 并通过动手实践能力的培养激发学生兴趣宾州大学的一年级的课程 UndergraduateResearch IndependentStudy InformationTechnologyandItsImpactonSociety 芝加哥大学的WebDesign Aesthetics lang高年级注重学生知识面的拓展 开办讲座 约2小时 研究方向研讨会等 课程方面 基本课程计算机安全 密码 网络安全 安全管理 数据库安全 计算机 网络取证特色课程人员安全 安全编程 PU 无线网络安全 PU PROJECT 信息犯罪 网络协议安全性分析 讲座 专题 网络攻防 NYU 成绩评分方式平时作业 30 50 工程实践 30 50 期中期末考试 30 40 出勤 5 左右 等 教学方式方面 网络成为师生沟通的桥梁 在教学中起重要作用 相关信息在网上都查得到 包括 每学期各专业的开课情况 课程介绍 任课教师 参考书目 教师要求 评分方式 教师的讲义 ppt 等等 聘请外校专家讲授课程或课程的部分章节 多名教师或研究生共同教授同一门课 各有分工 布置学生阅读大量参考文献并讨论 stanford 一定的交流讨论课时 1 3 报告提纲 引言国外信息安全相关课程设置情况总体情况有代表性的大学国外信息安全知识体系相关情况NSTISSI NationalSecurityTelecommunicationsandInformationSystemSecurityI ISC 2 的信息安全共同知识体系CBK办学特点 NSTISSI NationalSecurityTelecommunicationsandInformationSystemSecurityI 的CNSS4011 4015CNSS4011 国家信息系统安全专业人才培训标准NationalTrainingStandardforInformationSystemsSecurity INFOSEC ProfessioinalsCNSS4012 国家高级系统管理员信息安全培训标准NationalInformationAssuranceTrainingStandardforSeniorSystemsManagersCNSS4013 国家系统管理员信息安全培训标准NationalInformationAssuranceTraningStandardforSystemAdministratorsCNSS4014 国家信息系统安全官员安全培训标准InformationAssuranceTrainingStandardforInformationSystemsSecurityOfficersCNSS4015 国家系统证书培训标准NationalTrainingStandardforSystemCertifiers CNSS4011培训标准 培训课程采用信息安全综合模型 向受培训者提供两个层面的相关知识认知层面 对于国家信息信息系统威胁和弱点 要建立起敏感的认知 认识到保护数据 信息和信息处理手段的需求及意义 具有从事信息安全工作的原理和实践知识实践层面 培训INFOSEC安全过程和实践的设计 执行和评估技能 对这个层面的理解可以确保学员有能力对他们在实践过程中遇到的安全概念加以应用 CNSS4011培训标准 教学计划 1 通信基础 认知层面 教学内容 现代通信系统的演化过程 传输介质学习成果 通信系统发展年代表 匹配传输特性和描述符主要内容 历史和当前方法对比 各种通信系统的能力和局限性2 自动化信息系统AIS基础 认知层面 教学内容 提供AIS语言 结合AIS实例描述AIS环境 综述AIS中硬件 软件 固定组件结合后文中信息系统安全外貌 行为学习成果 AIS术语解释 可执行功能解释 描述AIS组件间相互关系主要内容 历史和当前技术对比 硬件 软件 存储器 介质 网络 CNSS4011培训标准 教学计划 3 安全基础 认知层面 教学内容 应用信息系统安全广泛模型 提出重要信息属性 信息状态 安全测量标准学习成果 学生应列出并表述AIS安全中的要素 对保护系统AIS的安全训练进行总结 能举例说出重要信息的决定性主要内容 INFOSEC概述 操作安全OPSEC 信息安全INFOSEC4 NSTISS基础 认知层面 教学内容 组件描述 包括国家策略 威胁和弱点 对策 风险管理 系统生命周期管理 信任 操作模式 组织单元角色 NSTISS各方面等实例学习成果 概括出国家NSTISS策略 验证AIS弱点和潜在威胁 举例说明NISS策略 国产和实践的代理实现主要内容 国家策略和指导 系统弱点和威胁 法律要素 对策 风险管理 系统生命周期管理 信任 运行模式 多种组织人员的角色 NSTISS各方面 CNSS4011培训标准 教学计划 5 系统运行环境 认知层面 教学内容 勾画出机构的具体自动信息系统和通信系统 描述机构的控制点 以便购买和维护自动信息系统和通信系统 评论自动信息系统和通信系统的安全策略学习成果 总结出机构中自动信息系统和通信系统 给出淡青机构的自动信息系统或通信系统和配置的示例 和维护的可操作点主要内容 自动信息系统 通信系统 各机构具体的安全策略 各机构具体的自动通信系统或通信系统的策略6 NSTISS计划和管理 实践层面 教学内容 讨论涉及安全措施和编码过程中的实际行动 介绍常见的安全计划指南 文档学习成果 针对教师提供的自动信息系统和通信系统建立安全计划主要内容 安全计划 风险管理 系统生命周期管理 意外事故计划 灾难恢复 CNSS4011培训标准