CS406: Information Security (2018.A.01)

Read these sections, which introduce information security.

Watch this lecture to learn about the methods for managing risks to information assets. IT practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems - whether the data are in storage, in processing, or in transit, and whether threatened by malice or accident.

Read this page for an overview of the basic security concepts of confidentiality, integrity, and availability.

Read this document to gain a better understanding of the security objectives of confidentiality, integrity, and availability.

Read this article for an introduction to the types of information assets and associated threats.

Read section 2 about basic cryptographic concepts.

Read section 5.4 about DES symmetric key cryptography algorithm.

Read this page about how Triple DES makes use of DES to improve on encryption-based security.

Read section 5.9 about the advanced encryption standard (AES) algorithm.

Watch this video about the origins of cryptographic concepts. Whitfield Diffie, a key figure in the discovery of public-key cryptography, traces the growth of information security through the 20th century and into the 21st. In the 1970s, the world of information security was transformed by public-key cryptography, the radical revision of cryptographic thinking that allowed people with no prior contact to communicate securely. Public-key solved security problems born of the revolution in information technology that characterized the 20th century and made Internet commerce possible. Security problems rarely stay solved, however. Continuing growth in computing, networking, and wireless applications have given rise to new security problems that are already confronting us.

Watch these videos about cryptographic concepts related to public-key algorithms, such as the RSA algorithm and the Diffie-Hellman algorithm and how they are used in network security.

• Cryptography Basics
• Symmetric and Public Key Cryptography
• Network Authentication through Cryptography
• PKI

Read section 3.2 about the key concepts behind public-key cryptography. After reading this section, explain the history of public-key cryptography, the factorization problem, and describe how RSA works.

Read section 5.3 about the steps in the RSA Public-Key Algorithm. After reading, you should be able to describe a simple example of generating public/private keys for RSA systems and describe the process of encrypting and decrypting a message.

Read section 5.2 about the steps in the Diffie-Hellman Public-Key Algorithm.

Download this software, try to use different methods to encrypt messages, and then try to use the analysis tools to analyze the entropy such as floating frequency, histogram, N-Gram, autocorrelation, and periodicity, etc. Also try to use symmetric key ciphers such as DES and asymmetric ciphers such as RSA, DH, etc.

Read this chapter about authentication, a process of determining if a user or entity is who he/she claims to be.

Read this chapter about discretionary access control (DAC) and role-based access control (RBAC), a technical means for controlling access to computer resources.

Read this page about role-based access control (RBAC), a technical means for controlling access to computer resources.

Watch this video about techniques used in context of Role-Based Access Control mechanism.

Watch this video about cryptographic concepts related to Secure Sockets Layer (SSL), Secure Shell (SSH), and Internet Protocol Security (IPSec).

Read section 5.6 about Internet Protocol for securing communications. After reading this section, describe the two modes for IPSec: AH and ESP. Also try to explain how to use AH and ESP to build VPN (tunnel mode and transport mode).

Read section 5.7 about the SSL family of protocols for securing transactions over the Internet. When reading this section, please pay special attention to the diagram in Figure 5. You need to be able to explain the message flows in Figure 5 for SSL/TLS.

Read section 5.5 about Pretty Good Privacy (PGP), one of today's most widely used public-key cryptography programs.

Watch this video. Following a brief introduction to intranets and extranets used frequently today by businesses, Sengupta explains cryptographic concepts related to securing communication using firewalls.

Read this page.

Read this page.

Read this article about host-based and network-based intrusion detection systems.

Read this chapter. While you read, try to explain various attacks, the skills that are needed for carrying out these attacks, and how to defend your system against these attacks.

Read this chapter.

Read this chapter. After reading these chapters, explain the relationship between threat models and attacks. Take the communication examples in the chapters and try to explain different attacks based on different assumption of threat models.

Read this page about NASA's physical security program. Physical security in IT context requires most of the ideas discussed here, even though they were developed in the context of NASA's requirements.

Read this page. After you read, explain how the attacker identifies the target/victim and how to carry out social engineering via various approaches (phones, online chatting, Dumpster diving, reverse engineering etc.).

Watch this video to learn about how malicious actors leverage legitimate websites for the delivery of attacks that target vulnerabilities in client-side software.

Watch this video to learn about security issues on the Internet, and what could have been done differently had we realized this was going to be the global information exchange infrastructure of the 21st century.

Read this page. While you read, try to explain the modes of DoS attacks, such as consumption of scarce resources, configuration information alternation, and physical destruction. For DDoS attacks, describe the tools that are used for DDoS, why the DDoS attacks are possible, and the protocol vulnerabilities that are used in DDoS attacks.

Read this page.

Read this page. After you read, describe the top 10 best practices for secure coding and describe the principles for secure coding (e.g., separation of duties, least privilege).

Read this page.

Read this chapter. After you read, describe the different attacks on communication systems and how one could use these attacks to carry out information warfare (in particular, based on the interaction between civil and military uses).

Read this page to learn about the basics of risk assessment.

Watch this video about security and the risk management process.

Read the introduction to this report. After you read, describe the recommended process for risk assessment including the different roles involved. Then, read each of the case studies. As you read, try to map these two case studies to the risk assessment processes in the introduction.