The manuscript for the second edition will be available for use for beta testing in Spring and Summer semester courses beginning in March 2008.
If you are interested in being a beta tester, please contact Ray at Ray@Panko.com
| Chapter Number | Title | Comments |
| --- | --- | --- |
| 1 | The Threat Environment | To create defenses, you must know your enemies. This chapter surveys the major security threats facing corporations. |
| 2 | The Legal Environment and Ethics | Computer attacks are computer crimes, and IT security professionals need a general understanding of law and a strong sense of ethics. |
| 3 | Planning | Now that students understand the environment, they can begin developing defenses. The chapter introduces the plan-protect-respond cycle that forms the framework for the rest of the book. The chapter then focuses on planning. It introduces students to planning and compliance frameworks, such as COSO, CobiT, ITIL, FISMA, and PCI-DSS. It focuses heavily on policies. |
| 4 | Elements of Cryptography | Cryptography is not the only protection, but most security defenses rely on cryptographic protections, so students need the elements before the systems built from them. |
| 5 | Cryptographic Systems | Cryptographic systems package a set of cryptographic elements to protect information in transit and at rest. This chapter surveys some major cryptographic systems, including IPsec, SSL/TLS, Kerberos, and wireless LAN cryptographic security systems. |
| 6 | Access Control and Site Security | The basic tool for defense is access control. This chapter surveys access control techniques that rely on cryptography and those that do not, including passwords, biometrics, smart cards, tokens, and so forth. It also looks at physical security to protect against unauthorized access. |
| 7 | Firewalls | One of the most important access control tools is the firewall, and every security student needs to understand firewall basics. This chapter focuses on stateful inspection firewalls and firewall policies. It also surveys older filtering methods and newer methods, such as intrusion prevention systems (IPSs) and unified threat management (UTM). |
| 8 | Host Security | Some attacks inevitably get past firewalls. This chapter shows students how to harden host hardware and operating systems, including servers, desktop client PCs, mobile devices, and other devices such as routers and switches. |
| 9 | Application and Data Security | Once, attackers primarily compromised hosts through operating system exploits. Today, most attacks work by taking over application programs. Companies need to protect their applications and the data those applications hold. |
| 10 | Human and Operational Controls | Organizational processes primarily involve people, and security is no exception. This chapter discusses human controls such as segregation of duties, training, and other personnel controls. It also considers how to examine business functions for human and organizational controls. |
| 11 | Incident and Disaster Response | Protections inevitably break down. This chapter covers appropriate responses to incidents ranging from minor security compromises through natural disasters. |
| Module Letter | Title | Comments |
| --- | --- | --- |
| | CAUTION | The 11 chapters form a full security course. Covering one or more modules probably means dropping other information from the course. Covering the book front to back is usually not a good idea. |
| A | Review of Networking Concepts | To work in security, students need a strong understanding of networking concepts. Although my own students have almost all had networking before taking my security course, I always cover this module. (In the second edition, I cover it after Chapter 2.) |
| B | More on Cryptography | Some teachers want to cover more crypto. This module goes into more detail on how to create a cipher (which corporate security professionals should never do) and a bit on quantum cryptography. |
| C | Access Models for Classified Data | The military has multilevel security, characterizing information as unclassified, secret, top secret, and the apocryphal "burn before reading." Although this is largely irrelevant to corporate computing, some teachers wish to cover it because it may appear on certification exams. |