Thursday, November 19, 2009

My graduate school experience at East Carolina University - ICTN6823 Information Security Management

ICTN 6823 - Information Security Management.


Finally, by the time I started this course, I was finished with my core courses and ready to start into my concentration. (Note: click http://www.tecs.ecu.edu/departments/technology_systems/graduate_programs/MS_technology_systems/information_security.html to go to the course catalog.)



ICTN 6823 was the first course in my concentration. I took this course in the Summer of 2007 and had the great Dr. Phil Lunsford as my professor (http://www.tecs.ecu.edu/departments/technology_systems/faculty_and_staff/lunsford.html)



We used the textbook Management of Information Security by Whitman & Mattord http://www.amazon.com/Readings-Cases-Management-Information-Security/dp/0619216271/ref=pd_rhf_shvl_1


This class was a combination of book reading, assignments and a final paper submitted to a place for publishing.

A lot of the assignments involved using cryptography to hide files within another file. We used a tool called TrueCrypt. Since my class, TrueCrypt has released a major version - 6.0 - that's supposed to be a lot better. I need to check that out.

The book's topics were very high level on information security. It talks of planning at the CIO level and the security software development life cycle. We looked at risk analysis and contingency planning from a CIO-level point of view. One of the important topics that seemed to follow me through the course was the organization's security policy.

Our class "met" in text chat along with the professor. Dr. Lunsford never really required us to show for class but we could attend in case we had questions. Dr. Lunsford usually let us lead the class discussion but if it got slow, he would throw some security topics out there for us.

We had to write a term paper for the class and submit it for publication. My paper was on the topic of Blueprint for Web Application Security. This paper was intended to be a how-to guide for a software development team on considering secure ways of programming to shore up defenses. In addition, creating a security awareness training program for developers was an idea for getting developers thinking about what can creep into a web application and how to stop it. This was a high-level paper and I will have to admit, not a very good paper. I guess the more that I know now, I can look back at this paper and spot the inconsistencies.

Needless to say, my paper didn't get published!

Sunday, February 1, 2009

My graduate school experience at East Carolina University: ITEC 6200 Project Management


My last core course was ITEC 6200 Project Management in my fourth semester. This was a study in project management in its purest sense: we got into what qualities make a good project manager and how a project manager spends most of their day. This was my second class taught by professor Charles Coddington, with whom I took my first introductory course. http://www.tecs.ecu.edu/departments/technology_systems/faculty_and_staff/coddington.html

The text we used was: Project Management: The Managerial Process (Mcgraw-Hill/Irwin Series Operations and Decision Sciences)


A project manager's main responsibility is to marshal resources in order to complete projects on time, within budget and according to customer expectations. Other responsibilities can be nailed down to four: Plan, Schedule, Motivate and Control. A project manager must have a good sense of efficiency and cannot get bogged down in emails and other extraneous activities.

A lot of the semester, we were presented case studies that we had to read and answer. One case study involved how the Disney Corporation evaluates new ideas for movies. They listed their must and want objectives, the relative importance of each objective and how they developed a scorecard that weighted each movie against them. Disney's objectives were things like generate profits over 18%, raise environmental concerns, be nominated for best picture and ability to generate additional merchandising opportunities.

Our midterm instructed each student to read a case study about a company called Jarvis Communication Corporation. The first problem was to develop the mission statement: Jarvis Communication Corporation is a small growing company that provides high quality telecommunications products and services and is a market leader in the innovations of new communication technology. The next step was to develop 3 long range goals and objectives for Jarvis.

We were assigned a group project. I got in with a really good group of guys again and we had to build a project schedule using Microsoft Project. We identified resources, activities and other important information about a project based around a company that was building a type of razor scooter called Silver Zuma.

Other items that we studied were:

  1. The advantages and disadvantages of the different approaches to organizing projects: functional, matrix, virtual and dedicated.
  2. Using Microsoft Project to develop work breakdown structures for projects, and how a WBS aids in project management.
  3. Calculating cost estimates for projects using Microsoft Project.
  4. Calculating project critical paths.
  5. Determining the activities that have the greatest amount of slack time.
  6. Analyzing and determining when to deliver on a milestone.
  7. Determining how sensitive a project network is (how likely the critical path is to change, which depends on the number of critical paths and how much slack the other activities have).
  8. Determining under- and over-allocated resources.
  9. How to readjust resources to still meet a project deadline in case of shortages.
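Items 4, 5 and 7 above are all answered by one calculation, the critical-path method, so here is an added Python example of mine (not code from the course or from Microsoft Project) that runs the forward and backward passes over a small activity network. The network itself (`SAMPLE`, activities A through E with constructed durations) is made up for illustration.

```python
"""Critical-path method on a small activity-on-node network.

Forward pass: earliest start/finish.  Backward pass: latest start/finish.
Slack = LS - ES; zero-slack activities form the critical path.
Added example; the sample network below is constructed, not from the course.
"""
from collections import deque

# activity -> (duration in days, list of predecessors)
SAMPLE = {
    "A": (3, []),
    "B": (2, ["A"]),
    "C": (4, ["A"]),
    "D": (1, ["B"]),
    "E": (3, ["C", "D"]),
}


def topological_order(network):
    """Kahn's algorithm; also returns the successor map. Rejects cycles."""
    indeg = {a: len(preds) for a, (_, preds) in network.items()}
    succ = {a: [] for a in network}
    for a, (_, preds) in network.items():
        for p in preds:
            succ[p].append(a)
    queue = deque(a for a, d in indeg.items() if d == 0)
    order = []
    while queue:
        a = queue.popleft()
        order.append(a)
        for s in succ[a]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(network):
        raise ValueError("activity network contains a cycle")
    return order, succ


def schedule(network):
    """Return ({activity: {ES, EF, LS, LF, slack}}, project duration)."""
    order, succ = topological_order(network)
    es, ef = {}, {}
    for a in order:                        # forward pass
        dur, preds = network[a]
        es[a] = max((ef[p] for p in preds), default=0)
        ef[a] = es[a] + dur
    duration = max(ef.values())
    ls, lf = {}, {}
    for a in reversed(order):              # backward pass
        dur = network[a][0]
        lf[a] = min((ls[s] for s in succ[a]), default=duration)
        ls[a] = lf[a] - dur
    table = {
        a: {"ES": es[a], "EF": ef[a], "LS": ls[a], "LF": lf[a], "slack": ls[a] - es[a]}
        for a in order
    }
    return table, duration


def critical_path(network):
    """Zero-slack activities, in schedule order."""
    table, _ = schedule(network)
    return [a for a, row in table.items() if row["slack"] == 0]


def most_slack(network):
    """Activities sharing the largest slack (sorted), with that slack value."""
    table, _ = schedule(network)
    top = max(row["slack"] for row in table.values())
    return sorted(a for a, row in table.items() if row["slack"] == top), top


def near_critical(network, tolerance):
    """Activities whose slack is within `tolerance` of zero: a simple proxy
    for network sensitivity (many near-critical activities means a small
    delay can shift the critical path)."""
    table, _ = schedule(network)
    return [a for a, row in table.items() if row["slack"] <= tolerance]


if __name__ == "__main__":
    table, duration = schedule(SAMPLE)
    for a, row in table.items():
        print(a, row)
    print("duration:", duration, "critical path:", critical_path(SAMPLE))
```

For the sample network the project takes 10 days, A, C and E are critical, and B and D each carry one day of slack; with a tolerance of one day every activity is near-critical, which is exactly the kind of sensitive network item 7 refers to.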

A really good class. The only pitfall was that this class failed to mention other approaches to project management in use today, like the Agile methodology. http://agilemanifesto.org/

Sunday, January 25, 2009

My graduate school experience at ECU - 3rd semester: ITEC6406 Cost Analysis for Technology

All I can say is Wow! This was probably my most difficult class. Matter of fact, I ended up dropping it the first time that I took it. In the end, I suffered through it and made out with an A.

My instructor was Dr. Paul Petersen: http://www.tecs.ecu.edu/departments/technology_systems/faculty_and_staff/petersen.html

Dr. Petersen was one of the most debated professors in my program so far. Some students loved him and a lot had problems with his methods. What set Dr. Petersen apart in the program was his willingness to record every classroom lecture and post it on ECU's Global Classroom site. He taught an undergraduate-level course on the same subject, and those were the lectures that he recorded. What was hilarious was that in the recorded lectures he often spoke of his graduate class with some less than flattering remarks. I can't remember any specifics but they were funny. Some of the students in my class took exception to these comments. I believe these were the students who didn't do so well.

This the text book that we used: Canada, John R., William G. Sullivan, John A. White, and Dennis Kulonda. Capital Investment Analysis for Engineering and Management, 3rd Edition. Pearson Education, 2005. ISBN 0-13-143408-X

Funny thing about this was that John Canada either taught or was a student at NC State. A guy that I used to work with went to classes with Canada. Judging from some of the comments on Amazon, this book was not well received. I found the book hard to follow - it was not well written in my opinion. It made the course even more difficult.

We also were required to download case studies from Harvard Business Online: one was Destin Brass Products case study and the other was The Super Project. Each case study counted towards 20% of the final grade.

We also had a few take home exams and a final group project. I was lucky enough to get in with a good group. I had a smart guy who worked in Wilmington for a chemical laboratory. We did a cost analysis of 3 different vendor's mass spectrometer instruments with the goal of recommending one.

Here is a breakdown of the rest of the topics we studied:

1) Costs - incremental versus fixed costs. Direct and indirect costs.
2) Compounding interest - finding out when you will triple your investment, continuous compounding.
3) Calculating capital recovery for purchased equipment against the MARR (minimum attractive rate of return).
4) Calculating internal and external rates of return.
5) Calculating inflation - speaking in terms of today's dollars versus future dollars.
6) Determining how much money you will have to invest to pay for expansions.
7) Activity-based costing.

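Items 2 through 6 above are all variants of the time value of money, so here is an added Python example of mine (not from the course, the textbook or the Harvard cases) that implements them: years to triple under continuous compounding, net present value, internal rate of return found by bisection, the real-versus-nominal rate conversion used for inflation, the capital recovery of a purchase with salvage value, and the present sum needed to fund a future expansion. The cash flows used in the tests are constructed.

```python
"""Time-value-of-money helpers: added example, not course material.
Rates are decimals per period (0.08 = 8%), cash flows are per period
with index 0 meaning today.
"""
import math


def continuous_growth_years(multiple, rate):
    """Years for an investment to grow by `multiple` (3 = triple) at
    nominal `rate` with continuous compounding: solve e^(r t) = multiple."""
    return math.log(multiple) / rate


def npv(rate, cashflows):
    """Net present value of a cash-flow series discounted at `rate`."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows, lo=-0.99, hi=10.0, iterations=200):
    """Internal rate of return: the rate where NPV is zero, by bisection.
    Requires NPV to change sign between `lo` and `hi` (a conventional
    project with an outlay followed by inflows satisfies this)."""
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        raise ValueError("IRR not bracketed: NPV has the same sign at lo and hi")
    for _ in range(iterations):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cashflows)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def real_rate(nominal, inflation):
    """Fisher relation: the rate in today's dollars given a nominal rate."""
    return (1 + nominal) / (1 + inflation) - 1


def capital_recovery(cost, rate, years, salvage=0.0):
    """Equivalent uniform annual cost of owning an asset bought for `cost`
    and sold for `salvage` after `years`, at MARR `rate`:
    CR = (P - S) * (A/P, i, n) + S * i."""
    if rate == 0:
        return (cost - salvage) / years
    a_over_p = rate / (1 - (1 + rate) ** -years)
    return (cost - salvage) * a_over_p + salvage * rate


def present_value(future, rate, years):
    """Amount to invest today so that it grows to `future` in `years`."""
    return future / (1 + rate) ** years


if __name__ == "__main__":
    print("years to triple at 8% continuous:", round(continuous_growth_years(3, 0.08), 2))
    print("IRR of -100, +60, +60:", round(irr([-100, 60, 60]), 4))
    print("annual cost of a $10,000 asset over 5 years at 10% MARR:",
          round(capital_recovery(10000, 0.10, 5), 2))
```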
This is the class that I will need to review very hard for my comp. exam.

Tuesday, January 20, 2009

My graduate school experience: 2nd semester - ITEC 6000: Statistical Applications In Industry

The second of the core courses was my statistics class, which I took in Spring of 2006. It was a tough class but it was also a great course. My instructor, Dr. Paul Kauffman, ECU's department of engineering chair (http://www.tecs.ecu.edu/alumni/TECS_newsletter/nexus/nexusVol2no6.htm#4), was one of the most organized professors. He knew exactly how to conduct a distance education course. He recorded lectures in which he explained the statistics topic we were studying at the time. This helped a great deal in understanding the tougher concepts. He also created good PowerPoint presentations and made them available for download.

Another cool thing is that we used Excel to build a lot of our homework submissions. I learned many of the built-in Excel functions, and the book usually had a section in each chapter that showed you how to build a spreadsheet.

Here is a snapshot of what we studied:

1) Data collection using surveys - Good interesting start to the semester. I actually used this information to help my team create a user survey to get input on how they liked our software.

2) Analyzing large data sets using frequency distributions and displaying histograms.

3) Measures of central tendency (mean, median, quartile ranges).

4) Data variation and shape using box and whisker plots.

5) Coefficient of correlation to measure strength of linear relationship

6) Probability.

There are a few more things that I need to look up, plus the book: I will post the book title when I get back to work.

Tuesday, January 13, 2009

My graduate school experience so far....(Overview) - First course - A Program Introduction

Currently, I am enrolled in graduate studies at East Carolina University in Greenville for a Master's in Information Security. The graduate requirements dictate that each student must take and pass a comprehensive exam in order to receive the degree. As part of preparing for this, I'm going back through all of my previous classes and reviewing the information. I thought, "This would be a great blog posting." Maybe future students or someone who is thinking of taking this same program would benefit from this information.

So, here is the first part in a series of blog postings "What to expect in Masters of Information Security program at East Carolina University.".

First of all here is a link to the program: http://www.tecs.ecu.edu/departments/technology_systems/graduate_programs/MS_technology_systems/information_security.html

You will see that the program requires 30 hours of classroom instruction broken up into 10 different courses. The first four courses are what are considered "core courses"; then a student launches into a "concentration." Since my concentration is Information Security, I go ahead and take those courses. My program coordinator is Kelly Bass and she is terrific! Very helpful.

Looking at the link above, the first of the four core courses is ITEC 6050 - Program Introduction.

ITEC6050 - Program Introduction. Fall 2005.

My professor for my first course was Dr. Charles Coddington: http://www.tecs.ecu.edu/departments/technology_systems/faculty_and_staff/coddington.html

I really like Dr. Coddington personally, as he was a very fair and organized professor. The first course to me was very easy. It was a program introduction, so we went over some of the following:

1) How to use the Internet to do research, including using the online library at ECU and how to sign up for the IEEE Xplore database using your ECU credentials. This has been very useful throughout the rest of my academic career at ECU.
2) Listserv - What are they, where are they and how to sign up and use listservs.
3) Yahoo Groups - How to sign up and use to the full extent Yahoo groups for online collaboration.
4) mIRC - We used mIRC chat to hold weekly class sessions. Dr. Coddington set up a mIRC chat server on one of ECU's servers that we used to interact in class.
5) Group project - our class was divided into groups, and each was assigned a team project. Our team learned how to use a wiki and built a collaborative wiki that simulated a fictitious medical office. The cool thing about this was that I then brought this knowledge back to my company. We had a series of loosely connected homegrown HTML pages for our project data. I was able to download the wiki software and build a wiki for our team to use. It was a major hit!
6) Secure FTP - We studied and learned how much safer secure FTP is than a regular FTP server.
7) Midterm and final exams - not too difficult as this was mostly research using the Internet.
8) Required textbook? - no required textbook for this course.

Next - stay tuned for a review of core course: ITEC 6000- Statistics for Business Managers.

Saturday, January 10, 2009

Web application security.

I'm in the middle of two technologies - software development and information security. In my grad school classes, my professors usually require us to write a term paper relating to security each semester. My first paper dealt with creating a web application security plan for a software team. Looking back, I'm not sure if it was written with the best of knowledge - I went over things such as cross-site scripting, buffer overflows, etc., but I really didn't know how to stop them - I was just listing common attacks.

So, when I found a video on www.csoonline.com that details Application Security from the experts at Gartner group, I decided to sign up to view the video.

Here are some highlights:

1) Even if your manager decides that security for your application is important, with the crappy economy for 2009, don't expect to receive any additional funding. Do with what you have.

2) Whose responsibility is it to do the application security testing? The development staff or an outside security team? Then, where do you start? From the outside going in, or starting on the inside of the application?

3) Should you be trying to break your application's security by testing against your production applications? Most organizations are scared to do this because customers are using the application and if you manage to break it, customers are affected. Using virtualization could be the answer to this problem: use virtualization to take a snapshot of your production application and test against that copy - not your actual production application.

4) Are there any automated testing tools, like JUnit, that are geared toward automating security tests?

5) How can you find an expert in the field of application security that will help you identify and isolate vulnerabilities? Over 150 new vulnerabilities are discovered each week so you need someone that knows how to be on top of these.

6) Trends include certifications from websites that they are secure - for example, PCI certifications from credit card companies.

7) White-box or source code scanning for security issues can only catch about 5% of known attacks. It's good to do, but don't rely on just this method.

8) Security software as a service - finally, companies trying to save money can use security testing and other software from the services cloud. Of course, you also have to worry about their security.

Tuesday, December 30, 2008

Amazon Web Services - Cloud computing and security

Cloud computing is a buzzword gaining traction, especially in today's tough economic conditions. Cloud computing is a way to offer software as a service (SaaS). For example, I was reading an article recently that appeared in one of the leading money magazines that boldly predicted that Apple was going to be in trouble soon (of course telling everyone to dump their Apple stock). Apple's big money maker is its iPod line. And for a user to use their iPod, they have to do these things in order:

  1. Rip the CD to MP3 files or download from iTunes.
  2. Plug your iPod into the computer.
  3. Launch iTunes and sync your music to the iPod.
  4. Listen and enjoy.

The author was asking why listeners have to go through all of this stuff just to enjoy their favorite music? And what if the listener wanted to listen to something that they didn't physically own?

The author explained that services like Rhapsody offer music "in the clouds". All a listener has to do is log into their account and, for $15 a month or so, you can listen to anything, at any time of day, whether or not you have bought the actual album.

Apple has been slow to catch on to this concept, and therefore the days of the iPod are numbered.

Amazon now offers "Amazon Web Services" - a cloud computing platform that offers users a wide variety of applications. Since cloud computing is one of the new things and security for traditional methods of software delivery is still a work in progress, how does security work in the clouds? If you go to http://aws.amazon.com, on the right-hand side of the page there is a link to the Security Whitepaper for AWS.

AWS breaks down security concerns for its cloud within this whitepaper. Here are the major areas and my comments for each section:

  1. Physical security. AWS's physical security plan involves using nondescript data centers with extensive access controls for all employees. Audit logs show who enters and exits the facilities. [Fred: this makes good sense. A company does not have to worry about salaries of security personnel around their server farm. Backups and fire alarms are also handled by the cloud service.]
  2. Host operating system security. AWS uses specially designed bastion hosts that log AWS employees' access to the underlying hosts.
  3. Guest operating system security. Customers have full administrative control over their guest OS; AWS employees do not have access to it. AWS recommends that guest administrators disable password-based logins and use token- or key-based authentication (for example, SSH key pairs) instead.
  4. Firewalls. AWS configures the firewall as default deny for inbound traffic, and the customer administrator has to open ports explicitly. A traditional web application would open only ports 80 and 443, for HTTP and HTTPS traffic, for example.
  5. API calls. Calls to the AWS service APIs are digitally signed using X.509 certificates, can be made over SSL, and customers are advised to protect their own endpoints with SSL as well.
  6. Network security. AWS states that its endpoints sit behind the same security infrastructure as its main retail website, so that attacks such as DDoS, man in the middle and IP spoofing against AWS endpoints are mitigated. The scope matters: this covers AWS's own endpoints, not the applications a customer runs inside their instances, which still need their own defenses.
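The guest OS and firewall recommendations in items 3 and 4 are the two the customer is responsible for, so here is an added Python example of mine (not code from the AWS whitepaper or from Amazon) that audits both: it parses an sshd_config fragment to confirm password authentication is off, and scans an inbound rule list, shaped loosely like a security-group listing, for any port other than 80 and 443 that is open to the whole Internet. The config text (`WEAK_SSHD`, `HARDENED_SSHD`) and the rule list (`RULES`) are constructed for the example; the parser assumes a config without Match blocks.

```python
"""Audit two of the whitepaper's recommendations for a guest instance:
SSH password authentication disabled, and a default-deny firewall
that exposes only the intended ports to the Internet.
Added example; the config text and rule list below are constructed."""
import ipaddress
import re

# Constructed sshd_config fragments: the weak default and a hardened one.
WEAK_SSHD = """\
Port 22
# password logins still allowed
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""


def sshd_settings(text):
    """Parse 'Keyword value' (or 'Keyword=value') lines into a dict.

    Keywords are case-insensitive and, as in sshd itself, the first
    occurrence of a keyword wins.  Assumes no Match blocks.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def password_auth_enabled(text):
    """True if sshd would accept password logins under this config.

    sshd's compiled-in default is 'yes', so an absent keyword counts as enabled.
    """
    value = sshd_settings(text).get("passwordauthentication", "yes")
    return value.lower() == "yes"


# Constructed inbound rules, shaped loosely like a security-group listing.
# proto "-1" stands for "all protocols", i.e. every port.
RULES = [
    {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"},
]


def open_to_world(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_exposed_ports(rules, allowed=frozenset({80, 443})):
    """Ports reachable from any source address that are not in `allowed`."""
    exposed = set()
    for rule in rules:
        if not open_to_world(rule["cidr"]):
            continue  # restricted to a known range, e.g. an admin network
        lo, hi = (0, 65535) if rule["proto"] == "-1" else (rule["from"], rule["to"])
        exposed.update(p for p in range(lo, hi + 1) if p not in allowed)
    return sorted(exposed)


if __name__ == "__main__":
    print("weak config allows passwords:", password_auth_enabled(WEAK_SSHD))
    print("hardened config allows passwords:", password_auth_enabled(HARDENED_SSHD))
    print("ports open to the world beyond 80/443:", world_exposed_ports(RULES))
```

Two details worth noting: the parser treats a missing `PasswordAuthentication` keyword as "yes", because that is sshd's default, so a config that simply never mentions it fails the check; and the rule scan flags port 22 only because of the `0.0.0.0/0` entry, not because of the one restricted to 203.0.113.0/24, which is the shape an SSH rule should have once key-based login is the only option.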

All in all, pretty interesting stuff.