Charles E. Frank

Evaluation of Google hacking

Google Hacking uses the Google search engine to locate sensitive information or to find vulnerabilities that may be exploited. This paper evaluates how much effort it takes to get Google Hacking to work and how serious the threat of Google Hacking is. The paper discusses the countermeasures that can be used against Google Hacking.

Secure software engineering teaching modules

We are designing a course in secure software engineering that will teach students how to incorporate security throughout the software development lifecycle. The class will serve as a capstone for a new graduate certificate in secure software engineering. This paper describes the class goals, the design for the class, and the materials that we will develop to teach secure software engineering. We are creating ten modules to cover the core topics in software security. Each module will cover one or more class goals and will consist of both explanatory materials and assignments to give students the opportunity to apply their learnings in a small context. The modules will be developed over the Summer and Fall of 2006, and the class will be first offered in Spring 2007. The class will also incorporate a team-based web development project that students will work on throughout the semester to gain experience applying security principles to a large-scale project.

Profiling file repository access patterns for identifying data exfiltration activities

Studies show that a significant number of employees steal data when changing jobs. Insider attackers who have the authorization to access the best-kept secrets of organizations pose a great challenge for organizational security. Although increasing efforts have been spent on identifying insider attacks, little research concentrates on detecting data exfiltration activities. This paper proposes a model for identifying data exfiltration activities by insiders. It uses statistical methods to profile legitimate uses of file repositories by authorized users. By analyzing legitimate file repository access logs, user access profiles are created and can be employed to detect a large set of data exfiltration activities. The effectiveness of the proposed model was tested with file access histories from the subversion logs of the popular open source project KDE.

The usability of end user cryptographic products

Cryptography is an indispensable tool for securing data and for ensuring the privacy of communications such as web browsing and email. Although there are many practical utilities which can encrypt disks, file systems, and emails, these utilities are still not widely adopted by end users. One intention of cryptographic utilities is to enhance the confidentiality of information. From the security practitioners point of view, cryptography is a must for protecting sensitive data. System administrators and technical savvy people not only think many existing cryptography products are useful but also usable, at least to some extent. However, when viewed by majority of end users who do not have the technical background on cryptography, key and password management, authentication, and the complexity for using cryptography products can be the hurdles for making these utilities usable. This paper studies free and low-cost cryptographic products including encrypted flash drives, hard drives, file systems, and email systems to assess their usability. We also make recommendations for usable end-user cryptography.

Information assurance in the undergraduate curriculum

Information assurance and systems security are important topics that compel the attention of future computer scientists. Typically, undergraduate students in computer science programs today are exposed to these concepts at the end of their education in stand-alone courses on information security. As information assurance (IA) educators, we perceive the need to incorporate IA topics throughout the undergraduate CS curriculum. In this panel, we will first present the goals, challenges, and current state of progress made at our respective institutions. Then we will solicit feedback and suggestions from the audience for better integrating IA topics across the undergraduate curriculum.