Information Security Management | Readings

By Drs. Dave Eargle and Anthony Vance


Authentication and Passwords

  • The reading covers Anderson, either 2nd edition or 3rd edition:

    If you read the 3rd edition, please also read this excerpt from the 2nd edition:”Regardless of how well passwords are managed, there can be absolute limits imposed by the design of the platform. For example, Unix systems used to limit the length of the password to eight characters (you could often enter more than this, but the ninth and subsequent characters were ignored). The effort required to try all possible passwords — the total exhaust time, in cryptanalytic jargon — is 96^8 or about 2^52, and the average effort for a search is half of this” (p. 58).

Cryptography - Asymmetric Encryption


Cryptography – Digital Certificates and PKI

Cryptography – Hashes & Symmetric

  • Anderson, Ch. 5, pp. 129-149 (2nd ed.); pp. 138–156 (3rd ed.)
  • “Secrets & Lies”, Chapters 6 & 7 (library link available)


  • Creating the ECB Penguin
  • [Demystifying Web Authentication (Stateless Session Cookies) Information Security Stack Exchange](
  • [Does “Shattered” actually show SHA-1-signed certificates are “unsafe”? Cryptography Stack Exchange](
    • Includes timeline of laggard response to moving away from MD5

Information Privacy

Introduction to Computer Networking

  • “Secrets & Lies”, Chapters 11 & 12 (library link available)

Malware Analysis

  • Introduction and Chapter 0 of “Practical Malware Analysis” by Sikorski and Honig. (library link available)

Network Security Monitoring

  • Bejtlich, “The Practice of Network Security Monitoring”, Chapter 1 (library link available)

Physical Security

Threat Modeling

  • Read the beginning and skim the rest of each of the following chapters: “Threat Modeling,” by Adam Shostack.
    • Introduction
    • Chapter 1
    • Chapter 4
  • “Secrets & Lies”, Chapters 19 and 21 (library link available)


  • G. Conti and J. Caroland, “Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat,” in IEEE Security & Privacy, vol. 9, no. 4, pp. 48-51, July-Aug. 2011, doi: 10.1109/MSP.2011.80. (pdf)

Web Application Security -- XSS

  • Stuttard and Pinto, “The Web Application Hacker’s Handbook” (library link available), Chapter 12, sections ‘Varieties of XSS’ and ‘XSS Attacks in Action’

Web application security -- SQLi