Research on Information Assurance

  • Research on Information Assurance

    Hey all.

    I'm new to this community and I am also a newly enrolled (older) college student. Long story short, I have to come up with a topic (read: issue/problem in the IT area) for an IT Research Paper/Project that is in my area of interest. Since I'm going for a BS in IT, leaning toward the side of Information Assurance, I decided to search the 'net. Unfortunately all I get is a slew of blah.

    Since most of the community here works in the industry, I figured the best place to get insight on the IT/Information Security field and the problems it faces would be here.

    I was wondering if anyone had some pointers on where to search or even some reasonable thoughts on the subject of Information Assurance. My searches have only brought hits on articles that simply point out that IT is a necessary part of business, but not what any current issues in that area are.

    Help??

    Thanks to any and all who read this and many more thanks to any who respond. :)

    D
    Last edited by Drauko; December 16, 2009, 19:23.

  • #2
    Re: New Community Member Looking for Insight

    Well....

    I stumbled into AgentDarkApple's post that falls along the same lines, so I think I'll start in there, but anything someone happens to feel like adding here would still be greatly appreciated.

    D


    • #3
      Re: New Community Member Looking for Insight

      Originally posted by Drauko
      Hey all.

      I'm new to this community and I am also a newly enrolled (older) college student. Long story short, I have to come up with a topic (read: issue/problem in the IT area) for an IT Research Paper/Project that is in my area of interest. Since I'm going for a BS in IT, leaning toward the side of Information Assurance, I decided to search the 'net. Unfortunately all I get is a slew of blah.

      Since most of the community here works in the industry, I figured the best place to get insight on the IT/Information Security field and the problems it faces would be here.

      I was wondering if anyone had some pointers on where to search or even some reasonable thoughts on the subject of Information Assurance. My searches have only brought hits on articles that simply point out that IT is a necessary part of business, but not what any current issues in that area are.

      Help??

      Thanks to any and all who read this and many more thanks to any who respond. :)

      D
      What have you gotten so far?

      xor

      Are you focusing on government or commercial?
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


      • #4
        Re: New Community Member Looking for Insight

        When I have a research paper or project, I often use Safari Online to find relevant books. Depending on the specific focus of your research, there is a lot out there - books, reports to Congress, documentation of government and military info assurance standards, Master's thesis papers that can lead you to good sources, etc. Also, try looking for information security books, as most of them have a chapter (or several) dedicated to information assurance principles.

        If you are looking for specific problems and how to apply info assurance principles to those problems, then I may be able to help. I'm guessing you already know that the major principles of information assurance are the "CIA triad" - confidentiality, integrity, availability. As for "issues", one of the big ones right now is network-centric information warfare and cyber terrorism (my favorite area of study). Other big issues as of late are wireless security, online banking security (two part authentication has proven to not be enough), and issues that surround developing more stringent info assurance standards for government and critical infrastructure systems.

        Here are a few sites I read to keep up with what is going on with IT security and IT in general:

        http://news.cnet.com/
        http://www.sans.org/
        http://darkreading.com/index.jhtml
        http://www.wired.com/
        http://www.wired.com/threatlevel/

        Often articles from those sites end up in my research papers.
        "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll


        • #5
          Re: Research on Information Assurance

          A thread topic of "New Community Member Looking for Insight" is useless to people looking at thread titles to determine the topic of discussion.

          Title of thread changed to "Research on Information Assurance"

          Carry on...


          • #6
            Re: Research on Information Assurance

            Thanks to TheCotMan for the title edit.

            Xor - I have no real research completed to date as I'm still trying to pin down a topic.

            AgentDarkApple - Thanks for the lengthy response. My professor is requiring us to address a 'problem/issue' in the IT field. I want to go the route of Information Assurance as it is the specialization I'm going for as well. Just from what I've seen here, it looks like a very wide ranging topic. I'll start with what you guys have provided so far and try to narrow down a problem to go deeper with.

            You guys are awesome, and prompt, but I knew you were awesome when I registered here. :P


            • #7
              Re: Research on Information Assurance

              First, and just to be clear I'm not trying to be a dick.

              What books have you read? What are the texts you guys are using in your classroom? I'm sure they didn't start off with Information Assurance. When I do a search on Information Assurance I get a lot of relevant information. Do you know how to use google? Do you know how to use the [site:] directive? You realize we can't write your paper for you, right? Well that is, unless you offer us sexual favors first.

              Just FYI, I'm not an enforcer of the rules, but reading the forum rules is like reading the manual. You should really do it to stay out of trouble.

              It would really help if you could narrow down your topic.

              xor
              Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


              • #8
                Re: Research on Information Assurance

                Here's where I start every morning: http://pauldotcom.com/ I also encourage all my students to check it out, too.

                I would strongly urge you to pick a VERY specific idea that interests you. It may be something in software (web or system), networking, operating systems, hardware/infrastructure, or others, but they are all part of IT. Once you have the general area that you want to work in, then zero in on an exact security problem within that area.

                For example, if you are interested in web software and are just starting out, I think a really good starting paper is to look at the issue of client-side vs. server-side validation routines. This investigation will lead you to looking at web proxies (BurpSuite, Paros, Tamper Data, and all the rest) and how you can monkey with input after it leaves your browser, but hasn't reached the server application. The goal of a web application is to make sure that it validates everything when it reaches the server and to NOT rely on client-side validation because it can be bypassed so trivially. So the gist of your paper becomes a "Defensive Programming for Web Applications"-type vibe. Web Software is obviously a big part of IT and you get to take the security angle with something as simple as looking at how proxies work, what they are capable of, and what that actually means for your server application.

                That's just one example. The point is to find one general area that you want to explore and find one detailed problem.

                From the professorial point of view: PLEASE PLEASE PLEASE don't give me the general, "Security is hard to measure. Security is vital to IT. Security is really important. Security has to be considered right away on projects" and other related general statements. Dive deep into one issue that interests you right now.

                Comment
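
The client-side vs. server-side validation point from post #8, shown as an added example (not code from the thread or from any poster): a constructed order form where the browser check and the server check are separate functions, and the server re-validates a request body that no longer matches what the form would have sent. All names (`CATALOG`, `clientSideCheck`, `validateOrderOnServer`, the field names) and the sample requests are hypothetical.

```javascript
// Added illustration; all names and sample data are constructed.
// Server-side source of truth: prices never come from the request.
const CATALOG = { "sku-100": { priceCents: 2500, maxQty: 10 } };

// What the browser form enforces. Convenience only: a request that is
// changed after it leaves the browser never passes through this function.
function clientSideCheck(form) {
  return /^\d+$/.test(form.qty) && Number(form.qty) >= 1 && Number(form.qty) <= 10;
}

// What the server enforces on every request, whatever the client did.
function validateOrderOnServer(body) {
  if (typeof body !== "object" || body === null) {
    return { ok: false, errors: ["body must be an object"] };
  }
  const errors = [];
  const known = typeof body.sku === "string" &&
    Object.prototype.hasOwnProperty.call(CATALOG, body.sku);
  const item = known ? CATALOG[body.sku] : null;
  if (!item) errors.push("unknown sku");
  // Strict type and range check: rejects "-5", "3abc", numbers, arrays.
  const qty = typeof body.qty === "string" && /^\d{1,3}$/.test(body.qty)
    ? Number(body.qty) : NaN;
  if (!Number.isInteger(qty) || qty < 1 || (item && qty > item.maxQty)) {
    errors.push("invalid qty");
  }
  if (typeof body.email !== "string" || body.email.length > 254 ||
      !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push("invalid email");
  }
  if (errors.length) return { ok: false, errors };
  // The total is recomputed from the catalog; a client-sent price is ignored.
  const totalCents = qty * item.priceCents;
  return { ok: true, order: { sku: body.sku, qty, email: body.email, totalCents } };
}

// Constructed requests: one as the form sends it, two changed in transit.
const asSubmitted = { sku: "sku-100", qty: "2", email: "a@example.com", priceCents: "2500" };
const priceAltered = { ...asSubmitted, priceCents: "1" };
const qtyAltered = { ...asSubmitted, qty: "-5" };

for (const req of [asSubmitted, priceAltered, qtyAltered]) {
  console.log(clientSideCheck(req), JSON.stringify(validateOrderOnServer(req)));
}
```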


                • #9
                  Re: Research on Information Assurance

                  Drauko, if you are stuck, then read my Information Warfare paper to get an idea of selecting an issue and applying information assurance principles to remedy the issue. I am not saying it is the best example, but it was written for my information assurance class last semester. You should pick a problem or issue, explain it in as much detail as necessary, then apply both general and specific information assurance and security measures to the problem. My topic was a bit broad, but Information Warfare is an ongoing area of research and interest for me, so I try to incorporate it into my term papers when possible. If nothing else, check the bibliography to see if there are any sources that may be of use to you.
                  "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll


                  • #10
                    Re: Research on Information Assurance

                    Here's a suggestion that I know I have personally wanted to see addressed:

                    How do you architect, deploy, and maintain a secure network infrastructure while addressing the issue of increasingly complex and undefined security boundaries?

                    In the good ol' days you had a network. That network had ingress and egress points, usually along its perimeter that you controlled. Sure you had some things like modems and RAS, but you knew about them and kept that shit in check.

                    Now, you have networks that have no defined edge. Users have corporate network access on their mobile phones, corporate data is stored off-site 'in the cloud', corporate data walks around every day in pockets on solid state media, and users want to be able to access corporate resources anytime, anywhere, from any device. The ingress/egress points for your network are now virtually impossible to catalog and monitor.

                    So far the best solution I have seen to address the issue is to place your index fingers in your ears and loudly shout 'LALALALALALALALALALALALALALAICANTHEARYOULALALALAL ALA'

                    So riddle me this, Batman...how would you propose to fix that problem? (this should get you going..or at least thinking hard..)

                    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me


                    • #11
                      Re: Research on Information Assurance

                      Originally posted by noid
                      So riddle me this, Batman...how would you propose to fix that problem? (this should get you going..or at least thinking hard..)
                      Stone tablets...? Firing squads for people who lost data? Write better more secure code? Everyone must use BSD? Place Cotman in charge of testing people before they are allowed to use a computer? Virtual Internets.

                      He could always do a paper on Global Warming and what not to place in e-mail.

                      xor
                      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


                      • #12
                        Re: Research on Information Assurance

                        Originally posted by noid
                        So far the best solution I have seen to address the issue is to place your index fingers in your ears and loudly shout 'LALALALALALALALALALALALALALAICANTHEARYOULALALALAL ALA'

                        So riddle me this, Batman...how would you propose to fix that problem? (this should get you going..or at least thinking hard..)
                        While your first suggestion is normally the preferred method, at the SCADA conference I was at last week, I proposed that the actual problem is not with computers, but with people. If we could eliminate the people from the equation, computers really wouldn't have a problem.
                        A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


                        • #13
                          Re: Research on Information Assurance

                          Originally posted by streaker69
                          ... If we could eliminate the people from the equation, computers really wouldn't have a problem.
                          I couldn't agree more, the human factor is the number one risk in any equation, in any field. Though "fully" automated systems will always require some degree of maintenance or upkeep, there is still one lingering problem... If we give the computers control, eventually we all have to deal with Hugo Weaving running amok bitching about the smell.
                          "You have cubed asscheeks?"... "Do you not?"


                          • #14
                            Re: Research on Information Assurance

                            Originally posted by sintax_error
                            ... If we give the computers control, eventually we all have to deal with Hugo Weaving running amok bitching about the smell.
                            Or Skynet. Don't forget Skynet and the T1.
                            Thorn
                            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


                            • #15
                              Re: Research on Information Assurance

                              Originally posted by sintax_error
                              I couldn't agree more, the human factor is the number one risk in any equation, in any field. Though "fully" automated systems will always require some degree of maintenance or upkeep, there is still one lingering problem... If we give the computers control, eventually we all have to deal with Hugo Weaving running amok bitching about the smell.
                              Or dressing in drag..

                              wait..I'm thinking of another movie..

                              either way, both are no bueno.

                              I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me
