




Outline
- Introduction
- Information security course offerings abroad: overview; representative universities; program characteristics
- Information security bodies of knowledge abroad: NSTISSI (National Security Telecommunications and Information System Security I); the ISC(2) information security Common Body of Knowledge (CBK)

Introduction
- 2002: curriculum survey for establishing an information security major
- 2004: Tsinghua University Press, summary of information security knowledge points
- 2007: Teaching Steering Committee, information security teaching specification

Survey method: Internet.
Survey scope: the syllabi, teaching content and similar material for relevant courses published by more than 20 well-known universities in the US, the UK and other countries.

Universities surveyed: Purdue University, Cornell University, Stanford University, MIT, CMU, Oxford University, New York University, Rice University, Florida State University, Princeton University, UC Davis, University of London, George Mason University, Oslo University (Norway), Florida Atlantic University, Georgia Institute of Technology, Portland State University, and others.

Information security course offerings abroad

Overview
- In 1995 the US National Security Agency commissioned CMU to establish an academic talent center for information security, to improve universities' capacity to train information security personnel.
- By September 2003, more than 50 educational institutions had been designated as such centers, including 44 institutions of higher education and 4 defense colleges, for example CMU, Georgia Institute of Technology, Florida State University, Purdue University and George Mason University.
- 4 schools have established an undergraduate major in information security, and 13 schools have undergraduate majors centered on information security; 10 schools have established a master's program in information security, and 30 schools have information security research tracks; more than half of the schools offer courses at a level comparable to NSTISSI CNSS4011, and 20 schools carry out NSTISSI CNSS4011-4-15 certification.

Representative universities
- Purdue University: information security permeates many existing disciplines
- University of London: 10 courses, PROJECT
- Florida State University: started in 2000, high quality
- Oxford University: a computer security curriculum
- CC-getech: 2 elective course series; an information security program at the graduate level

Departments across Purdue offer classes that address information security, privacy, and risk management topics from various perspectives.

Information Security Courses: Computer Sciences; Computer and Information Technology; Homeland Security; Industrial Technology; Management; Computer & Information Technology (IUPUI); Computer Information Systems & Information Technology (Purdue Calumet)

Information Security Courses, Computer Sciences:
- CS 355 Intro to Cryptography
- CS 426 Computer Security
- CS 471 Intro to Artificial Intelligence
- CS 478 Introduction to Bioinformatics
- CS 490S Secure Network Programming
- CS 526 Information Security
- CS 555 Cryptography
- CS 591S Information Security and Cybercrime Seminar
- CS 626 Advanced Information Assurance
- CS 655 Advanced Cryptology
- CS 690S Privacy Online

Computer and Information Technology:
- C&IT 227 Introduction to Bioinformatics
- C&IT 420 Basic Cyber Forensics
- C&IT 455 Network Security
- C&IT 499C Cyber Forensics: Advanced Technical Issues
- C&IT 499D Small Scale Digital Device Forensics
- C&IT 499F Introduction to Computer Forensics
- C&IT 499N Wireless Network Security and Management
- C&IT 528 Information Security Risk Assessment
- C&IT 556 Intro to Cyber Forensics
- C&IT 581A Advanced Topics in Cyberforensics
- C&IT 581B Biometric Data Analysis
- C&IT 581C Applied Cryptography
- C&IT 581F Expert Witness & Scientific Testimony
- C&IT 581S Information Security Management
- C&IT 581V Special Topics in Cyberforensics
- C&IT 581Z Web Services Security

Computer Security: A survey of the fundamentals of information security. Risks and vulnerabilities, policy formation, controls and protection methods, database security, encryption, authentication technologies, host-based and network-based security issues, personnel and physical security issues, issues of law and privacy.

Information Security: Basic notions of confidentiality, integrity, availability; authentication models; protection models; security kernels; secure programming; audit; intrusion detection and response; operational security issues; physical security issues; personnel security; policy formation and enforcement; access controls; information flow; legal and social issues; identification and authentication in local and distributed systems; classification and trust modeling; and risk assessment.

Communications Security And Network Controls: This course will provide students with an overview of the field of information security and assurance. Students will explore current encryption, hardware, software, and managerial controls needed to operate networks and computer systems in a safe and secure manner.

Advanced Network Security: This course provides students with the in-depth study and practice of advanced concepts in applied systems and networking security, including security policies, access controls, IP security, authentication mechanisms and intrusion detection and protection.

Systems Assurance: This course covers the implementation of systems assurance with computing systems. Topics include confidentiality, integrity, authentication, non-repudiation, intrusion detection, physical security, and encryption. Extensive laboratory exercises are assigned.

Disaster Recovery And Planning: This course covers risk management and business continuity. Topics include disaster recovery strategies, mitigation strategies, risk analysis and development of contingency plans for unexpected outages and component failures. Extensive laboratory exercises are assigned.

Information Assurance Risk Assessment: This course covers industry and government requirements and guidelines for information assurance and auditing of computing systems. Topics include risk assessment and implementation of standardized requirements and guidelines.

Software Assurance: This course covers defensive programming techniques, bounds analysis, error handling, advanced testing techniques, detailed code auditing, and software specification in a trusted assured environment. Extensive laboratory exercises are assigned.

Computer Forensics: This course covers the techniques used in the forensic analysis of computerized systems for gathering evidence to detail how a system has been exploited or used. Extensive laboratory exercises are assigned.

Secure Programming: Shell and environment, Buffer overflows, Integer overflows, Format strings, Meta-character vulnerabilities (code injection) and Input Validation, Web Application issues (including cross-site scripting vulnerabilities), Race conditions, issues, Randomness.

Department of Computer Science, Security and Assurance in Information Technology Lab

Since May 2000 FSU is an NSA Center of Excellence in Information Security Education, and FSU attended a reception at the White House in honor of these centers. The courses in information security in Computer Science at Florida State University satisfy the National Security Telecommunications and Information Systems Security (NSTISSC) training standard for Information Security Specialists.

Network Security
- Class 1. Fundamentals of network security.
- Class 2 and 3. Secure channels via encryption.
- Class 4 and 5. Block ciphers and encryption modes.
- Class 6. Message Authentication Codes.
- Class 7. Stream ciphers.
- Class 8. Authentication mechanisms.
- Class 9. The birthday paradox and applications.
- Class 10. Kerberos.
- Classes 11, 12, 13 and 14. Public key cryptography.
- Class 15. Public key infrastructure.
- Class 16. Exam review.
- Class 17. Midterm.
- Class 18. RSA scheme.
- Class 19. SSL scheme.
- Class 20. IPSEC scheme.
- Class 21. IPSEC-IKE scheme.
- Classes 22, 23, and 24. Student presentations.
- Class 25. Internet protocols review, and introduction to packet filtering.
- Class 26. Building Internet firewalls.
- Class 27. Intrusion detection systems.
- Class 28. Final review.

10 courses are offered, including:
- Security management
- An introduction to cryptography and security mechanisms
- Network security
- Computer security
- Secure electronic commerce and other applications
- Standards and evaluation criteria
- Advanced cryptography
- Database security
- Information crime
- Project

Security management 690IC01: This module will emphasise the need for good security management. Its aims are to identify the problems associated with security management and to show how various (major) organisations solve those problems.

An introduction to cryptography and security mechanisms 690IC02: The approach of this module is non-technical. The main objective is to introduce the students to the main types of cryptographic mechanism, to the security services which they can provide, and to their management, including key management. The mathematical content of this module is minimal. Support materials for the elementary mathematics needed for this module will be provided.

Network security 690IC03: This module is concerned with the protection of data transferred over commercial information networks, including computer and telecommunications networks. After an initial brief study of current networking concepts, a variety of generic security technologies relevant to networks are studied, including user identification techniques, authentication protocols and key distribution mechanisms. This leads naturally to consideration of security solutions for a variety of types of practical networks, including LANs, WANs, proprietary computer networks, mobile networks and electronic mail.

Computer security 690IC04: This course deals with the more technical means of making a computing system secure. This process starts with defining the proper security requirements, which are usually stated as a security policy. Security models formalise those policies and may serve as a reference to check the correctness of an implementation. The main security features and mechanisms in operating systems will be examined as well as security-related issues of computer architecture. Specific well-known operating systems are then studied as case studies. Other areas investigated include the security of middleware, software protection and web security.

Secure electronic commerce and other applications 690OPT5: This module aims to put the role of security into perspective and demonstrate how it forms part of a security system within an application. The aim is to illustrate, usually by the use of case studies, how a particular situation may make certain aspects of security important and how an entire system might fit together.

Standards and evaluation criteria 690OPT7: Over the last few years, a variety of security-related standards have been produced by international standards bodies. This module examines some of the most important of these standards in detail. In doing so it illustrates how international standards now cover many aspects of the analysis and design of secure systems. The material covered also puts certain other aspects of the degree course in a more structured setting. The module also covers existing security evaluation criteria, the current process for evaluating secure systems, and guidelines for managing IT security.

Advanced cryptography 690OPT8: This module follows on from the introductory cryptography module. In that module cryptographic algorithms were introduced according to the properties they possessed and how they might fit into a larger security architecture. In this unit we look inside some of the most popular and widely deployed algorithms and we highlight design and cryptanalytic trends over the past twenty years. This course is, by necessity, somewhat mathematical and some basic mathematical techniques will be used. However, despite this reliance on mathematical techniques, the emphasis of the module is on understanding the more practical aspects of the performance and security of some of the most widely used cryptographic algorithms.

Database security 690OPT9: This module covers several aspects of database security and the related subject of concurrency control in distributed databases. We will discuss methods for concurrency control and failure recovery in distributed databases and the interaction between those methods and security requirements. We will also examine how access control policies can be adapted to relational and object-oriented databases.

Information crime 690OPT10: This module complements other modules by examining the subject from the criminal angle and presenting a study of computer crime and the computer criminal. We will discuss its history, causes, development and repression through studies of surveys, types of crime, legal measures, and system and human vulnerabilities. We will also examine the effects of computer crime through the experiences of victims and law enforcement and look at the motives and attitudes of hackers and other computer criminals.

Project 6900011: The project is a major individual piece of work. It can be of academic nature and aim at acquiring and demonstrating understanding and the ability to reason about some specific area of Information Security. Alternatively, the project work may document the ability to deal with a practical aspect of Information Security.

Security Lab in the Computer Science Department

Courses:
- CS155: Computer and Network Security.
- CS255: Introduction to Cryptography and Computer Security.
- CS259: Security Analysis of Network Protocols
- CS355: Topics in Cryptography.
- CS99J: Sophomore seminar: Computer security and privacy.
- CS55N: Freshman seminar: Ten Ideas in Computer Security and Cryptography. (lecture series)

Computer Security: integrated into the design and development of computer systems, building practical ability

Security Principles (SPR): This course combines a treatment of the fundamental principles of cryptography and security protocols with a practical treatment of current best practice. It explains the need for computer security, and the scope of the available technical solutions; presents techniques for evaluating security solutions; and provides an overview of the current leading technologies and standards in the security arena.

Security Risk Analysis and Management (RIS): Security is a property of an entire system in context, rather than of a software product, so a thorough understanding of system security risk analysis is necessary for a successful project. This course introduces the basic concepts and techniques of security risk analysis, and explains how to manage security risks through the project lifecycle. Participants should have a basic understanding of topics in security, as provided by the Security Principles (SPR) course.

People and Security (PAS): A very high proportion of failures in security can be attributed to misunderstanding, mis-information, or failure to grasp the importance of the processes individuals are expected to follow. This course draws on work from human-computer interaction, and more widely from psychology, relating the issues raised back to hard technical implementation decisions. Familiarity with basic security principles and standard mechanisms, as covered in Security Principles (SPR), is assumed.

Design for Security (DES): Capability in the design of systems which will meet security goals is an increasingly important skill. This course will explore how suitable levels of assurance can be achieved through combining architectural detail, operating system and middleware platforms, and application security measures. Central to these considerations is concern for which requirements are met with well-established tools, which risks can be addressed through novel technologies, and which must be mitigated by other means. Participants should have a basic understanding of topics in security, as provided by the Security Principles (SPR) course.

Platforms for Security (PLA): In order to build secure systems, appropriate methodologies must be used throughout the lifecycle, not least in the detailed implementation stage. This course takes a case study approach to topics such as buffer overflows, cryptographic libraries, sandboxing, code signing, network security, and code correctness, to build towards a toolkit of sound principles. Participants should have a basic understanding of topics in security, as provided by the Security Principles (SPR) course.

Information Security Fixed Core Courses (23 semester hours):
- Introduction to Information Security
- Applied Cryptography
- Secure Computer Systems
- Network Security
- Information Security Laboratory
- Information Security Strategies and Policies
- Practicum/Project/Research (5 credit hours)

Concentration I (Technology Centric - 9 Credit Hours). Choose three courses from the following:
- Introduction to Number Theory
- Theory II
- Advanced Operating Systems
- Computer Networks
- Formal Models and Methods for Information Assurance
- Software Development Process
- Database Systems Concepts and Design
- Internetworking Architecture and Protocols

Concentration II (Policy Centric - 9 Credit Hours). Choose three courses from the following:
- Technology Forecasting and Assessment
- Science, Technology and Public Policy
- Cost and Benefit Analysis
- Management Information Systems
- Business Process Analysis & Design (SAP)
- Security and Privacy of Information & Information Systems (GSU)

Program characteristics

Approach to running programs:
- Universities with active information security research offer related courses, but without much systematic structure.
- Information security knowledge permeates the existing majors.
- Explanations are detailed and rich in examples.
- The lower years cover the purpose and significance of the major and stimulate students' interest by building hands-on practical skills: the first-year courses at the University of Pennsylvania (宾州大学) (Undergraduate Research / Independent Study, Information Technology and Its Impact on Society) and the University of Chicago's Web Design: Aesthetics/lang1.
- The upper years emphasize broadening students' knowledge, with lectures (about 2 hours), research-direction seminars and the like.

Courses:
- Basic courses: computer security, cryptography, network security, security management, database security, computer/network forensics.
- Distinctive courses: personnel security, secure programming (PU), wireless network security (PU), PROJECT, information crime, security analysis of network protocols, lectures/special topics, network attack and defense (NYU).
- Grading: regular assignments (30-50%), engineering practice (30-50%), midterm and final exams (30-40%), attendance (about 5%), etc.

Teaching methods:
- The web serves as a bridge between teachers and students and plays an important role in teaching. All the relevant information can be found online, including each major's course offerings per semester, course descriptions, instructors, reference books, instructors' requirements, grading methods, instructors' lecture notes (ppt), and so on.
- Experts from other institutions are invited to teach courses or parts of courses.
- Several instructors or graduate students teach the same course jointly, each with their own responsibilities.
- Students are assigned a large amount of reference literature to read and discuss (Stanford), with a share of class hours set aside for discussion (1/3).

Information security bodies of knowledge abroad

NSTISSI (National Security Telecommunications and Information System Security I) CNSS 4011-4015:
- CNSS 4011: National Training Standard for Information Systems Security (INFOSEC) Professionals
- CNSS 4012: National Information Assurance Training Standard for Senior Systems Managers
- CNSS 4013: National Information Assurance Training Standard for System Administrators
- CNSS 4014: Information Assurance Training Standard for Information Systems Security Officers
- CNSS 4015 (national system certification training standard): National Train