Computer and Network Security (purdue.edu)
68 points by gws 9 months ago | 16 comments



Nice and hands-on but feels very early 2000's. Nothing about cloud, AD, limited discourse about vulnerabilities which dominate (at least) the enterprise security space. Given how frequently the cybersecurity shortage is talked about, one would think some higher education facilities would adopt a more modern position.


"These lecture notes, at least several of them, made their first appearance on the web in 2006."

Looks like it's a broad and deep foundational course. I'd imagine really appreciating this theory priming, and then taking on more domain-specific courses.

Nice to have all of these materials available!


Can you elaborate on what you would add for the cloud, AD, or vulnerability content?

In my perspective what you listed are simply tools and vendor offerings of which reading the documentation or getting a vendor specific certification is the expected process. This course teaches the foundations on which the items you listed were built from. The reason you probably feel that it's so dated is because security hasn't changed; we just like to keep calling it different things. Classes like this tend to focus on the more permanent area of network protocols, as most exploits just ride on top of existing standards which if you understand those you can understand the "latest" vulnerabilities, cloud infrastructure, IAM and so on.


Here is a simple example: DDoS is handled on almost every app platform a developer can deploy on, but misconfigured cloud resources (#5 in the newest OWASP top 10) is not described here at all. In fact, the cloud primitives of compute, storage and workloads are not described and instead classic 2000's network security is covered.


The lectures aren't a how-to guide. The items that are explained are to provide reference to the lecture material. For example the apache2 setup could just as easily be nginx, lighttpd on Windows, FreeBSD, Redhat, etc. It's explaining the concept of a DDoS, malware, viruses, spam, cryptography. Cloud primitives? How would that relate to computer and network security instead of being covered in an operating systems course? They are just abstractions of physical hardware properties and would be specific to the implementation you were working on, i.e. AWS, GCP, Azure, etc. Any specific implementation or security is completely dependent on what the vendor implements and is ephemeral.

The OWASP top 10 is self-described as an awareness document[1]; it wouldn't be something you teach a college course on.

[1] https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10...


I haven't found a good modern security guide; it's either incomplete blogspam or dusty tomes like this one. It's not bad but I need recent practical advice, stuff like how to securely set up postgres and a reverse proxy, and not the bare example, something actually realistic. All I get is more firewall advice :(


In my experience "higher education facilities" are a nightmare of social extremes that inhibit the growth of "cyber security". But I'm usually wrong.


What do you mean?


I saw "security" and "Purdue" and thought it was gonna be Spaf, but no. Apparently Purdue has at least two excellent professors in the field.


Prof. Kak was my advisor during grad school. His notes are very valuable, he also has some great ones on deep learning.


This is great. I wonder if anyone has compiled the educational material posted on HN?


These are wonderful notes and Prof. Avi Kak deserves many thanks for sharing them. I'm adding them to my huge and ever growing collection of comp.sec, sec.eng and crypto notes for comparison and examples.

Notably they go back to 2006 and have been lovingly updated. That tends to yield notes that are carefully checked and refined through countless lectures and practical sessions.

They integrate well into my own because I also get students doing exercises with simple Python and Perl (great to see it still being a workhorse for this sort of thing), along with copious command line examples, always hexdumping and diffing things to check results etc. So I like his (her?) style.

In response to sibling comments.

@sunhester

> In my experience "higher education facilities" are a nightmare of social extremes that inhibit the growth of "cyber security". But I'm usually wrong.

You are not wrong. Absolutely YES. That's why I got out of university teaching and moved into private work. Maybe some forceful and well connected people can still teach at places like Purdue, Stanford, MIT, but generally, and especially in the UK, universities have become a suffocating bureaucratic hellhole in which teaching, learning and research are no longer possible. They bring in completely inappropriate corporate CISOs who do not understand the tradeoffs and culture of the academy. They do not listen and they do not care so long as everyone uses the lowest common denominator of feculent Microsoft insecure rubbish. I eventually grew tired of spending all my energy fighting people whose job is to labour against my principles, sabotage all my efforts [0], undermine my students [1], and ask me to teach some people that frankly just felt morally wrong and a threat to national security [2].

@waihtis

> Nothing about cloud, AD, limited discourse about vulnerabilities which dominate (at least) the enterprise security space.

This is really a separate layer that falls more under "security management", "operational security" and "security systems engineering" and so on. We normally do this after the foundation. The thing with "enterprise" level is that it's a quite fluid set of practices, regulations, compliance docs and products that come in and out of fashion.

Anyway, as for maintaining quality, theoretical depth, and hands-on practice I am pleased to see a few profs are still "getting away with it".

[0] https://techwrongs.org/o/2021/11/29/teaching-cybersecurity/

[1] https://www.timeshighereducation.com/features/we-cant-teach-...

[2] https://www.timeshighereducation.com/opinion/should-i-be-wor...


Is this just lecture notes, homework questions, and no lecture videos?


Says it's lecture notes right at the top.

> "Think of these lecture notes as a living textbook that strives to strike a..."

Why would you need to watch a video on lecture notes?


Because lecture notes on these subjects without the accompanied lectures are an awful way to learn the material. This web site offers little value.


Well, two things:

1. Maybe you aren't the intended audience for this.

2. They are lecture notes and homework which are typically distilled from a textbook or industry experience topic.

These are helpful items for someone teaching or speaking to these topics; you aren't supposed to directly learn from the notes. It's the equivalent of saying you could learn C++ from a PowerPoint presentation.



