Institute of Information Security

Applied Information Security - A Hands-on Approach

Zurich Information Security Center

We are affiliated with the Zurich Information Security Center (ZISC)

Events & News

This book explores fundamental principles for securing IT systems and illustrates them with hands-on experiments that may be carried out by the reader using accompanying software. The experiments highlight key information security problems that arise in modern operating systems, networks, and web applications.

The Book


David Basin
Patrick Schaller
Michael Schläpfer

The authors explain how to identify and exploit such problems and they show different countermeasures and their implementation. The reader thus gains a detailed understanding of how vulnerabilities arise and practical experience tackling them.

After presenting the basics of security principles, virtual environments, and network services, the authors explain the core security principles of authentication and access control, logging and log analysis, web application security, certificates and public-key cryptography, and risk management. The book concludes with appendices on the design of related courses, report templates, and the basics of Linux as needed for the assignments.

The authors have successfully taught IT security to students and professionals using the content of this book and the laboratory setting it describes. The book can be used in undergraduate or graduate laboratory courses, complementing more theoretically oriented courses, and it can also be used for self-study by IT professionals who want hands-on experience in applied information security. The authors' supporting software is freely available online and the text is supported throughout with exercises.
Table of Contents

Chap. 1, Security Principles.- Chap. 2, The Virtual Environment.- Chap. 3, Network Services.- Chap. 4, Authentication and Access Control.- Chap. 5, Logging and Log Analysis.- Chap. 6, Web Application Security.- Chap. 7, Certificates and Public-Key Cryptography.- Chap. 8, Risk Management.- App. A, Using This Book in a Lab Course.- App. B, Report Template.- App. C, Linux Basics and Tools.- App. D, Answers to Questions.- References.- Index.


8 November 2012: The book is an editor's pick and the current highlight of ACM's Computing Reviews:

"This book is a good way for newcomers to the security field, or those who want an overview of a goodly sampling of security issues, to start understanding both the issues and possible defenses. It is very much a workbook, with numerous in-line problems to work on and a nice set of questions and exercises for each chapter; answers appear in an appendix. Many of the exercises involve using specific software to look at events as they occur. ... It is very readable and well organized, and the questions and exercises are generally very good. It is an excellent introduction to the subject and would make a good upper-level undergraduate text. It would also be quite useful as a self-study text for someone new to the field." (Jeffrey Putnam, ACM Computing Reviews, August 2012)

The full review is available here: Review

Get the Book

Errata and Improvements:

Virtual Machines Download

With the new versions of VirtualBox it is now possible to export all necessary configurations. For your convenience, first try to simply import the appliances below. If this fails, you may follow the installation and configuration instructions using the virtual disks as described in the book.

VirtualBox Appliances (v1.1, 14 March 2012):

* After extracting the zip-file, choose "File->Import Appliance..." to install the virtual machine (ova-file). Do not reassign new hardware MAC-addresses!

Virtual Machine Disks (v1.1, 14 March 2012):

* If the import of the above appliances fails, please follow the instructions in the book to install and configure the virtual machines!


Project Files:

Lab Extensions

In this section we provide some links to extensions of the lab environment and the book in different topics. We would like to thank the authors of these extensions to share them here. If you would like to be listed here, please contact Michael Schläpfer.

Computer Forensics

This chapter extends the book by introducing Computer Forensics and was developed by Lukas Limacher as part of his Bachelor thesis (v1.0, 17 September 2012):


Wichtiger Hinweis:
Diese Website wird in älteren Versionen von Netscape ohne graphische Elemente dargestellt. Die Funktionalität der Website ist aber trotzdem gewährleistet. Wenn Sie diese Website regelmässig benutzen, empfehlen wir Ihnen, auf Ihrem Computer einen aktuellen Browser zu installieren. Weitere Informationen finden Sie auf
folgender Seite.

Important Note:
The content in this site is accessible to any browser or Internet device, however, some graphics will display correctly only in the newer versions of Netscape. To get the most out of our site we suggest you upgrade to a newer browser.
More information

© 2014 ETH Zurich | Imprint | Disclaimer | 10 December 2012