Information Security
Course ICI002AS2AE-3004 - Early Spring 2025
Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.
Face-to-face in a real life classroom. In English.
| Course name and code: | Information Security ICI002AS2AE-3004 |
| Timing | 2025 period 3, early spring, w03-w11, not w08 |
| Credits | 5 cr |
| Classes | Tuesdays 11:00 - 13:45, in Pasila pa5001, bring your laptop |
| Max students | 30 |
| Language | English |
| Type | Contact, in physical classroom, mandatory participation [as requested] |
| Feedback | 4.8 / 5 Excellent feedback  * |
| Services | Moodle, Laksu. Optionally Tero's list. |
| First class | 2025-01-14 w03 Tuesday 11:00, Pasila pa5001, physically present with your laptop |
* I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback and each feedback being 5. And Master level (YAMK) Trust to Blockchain has reached excellent 4.9 /5.
Goals
After completing this course, you will
- Understand adversarial view on security
- Recognize key concepts of security
- Be able to safely practice hands-on with security tools
Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.
Agenda
Tuesdays from 11:00 - 13:45 in Pasila pa5001. Bring your laptop!
| Date | Theme |
|---|---|
| 2025-01-14 w03 Tue | 1. Organizing. Threath modeling. |
| 2025-01-21 w04 Tue | 2. Cyber kill chain. Kristian: USB loading stations. First presentations, reserve by email. |
| 2025-01-28 w05 Tue | 3. Practice environments. |
| 2025-02-04 w06 Tue | 4. Web security. OWASP 10. |
| 2025-02-11 w07 Tue | 5. Encryption. Asymmetric vs symmetric. GPG. SSH. |
| (w08 is winter holiday) | (No classes, no homework deadlines on winter holiday) |
| 2025-02-25 w09 Tue | 6. Passwords. Hashes introduction. Cracking hashes and passwords. |
| 2025-03-04 w10 Tue | 7. Darknet, TOR. |
| 2025-03-11 w11 Tue | 8. Recap. Last presentations. |
Eight security Mondays in Pasila. All classes require active participation. I have changed this course to contact (physically in the class) as requested in the feedback.
There will likely be updates to the contents of the classes as the course advances.
You can reserve a spot for your presentation as soon as on the second class.
Assessment
- Active participation in classes
- Homework and cross evaluation (66%)
- Presentation (33%)
Evaluation of the course is based on totality of the work presented.
Previous courses
- Information Security - ICI002AS2AE-3005 - Early Autumn 2024
- Information Security ICI002AS2AE-3002 2024 Spring
- Information Security ICI002AS2AE-3003
- Information Security 2023 Spring
- Data Security ICT4TF022-3008, 2022 early spring
- Data Security 2022 ict4tf022-3009, 2022 early autumn
Homework
Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing.
Each homework is returned
- 24 h before start of next lecture
- you can publish your homework report in any website you like
- return a link to Laksu
- cross-evaluate two other homeworks
To save everyone's time, I will remove those from the course who don't return homework, or who don't cross evaluate class mates work.
Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help getting (better) job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.
AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.
The homeworks are official after they are given in the class. Don't start them before, because they might change.
h0 Hello, web!
a) Publish a web page. Show that you can make headings (h1 #, h2 ##...), paragraphs (p, empty line), links (a http://example.com) and code style (code or pre, four spaces at start of line). Markdown recommended.
Tips
Karvinen 2023: Create a Web Page Using Github
h1 Should Tero wear a helmet?
- x) Read / watch / listen and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like. Add some question or idea of your own.)
- Threat modeling
- Braiterman et al 2020: Threat modeling manifesto
- Shostack 2022: Welcome to the Worlds Shortest Threat Modeling Course (12 parts, about 15 min total, audio is enough for all except video 7 "Data flow diagrams")
- OWASP CheatSheets Series Team 2021: Threat Modeling Cheat Sheet
- Infosec scene
- Any episode from Darknet Diaries Podcast. (Try picking an episode that's different from everyone else, e.g. not the latest and not one that's prominently on the front page.)
- Threat modeling
- a) Security hygiene. What basic security practices should everyone follow? Are there some security hygiene practicies that every company or average Joe should follow? (This subtask does not require tests with a computer. A bullet list is enough)
- b) Make-belief boogie-man - a threat model for imaginary company.
- This subtask does not require tests with a computer.
- Create an imaginary company and create threat model.
- Business requirements come from business, technical specialist help with tech. Inlude this in your narrative.
- Your analysis should cover all parts of the four question model (four key questions in Threat modeling manifesto)
- (1) What are we working on?
- Our assets
- Priorization, key assets
- E.g. customer health data is a crown jevel, personel gaming server is probably not
- Security supports business
- Draw a diagram of the company systems
- Customer is the king
- What do we have to do the serve the customer (to keep getting paid)
- How does customer see our systems? Touchpoints?
- Write a description.
- Our assets
- (2) What can go wrong?
- Apply one or more named models: Attack trees, STRIDE, CIA, ATT&CK...
- Give some examples of identified risks - you don't need to find all risks or likely vulnerabilites, as there would be too many for this homework.
- Priorize biggest risks
- High expected value (or other very high risk)
- Expected value = probability * monetary value
- Expected value is a tool for discussion, it's not exact science as we have to guestimate the input numbers
- Are you targetted by specific threat actors? Are there actors that target your geographical or political area or industry?
- Known TTPs? (tactics, techniques, procedures)
- COI - Capability, Opportunity, Intent
- Business continuity
- We have to keep serving the customer to receive money.
- Stakeholders (customer, employees...) trust us. Trust is hard to get and easy to lose.
- Apply one or more named models: Attack trees, STRIDE, CIA, ATT&CK...
- (3) What are we going to do about it?
- Can you: reduce attack surface, limit entry points...
- META: Mitigage, Eliminate, Transfer, Accept.
- (4) Did we do a good enough job?
- Security audits, pentests, assesments, continous threat modeling and evaluation
- Process, not a one time job. It never ends.
- (1) What are we working on?
Tips:
- Reading is for you.
- Read the articles.
- You learn the subject matter required to
- complete the tasks
- understand how the tasks are related to the field of infosec
- You learn the channels to follow the scene after the course
- You learn the subject matter required to
- Don't generate content with AI. Not understanding the arcticle will make it harder and harder to succeed in the future. Generating a lot of useless AI spam for classmates to read is disrespectful of their time.
- You can answer with just a few bullets.
- Read the articles.
- Refer to sources
- Any book, page, video, man-page, report you use for home work task should be listed as a source.
- This task page is of course one source for the report: Karvinen 2024: Information Security Course, https://terokarvinen.com/information-security/
- Work on your own level
- If you have background in security and IT, feel free to challenge yourself.
- If you're just starting, just fumble around - bravely try the models. We will not implement your plan, nothing will happen in real life even if your threat model is not perfect.
- Security hygiene
- No brainer: Wouldn't it be great if you could just recommend some practices - even before conducting laboursome threat modeling?
- Threat modeling
- Think about the moment when you're using this in real life. You sit down on a table. You identify risks and choose how to use your limited resources. You colleagues will trust you can keep company systems safe and running.
- Darknet Diaries
- AntennaPod is convenient Android program for listening podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands other programs for podcasts, too.
- Pick any episode. Check descriptions, and pick one that's likely to be suitable here. It's recommended to pick other than the latest or the one on top of the homepage, so we can look at different episodes.
- When cross evaluating
- Give comments
- Use the whole scale (5 is every non-voluntary task solved and reported clearly)
Adminstrivia
I will keep updating this page during and after the course.