The graduate attributes of University of Wollongong include (a) informed; (b) independent learners; (c) problem solvers; (d) effective communicators; (e) responsible; and (f) a flexible approach for faculties.
This individual research report is designed for you to develop the above attributes. To complete it successfully, it requires you to have a sound knowledge of the topic you choose. It requires independent learning and critical thinking about the issues related to information technology security and risk management. Although all relevant topics in the subject area are welcomed, reports that offer strong empirical focus (evidence-based) will be preferred. What must be discouraged is opinion piece without evidence, data or evidence-based arguments.
Select one of the topics from the list below as the topic for your individual research report. You can also select a specific topic of your own interest; however, the suitability of the topic has to be discussed with and to be approved by your tutor. You need to inform your tutor about your selection in the lab session in Week 2.
1. Offshore software development security Increasingly, Australian organizations are outsourcing software development activities to countries like India, Pakistan, China and other emerging economies to gain the benefits of reduced costs and faster turnaround times. But these efforts come at a price. Please analyse: a. What security issues does overseas development of software raise in commercial and custom systems intended for use in Australia? b. What privacy issues are raised? c. How are these issues being addressed? d. What trends can you determine on the future of offshore development? e. What is the IT security industry doing to counter the threats from offshore development? (Hint: Visit www.fdic.gov/regulations/examinations/offshore/ for more information.)
2. Hackers come in many colours Open disclosure of software vulnerabilities is often associated with gray-hat hackers, described as security researchers who aren’t particular about who learns of their findings.
Research the three types of hackers (white hat, gray hat and black hat) and try to determine their typical positions on full disclosure of software problems prior to patches or new versions of the software being made available in the marketplace. Use Google.com or your favourite Internet search engine with a query of “Open Disclosure of Software Vulnerabilities” to help you formulate your answers.
3. Information privacy and information security Information privacy and information security are two sides of the same coin. You can’t have privacy without security. a. Using an Internet search engine, distinguish between those issues related to privacy versus those related to security. b. What overlapping issues do you find? c. Why are U.S. lawmakers seemingly more concerned with privacy controls and protections than requiring U.S. companies to maintain effective IT security programs? d. What are some of the controls being mandated through legislation? e. Do you believe these controls are (will be) effective?
4. Security testing for obvious vulnerabilities a. Research the Internet for several common software vulnerabilities (example: bufferoverflow conditions, cross-site scripting). b. Describe several ways that security testing can uncover the conditions. c. Describe the limitations of security testing. d. To what degree should testing be performed if the software is intended for commercial uses? e. To what degree should testing be performed if the software is intended for commercial, governmental and military uses?
5. Compare off-site services a. Using the Internet, identify two or more off-site companies providing third-party backup services and compare their services and costs. b. What kind of common services do they offer? c. How do their costs compare? d. Does one company offer services that another doesn’t? e. How do you account for this difference?
6. Investigate the complexities of Intellectual Property Law a. Research the topic of intellectual property as related to copyright law. b. What are some of the difficulties in proving a copyright infringement case, such as that brought by the RIAA against those who download free MP3 files? c. What are some of the other recent and famous cases related to copyright, trademark, or trade secret infringements? d. Who should govern the Internet to prevent intellectual property law infringements? e. Can anyone or any one country govern how the Internet is used (and abused)?
7. Smart card access controls a. Research the Internet for information about using smart card for access controls. b. Where are they being used most often? c. What are some of the complications in implementing smart cards for network access? d. Which access control model seems most appropriate for smart cards? e. What changes to infrastructure would be necessary for an enterprise implementation of smart cards for PC access control?
8. Research In-depth Intrusion Detection Systems Intrusion detection systems look for attacks originating from outside and inside the network. a. Visit the distributed intrusion detection system called DShield at www.dshield.org/. b. Which types of attacks are more prevalent at the time of your visit to the site? c. Where is the origin of most of the attacks? d. What is the status of the Internet Storm Center at the time of your visit? e. What is the FightBack program all about?
9. Privacy on the Internet a. What is privacy in information technology context? b. What are some of the conflicting interests between a business and the individual related to privacy matters? c. What privacy concerns do you have as a buyer in e-Bay or Amozon.com? d. What privacy concerns do you have as a seller in e-Bay or Amozon.com?
e. What privacy concerns do you have as a member of social networks such as Facebook or LinkedIn? f. What other privacy concerns general public have related to Internet and Web?
10. Ethics and information security a. What is due care? Why should an organization make sure to exercise due care in its usual course of operation? b. How doe due diligence differ from due care? Why are both important? c. What is a policy? How does it differ from a law? d. What are the three general categories of unethical and illegal behavior? e. What is the best method for preventing an illegal or unethical activity?