External Resources


Open Source & Open Access

MIT 6.858 Computer System Security (videos) (materials) - Dr. James Mickens & Dr. Nickolai Zeldovich - Design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications. Assignments include labs that involve implementing and compromising a secure web server and web application, and a group final project.

Hack Night - Multiple Instructors - “The current Hack Night curriculum is developed from NYU Poly's old Penetration Testing and Vulnerability Analysis course. Hack Night is designed to be a sobering introduction to offensive security. A lot of complex technical content is covered very quickly and students are expected to have a good understanding of all topics and a mastery of at least one topic by the end of the course. The final project for this course is a practical and useful application of the skills you learned in class (use our Project Ideas tracker for ideas https://github.com/isislab/Project-Ideas/issues). The Hack Night curriculum is a work in progress and will go through incremental improvements each semester.”

Application Security and Vulnerability Analysis - Multiple instructors - “These two courses cover more in-depth material than Hack Night, and are designed to prepare students for real security work in industry.

Application Security teaches students the fundamental technical skills required to identify and prevent application vulnerabilities. Vulnerability Analysis is a project-based course that introduces the fundamental technical skills required to analyze and exploit software vulnerabilities.”

Offensive Security - W. Owen Redwood and Prof. Xiuwen Liu - “The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities, is to achieve a return on an investment (his/her time usually). This return need not be strictly monetary—an attacker may be interested in obtaining access to data, identities, or some other commodity that is valuable to them. The field of penetration testing involves authorized auditing and exploitation of systems to assess actual system security in order to protect against attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus, this course provides an introductory but comprehensive coverage of the fundamental methodologies, skills, legal issues, and tools used in white hat penetration testing, secure system administration, and incident response.”

Open Source

Network and Computer Security (OCW) - MIT, Dr. Ron Rivest - “6.857 is an upper-level undergraduate, first-year graduate course on network and computer security. It fits within the department's Computer Systems and Architecture Engineering concentration. Topics covered include (but are not limited to) the following:

  1. Techniques for achieving security in multi-user computer systems and distributed computer systems;

  2. Cryptography: secret-key, public-key, digital signatures;

  3. Authentication and identification schemes;

  4. Intrusion detection: viruses;

  5. Formal models of computer security;

  6. Secure operating systems;

  7. Software protection;

  8. Security of electronic mail and the World Wide Web;

  9. Electronic commerce: payment protocols, electronic cash;

  10. Firewalls; and

  11. Risk assessment.”

Cryptography and Cryptanalysis (OCW) - MIT - “This course features a rigorous introduction to modern cryptography, with an emphasis on the fundamental cryptographic primitives of public-key encryption, digital signatures, pseudo-random number generation, and basic protocols and their computational complexity requirements.”

Advanced Topics in Cryptography (OCW) - MIT - “The topics covered in this course include interactive proofs, zero-knowledge proofs, zero-knowledge proofs of knowledge, non-interactive zero-knowledge proofs, secure protocols, two-party secure computation, multiparty secure computation, and chosen-ciphertext security.”

Selected Topics in Cryptography (OCW) - MIT, Dr. Ran Canetti - “This course covers a number of advanced "selected topics" in the field of cryptography. The first part of the course tackles the foundational question of how to define security of cryptographic protocols in a way that is appropriate for modern computer networks, and how to construct protocols that satisfy these security definitions. For this purpose, the framework of "universally composable security" is studied and used. The second part of the course concentrates on the many challenges involved in building secure electronic voting systems, from both theoretical and practical points of view. In the third part, an introduction to cryptographic constructions based on bilinear pairings is given.”

Special Topics: Data Security and Privacy: Legal, Policy and Enterprise Issues - U. Mich, Dr. Don Blumenthal - “As data collection and information networks expand (and stories of security breaches and the misuse of personal information abound), data security and privacy issues are increasingly central parts of the information policy landscape. Legislators, regulators, businesses, and other institutions of all kinds are under increasing pressure to draft and implement effective laws, regulations, and security and privacy programs under rapidly changing technological, business, and legal conditions. A strong need is arising for individuals with the training and skills to work in this unsettled and evolving environment. This course examines security issues related to the safeguarding of sensitive personal and corporate information against inadvertent disclosure; policy and societal questions concerning the value of security and privacy regulations, the real-world effects of data breaches on individuals and businesses, and the balancing of interests among individuals, government, and enterprises; current and proposed laws and regulations that govern data security and privacy; private-sector regulatory efforts and self-help measures; emerging technologies that may affect security and privacy concerns; and issues related to the development of enterprise data security programs, policies, and procedures that take into account the requirements of all relevant constituencies, e.g., technical, business, and legal.”

http://www.binary-auditing.com - Dr. Thorsten Schneider - “The training package includes all necessary files to run a complete lecture for Binary Auditing and Reverse Code Engineering at university. All files are well sorted by topics and with increasing difficulty. You need Windows XP, Windows Vista or Windows 7 to use this training package. The training package does NOT include runnable viruses!”

Hacking Techniques and Intrusion Detection - English - Arabic - Dr. Ali Al-Shemery - “This course covers the most common methods used in computer and network hacking with the intention of learning how to better protect systems from such intrusions. These methods include reconnaissance techniques, system scanning, accessing systems by network and application level attacks, and denial of service attacks. Traffic analysis methods and tools will be studied in this course. Also, it covers techniques for traffic filtering and monitoring, and intrusion detection.”

Open Access

Usable Security - Dr. Jennifer Golbeck - In many systems, human users are a critical part of the security process. They create passwords, follow security protocols, and share information that can maintain or destroy the security of a system. However, many secure systems are designed with little to no attention paid to people's cognitive abilities, workflow, or tasks. As a result, people find ways around the security obstacles that get in the way of their work. This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, including the basics of humans' cognitive abilities, principles of usability, design techniques, and evaluation methods. We will then apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system. Through hands-on exercises designing, building, evaluating, and critiquing systems, students will learn how to integrate usability into secure software. The course will specifically focus on authentication mechanisms, browsing security, privacy and social media, and mobile security.

Software Security - Dr. Michael Hicks - In this course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them, such as buffer overflows, SQL injection, and session hijacking, and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.

Cryptography - Dr. Jonathan Katz - Historically, cryptography was used to ensure private communication between two people with some prior relationship. More recently, its scope has expanded to include things as diverse as data integrity, secure internet-wide communication, electronic cash, secure distributed computation, and more. Cryptography has also become ubiquitous. Perhaps unknowingly, we have all encountered applications of cryptography in our daily lives---whether by logging in using a password, making a web purchase over a secure connection, or applying a software update that is digitally signed. This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications. We will learn the importance of carefully defining security; of relying on a set of well-studied “hardness assumptions” (e.g., the hardness of factoring large numbers); and of the possibility of proving security of complicated constructions based on low-level primitives. We will not only cover these ideas in theory, but will also explore their real-world impact. You will learn about cryptographic primitives in wide use today, and see how these can be combined to develop modern protocols for secure communication.

Hardware Security - Dr. Gang Qu - In this course, we will study security and trust from the hardware perspective. Upon completing the course, students will understand the vulnerabilities in current digital system design flow and the physical attacks to these systems. They will learn that security starts from hardware design and be familiar with the tools and skills to build secure and trusted hardware.

Designing and Executing Information Security Strategies - Dr. Mike Simon - This course provides you with opportunities to integrate and apply your information security knowledge. Following the case-study approach, you will be introduced to current, real-world cases developed and presented by the practitioner community. You will design and execute information assurance strategies to solve these cases.

SecurityTube.net Megaprimers - Vivek Ramachandran

- Metasploit Framework
- Wireless LAN Security and Penetration Testing
- Exploit Research
- Windows Assembly Language
- Linux Assembly Language
- Buffer Overflow Exploitation
- Format String Vulnerabilities
- Scenario-based Hacking and Penetration Testing
- Router Hacking

Securing Digital Democracy - Dr. J. Alex Halderman - Computer technology has transformed how we participate in democracy. The way we cast our votes, the way our votes are counted, and the way we choose who will lead are increasingly controlled by invisible computer software. Most U.S. states have adopted electronic voting, and countries around the world are starting to collect votes over the Internet. However, computerized voting raises startling security risks that are only beginning to be understood outside the research lab, from voting machine viruses that can silently change votes to the possibility that hackers in foreign countries could steal an election. This course will provide the technical background and public policy foundation that 21st century citizens need to understand the electronic voting debate. You'll learn how electronic voting and Internet voting technologies work, why they're being introduced, and what problems they aim to solve. You'll also learn about the computer- and Internet-security risks these systems face and the serious vulnerabilities that recent research has demonstrated. We'll cover widely used safeguards, checks, and balances — and why they are often inadequate. Finally, we'll see how computer technology has the potential to improve election security, if it's applied intelligently. Along the way, you'll hear stories from the lab and from the trenches on a journey that leads from Mumbai jail cells to the halls of Washington, D.C. You'll come away from this course understanding why you can be confident your own vote will count — or why you should reasonably be skeptical.

Cryptography I - Dr. Dan Boneh - Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

Cryptography II - Dr. Dan Boneh - Cryptography is an indispensable tool for protecting information in computer systems. This course is a continuation of Crypto I and explains the inner workings of public-key systems and cryptographic protocols. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with constructions for digital signatures and their applications. We will then discuss protocols for user authentication and zero-knowledge protocols. Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup. We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography. Throughout the course students will be exposed to many exciting open problems in the field. The course will include written homeworks and optional programming labs. The material is self-contained, but the course assumes knowledge of the topics covered in Crypto I as well as a basic understanding of discrete probability theory.

Applied Cryptography, Science of Secrets - Dr. David Evans & Shayan Doroudi - Cryptography is present in everyday life, from paying with a credit card to using the telephone. Learn all about making and breaking puzzles in computing. Explore how secrets are written and shared, as well as what can go wrong when cryptography is misused or implemented badly.

Understanding Cryptography - Dr. Christof Paar & Dr. Jan Pelzl - Cryptography has crept into everything, from web browsers and email programs to cell phones, bank cards, cars and even into medical implants. Thus, an increasing number of people have to understand how crypto schemes work and how they can be used in practice. We wanted to create a book that teaches modern applied cryptography to readers with a technical background but without an education in pure mathematics. It is a perfect choice for teaching an introductory course in cryptography to engineering and computer science students at the undergraduate or beginning graduate level. Due to its strong focus on practical issues such as standardized ciphers, state-of-the-art security recommendations and implementation issues, the book is also especially useful for practitioners in industry who want to learn about modern security mechanisms.

Internet History, Technology, and Security - Dr. Charles Severance - The impact of technology and networks on our lives, culture, and society continues to increase. The very fact that you can take this course from anywhere in the world requires a technological infrastructure that was designed, engineered, and built over the past sixty years. To function in an information-centric world, we need to understand the workings of network technology. This course will open up the Internet and show you how it was created, who created it and how it works. Along the way we will meet many of the innovators who developed the Internet and Web technologies that we use today.

Malicious Software and its Underground Economy: Two Sides to Every Story - Dr. Lorenzo Cavallaro - Cybercrime has become both more widespread and harder to battle. Researchers and anecdotal experience show that the cybercrime scene is becoming increasingly organized and consolidated, with strong links also to traditional criminal networks. Modern attacks are indeed stealthy and often profit oriented.

Malicious software (malware) is the traditional way in which cybercriminals infect user and enterprise hosts to gain access to their private, financial, and intellectual property data. Once stolen, such information can enable more sophisticated attacks, generate illegal revenue, and allow for cyber-espionage.

By mixing a practical, hands-on approach with the theory and techniques behind the scene, the course discusses the current academic and underground research in the field, trying to answer the foremost question about malware and underground economy, namely, "Should we care?".

Students will learn how traditional and mobile malware work, how they are analyzed and detected, peering through the underground ecosystem that drives this profitable but illegal business. Understanding how malware operates is of paramount importance to form knowledgeable experts, teachers, researchers, and practitioners able to fight back. Besides, it allows us to gather intimate knowledge of the systems and the threats, which is a necessary step to successfully devise novel, effective, and practical mitigation techniques.

Building an Information Risk Management Toolkit - Dr. Barbara Endicott-Popovsky - In this course, you will explore several structured, risk management approaches that guide information security decision-making. Course topics include: developing and maintaining risk assessments (RA); developing and maintaining risk management plans (RM); regulatory and legal compliance issues affecting risk plans; developing a control framework for mitigating risks; risk transfer; business continuity and disaster recovery planning from the information security perspective.

Information Security and Risk Management in Context - Barbara Endicott-Popovsky - Explore the latest techniques for securing information and its systems, from policies and procedures to technologies and audit. Learn from leading experts who share proven practices in areas such as mobile workforce safety, security metrics, electronic evidence oversight and coping with e-crime and e-discovery. Study the protection of Cloud computing information. Discover how to foster the development of future information security leaders.

Topics covered include:

- Information security strategies and individual privacy
- Legal security implications
- Medical health record confidentiality and integrity
- Cutting-edge technologies

Foundations of Computer and Information Security - Dr. Matt Bishop - This graduate course taught by UC Davis computer science professor Matt Bishop covers the mathematical foundations of computer security. He asks, "What can we prove is secure, and what can we demonstrate cannot be proved? How can we analyze specific types of systems in order to determine whether they provide the desired security? How do we build systems that do what they are supposed to?" This course presents the basic mathematical models that underlie much of modern computer security and information assurance.

Internet Security, Weaknesses and Targets - Dr. Christoph Meinel - "Internet Security - Weaknesses and Targets" builds on "Internet & WWW Technologies" and gives a detailed introduction to problems concerning Internet and Intranet security. After starting with some remarks on risk analysis and computer crimes, security weaknesses and targets are discussed in detail. Among others, the following topics are covered: human factors and technical failures, attacks on accounts and passwords, attacks on Internet protocols, misuse of design and programming errors, weaknesses in common operating systems, targets in the WWW, and viruses. The lecture course concludes with a discussion of the possibilities for detecting attacks and intrusions and also describes ethical issues.

CISSP Security Certification - Dr. Craig Wright - "The short course will be run over 6 weeks with lectures being delivered via weekly webinars. In between the webinars, you will be asked to do 10-12 hours of study.

The course is free to undertake but it is recommended that you purchase the Official (ISC)2 Guide to the CISSP CBK – all other reference materials will be free material that can be accessed electronically.