COMP6441: Security Engineering
COMP6441 is a course all about security engineering and cyber security. Here is my set of notes made throughout the semester! For more information, see https://sec.edu.au/.



1. Introduction to Security Engineering

An introduction to Security Engineering, including how we think in this area, and how case studies help us develop a coherent way of thinking. We also look at the history of hacking.

2. Security Literacy and Thinking

A primer on how humans are unreliable when it comes to emotions and trust. Confidentiality, Integrity and Authentication are three key aspects of security, and we discuss how classical ciphers provide some confidentiality.

3. Risk and Key Cryptography

Risk is a large part of security, especially events that have high risk and low probability. We also observe Merkle's public key cryptography and the Diffie-Hellman Key Exchange.

4. Human Weakness, Physical Security and Hashes

We highlight again the weaknesses of humans, and how training and drilling are key to preventing human error. Message integrity via hashing is discussed, along with pre-image, second pre-image and collision attacks, which show how hash functions can be weak.

5. Vulnerabilities and Assets

We look at vulnerabilities, bugs and exploits and examples of various types of them. Assets form a key part in determining what level of security we want in a system.

6. Ciphers and Stack Vulnerabilities

This week covers more ciphers, including the Feistel network, and guest speaker Finbar speaks about red teaming and different types of stack vulnerabilities.

7. Top Men, RSA and Misdirection

Information about how 'top men' should never be trusted, and different ways of attacking - in particular side-channel attacks, and how easily information leaks. We also discuss how RSA works.

8. Identity and Authentication

We now look at how people can authenticate themselves - through something we have, something we are, and something we know. We also look at two authentication protocols - S/Key and SKID.

9. More Authentication and Trust

We continue our conversation on authentication for the larger community, and the use of Certificate Authorities and the Web of Trust. We also look at time of check/time of use errors, and perfect forward secrecy.

10. WannaCry, Time and Knowledge

A case study on WannaCry, followed by more on time and knowledge. We introduce the Zero Knowledge Protocol - a way for a prover to convince a verifier that it possesses some knowledge, without sharing that knowledge.

11. Incident Response, Privacy and Red Teaming

A look into how we respond to incidents, followed by the benefits and risks to personal privacy. This is followed by notes from two guest sessions: the Privacy Commissioner, on her role in working with companies to prevent privacy breaches, and three Westpac Red-Teamers, who discuss their attack strategies.

12. Whistleblowers and Bug Bounties

Finishing off the semester with information about whistleblowers and sharing internal secrets. We then had two guest speakers who shared their thoughts on bug bounties and vulnerability disclosure.