Teaching Information Security

This post is to help professors trying to teach information security, a subject typically studied by seniors earning a Bachelor’s in Information Technology. Information Security covers how to protect information from all of the bad things that might happen to it. Example problems include at least the following:

  • loss due to backup failure plus hardware failure, flood, or fire
  • theft by hackers and/or competitors
  • encryption followed by a ransom demand from hackers
  • corruption due to human or software error
  • service becomes unavailable due to hardware or network failures, hackers, etc.

The textbooks on this subject, and most of the materials published on the Web, including from ISO and NIST, are abstract and all about the process rather than the substance. Remember the old saying about ISO 9000 that it would be possible to certify a life preserver made out of lead. You would just need sufficient paperwork. So that you don’t have to pay ISO, see NIST 800-100 to get a flavor. The textbooks might be good resources for those working as Chief Information Security Officers at Fortune 500 companies, but young people just getting their first degree aren’t going to have jobs like that. Our textbook, chosen by a previous professor, was Management of Information Security, 6th edition, by Whitman and Mattord.

In order to make sure that the students developed some real capabilities, I decided to make all the assignments applications of the high-level principles to simple concrete scenarios. They were all open-ended essay assignments, with reviews in class and chances to revise. This part actually didn’t go over that well with students, who are accustomed to multiple-choice quizzes and fill-in-the-blanks questions. I don’t see how IT graduates can be useful to employers without becoming competent writers. If they’re not being trained to be hands-on technicians, e.g., Cisco Certified router admins, then what role can they have in a company other than developing the policies and plans that the technicians will follow?

I built all of the assignments around three concrete scenarios:

  • a hangar leasing operation in which a waiting list is maintained as a spreadsheet and active tenants are recorded in QuickBooks Desktop. All work is done by a single employee on a single desktop PC connected through a network-address translating router to the Internet (“HangarSys”)
  • a 1990s-style web site offering custom-cut khaki pants for sale (mustering all of my imaginative powers, I picked iKhakis, a site that I had actually built much of, back in 1998)
  • a T shirt shop that sells online and in person with all IT outsourced to Shopify and QuickBooks Online (Pop Ts of Delray)
  • a 50-employee law firm (“KWA”) with a classic Microsoft intranet in which almost everything hinges off a single Windows Server machine

Summary of the assignments:

  • apply the NIST standards to develop an Information Security Plan for HangarSys
  • develop an Information Security Plan for iKhakis
  • develop an Information Security Policy for HangarSys
  • develop an Information Security Program for Pop Ts of Delray
  • explain the differences among and between Information Security Plan vs. Program vs. Policy
  • develop a risk management process for HangarSys
  • develop a risk treatment plan (via transference) for HangarSys
  • develop a disaster recovery plan for HangarSys (desktop PC destroyed)
  • risk treatment plan for iKhakis source code only
  • protect investors and founders so the source code is kept secret, but flows to the investors if the founders die or run away
  • plan for hiring a temp to fill in for the HangarSys worker (the worst information security problems these days are related to people)
  • contingency plan for the KWA law firm (earthquake destroys office)
  • report on a network access breach at the KWA law firm (coffee shop customers got the WiFi WPA password)

By the time they’re done, the students will probably hate you, but they’ll have a portfolio of documents demonstrating practical skill in applying abstract principles. They can use these to show to employers. As discussed below, it may be smarter to assign these projects to groups of 2 or 3 students.

HangarSys

  • Microsoft Windows desktop computer (easy to train replacement if Robin quits)
  • Microsoft Excel as waitlist DBMS (only one user updating)
  • Quickbooks Desktop for accounting (bank statement integration)
  • Microsoft Outlook as e-mail system (merge Word doc with Excel list)
  • Second internal hard drive as destination for Windows File History
  • Microsoft OneDrive as off-site backup in cloud (Dropbox or Crashplan would also work)
  • Internet connection through network address-translating (NAT) router

Robin works at the F45 airport, owned by Palm Beach County and part of that organizational structure. There are 300 Tee hangars occupied by tenants who pay rent monthly. There are 175 people on a waiting list. Robin checks to make sure that the tenants have paid up by matching payments to accounts in QuickBooks Desktop (not QuickBooks Online, a different product). She periodically sends out mass emails to either everyone on the waiting list or everyone who is a tenant. When someone vacates a hangar, Robin invites the person at the top of the waiting list to move in.

If students need more detail to complete a plan, they can make it up, e.g., by positing a directory structure for the files in OneDrive or on the hard disk.

iKhakis

iKhakis, a startup within a big company, has the following:

  • Factory in Tennessee that can produce custom-cut khaki pants; Oracle RDBMS-based information system to support manufacturing and shipping
  • Web server to take orders from customers; Oracle RDBMS behind the Web server
  • Desktop access by developers in Massachusetts to Web server
  • Desktop access for operations from acquired startup in Massachusetts to Web server
  • Data warehouse for senior management in San Francisco to see reports on what is selling
  • All of the software for the public ecommerce site is on the Web server and edits go live immediately
  • The Internet Service Provider makes a backup of the SSD every Sunday morning at 3:00 am

Pop Ts of Delray

A pop-up T-shirt shop (“Pop Ts of Delray”) in Delray Beach is selling shirts both in-person (point of sale) and online via a web site. To minimize IT spending, the shop uses Shopify for its online presence, processing online orders, fulfillment of online orders, and also for point-of-sale payment processing.

Pop Ts has six employees:

  • the founder/owner, who works in the store most days and from home sometimes (devices: Windows 11 laptop and iPhone running iOS 15)
  • three retail clerks, who work from iPads in the store, but also bring their own smartphones and use Instagram for personal and promotional purposes
  • a merchandising expert, who works from home from a laptop running MacOS
  • an operations manager, who makes sure that inventory is maintained, bills are paid, etc. Works from home on a Windows 10 desktop connected to QuickBooks Online and Shopify. Also works from a Windows 10 laptop in the store sometimes and checks Shopify from an Android smartphone.

All locations are provisioned with Internet via AT&T fiber, with an AT&T-supplied router/WiFi base station.

KWA Law Firm

The 50-employee law firm of Kirkland, Watkins, and Austin (“KWA”) has an office in San Francisco. Everyone works primarily in person in the office, except when in court, out with a client, home sick, etc.

Core information systems:
  • shared filing cabinets for physical documents
  • central server running Windows Server 2016 (set up when the firm moved to Windows 10)
  • Windows shared drive (server with mirrored disks in an IT closet) for PDFs and TIFFs (documents from discovery) and Microsoft Office documents (work product)
  • Microsoft Active Directory for single sign-on to all of the Microsoft applications as well as PCLaw and Time Matters
  • Microsoft Exchange Server 2016 on the local server; Microsoft Outlook on the laptops
  • PCLaw 16 and Time Matters 16 on the local server for accounting
  • Microsoft SQL Server 2016 to support PCLaw and Time Matters
  • Central phone number and Cisco 7800-series IP phones on desks (shares network/wiring with the PCs, contrary to Cisco recommendations, due to limited Cat 5 wiring in the building)
  • Every attorney has a Windows 10 laptop computer that plugs into a dock (hard-wired via Cat 5), but can also be used in conference rooms via WiFi
  • Working when away from the office: VPN into the firm’s network (otherwise protected by a firewall)
  • The IT department consists of two employees: IT Manager and IT Helper. The manager selects equipment, sets up and administers systems, hires contractors, and supervises the helper (who can solve individual users’ problems). The manager has already engaged a part-time Cisco-certified network engineer for configuring the routers and firewall as well as dealing with the phone system.

KWA has a Managing Partner, but otherwise a fairly flat management structure. There is an Office Manager who supervises most of the general administrative functions and a Finance Manager who makes sure that accounts receivable and accounts payable are current. The firm relies on PCLaw for billing and accounting and Time Matters for recording attorney hours. These applications rely on the Windows share drive server and can be used only from within the firm’s network. Payroll is handled by ADP and does not rely on any KWA systems.

(Fun to share with students who are dreaming of the California lifestyle, a 2018 response from a young colleague when I asked him where in San Francisco I should stay: “The review location is a cubicle inside of WeWork Civic Center on Mission between 7th and 8th wedged between a homeless encampment and emergency heroin detox center. I would recommend picking a hotel in another part of town. … I’ve actually found taking the train to the Civic Center stop and walking the rest of the way to be the best approach. Specifically walking down 7th street and crossing to the far side of Mission then turning right. Due to the layout and direction of the one way streets and traffic I’ve found cabs/Uber to work fairly poorly and often take longer than BART. I stopped using cars when junkies started trying to open my door at stop lights.”

Just a couple of blocks from my luxury hotel:

and on the same trip, I happened to get a picture of the In-N-Out Burger that was later shut down for refusing to check customers’ vaccine papers:

)

Checklist for the Students

For each document in your portfolio, use the following checklist

  • filename makes sense, e.g., “20211103-meetfish-source-code-version-control-and-escrow-plan-joe-smith” (YYYYMMDD at the beginning enables the documents to sort chronologically if displayed in a typical file system browser; add your own name (not “joe smith”!) at the end so that if the document ends up in a folder with others’ work it will be clear how to find yours)
  • only one version of each plan at the top level (create a “Drafts” subfolder if desired and put the obsolete versions in there)
  • contains author’s name, email, and phone number
  • contains date created and date of last revision
  • contains the full text of the original assignment either at the beginning or the end (so that your document, if printed, can be read and understood without reference to any other material)
  • does not contain any “plan for making a plan” material (e.g., cut and paste from textbook-type materials designed to cover a broad range of scenarios)
  • does not contain any conditionals (“if the system is using a VPN, then…”) since your assignments always reference a concrete scenario (fill in additional details if desired)
  • is in Microsoft Word format if at all possible (makes it easy for me and others to add comments and Track Changes)

The “plan for making a plan” bullet point is critical. Students struggled with these assignments at first. A standard technique for American college students is to take every 7th paragraph of the textbook chapter and submit that as their essay. If there is a guide to writing a plan, therefore, what is submitted is a condensed guide to writing a plan, not an actual plan. Until this has been pointed out to them at least three times, they don’t realize that they’re submitting the wrong category of material, i.e., that they cannot leave the actual planning as an exercise for the reader.

Midway through the semester, for example, as a disaster recovery plan for HangarSys, a single-PC information system, students submitted the following:

Disaster Recovery Procedure: The step-by-step procedures for disaster recovery include: Disaster recovery formation; Vendor contact list; Use of alternate sites; Off-site storage [but no step-by-step procedure for reinstalling a PC with Robin’s data and applications!]

Restoring IT Functionality: Should a disaster actually occur and HangarSys need to exercise this plan, this section will be referred to frequently as it will contain all of the
information that describes the manner in which HangarSys’s information system will be recovered. [no further information provided]

A disaster recovery plan (DRP) is a set of instructions that explains how to respond to an unplanned incident that affects a business’s IT infrastructure to resume work as quickly as possible. The DRP is meant to diminish the occurrence of penalties that stem from compliance standard error.

Data Availability vs Data Durability: Data availability refers to system uptime. More specifically, system uptime is understood by how quickly the storage system can fully operate. Data durability refers to the protection of data long-term, i.e., the focus of protecting data from bit rot, degradation, or any attempt at data corruption. [no information in the document that was specific to poor Robin and her destroyed PC]

The concept that a tutorial on how to build a plan might result in a plan that contained no copy/pasted content from the tutorial was an alien one. Similarly, despite having been presented with a concrete situation, they pulled in generic material that was full of conditions (since the generic material was written with a wide range of readers and IT systems in mind). So in any assignment calling for handling just one kind of problem, the submissions would include a lot of IF statements regarding other possible problems. In any assignment with a specific configuration, the submissions would include IF statements regarding a wide range of configurations.

Students struggled with challenges that you might not expect college seniors to struggle with, e.g., including their name within the document or putting a title at the top, so stressing this checklist is essential if they’re going to finish the semester with documents that can be shown to employers. They were unfamiliar with the Track Changes capability within Microsoft Word. It was rare to find consistent examples of standard English spelling, grammar, plural/possessive indication, etc. Microsoft’s red underlining for misspelled words did not attract attention. I was generally unable to persuade students that demonstrating attention to detail, e.g., by right-clicking when Microsoft Word flags a misspelled word or capitalizing proper nouns, was relevant in the world of IT. Rather than appreciating an opportunity to learn how to write standard English, students took the position that only the underlying content should be considered. Best summary of student reaction to teacher review: “Every editor should have a pimp for a brother so that he can have someone to look up to”.

Also, don’t assume a significant technical background. A textbook publisher’s slide described equipment required for customer service. It included 25 personal computers and 25 “Cat 5e drops”. In a classroom of 20 students, not a single one knew what a Cat 5e drop was. Some guessed that it had something to do with WiFi. One theorized that “drop” meant something was broken (though, from context, how would something broken be part of the required equipment?). Nobody knew what a “Cat 5 cable” was. Students are similarly unfamiliar with the built-in capabilities of Microsoft Windows, e.g., for file sharing among multiple users, for auditing user access to directories, for backing up via File History, etc. No student knew about SNMP. No student knew anything about TCP/IP (which makes it hard to explain firewalls). No student had a clear understanding of one-way hashing or public-key encryption and the role of certificate authorities.

The general principle that students had learned over the preceding three years seemed to be “more is better.” It wouldn’t make sense to consider using the built-in Windows firewall and anti-malware tools because it is possible to buy and install third-party desktop firewall and anti-malware software. Every system’s security can be improved with a VPN. Every password should be long and complex enough that users will have to write it down on a Post-It.

Apply the NIST Information Security Plan Standards to HangarSys

Review NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, and NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations (the control catalog that the NIST Risk Management Framework, SP 800-37, draws on), and apply them to HangarSys.

(This provides a window into how much students read of assigned documents. Only about 1 in 10 will get to page 28 of NIST SP 800-18, where NIST provides an Information System Security Plan Template for them to use. 9 out of 10 will struggle to come up with a format, complain that no template was provided and therefore the assignment was too hard, etc. You might want to remind them to check page 28 and use that template.)

The goal here is for them to pick out the NIST standards that might be relevant to a simple IT system, reference those, and explain why they’ve chosen them.

Apply the NIST Information Security Plan Standards to iKhakis

Essentially the same problem as above, but for a more complex information system that has multiple components.

Develop an Information Security Policy for HangarSys

You can assume that Robin works inside a larger organization that will set up her Windows machine, set up her router, and can at least bring in consultants to handle IT challenges, even if the internal IT department is not big. To make your life easier, remember not to try to write documents for additional hypotheticals, e.g., Robin is part of a big group, Robin wants to work from home, etc. You’ve got one worker at one desktop computer and she never works from any other location.

Please build a one-file information security policy, in Microsoft Word .docx format, under the simplifying assumption that Robin is the only person in the enterprise who uses a computer (i.e., the IT department exists just to serve her!).

Start with the Enterprise Information Security Policy (the one referenced in the PowerPoint deck for the Massachusetts state government is 8 pages long, so that should be max page count for this part; maybe you can get this done in 3 pages).

Then include a page, with one or two sentences per item, regarding which templates from https://www.sans.org/information-security-policy/ that you’ve chosen to use.

Use the Track Changes facility in Microsoft Word to show all the modifications that you’ve made to the templates from SANS (i.e., turn on Track Changes before you start editing/deleting; ideally, since this is a simple one-employee situation, you’re mostly deleting stuff that doesn’t fit the HangarSys scenario).

So when you’re done maybe you have 30-50 pages, 90 percent of which is unmodified content from SANS.

[This was a tough one. Most students apparently didn’t read the assignment carefully. They would, for example, just skip the part about including the Enterprise Information Security Policy and the page regarding template choices and dive right into one or more templates, neglecting even to include a title page indicating for what company or information system these policies applied.]

Develop an Information Security Program for Pop Ts of Delray

Write an Information Security Program for Pop Ts of Delray and upload here in Microsoft Word format. Also add it to your portfolio directory.

The examples I found on the public Internet and included in the main module as “Readings” might be helpful:

Don’t forget to put your name and contact info up at the top or somewhere else in the document where it makes sense to attribute authorship. Feel free to cut and paste these assignment conditions in, as with the past plans, so that people can see what the goal was.

[This one resulted in very rough solutions at first. The students completely failed to appreciate that Pop Ts was living in the modern world of software as a service. So they cut and pasted generic material that would be applicable for a 1990s intranet/extranet-type IT system. Many students wanted Pop Ts of Delray to run a VPN, though none could articulate why and none could answer when I asked “What difference does it make if they’re accessing Shopify from a home network rather than from the store’s broadband connection?” Students would not use Google to look up Shopify’s or QuickBooks Online documentation. The typical student solution actually did not include the words “Shopify” or “QuickBooks” despite those being the only two information systems that the enterprise used.]

Explain Plan vs. Program vs. Policy

So far in this class we’ve seen the following:

  • Information Security Plan
  • Information Security Policy
  • Information Security Program

Explain in your own words what each of these is and what the differences among these are.

[The textbook wasn’t all that clear on the above, nor is any of the standards material that I found. Some reasonable explanations submitted: “An information security plan is the starting point of an information security program, where info sec policies are put to describe the things that are necessary to keep assets secure. The info sec plan is the step where you determine which policies would fit to have the best possible info sec program. The info sec program is the implementation of the policies that were described in the info sec plan.” (my favorite) “If Security Policy and Security Plan were states, then Security Program would be the United States. It is the organization of all the activities that fall under security. Through a security program you can manage the security practices of a business.”]

Develop a Risk Management Process and then implement it for HangarSys

Considering Chapter 6 of the textbook and any models that you can find online, please develop a Risk Management Process and then implement it for HangarSys.

If you found some good online models, please cite them. Remember that people will be happier with your work if you’ve followed standards and established conventions.

At a minimum, your document should contain a list of all of the hardware, software, and information assets and then the risks to these.

Risk Treatment by Transference for HangarSys

In last week’s assignment you identified risks to the HangarSys operation. Please develop a Risk Treatment plan that addresses the important risks that you identified via Transference (“shift risk to another entity”).

Your risk treatment plan is not constrained by the infrastructure that we specified previously. Robin is still there and still working from the office, but she need not use Windows, QuickBooks, Excel, OneDrive, etc., if you can think of a superior alternative that accomplishes your risk treatment goals.

Make sure to identify any residual risk that would remain even after the entire transference treatment was implemented.

[In class we talked about shifting to an online spreadsheet, e.g., Google Sheets, and to QuickBooks Online. Students were already familiar with these concepts from the Pop Ts of Delray assignment. Nonetheless, more than half apparently had forgotten the suggestion from the lecture. They would suggest hiring $1 million/year in consultants to take over various IT responsibilities instead of paying $200/year to QuickBooks Online. So you’ll want to stress that in the cloud age they should always be thinking about subscription services.]

Develop a Disaster Recovery Plan for HangarSys

Write a plan that explains what to do if a hurricane blows out the windows of Robin’s office, picks up her PC, and blows it out into the swamp adjacent to the airport, where an alligator chews it in half. None of the hardware or data on the PC is recoverable.

[Terrified at the idea of starting from a blank Word doc, students would generally try to find a template out there on the Internet that was designed for vastly more complex information systems and a wide range of bad events. So the solutions came back with a lot of material about damage assessment, despite the fact that the assignment specified exactly what damage had occurred and that there was no way to salvage the PC hardware or data from it (i.e., that recovery would have to be from OneDrive). Students did not use the Internet to search and learn that QuickBooks Desktop keeps everything in a single .qbw “company file”, so you’ll probably have to give them some URLs to read. Students did not independently come to the conclusion that they needed to posit a file system structure in order to have a specific recovery plan. I ultimately gave them the following:

OneDrive\WaitingList\
OneDrive\WaitingList\MassEmails\
OneDrive\WaitingList\Correspondence\
OneDrive\Tenants\
OneDrive\Tenants\MassEmails\ (Word docs for merging)
OneDrive\Tenants\Accounting\

Very few students, despite the textbook telling them that they needed this, included any kind of test or periodic retest for their plan.]
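One way to give the plan the test step that the textbook asks for, as an added example that is not part of the original post: a PowerShell script that inventories the posited OneDrive layout, records a SHA-256 hash of every file into a manifest kept in the same OneDrive tree (so it survives with the data), and later, on the replacement PC, checks that every folder and every file in the manifest came back and that the QuickBooks company file is present, non-empty and recently written. The folder names, the *.qbw location under Tenants\Accounting, the manifest filename and the seven-day staleness threshold are all assumptions, not details from the post.

```powershell
# Added example for the HangarSys disaster recovery plan; not from the original post.
# Assumptions (not in the post): the posited OneDrive folder layout below, one QuickBooks
# Desktop company file (*.qbw) under Tenants\Accounting, a JSON manifest kept in the same
# OneDrive tree so it survives with the data, and "live" meaning written within 7 days.
# Usage: .\Test-HangarSysRecovery.ps1 -Record   (on Robin's PC, weekly: records the manifest)
#        .\Test-HangarSysRecovery.ps1           (on the replacement PC, after OneDrive sign-in)

$ExpectedDirs = @(
    'WaitingList', 'WaitingList\MassEmails', 'WaitingList\Correspondence',
    'Tenants', 'Tenants\MassEmails', 'Tenants\Accounting'
)

function Get-HangarSysInventory {
    param([string]$Root)
    # Relative path -> SHA-256 of every file under the expected folders. Reading a
    # Files On-Demand placeholder makes OneDrive download it, so hashing also proves
    # the cloud copy is retrievable rather than merely listed.
    $inv = @{}
    foreach ($rel in $ExpectedDirs) {
        $dir = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Recurse) {
            $key = $f.FullName.Substring($Root.Length).TrimStart('\')
            $inv[$key] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $inv
}

function Save-RecoveryManifest {
    param([string]$Root, [string]$ManifestPath)
    Get-HangarSysInventory -Root $Root | ConvertTo-Json |
        Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

function Test-RecoverySet {
    param([string]$Root, [string]$ManifestPath, [int]$MaxCompanyFileAgeDays = 7)
    # Returns $true only if every expected folder exists, every file in the manifest is
    # back, and the QuickBooks company file is present, non-empty and recently written.
    $problems = @()
    foreach ($rel in $ExpectedDirs) {
        if (-not (Test-Path -LiteralPath (Join-Path $Root $rel) -PathType Container)) {
            $problems += "missing folder: $rel"
        }
    }
    $qbw = @(Get-ChildItem -LiteralPath (Join-Path $Root 'Tenants\Accounting') -Filter *.qbw -File -ErrorAction SilentlyContinue)
    if ($qbw.Count -eq 0) { $problems += 'no QuickBooks company file (*.qbw) under Tenants\Accounting' }
    foreach ($f in $qbw) {
        if ($f.Length -eq 0) { $problems += "company file $($f.Name) is empty" }
        if ($f.LastWriteTime -lt (Get-Date).AddDays(-$MaxCompanyFileAgeDays)) {
            $problems += "company file $($f.Name) last written $($f.LastWriteTime): sync may have stopped before the disaster"
        }
    }
    if (Test-Path -LiteralPath $ManifestPath) {
        $recorded = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
        $now = Get-HangarSysInventory -Root $Root
        foreach ($entry in $recorded.PSObject.Properties) {
            if (-not $now.ContainsKey($entry.Name)) { $problems += "in manifest but not restored: $($entry.Name)" }
        }
    } else {
        $problems += "no manifest at $ManifestPath; run with -Record on the original PC first"
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

$Root     = Join-Path $env:USERPROFILE 'OneDrive'
$Manifest = Join-Path $Root 'dr-manifest.json'
if ($args -contains '-Record') {
    Save-RecoveryManifest -Root $Root -ManifestPath $Manifest
    "manifest recorded: $Manifest"
} elseif (Test-RecoverySet -Root $Root -ManifestPath $Manifest) {
    'RECOVERY CHECK PASSED: Robin can be handed this PC'
} else {
    'RECOVERY CHECK FAILED: see warnings above'
}
```

Schedule the -Record run weekly with Task Scheduler on Robin's PC. The periodic retest the textbook wants is the other mode: sign in to OneDrive on a spare PC, run the script, and only then call the backup restorable. Files legitimately change between runs, so the check reports files that are missing rather than files whose hash differs; the staleness check on the company file is a heuristic that catches a sync client that stopped running weeks before the hurricane.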

Risk Treatment Plan for iKhakis (source code only)

None of the fundamentals of the system structure can be changed, but you are tasked with treating risks to the software, an important asset for the company since nobody else has a similar product/service. Remember that all of the software for the site is on the Web server and edits go live immediately. Also that the Internet Service Provider makes a backup of the SSD every Sunday morning at 3:00 am.

  1. How can you protect the software from hardware failure?
  2. How can you protect the software from hackers?
  3. How can you protect the software from mistakes by your own programmers?

[This assignment came right after a lecture in which the assignment itself was discussed. Students were told that version control was the conventional solution for protecting software from a variety of hazards and that an off-server repository, such as GitHub, was the easiest way to deal with a wide range of failures and disasters on the primary server. They were also briefed on how to use version control with development, staging, and production servers (maybe just software running on the same physical machine) so that changes could be tested before going live. Despite having essentially been told what the solution should be, nearly every student had forgotten all of the foregoing. The result was turning in solutions that were derived from a variety of Internet sources, e.g., dealing with the possibility of a server suffering hardware failure or network disconnection.]

Protecting Investors from an Information Security Disaster

https://www.pareto20.com/ has incubated a Miami-based startup company that runs a web-/app-based social network for fishing enthusiasts, MeetFish. There are 5 programmers and they’re fond of heading out together to the Juno Beach Pier to fish and also sometimes they charter boats and head out towards Bimini to catch marlin. So far they have an Amazon EC2 instance (https://aws.amazon.com/ec2/) reading from Amazon Elastic Block Storage (EBS; https://aws.amazon.com/ebs/). This is backed up by the creation of the occasional Amazon Machine Image (AMI; see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html). Due to the fact that the software is changing as fast as the fishing conditions, there is only one version of the software, i.e., the live version, and all changes are made live.

The code includes a SQL data model for the MySQL RDBMS, HTML, CSS, JavaScript (Node.js) for both the Linux-based server and Web browser client, Java for a traditional Android app, and Swift for the iOS app.

Jon Oringer is preparing to invest $2 million of his personal funds into MeetFish in exchange for 20 percent of the company’s shares. Oringer is concerned that the entire company could be killed simultaneously by a rogue wave washing over the Juno Beach Pier or a hurricane sinking the charter boat from which the programmers are fishing. If Oringer does not have a copy of the source code, the investment will go down with the ship, so to speak, but the MeetFish founders don’t want to give Oringer a copy of their treasured code.

Write a plan that will (1) increase the information security of the source code against hardware failure, natural disaster afflicting Amazon Web Services, and programmer mistakes, (2) enable the MeetFish founders to feel confident that their code won’t be available to Oringer as long as they’re still alive and doing what they promised to do, and (3) enable Oringer to feel confident that the source code can be set up as a functional web-/app-based service in the event the entire MeetFish staff is killed by a storm. Your plan can include a trusted third party (i.e., someone or some organization other than Oringer and MeetFish). Your plan should include a test procedure that will give Oringer confidence that the MeetFish service can be built from the source code that becomes available with the verified sinking of the MeetFish programmers.

[Students were pre-briefed in lecture regarding this assignment, i.e., that the solution would turn out to be a version control system and then some sort of escrow arrangement. (It was left up to them to find an escrow system that would automatically pull from GitHub.) Most of this advice was either not understood or forgotten a week later when they scrambled to throw something together. Most tried to deal with hardware failure, minimizing server downtime, etc., based on material copy/pasted from the Internet. It turned out that students had no understanding of what it means to be an Amazon EC2 customer. They would include material about turning off the hardware every evening, checking the hardware, replacing hard drives, ensuring reliable and clean power, etc. All stuff that only Amazon would be able to do if one’s server is a VM at Amazon AWS. The proper solution turns out to be quite short. GitHub + https://codekeeper.co/ + a test procedure where an agent of the investor gets to watch a programmer build the site from whatever is on Codekeeper (the escrow agent).]
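As an added example (not the post's, and not Codekeeper's or GitHub's tooling), here is the shape of that short answer in PowerShell with git, covering the MeetFish escrow assignment and the iKhakis source-code assignment above, whose hardware-failure and programmer-mistake questions are answered by the same commit-tag-push step: every release is committed, tagged and pushed to an off-server remote; the escrow agent is handed a self-contained git bundle plus a receipt naming the tag, its commit and the file hash; and the investor's agent has a repeatable test that, on a clean machine and without any access to the founders' repository, checks the deposit against the receipt and then builds and tests it. The repository URL, the bundle path, the by-hand deposit (instead of the automatic pull the post mentions) and the use of npm test as the smoke test are assumptions.

```powershell
# Added example for the iKhakis and MeetFish source-code assignments; not from the original
# post and not any escrow vendor's or GitHub's tooling. Assumptions (not in the post): git is
# installed, the off-server copy of record is the hypothetical GitHub repo below, the escrow
# agent holds a git bundle of it, and the app is the Node.js project MeetFish describes,
# with an npm "test" script usable as the smoke test.

$Primary = 'git@github.com:meetfish/meetfish.git'   # assumed URL of the off-server repo
$Deposit = 'C:\escrow\meetfish-deposit.bundle'      # assumed path of the file the escrow agent holds

function Publish-Release {
    param([string]$Version)
    # Programmer side, in the working repo. The EC2 instance is disposable; the pushed,
    # tagged commit is the asset. Deploy to staging from the tag, then to production,
    # never by editing files on the live server.
    git add -A
    git commit -m "release $Version"
    git tag -a "v$Version" -m "release $Version"
    git push --follow-tags origin HEAD
}

function New-EscrowDeposit {
    param([string]$Path, [string]$Tag)
    # Founder side. One self-contained file holding every branch and tag. It is not
    # encrypted, so the escrow contract, not cryptography, is what keeps it from the
    # investor; the receipt records the file hash and the commit behind the named tag.
    git bundle create $Path --all
    [pscustomobject]@{
        Tag    = $Tag
        Commit = "$(git rev-list -n 1 $Tag)".Trim()
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Test-EscrowDeposit {
    param([string]$Bundle, [string]$Tag, [string]$ReceiptCommit, [string]$ReceiptSha256)
    # Investor's agent, on a clean machine, with only the deposit and its receipt (no access
    # to the founders' repo is needed: a commit hash reveals nothing about the code). Checks:
    # the file is the one receipted, it contains the tag, the tag points at the receipted
    # commit, and the project builds and passes its own tests from that commit.
    $hash = (Get-FileHash -LiteralPath $Bundle -Algorithm SHA256).Hash
    if ($hash -ne $ReceiptSha256) { Write-Warning 'deposit file does not match the receipt'; return $false }

    $work = Join-Path ([IO.Path]::GetTempPath()) ("escrow-test-" + [guid]::NewGuid().ToString('N'))
    git clone --quiet $Bundle $work
    if ($LASTEXITCODE -ne 0) { Write-Warning 'deposit is corrupt or not a git bundle'; return $false }

    $commit = "$(git -C $work rev-list -n 1 $Tag)".Trim()
    if ($commit -ne $ReceiptCommit) {
        Write-Warning "tag $Tag is '$commit' in the deposit but '$ReceiptCommit' on the receipt"
        return $false
    }
    git -C $work checkout --quiet $commit

    Push-Location $work
    try {
        npm ci
        if ($LASTEXITCODE -ne 0) { return $false }
        npm test
        return ($LASTEXITCODE -eq 0)
    } finally { Pop-Location }
}

# Founders, at each release:    Publish-Release -Version 1.4.0
#                               New-EscrowDeposit -Path $Deposit -Tag v1.4.0   # hand file + receipt to the agent
# Investor's agent, quarterly:  Test-EscrowDeposit -Bundle $Deposit -Tag v1.4.0 -ReceiptCommit <sha> -ReceiptSha256 <hash>
```

The point of the receipt is that the founders attest to what they deposited without the investor ever seeing source: a hash and a commit ID are enough for the agent to prove the deposit is intact and is the version claimed, and the build-and-test step is the only real evidence that the escrowed code can be turned back into a running service. A test that merely confirms "a deposit exists" would have passed for a bundle of the wrong branch or an empty repository.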

Temporary Staff Plan for HangarSys

Robin has always wanted to travel and she hates airplanes. She has a lot of saved up vacation time and is going on a cruise from Miami through the Panama Canal, out to the South Pacific, through Indonesia, and ending up in Mumbai. The trip will take 8 weeks and possibly 2 additional weeks if Robin tests positive for COVID-19 and needs to be quarantined before returning to the U.S. Write a plan for continuing the above-described IT operations when Robin goes away for 8-10 weeks. Remember that some hangars will become vacant as planes move out and therefore some people on the waiting list in Excel will need to move into the QuickBooks system. Some current hangar tenants will neglect to pay and they’ll need to be identified via bank statements/QuickBooks and then nagged via email and phone. A temporary worker will need to do everything that Robin ordinarily does. Let’s assume that this happens in June and July so it would be easy to find, for example, a schoolteacher.

Your plan should include at least the following:

  • a description of screening steps to take before hiring the temporary worker
  • a description of the training that the temporary worker will need, e.g., regarding information security policies and practices
  • a description of how the temporary worker will be able to gain access to all of the software and systems that Robin is using, but without getting access to Robin’s password (i.e., through a separate account with its own credentials and the permissions the job requires, not by sharing Robin’s login)
  • a description of what happens when Robin comes back from her vacation and the temporary worker is let go (how is the temporary worker’s access to electronic information terminated, for example)

[Despite some previous lectures on configuring Microsoft Windows for multi-user sharing of files and being told explicitly that this assignment would require coming up with a way for Robin and the temp to share access to, e.g., the QuickBooks company file, none of the solutions included anything about how to configure the PC. You’ll want to point them to QuickBooks Desktop documentation. It turns out that QuickBooks Desktop can have multiple users even when running on a single machine. This has to be configured, though.]

Contingency Plan for Law Firm

Using what you learned from reading the textbook chapter, write a contingency plan for a 50-employee law firm to handle the physical destruction of the office from an earthquake (fortunately it happens at 2:30 am when nobody is in the building). The law firm is Kirkland, Watkins, and Austin (“KWA”).

To keep this streamlined, make sure not to try to solve problems that aren’t related to the physical destruction of the office and the computers inside the office. Don’t waste space on definitions. Don’t talk about the firm’s goals or policies (they’re lawyers; they want to solve problems for clients and make money). Also, make sure that you use the checklist in the portfolio update assignment.

Here’s a suggestion for the outline of your Contingency Plan:

1) title page explaining what it is, who wrote it, how to contact the author, when it was written, and when it was last updated

2) copy/pasted assignment text (small headline to indicate that this is the assignment then indented and smaller font than the main body of the report)

3) table of contents (use Word heading styles so that you can build this automatically)

4) business impact analysis (what is interrupted after the office and servers within the office are destroyed? What is the cost per day of downtime?): 1/2 page.

5) preparation (backup schedule, any cloud or off-site backup systems used, any changes to the systems above; whatever it takes to ensure that the business can continue after office destruction): 1 page

6) incident response plan (who will do it; what will they do; how will they do it (can’t rely on the office or the servers in the office anymore!)): 1 page. At a minimum, this should include contacting all clients and then all employees.

7) disaster recovery plan (get systems back up and running): 2 pages (actionable steps, which presumably will include “find and lease new office space”)

8) business continuity plan (make sure work can proceed before DR plan is fully executed): 2 pages

Note that the page counts assume that no space is wasted on definitions, plans for making plans, etc. This is an estimate of how much space would be occupied by step-by-step instructions for people trying to get the law firm back in business.

[A reasonable solution is pretty simple. Prep section starts out with keeping some critical information, such as client contact info and employee contact info, in a Google spreadsheet. It then says to scan all of the physical documents so that there is an electronic backup. Also to use a system such as Acronis to back up the Windows server to the cloud and finally a periodic test procedure to make sure that everything can be recovered into a Windows server rented from Amazon AWS. The Incident Response Plan: Call the phone company and redirect the phone line into a virtual PBX. Have everyone work from home, just like we know they can because lawyers did this during coronapanic. Business Continuity is to rent a Windows server from Amazon AWS and reload from the backup. Disaster Recovery starts with looking for a new office space to lease.]
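
A test restore is only a test if something checks the result; a backup job that reports success and a restore that “completes” can still leave you with a truncated QuickBooks company file or a missing folder. The script below is an added example, not from the original post or from any backup product mentioned in it: it builds a SHA-256 manifest of the file server’s tree before backup and compares a restored copy against it, classifying every file as missing, changed, or extra. The directory names, file contents, and the flaws injected into the “restored” copy are all constructed for the demonstration; in practice the manifest would be kept somewhere other than the backup it verifies (alongside the contact lists the note above puts in a Google spreadsheet, for example) and the restore target would be the rented AWS Windows server.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large scanned-document PDFs don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256.
    Taken on the live server before the backup runs and stored away from the backup."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest and return the three failure classes."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),            # never made it into the backup
        "changed": sorted(k for k in manifest.keys() & restored.keys()
                          if manifest[k] != restored[k]),             # truncated or corrupted
        "extra": sorted(set(restored) - set(manifest)),              # junk the restore introduced
    }


def restore_ok(result: dict) -> bool:
    """The drill passes only if every class is empty."""
    return not any(result.values())


def demo() -> dict:
    """Constructed scenario (not real firm data): a source tree, a flawed restore, and the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "clients").mkdir(parents=True)
        (src / "matters" / "2021").mkdir(parents=True)
        (src / "clients" / "contacts.csv").write_text("name,phone\nAcme,305-555-0100\n")
        (src / "matters" / "2021" / "0042-brief.docx").write_bytes(b"PK" + bytes(64))
        (src / "matters" / "2021" / "0042-exhibit-a.pdf").write_bytes(b"%PDF-1.7 constructed")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # Inject the failures a drill should catch:
        (restored / "clients" / "contacts.csv").unlink()                          # file the job never picked up
        (restored / "matters" / "2021" / "0042-brief.docx").write_bytes(b"PK")     # truncated on restore
        (restored / "matters" / "2021" / "0042-brief.docx.tmp").write_bytes(b"")  # leftover temp file

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("restore OK" if restore_ok(result) else "restore FAILED")
```

Run this (or its equivalent) as the last step of every restore drill and file the output with the plan; a file count or a green light from the backup console does not tell you that the brief a partner needs Monday morning is intact.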

Network Access Breach at a Law Firm

Once again, we look at the 50-employee law firm of Kirkland, Watkins, and Austin (“KWA”). Because it was rare for clients to visit the office, only a single WiFi network was configured, i.e., there is no separate guest network. It is protected with a WPA2-Personal pre-shared password and, for maximum security, the password is random: “O6+X{BjM4En8BRk-5_)C”. Visitors could not be expected to type this from memory and were therefore handed a printout of the password. It was supposed to be changed every week, but the practice fell by the wayside after attorneys complained that they didn’t want to type a new password into phones and laptops every week. The password has been the same for 14 months.

You are brought in to audit the network. Looking at the MAC addresses of devices connected to WiFi, you find that, at any given time, 2 or 3 connected devices cannot be accounted for. It turns out that a visitor left the password printout at a coffee shop downstairs. One of the baristas began using it for a personal iPhone and, finding the network speed impressive, began sharing the password with customers. Fortunately, the WiFi router was configured to log the MAC address for every new DHCP lease. From these logs, after filtering out entries for MAC addresses belonging to firm-owned devices, you infer that the network access breach began approximately 11 months ago, i.e., on January 15, 2021.
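
The filtering step in the scenario is a small piece of detection logic worth making concrete. The script below is an added example, not part of the original post: it parses router DHCP lease log lines (the line format and the sample entries are constructed, as is the firm’s MAC inventory), drops leases belonging to inventoried devices, and reports each remaining MAC with its first and last lease time, so the earliest first-seen is the inferred start of the breach. Two caveats a practitioner would want: modern phones randomize their WiFi MAC per network, so the script flags locally-administered addresses because one stranger’s device can show up as several “unknown” MACs; and an inventory match proves a MAC, not a device, since a MAC can be copied.

```python
import re
from datetime import datetime

# Constructed sample of the router's DHCP lease log (not from the original page).
# Assumed line format: "<Mon DD YYYY HH:MM:SS> DHCPACK <ip> <mac> <hostname>".
SAMPLE_LOG = """\
Jan 04 2021 08:12:40 DHCPACK 10.10.0.21 3c:22:fb:aa:01:01 KWA-LAPTOP-07
Jan 15 2021 09:47:02 DHCPACK 10.10.0.63 a4:83:e7:5c:2d:11 iPhone
Jan 15 2021 12:03:18 DHCPACK 10.10.0.22 3c:22:fb:aa:01:02 KWA-LAPTOP-08
Feb 02 2021 10:21:55 DHCPACK 10.10.0.64 a4:83:e7:5c:2d:11 iPhone
Mar 11 2021 13:40:09 DHCPACK 10.10.0.65 d6:1a:9f:00:77:31 Galaxy-S21
Mar 11 2021 14:02:44 DHCPACK 10.10.0.30 AA-BB-CC-DD-EE-FF SEP-Cisco-Phone
Apr 20 2021 16:15:27 DHCPACK 10.10.0.66 d6:1a:9f:00:77:31 Galaxy-S21
"""

# Constructed asset inventory of firm-owned devices; separators and case vary, as they do in real spreadsheets.
FIRM_INVENTORY = {"3C:22:FB:AA:01:01", "3c-22-fb-aa-01-02", "aa:bb:cc:dd:ee:ff"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) DHCPACK (?P<ip>\S+) (?P<mac>\S+) (?P<host>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so inventory and log entries compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a locally administered address, which is what
    phone OSes set when they randomize the MAC per network."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_leases(log_text: str) -> list:
    """Turn matching log lines into dicts; unrecognized lines are skipped, since real
    router logs mix DHCP messages with everything else."""
    leases = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        leases.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "ip": m["ip"],
            "mac": normalize_mac(m["mac"]),
            "host": m["host"],
        })
    return leases


def triage_unknown_devices(log_text: str, inventory: set) -> dict:
    """Leases not matching the inventory, summarized per MAC in time order."""
    known = {normalize_mac(m) for m in inventory}
    unknown = {}
    for lease in sorted(parse_leases(log_text), key=lambda l: l["ts"]):
        if lease["mac"] in known:
            continue
        entry = unknown.setdefault(lease["mac"], {
            "first_seen": lease["ts"], "last_seen": lease["ts"], "leases": 0,
            "hosts": set(), "randomized": is_locally_administered(lease["mac"]),
        })
        entry["last_seen"] = lease["ts"]
        entry["leases"] += 1
        entry["hosts"].add(lease["host"])
    return unknown


def inferred_breach_start(log_text: str, inventory: set):
    """Earliest lease handed to a device the firm does not own, or None if there is none."""
    unknown = triage_unknown_devices(log_text, inventory)
    return min((e["first_seen"] for e in unknown.values()), default=None)


if __name__ == "__main__":
    for mac, e in triage_unknown_devices(SAMPLE_LOG, FIRM_INVENTORY).items():
        print(mac, e["first_seen"], e["last_seen"], e["leases"], sorted(e["hosts"]),
              "randomized" if e["randomized"] else "vendor-assigned")
    print("breach start:", inferred_breach_start(SAMPLE_LOG, FIRM_INVENTORY))
```

The DHCP log is the only evidence that survived the 30-day retention on the server applications, so the “11 months” figure rests entirely on how far back the router kept leases; if it rotated too, the real start could be earlier than the first unknown entry.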

Unfortunately, in an effort to preserve disk space, all of the server-based applications on the central Windows Server were configured to delete logs older than 30 days.

The Managing Partner requests a report that answers the following questions:

  1. were confidential documents stored on the Windows Server and/or on attorney desktop and laptop computers accessible to people outside the firm?
  2. could any of the people who connected from the coffee shop have read attorney-client emails?
  3. could any of the people who connected from the coffee shop have listened to attorney-client phone calls?
  4. could coffee shop people have obtained PCLaw and/or Time Matters data by snooping on WiFi traffic? Could a lawyer from an opposing firm, for example, see who was working on a case and how many hours were being logged?
  5. should clients be informed about the network breach and the possibility that private data were compromised?
  6. what should be done going forward? (the password has already been changed to “,+r7usbSw!\<$qTz>vRp”)


Feel free to reference online Microsoft documentation or other technical articles that you find online.

Expected length, excluding cover page and copy/paste of this assignment text, is 3-4 pages. Consider starting with half a page devoted to the question of whether a connected user on a WPA2-PSK-protected WiFi network can, in fact, read packets sent to/from other devices that connect to the same network with the same pre-shared password (the answer depends on how WPA2-Personal derives per-client keys, so look it up rather than guess). After that, go system by system through the law firm’s systems. Figure out whether each system encrypts its traffic end-to-end and authenticates the server it talks to. If it does, it shouldn’t matter who can see the packets (you can do online banking from your home and technicians at AT&T, Verizon, or Xfinity can see the packets, but they can’t log into your bank account). If it does not, the only protection left is whatever the WiFi layer provides, which is exactly the question from the first half page.
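
The first half page turns on how WPA2-Personal derives keys, and that can be checked rather than guessed. The following is an added example, not from the original post or from any vendor documentation: it implements the public key derivation from IEEE 802.11 (PBKDF2 for the PMK, the 802.11 PRF for the per-session PTK, HMAC-SHA1 for the EAPOL-Key MIC) and shows that a second device holding the same passphrase, having observed a station’s 4-way handshake (the AP and station MAC addresses and both nonces are sent in the clear), computes that station’s session key, while a device with a different passphrase fails the MIC check. The SSID, MAC addresses, nonces, and the EAPOL message bytes are constructed; only the passphrase is the one from the assignment. For contrast, WPA2-Enterprise (802.1X) gives each user a distinct PMK from its own authentication exchange, so a shared printout is never enough to derive anyone else’s keys, and WPA3-SAE derives a fresh PMK per association, so passive capture plus the passphrase no longer suffices.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Identical for every device that knows the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-session PTK (48 bytes for CCMP) = KCK | KEK | TK. Every input except the PMK travels in
    the clear during the 4-way handshake, so PMK + a handshake capture reproduces the PTK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (key-wrap key), TK (the key that encrypts the station's data frames)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2-PSK with CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# --- Constructed handshake capture: none of these values come from real traffic ---
SSID = "KWA-Office"                                  # assumed SSID
PASSPHRASE = "O6+X{BjM4En8BRk-5_)C"                 # the firm's password from the assignment
AP_MAC = bytes.fromhex("3c22fbaa0100")               # constructed
STA_MAC = bytes.fromhex("a483e75c2d11")              # constructed (the barista's iPhone)
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# Stand-in for EAPOL-Key message 2 with the MIC field zeroed; not a fully formed frame.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(64)


def client_side() -> tuple:
    """What the legitimate station computes: its TK and the MIC it puts on message 2."""
    ptk = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck, _kek, tk = split_ptk(ptk)
    return tk, eapol_mic(kck, EAPOL_MSG2)


def eavesdropper_recovers_tk(passphrase_guess: str, observed_mic: bytes):
    """Another user of the same WPA2-PSK network who captured the handshake: derive the PTK
    from the passphrase, confirm it against the observed MIC, and return the victim's TK,
    or None when the passphrase is wrong."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase_guess, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck, _kek, tk = split_ptk(ptk)
    return tk if hmac.compare_digest(eapol_mic(kck, EAPOL_MSG2), observed_mic) else None


if __name__ == "__main__":
    victim_tk, mic = client_side()
    print("barista with the printout recovers TK:", eavesdropper_recovers_tk(PASSPHRASE, mic) == victim_tk)
    print("stranger without the passphrase:", eavesdropper_recovers_tk("guess", mic))
```

So on WPA2-Personal the question “can a connected user read other devices’ packets?” reduces to “does the user hold the passphrase and can the user see the other device associate?”, and everyone who got the printout does. The same MIC check is also what lets anyone with a captured handshake test passphrase guesses offline; the 20-character random password defends against that, but not against someone who is simply handed it.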

[Solutions to this were rough. Instead of hitting Google to figure out whether Outlook/Exchange communications or Cisco desktop phones use encryption, students would simply guess and sometimes admit that they were guessing. For them, the Internet simply does not exist as a research tool. They start with a Hollywood view of security. If someone can get anywhere near a network, it is guaranteed that the person can break into every system, read every file, listen to every VoIP call, read every email, etc. I asked “Could these standard Microsoft and Cisco tools be sold to a 5,000-person company? The company hires a new receptionist or mailroom clerk, possibly planted by a competitor, and this junior new-hire who has network access can immediately see every file, every email, and listen to every phone call?” Students mostly failed to see the connection. “But the people surfing from the coffee shop weren’t employees.” It would have been smarter to precede this assignment with 30 minutes on the security systems that are built into the various packages that the law firm is using.]

Critique another student’s work.

[I should have done more of these. This assignment seemed to motivate people to spruce up their portfolios and also the students often did a better-than-expected job.]

Note that this assignment cannot be turned in late, since that would be unfair to your classmate who would have been counting on receiving the constructive criticism. The idea of this assignment is that you will also get some good ideas for your own portfolio by looking carefully at someone else’s.

For at least 6 documents in your classmate’s portfolio, please do the following (from easy to hard):

1) review the document against the checklist in Update your portfolio (again)

2) check for spelling, grammar, and formatting errors (could be as simple as headline orphaned at the bottom of the preceding page due to a failure to use “Keep with Next”)

3) check to make sure that all of the required components of the assignment are present (e.g., if there are four questions in the assignment, are all four answered)

4) look for “plan for making a plan” passages, in which the author fails to do the work assigned and instead leaves it for the reader (with instructions on how to do planning that maybe the reader will try to follow)

5) look for conclusory statements that need to be explained and justified, e.g., a simple “Yes” in response to an assignment question.

6) look for statements or analysis that should be supported by links to Internet sources, e.g., official software manufacturer’s documentation pages

7) look for material that is not actionable, e.g., a recovery plan that does not contain concrete steps to perform and/or the steps are vague and you wouldn’t know what to do after reading them

8) determine whether the document actually fulfills the assignment (i.e., is a useful guide to solving whatever problem was set forth)

Write this up in a single Word document. There should be at least 1/2 to 1 page per classmate’s paper (so at least 4-6 pages total). There should be a headline at the top of each section saying which assignment you’re reviewing plus an overall title page at the top giving the name and contact information for your classmate as well as your name and contact information.

Conclusion

Giving open-ended assignments like the above is a lot of work. I figured that when three or four solutions were discussed in a class and their common problems identified, the rest of the students would then be able to transfer those criticisms back to their own papers. But this seldom happened. Quite a few students would take no action to revise a paper unless the teacher downloaded their Word doc, marked it up, told them exactly what to do/change, and sent it back. Thus, if you assign the above problems you need to be prepared to edit every student’s paper every week. Consequently, it may be smarter to do these as group assignments, with 2 or 3 students per group, so that you don’t have to mark up paper after paper with the same issues.

Even if you spent 60 hours per week reviewing and editing, the students who are there for the credential will simply resent that they were assigned an open-ended writing project, especially one that cannot be accomplished purely by reference to the textbook. Except perhaps in some elite universities, the idea that college students would have to write and revise is an outrageous imposition. The handful who are curious about how information systems work and who want to develop good planning, system design, and communication skills will be grateful and ask whether you’re teaching any classes next semester.

So you’ve been warned and I hope that the above material is useful somehow!

29 thoughts on “Teaching Information Security”

  1. Just because you think data was backed up, doesn’t actually mean it was backed up – or was the right data, or can actually be restored, or can be restored without nuking other data. Every backup plan needs a recovery plan, and the recovery plan needs to be tested (every 90 days? or whatever period of data you are comfortable losing).

  2. Here it is. Philip called the internet a research tool, after rightfully complaining in one of the previous posts that looking up a statistic is not research. Could not resist nitpicking. Doing #science when typing words into Google.
    But I agree with the overall point. And yes, need to add recovery testing to the action plan and actually design a process with hardware/software for it.
    Really useful plan writing is a significant amount of work that could take a week, and more in real life to be done properly. I assume that students thought, based on the previous lecturer, that the course was an easy 3 credits as part of their 15–18 credit semester. Probably they are already working on their senior thesis or other projects, and just coding if they are good. It should be rebranded as a special IT operations concentration, as a major class.

    • LSI: It is not “scientific research” to use the Internet to see if Microsoft Outlook uses end-to-end encryption to talk to Microsoft Exchange, but it is “research” in the sense of “library research” or “please research for me what colors the 2022 Corvette is available in.”

    • Philip, I always try to escape the newspeak meaning of the word “research” and remove it from my writings when talking about mundane issues, or well-developed ones already researched by someone. I do not like newspeak because of its subversive goal and guard against it. In my mind, and as I remember from the pre-HotBot search era, “Research is a process of systematic inquiry that entails collection of data; documentation of critical information; and analysis and interpretation of that data/information, in accordance with suitable methodologies set by specific professional fields and academic disciplines.” I found it at https://www.hampshire.edu/dof/what-is-research after a quick internet search, not research as newspeak-compliant web dictionaries would suggest.
      When I do even slightest research, I read available info on it and do my own experimental data collection or at least working prototypes and mock-ups.

    • Regardless of the word used to describe the process, I was surprised to find that students, even after I’d told them that the F45 airport was a real airport and had shown them a web page about it, didn’t use the available tools on their own computers to, e.g., look up the correct street address for the airport when a NIST form called for a street address. The consequences for an unwillingness to use a web browser and search engine could go beyond these minor details. They’d forget what I’d said in class or what was on the assignment and simply assume that the airport was owned by the federal government and subject to federal regulations, so the documents would have references to various laws that apply only to federal agencies.

  3. The “plan for making a plan” method is very popular in academia, bureaucracy and big corporations. It is similar to hermeneutics, which allows one to speculate about methodologies for understanding something instead of actually understanding something (which is more difficult).

    I must say that for a Linux/BSD person this curriculum might be hard to follow, since he/she/ze/they would not be interested in Microsoft at all.

    > So you’ll want to stress that in the cloud age they should always be thinking about subscription services.

    Yes, but be aware that you are a sharecropper and Amazon etc. can destroy your business for any reason, including hate speech like publicly using the wrong pronouns. It is still safer to have one’s own IT.

    • Linux (and I assume BSD, for those who use them) based servers too require recovery and business continuity planning. I do consider recovery planning and procedures mundane and yucky, but they are critical for business survival.

    • Anon: I used Windows because I thought the students would be most familiar with that system, because the documentation is readily available on the Web in non-technical language, and because it is the backbone of IT at mid-sized enterprises where graduates might get their first jobs.

      I think Linux would have been several bridges too far. Even by the end of the semester, there were some students who did not carefully distinguish between servers and desktop computers, between Windows Server and Windows 10, etc. I guess Linux as the server has the advantage that it can’t be confused with Windows the desktop client.

    • @Philip,

      > I think Linux would have been several bridges too far.

      How can someone learn about Information Security and yet know nothing about Linux?!

      I have interviewed a lot of candidates and I have always picked the lesser qualified candidate if x/s/he has exposure to Unix.

      You’d be surprised how many college candidates I interviewed who didn’t know about the CMD shell on Windows. And those were candidates with Java programming skills (and some had M.S. degrees)!

      Gone are the days when in college you wrote code in LISP or wrote C socket code dealing with TCP/UDP. What about malloc()/free()? How about the meaning of heap/stack memory?

  4. Under the section “Network Access Breach at a Law Firm”, a paragraph appears out of place:

    ```
    To keep this streamlined, make sure not to try to solve problems that aren’t related to the physical destruction of the office and the computers inside the office. Don’t waste space on definitions. Don’t talk about the firm’s goals or policies (they’re lawyers; they want to solve problems for clients and make money). Also, make sure that you use the checklist in the portfolio update assignment.
    ```

    I think it was copied from the section “Contingency Plan for Law Firm”.

  5. That’s a lot softer & higher level than MIT’s fundamentals of algorithm design & machine learning. Since Greenspun is the leading indicator of the universe, it makes lions wonder if the CONUS jobs are heading back towards management while the programming jobs move back to Asia, since we’re all working remotely.

  6. Some form of vendor risk analysis should have been included – perhaps of Shopify or of some unlisted Legal 3rd party system.

    • Fair point – but most graduates are going to end up in SaaSland not anywhere with any bare metal, so knowing how to piece together a report like “they claim SOC-2, PCI-DSS and GDPR compliance that would cover us, but won’t let us see their most recent BCP test results”, is something I wish new hires could do.

  7. Regarding the teacher’s age-old lament about the disappointing capabilities of his students, I wonder if there’s some adverse selection at work: students who are interested in computing and have the intelligence, academic preparation, and self-discipline to succeed in CS or EE choose (and remain in) those majors, leaving programs such as IT with the others.

    • CS is not IT, EE is not IT, EE is not CS even though CS majors work in IT and EE majors work in CS.

    • Ao: In my mind, IT is more properly part of business than “computing.” People learn to manage a critical function at a company (though it should be abolished as a department, says this guy: https://www.wsj.com/articles/get-rid-of-the-it-department-11637605133 ). A brilliant IT person wouldn’t become a computer programmer, but rather the COO or CEO of the whole company.

      Also, I’m never disappointed in a student’s capabilities. What disappoints me is someone who won’t try. I saw a biker wearing a T-shirt the other day:
      “Crawling is acceptable, falling is acceptable, puking is acceptable, blood is acceptable, sweat is acceptable, pain is acceptable, quitting is not”

      (I read it as “failing is acceptable” and agreed with the sentiment. It shouldn’t matter how many times someone fails at a task as long as he/she/ze/they eventually succeeds. That’s what we do in flight instruction. The typical student does not have great capabilities on the first flight. What matters is the checkride at the end!)

  8. @Philg: I understand that this is a bit of a tricky question, but have you gotten a sense that your students in Florida appreciate the academic rigor you’re asking of them? If I didn’t know who you were or who wrote this post, the first thing I’d think when I read it is: “This guy is from MIT.” In other words, are you encountering some “academic culture shock?”

    • Alex: About 3 in 20 do. About 5 in 20 have explicitly said that they don’t. Those 5 have said that they are there to pass the course and get a degree and just want me to tell them exactly what to do in order to pass.

      The experience reinforces my belief that the typical American university or college is set up completely wrong. The structure that was developed for Harvard and Yale (or their European forebears) doesn’t make sense for the average learner and it doesn’t even make sense for the Harvard and Yale students now that there are so many electronic distractions at home. College should be a 9-5 effort in an office-style environment with TAs milling about for help as necessary. Students shouldn’t be expected to do work outside this 9-5 window. Having a weekly lecture and then expecting students to manage their own time before the next lecture means that only the most organized students will learn anything.

    • My father has told me (on endless repeat) that one of the most difficult and challenging courses he took at [Elite but not Ivy League] University while pursuing an EE degree was a course in English Essay Writing. Every week the students had to produce a 1,000 or more word essay on some subject matter and when he began, he almost gave up in frustration. However, he put his nose to the grindstone, etc., and got a B+, at a time when that meant something. He’s partially dyslexic and left-handed, and reading/writing were always a challenge for him, but to this day he’s very glad he kept going. You cannot function in a business environment without good writing skills. Or is that an anachronism now also?

  9. I think this is a repeat comment for me, but if you really want to get discouraged, read a stack of $BigCo job applications (If that is even a thing now). The vast majority of them are sloppy, incoherent, and truly pathetic. No wonder students expect multiple choice and open book studies. The vast majority have never experienced organized thought.

    • Thanks! Just one review so far. That guy also complained via email about comments being “sassy”. He asked for a portfolio review, but I could see from the last-modified dates on the files in his shared folder that he hadn’t taken any action in response to a critique that he had received from a peer. It was December 3 when I pointed this out and nothing had been touched since November 25 (he got the peer critique on November 29 and there was a class with three hours of discussion of what to do with various documents on December 1). Genuinely confused, I wrote “Why would you ask for a review by me if you haven’t done anything in response to [other student’s] critique?”

      It is ironic that the guy rated that class as impossibly difficult. Everyone who simply showed up, did the assignments, did some substantive revisions in response to comments, and worked at least 2 hours/week outside of class ended up getting an A. (This particular student was unable to turn my feedback or peer feedback into an improvement so he got a B.)

    • philg: The new rules are that anything remotely critical or reproachful, even when justified or provoked, is “sassy” or “harmful” and must be reported! Here is a very short training video on how to adapt:

      https://www.youtube.com/watch?v=Sz0o9clVQu8

      Completely unrelated, but equally prescient, a short documentary on education (it also applies to software development). It was supposed to be a comedy in 2015, but seems quite realistic now:

      https://www.youtube.com/watch?v=iKcWu0tsiZM
