CS406: Information Security

This course covers information security principles, an area of study that engages in protecting the confidentiality, integrity, and availability of information. Information security continues to grow with advancements in technology – as technology advances, so do threats, attacks, and our efforts to mitigate them. In this course, we discuss the modes of threats and attacks on information systems. We also discuss an important area of threat mitigation that saw rapid development in the twentieth century: cryptography. Information security is concerned with user identification and authentication and access control based on individual or group privileges. The basic access control models and the fundamentals of identification and authentication methods are included in this course.

Without networks, our focus would primarily be on controlling unauthorized physical access. Instead, networks are the way we keep data in motion, making information security a more complex task. We discuss methods to design secure networks using firewalls, tunneling, and encryption, and we describe some tools to secure networks, such as honeypots, network sniffers, and packet capturing. Operating systems that connect to a network must be hardened to prevent unauthorized disclosure. Methods and tools such as patching, logging, antivirus, and antimalware tools are discussed.

The last topic in this course is global privacy laws. When unauthorized disclosure or a breach of information occurs, there are adverse effects and penalties placed on individuals or organizations depending on the area of jurisdiction. Laws are diverse and vary greatly throughout the world, and we are still trying to develop laws that will protect privacy globally.

In this course, you will learn the fundamentals of information security, security threats, modes of attack, and cryptographic models. Access control, identification, and authentication are also addressed. Network security and operating system (OS) hardening are explained, along with intrusion detection and prevention. The course concludes with global privacy laws.

First, read the course syllabus. Then, enroll in the course by clicking "Enroll me". Click Unit 1 to read its introduction and learning outcomes. You will then see the learning materials and instructions on how to use them.

This course begins with an overview of information security and its evolution. This first section introduces the core goals of information security; the CIA triad. Some common information security terms and processes used in the information security industry are defined and outlined. Types of controls and their function are categorized so the learner can comprehend the design of a defense-in-depth system. The unit concludes with a justification of why humans are known as the weakest link in information security and describes how security awareness training can serve to mitigate this risk. The topics in this unit are in preparation for the more detailed security topics in the following units.

Completing this unit should take you approximately 6 hours.

This unit introduces common threats and attack modes on information systems. The unit begins by differentiating between threats, attacks, and attack agents, and continues with a description of access control, spoofing, social engineering, application, web application, malware, and denial of service attacks. Understanding the method of an attack is instrumental to understand mitigation efforts used in information systems, and is a segway into the next unit on cryptographic models used to protect information from these attacks.

Completing this unit should take you approximately 10 hours.

One of the earliest ways to encrypt a message was with a substitution cipher developed by Julius Caesar, known as the Caesar cipher. Today, in the information age, cryptology involves the use of computers to create complex algorithms. In this unit, we examine various symmetric and asymmetric key algorithms, as well as hashing algorithms. Encryption is a tool that can be used to support all three tenets of the CIA triad, the goal of information security.

Completing this unit should take you approximately 8 hours.

The main goal of information security is to protect data from unauthorized disclosure. Access control models are used in an organization to provide the appropriate access to users based on individual or group privileges.

Privileges can be granted based on clearance levels, discretion, roles, or rules. The types of access control models used to restrict access that will be reviewed in this unit are mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC).

Completing this unit should take you approximately 2 hours.

As users or systems attempt to access secured data, their identities must be verified. The fundamentals of system access consist of both identification and authentication. A user identifies with a username and an authentication method to prove their identity. Authentication methods can be simple or more complex, depending on the desired level of security. Today, banks are requiring two-factor authentication, or two ways to authenticate a member's identity. With so many passwords to remember, users want the technology to log in with one password and to authenticate across all systems, or the capability of a single sign-on. This unit will discuss identification, types of authentication, human authentication factors, authentication forms, authentication protocols, methods for single sign-on (SSO), and public-key infrastructure (PKI).

Completing this unit should take you approximately 7 hours.

This unit will discuss the security of networks, the mode for data in motion. As data is transferred across networks, it becomes another point of potential information insecurity. Networks can be designed to secure data in motion, and firewalls can improve security when placed appropriately in a network. Wireless networks are more insecure, but that insecurity can be mitigated via encryption and tunneling. In this unit, we will discuss several methods for protecting networks, including designing secure networks, using firewalls, protecting wireless networks, and other preventive methods like honeypots, network sniffers, and packet capturing.

Completing this unit should take you approximately 5 hours.

Any operating system (OS) connected to a network is considered at risk of unauthorized disclosure. Networks have security systems in place, but an OS should still be hardened in case of unauthorized access. This unit addresses the methods used to harden an OS, protection methods such as antivirus and antimalware software, and OS firewalls and security tools that can provide OS security.

Completing this unit should take you approximately 2 hours.

Even though networks and hosts have security methods in place, hackers continue to attempt to intrude upon systems and sometimes and are successful at gaining access. Intrusion detection systems (IDS) are used to track these attempts or intrusions and have the ability to stop an intruder from gaining access to information thereby keeping the information secure. This unit will discuss the different types of intrusion detection and intrusion prevention systems and will differentiate between network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Tools for system information and event management (SIEM) such as scanners, network scanners, and web applications are also discussed.

Completing this unit should take you approximately 4 hours.

As information security evolves, laws designed to secure information are also evolving. Whether in the workplace or on social networking sites, individuals around the world want their privacy protected. Countries are enacting laws to protect the privacy of their citizens, and organizations with a successful data breach are finding a breach to be costly not only monetarily but to their reputation as well. This unit will discuss the importance of electronic data privacy protection, global privacy laws, some areas and issues of online privacy, and the penalties and adverse effects of a data breach on organizations.

Completing this unit should take you approximately 3 hours.

This study guide will help you get ready for the final exam. It discusses the key topics in each unit, walks through the learning outcomes, and lists important vocabulary. It is not meant to replace the course materials!

Please take a few minutes to give us feedback about this course. We appreciate your feedback, whether you completed the whole course or even just a few resources. Your feedback will help us make our courses better, and we use your feedback each time we make updates to our courses.

If you come across any urgent problems, email contact@saylor.org or post in our discussion forum.

Take this exam if you want to earn a free Course Completion Certificate.

To receive a free Course Completion Certificate, you will need to earn a grade of 70% or higher on this final exam. Your grade for the exam will be calculated as soon as you complete it. If you do not pass the exam on your first try, you can take it again as many times as you want, with a 7-day waiting period between each attempt.

Once you pass this final exam, you will be awarded a free Course Completion Certificate.