Degree Requirements

Foundations of Information Security provides the framework and language to understand what is considered an information security problem. This includes understanding the essential properties of information security -- confidentiality, integrity, and availability -- as well as ways to implement controls that ensure the application of those properties. There are several control frameworks in use around the world that provide easy starting places to ensure protections are in place. This course will help students evaluate those control frameworks for applicability in their environments. (3 credits)

The threat landscape in the world today is poorly understood, often being diluted to easy and pithy words and phrases that do not adequately explain what is happening or who the attackers are. This course is about clearly identifying threat actors and their motivations, including the geopolitical and economic reasons for their actions. Misunderstanding the adversary can lead to missing the best approaches to circumventing attacks, as well as opportunities to think more broadly about how to address security-related issues globally rather than using only local controls at each individual business. (3 credits)

Information security is all about people. People are the first, last, and best line of defense. Attackers regularly make use of this understanding, spending a lot of time thinking about how to best manipulate people into performing actions against their best interests. Too often, security practitioners believe they can require people to behave in certain, tightly circumscribed ways. They miss that humans will continue to be humans, so it is best to work with them rather than against them. Understanding not only the attacker mindset but also the diverse mindsets of people within the organization can help identify the best controls to implement. (3 credits)

Appropriate security must start with business needs, since the business defines what essential resources they can invest in that effort. This begins with policies but continues through standards and processes. None of these can be developed in isolation, however, nor can they remain stagnant since attacker techniques are continuing to evolve to counter controls in place. This is why threat intelligence and effective communication with staff and external stakeholders are both essential. (3 credits)

A common approach to identifying defensive strategies is to go on the offensive. The theory is, if a friendly entity identifies vulnerabilities, they can be remediated before an attacker can identify them. However, some of these practices simply result in a false sense of security for organizations. Students will come away from this course with an understanding of what types of offensive security practices would be best for their organization. (3 credits)

Offensive security can be helpful to identify vulnerabilities that need to be addressed, but you can’t protect against everything. Organizations need to be vigilant and have the necessary visibility to notice when attackers are attempting to compromise systems. This requires appropriate architectures that enable extensive logging and the ability to consume and act on those logs. Again, this requires threat intelligence to know what is happening in the world with respect to threat groups and their activities, as well as an understanding of business requirements to identify attempts to compromise critical information assets. (3 credits)

Logging and alerting are important to get visibility into activities within the business systems but as soon as an alert happens, the organization needs to be able to respond. Often, there is a focus on the purely technical investigation when people look at incident response. This entirely misses the planning that is required when building the incident response plan and framework, since there are a variety of legal, management, regulatory, and communications considerations. These are not the types of considerations that should be considered in the middle of a crisis when an attacker is in the environment, as that is a luxury of time that no organization has at that moment. (3 credits)

Learning to program is an essential practice, since it forces a structured, logical way of thinking, while also encouraging a level of creativity in problem solving. Languages like C have been used to teach programming for decades, but C has been enabling very bad programming practices since the late 1960s. Newer languages like Rust encourage better programming practices, focusing on solid exception handling, in addition to good memory management techniques. This course is a primer on programming in Rust, without the expectation of anyone coming out an expert in programming but having had an understanding of the approach to problem solving necessary for programming tasks. (3 credits)

Vulnerabilities often start in software. This is not entirely true, since the biggest source of vulnerabilities is the human element, but to the extent possible, vulnerabilities can be controlled with solid software testing and validation. This course will build on the programming skills from the Programming in Rust course, introducing testing practices and principles used against software, including native as well as web-based applications. (3 credits)

The software industry is undergoing a major shift in the delivery of functionality to the end user. Many traditional native applications (applications that run on a local system) are moving to a web-based delivery model, where a uniform interface is used regardless of the application -- the web browser. This shift has put a lot more control back in the hands of the company developing the software and has the potential to enhance security, by reducing vulnerabilities and enabling better resilience in a more cost-effective way. This course introduces security early in the software development lifecycle, identifying ways to inject security practices in the requirements, development, testing and deployment phases. Understanding how to protect information from the start of the development process all the way through deployment of software will go a long way to making it harder to get to information assets. (3 credits)