Topic Name Description
Course Introduction Page Course Syllabus
Page Course Terms of Use
Unit 1: Computer Security Concepts Page Unit 1 Learning Outcomes
1.1: Introduction to Information Security Page The Open University: "An Introduction to Information Security"

Read these sections, which introduce information security.

1.2: Introduction to Data and Network Security Page George Mason University: Paul A. Strassman's "Information Assurance for Defense Security"

Watch this lecture to learn about the methods for managing risks to information assets. IT practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems - whether the data are in storage, in processing, or in transit, and whether threatened by malice or accident.

1.3: Confidentiality, Integrity, and Availability URL University of Miami School of Medicine: "Confidentiality, Integrity, and Availability"

Read this page for an overview of the basic security concepts of confidentiality, integrity, and availability.

1.4: NIST FIPS 199 Standard File National Institute of Standards and Technology: "Standards for Security Categorization of Federal Information and Information Systems"

Read this document to gain a better understanding of the security objectives of confidentiality, integrity, and availability.

1.5: Assets and Threats URL Robert J. Shimonski's "Threats and Your Assets: What Is Really at Risk?"

Read this article for an introduction to the types of information assets and associated threats.

Unit 2: Basic Cryptographic Concepts Page Unit 2 Learning Outcomes
2.1: Basic Cryptography Concepts: Symmetric Encryption Algorithms Page Steve Weis' "Theory and Practice of Cryptography"

Watch this video about the basics of information security and cryptographic concepts related to symmetric encryption algorithms like DES, Triple DES, and AES.

2.2: Purpose of Cryptography URL Gary C. Kessler's "An Overview of Cryptography: The Purpose of Cryptography"

Read section 2 about basic cryptographic concepts.

2.3: Data Encryption Standard (DES) URL Gary C. Kessler's "An Overview of Cryptography: Some of the Finer Details of DES, Breaking DES, and DES Variants"

Read section 5.4 about the DES symmetric-key cryptography algorithm.

2.4: Triple DES URL Tropical Software: "Triple DES Encryption"

Read this page about how Triple DES makes use of DES to improve on encryption-based security.

2.5: Advanced Encryption Standard (AES) URL Gary C. Kessler's "An Overview of Cryptography: The Advanced Encryption Standard and Rijndael"

Read section 5.9 about the advanced encryption standard (AES) algorithm.

Unit 3: Public-Key Encryption Page Unit 3 Learning Outcomes
3.1: Introduction to Public-Key Cryptography Page Whitfield Diffie's "Before, During, and After Public-Key Cryptography"

Watch this video about the origins of cryptographic concepts. Whitfield Diffie, a key figure in the discovery of public-key cryptography, traces the growth of information security through the 20th century and into the 21st. In the 1970s, the world of information security was transformed by public-key cryptography, the radical revision of cryptographic thinking that allowed people with no prior contact to communicate securely. Public-key cryptography solved security problems born of the revolution in information technology that characterized the 20th century and made Internet commerce possible. Security problems rarely stay solved, however. Continuing growth in computing, networking, and wireless applications has given rise to new security problems that already confront us.

3.2: Public-Key Encryption Algorithms URL Naval Postgraduate School: "Public Key Cryptography"

Watch these videos about cryptographic concepts related to public-key algorithms, such as the RSA algorithm and the Diffie-Hellman algorithm, and how they are used in network security.

3.3: Public-Key Cryptography URL Gary C. Kessler's "An Overview of Cryptography: Public-Key Cryptography"

Read section 3.2 about the key concepts behind public-key cryptography. After reading this section, explain the history of public-key cryptography and the factorization problem, and describe how RSA works.

3.4: RSA Public-Key Algorithm URL Gary C. Kessler's "An Overview of Cryptography: Some of the Finer Details of RSA Public-Key Cryptography"

Read section 5.3 about the steps in the RSA Public-Key Algorithm. After reading, you should be able to describe a simple example of generating public/private keys for RSA systems and describe the process of encrypting and decrypting a message.

3.5: Diffie-Hellman Algorithm URL Gary C. Kessler's "An Overview of Cryptography: Some of the Finer Details of Diffie-Hellman"

Read section 5.2 about the steps in the Diffie-Hellman Public-Key Algorithm.

3.6: Cryptography in Practice URL CrypTool: http://www.cryptool.org/

Download this software and try different methods of encrypting messages. Then use the analysis tools (floating frequency, histogram, N-gram, autocorrelation, periodicity, and so on) to analyze the entropy of the results. Also try symmetric-key ciphers such as DES and asymmetric ciphers such as RSA and DH.

Unit 4: Access Control Mechanisms Page Unit 4 Learning Outcomes
4.1: Authentication URL Open Web Application Security Project: "Authentication"

Read this chapter about authentication, the process of determining whether a user or entity is who it claims to be.

4.2: Access Control and Authorization URL Open Web Application Security Project: "Access Control and Authorization"

Read this chapter about discretionary access control (DAC) and role-based access control (RBAC), a technical means for controlling access to computer resources.

4.3: Role-Based Access Control URL National Institute of Standards and Technology: "An Introduction to Role-Based Access Control"

Read this page about role-based access control (RBAC), a technical means for controlling access to computer resources.

4.4: Role-Based Access Control and Role Graph Model Page Purdue University: Sylvia Osborn's "The Role Graph Model and Its Extensions"

Watch this video about techniques used in the context of the role-based access control mechanism.

Unit 5: Security Solutions Page Unit 5 Learning Outcomes
5.1: Security Protocols and Solutions Page Indian Institute of Technology, Kharagpur: Indranil Sengupta's "Basic Cryptographic Concepts"

Watch this video about cryptographic concepts related to Secure Sockets Layer (SSL), Secure Shell (SSH), and Internet Protocol Security (IPSec).

5.2: Internet Protocol Security URL Gary C. Kessler's "An Overview of Cryptography: IP Security (IPSec) Protocol"

Read section 5.6 about the IP Security (IPSec) protocol for securing communications. After reading this section, describe the two IPSec protocols, AH and ESP. Also try to explain how AH and ESP are used to build a VPN in tunnel mode and in transport mode.

5.3: Secure Sockets Layer URL Gary C. Kessler's "An Overview of Cryptography: The SSL Family of Secure Transaction Protocols for the World Wide Web"

Read section 5.7 about the SSL family of protocols for securing transactions over the Internet. When reading this section, please pay special attention to the diagram in Figure 5. You need to be able to explain the message flows in Figure 5 for SSL/TLS.

5.4: Pretty Good Privacy URL Gary C. Kessler's "An Overview of Cryptography: Pretty Good Privacy (PGP)"

Read section 5.5 about Pretty Good Privacy (PGP), one of today's most widely used public-key cryptography programs.

Unit 6: Firewalls, Intrusion Detection, and Intrusion Prevention Page Unit 6 Learning Outcomes
6.1: Security Protocols and Solutions Page Indian Institute of Technology, Kharagpur: Indranil Sengupta's "Intranet, Extranet, Firewall"

Watch this video. Following a brief introduction to intranets and extranets used frequently today by businesses, Sengupta explains cryptographic concepts related to securing communication using firewalls.

6.2: Firewall Page The Open University: "Firewalls - An Overview"

Read this page.

URL Jeff Tyson's "How Firewalls Work"

Read this page.

6.3: Host-Based IDS vs. Network-Based IDS URL Ricky M. Magalhaes' "Host-Based IDS vs. Network-Based IDS"

Read this article about host-based and network-based intrusion detection systems.

6.4: Network Attacks and Defense URL University of Cambridge: Ross Anderson's "Network Attack and Defense"

Read this chapter. While you read, try to explain various attacks, the skills that are needed for carrying out these attacks, and how to defend your system against these attacks.

Unit 7: Physical Security Page Unit 7 Learning Outcomes
7.1: Physical Security URL University of Cambridge: Ross Anderson's "Monitoring Systems"

Read this chapter.

URL University of Cambridge: Ross Anderson's "Physical Protection"

Read this chapter. After reading these chapters, explain the relationship between threat models and attacks. Take the communication examples in the chapters and try to explain the different attacks that follow from different threat-model assumptions.

7.2: NASA's Physical Security Program URL National Aeronautics and Space Administration: "Physical Security Program"

Read this page about NASA's physical security program. Physical security in an IT context draws on most of the ideas discussed here, even though they were developed to meet NASA's requirements.

7.3: Types of Attacks URL Sarah Granger's "Social Engineering Fundamentals, Part I: Hacker Tactics"

Read this page. After you read, explain how the attacker identifies the target/victim and how social engineering is carried out through various approaches (phone calls, online chat, Dumpster diving, reverse engineering, etc.).

Unit 8: Malicious Software and Software Security Page Unit 8 Learning Outcomes
8.1: Malicious Web Page University of Washington: Giovanni Vigna's "From Badware to Malware: Taming the Malicious Web"

Watch this video to learn about how malicious actors leverage legitimate websites for the delivery of attacks that target vulnerabilities in client-side software.

8.2: Internet Security Issues Page Talks at Google: "Vint Cerf"

Watch this video to learn about security issues on the Internet, and what could have been done differently had we realized this was going to be the global information exchange infrastructure of the 21st century.

8.3: Types of Internet Security Issues URL Carnegie Mellon University: "Denial of Service"

Read this page. While you read, try to explain the modes of DoS attacks, such as consumption of scarce resources, alteration of configuration information, and physical destruction. For DDoS attacks, describe the tools that are used, why DDoS attacks are possible, and the protocol vulnerabilities they exploit.

URL Bennett Todd's "Distributed Denial of Service Attacks"

Read this page.

8.4: Secure Coding URL Carnegie Mellon University: Robert Seacord's "Top Ten Secure Coding Practices"

Read this page. After you read, describe the top 10 best practices for secure coding and describe the principles for secure coding (e.g., separation of duties, least privilege).

URL Open Web Application Security Project: "Secure Coding Principles"

Read this page.

8.5: Electronic and Information Warfare URL University of Cambridge: Ross Anderson's "Electronic and Information Warfare"

Read this chapter. After you read, describe the different attacks on communication systems and how one could use these attacks to carry out information warfare (in particular, based on the interaction between civil and military uses).

Unit 9: Security Risk Management Page Unit 9 Learning Outcomes
9.1: How Much Security Do You Really Need? URL Open Web Application Security Project: "How Much Security Do You Really Need?"

Read this page to learn about the basics of risk assessment.

9.2: Risk Management URL Purdue University: Jack Jones' "Shifting Focus: Aligning Security with Risk Management"

Watch this video about security and the risk management process.

9.3: Information Security Risk Assessment Case Studies File U.S. Government Accountability Office: "Information Security Practices of Leading Organizations"

Read the introduction to this report. After you read, describe the recommended process for risk assessment including the different roles involved. Then, read each of the case studies. As you read, try to map these two case studies to the risk assessment processes in the introduction.

9.4: Risk Assessment in Practice URL Microsoft Security Assessment Tool

Download and install this program. Use some simple cases to carry out a business risk profile assessment and a defense-in-depth assessment.

Optional Course Evaluation Survey URL Optional Course Evaluation Survey

Please take a few moments to provide some feedback about this course. Consider completing the survey whether you have completed the course, are nearly at that point, or have studied only one or a few units of this course.

Your feedback will focus our efforts to continually improve our course design, content, technology, and general ease-of-use. Additionally, your input will be considered alongside our consulting professors' evaluation of the course during its next round of peer review. As always, please report urgent course experience concerns to [email protected] and/or our discussion forums.