Course Objective
The main objective of this course is to provide a strong foundation in information security and to identify the various ways in which information security can be breached in an enterprise. After successfully completing the course, the student will be able to assess the security posture of an organization, identify the relevant risks, and design and develop systems that conform to an acceptable level of security. The student will also be able to conduct research in the security domain.
1. Overview of Information Security – 6 hrs
Introduction to information security; confidentiality, integrity, availability, authentication, non-repudiation, access control; threats, vulnerabilities, exploits; risk, risk analysis, the risk management cycle.
2. Information and Network Security Policies – 8 hrs
Security policies and objectives, types of policies, confidentiality policies, integrity policies, hybrid policies; the Bell-LaPadula model, the Biba integrity model, the Clark-Wilson integrity model, the Chinese Wall model, clinical information systems security policy.
3. Cryptography and PKI – 6 hrs
Encryption; symmetric key encryption and common symmetric key algorithms including DES and 3DES; asymmetric key encryption, RSA, elliptic curve encryption; the Diffie-Hellman key exchange algorithm; session keys vs. interchange keys; hash functions; digital signatures; cryptographic key infrastructure, certificates, X.509; storing and revoking keys; key escrow.
4. Network Security Applications – 6 hrs
Review of the OSI security architecture; authentication applications; IP security; VPNs; network management security; email security; web security, SSL and TLS; security in mobile devices; security in virtual environments and the cloud.
5. Design Principles – 6 hrs
Overview; the principle of least privilege, the principle of fail-safe defaults, the principle of economy of mechanism, the principle of complete mediation, the principle of open design, the principle of separation of privilege, the principle of least common mechanism, and the principle of psychological acceptability.
6. Compliance, System Evaluation and Law – 8 hrs
Compliance and regulations: PCI DSS, SOX, HIPAA. Evaluating systems and the goals of evaluation: TCSEC, ITSEC, FIPS, the Common Criteria, SSE-CMM. Law and information security: the historical evolution of computer-related law in the US; privacy law and its significance to information security; the UK DPA and the EU GDPR; the ETA of Nepal.
7. Malicious Logic and Attacks – 4 hrs
Malicious logic: Trojan horses, viruses and their types, worms, logic bombs; common attacks and examples; defenses.
8. Vulnerability Analysis and IT Audit – 8 hrs
Introduction; vulnerability assessment tools; penetration testing and its objectives; black-box, grey-box and white-box tests; information technology audit and its objectives; the IT audit process; the audit report and its significance.
9. Intrusion Detection and Log Analysis – 8 hrs
Definition of intrusion; intrusion detection systems; intrusion prevention systems; log auditing and log management; incident handling; SIEM; UEBA.
REFERENCES
• Matt Bishop, “Computer Security: Art and Science”, Second Edition, Pearson Education
• Mark Merkow, Jim Breithaupt, “Information Security: Principles and Practices”, First Edition
• Neal Krawetz, “Introduction to Network Security”
• William Stallings, “Network Security Essentials”, Third Edition