IT4070 trains students to design, implement, and troubleshoot security infrastructure by applying the core principles of cyber defense. The course covers cryptographic fundamentals, encryption standards, Public Key Infrastructure (PKI), digital signatures, and perimeter security techniques. Students move beyond theoretical awareness and learn to evaluate countermeasure effectiveness against real-world threat scenarios. Every assignment reinforces a single priority: building layered defenses that protect organizational assets while accounting for legal, ethical, and policy constraints. This course is a cornerstone of Capella's Information Assurance and Cybersecurity specialization.
Defense technologies: comparing core countermeasure approaches
| Technology | Function | Deployment Context | Limitation |
|---|---|---|---|
| Symmetric encryption (AES) | Encrypts data using a single shared key for confidentiality | Disk encryption, VPN tunnels, database field-level encryption | Key distribution problem: both parties must securely share the same key |
| Asymmetric encryption (RSA/ECC) | Uses public-private key pairs for secure key exchange and authentication | TLS handshakes, email encryption (S/MIME, PGP), digital signatures | Computationally expensive; typically used to exchange symmetric keys, not bulk data |
| Public Key Infrastructure (PKI) | Manages digital certificates to bind identities to public keys | HTTPS certificates, code signing, enterprise authentication | Requires trusted Certificate Authorities; compromised CAs undermine the entire trust chain |
| Firewalls (stateful / next-gen) | Filter network traffic based on rules, state, and application awareness | Network perimeter, internal segmentation, cloud security groups | Cannot inspect encrypted traffic without TLS interception; rule misconfigurations create gaps |
| Intrusion Prevention Systems (IPS) | Detect and block malicious traffic in real time using signatures and anomaly detection | Inline behind the firewall, integrated into next-gen firewalls | Signature-based detection misses zero-day attacks; false positives can block legitimate traffic |
Cryptography fundamentals: the backbone of cyber defense
IT4070 devotes significant attention to cryptographic principles because every modern defense mechanism relies on them. Students study symmetric algorithms such as AES (Advanced Encryption Standard) and understand why AES-256 replaced older standards like DES and 3DES. The course traces the evolution from simple substitution ciphers to block ciphers operating in modes like CBC (Cipher Block Chaining) and GCM (Galois/Counter Mode), explaining how each mode addresses different security requirements. AES-GCM, for instance, provides both confidentiality and integrity verification in a single operation, making it the preferred choice for TLS 1.3 and IPsec. Students also study hashing algorithms (SHA-256, SHA-3), learning to distinguish between encryption (reversible with a key) and hashing (one-way). Hash functions play a critical role in password storage, file integrity verification, and digital signatures.
Asymmetric cryptography introduces a fundamentally different model. RSA relies on the computational difficulty of factoring large prime numbers, while Elliptic Curve Cryptography (ECC) achieves equivalent security with shorter key lengths by exploiting the difficulty of the elliptic curve discrete logarithm problem. IT4070 requires students to evaluate these tradeoffs in practical scenarios: RSA-2048 remains widely deployed, but ECC-256 provides comparable security with significantly less computational overhead, making it preferred for mobile devices and IoT endpoints. Digital signatures combine hashing with asymmetric encryption to provide authentication, integrity, and non-repudiation. The signer hashes the message and encrypts the hash with their private key. The recipient decrypts with the signer's public key and compares the hash to verify the message has not been altered. PKI ties this system together by providing a framework of Certificate Authorities (CAs), certificate revocation lists (CRLs), and the Online Certificate Status Protocol (OCSP) that organizations use to validate identities at scale.
Working on a PKI implementation plan, encryption analysis, or perimeter security assessment?
Our cybersecurity writers deliver technically rigorous coursework aligned with Capella's IT4070 rubric standards.
Key topics in IT4070
- Symmetric encryption: AES-128/256, block cipher modes (CBC, CTR, GCM), key generation and management, performance considerations for bulk data encryption
- Asymmetric encryption: RSA key pair generation, ECC (Elliptic Curve Cryptography), Diffie-Hellman key exchange, hybrid encryption schemes combining symmetric and asymmetric methods
- Public Key Infrastructure (PKI): Certificate Authorities, certificate lifecycle management, certificate revocation (CRL and OCSP), X.509 certificate format, trust hierarchies and cross-certification
- Digital signatures: signing and verification processes, non-repudiation, code signing, document signing standards (PKCS#7, XML-DSig), timestamping services
- Perimeter security: firewall architectures (packet filtering, stateful inspection, application-layer gateways), DMZ design, network segmentation, proxy servers, and bastion hosts
- Intrusion detection and prevention: signature-based vs. anomaly-based detection, IDS/IPS deployment topologies, SIEM integration, alert tuning and false positive management
- Defense-in-depth strategy: layered security controls across network, host, application, and data layers, combining preventive, detective, and corrective controls into a unified posture
- Legal and ethical considerations: Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), data breach notification laws, responsible disclosure, and ethical obligations of security professionals
- Risk assessment and countermeasure selection: threat modeling, vulnerability analysis, cost-benefit analysis of security controls, residual risk acceptance criteria
Defense-in-depth: layered security controls IT4070 students must understand
- Network layer: firewalls, IDS/IPS, network segmentation (VLANs), VPN tunnels, and network access control (NAC) prevent unauthorized traffic from reaching internal resources. Each control addresses a different attack vector, so a single failure does not expose the entire network
- Host layer: endpoint protection platforms, host-based firewalls, application whitelisting, and patch management reduce the attack surface on individual systems. Hardening guides from CIS Benchmarks provide actionable configuration baselines
- Application layer: secure coding practices, input validation, web application firewalls (WAF), and regular vulnerability scanning protect the software that processes user data. OWASP Top 10 maps the most common application-level weaknesses
- Data layer: encryption at rest and in transit, database activity monitoring, data loss prevention (DLP) tools, and access controls ensure that even if outer defenses fail, the data itself remains protected and unusable to attackers
- Administrative controls: security policies, access reviews, employee training, incident response plans, and separation of duties provide the governance framework that ties technical controls together and ensures humans do not become the weakest link
Get Help With IT4070
Encryption analyses, PKI deployment plans, firewall architecture designs, risk assessments. Cybersecurity coursework built on defense-in-depth principles.
Place Your OrderView All ServicesRelated courses
Frequently asked questions
Symmetric encryption uses a single shared key for both encrypting and decrypting data. AES is the dominant standard, and it processes data quickly, making it ideal for encrypting large volumes such as disk partitions or database backups. The challenge is key distribution: both the sender and receiver must possess the same key, and transmitting that key securely requires a separate channel. Asymmetric encryption solves this by using a mathematically related key pair. The public key encrypts data, and only the corresponding private key can decrypt it. RSA and ECC are the primary algorithms. However, asymmetric encryption is computationally expensive and much slower than symmetric encryption. In practice, IT4070 teaches students that modern systems use a hybrid approach: asymmetric encryption secures the initial key exchange (such as during a TLS handshake), and then symmetric encryption handles the bulk data transfer using the exchanged session key.
PKI creates a hierarchical trust model anchored by Certificate Authorities (CAs). A root CA issues its own self-signed certificate, which operating systems and browsers include in their trusted certificate stores. The root CA signs intermediate CA certificates, which in turn sign end-entity certificates for websites, servers, or individuals. When your browser connects to an HTTPS site, it receives the server's certificate and traces the chain of signatures back to a trusted root. If every signature verifies and the certificate has not been revoked (checked via CRL or OCSP), the browser accepts the connection. IT4070 assignments frequently require students to design a PKI hierarchy, define certificate policies, and explain what happens when a CA is compromised. The key concept is that PKI does not guarantee that the other party is trustworthy in a general sense. It guarantees that the identity claimed in the certificate was validated by a CA whose verification procedures you trust.
Defense-in-depth is a security strategy that deploys multiple layers of controls so that no single point of failure compromises the entire system. The concept originates from military doctrine and translates to IT security by placing preventive, detective, and corrective controls at every architectural layer: network, host, application, and data. A firewall blocks unauthorized network traffic (preventive). An IDS detects suspicious patterns that bypass the firewall (detective). An incident response plan contains and remediates a breach once detected (corrective). IT4070 requires students to map these control types across layers and justify why redundancy matters. A common assignment involves designing a defense-in-depth architecture for a given organization, identifying which controls operate at each layer, and explaining how the layered approach limits the blast radius of a successful attack compared to relying on a single perimeter firewall.
Cyber defense professionals operate within a complex legal landscape that governs what they can and cannot do, even in defense of their own networks. The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to computer systems, which means that active countermeasures like "hacking back" against an attacker violate federal law regardless of the defender's intent. Data breach notification laws vary by state and require organizations to notify affected individuals within specific timeframes. Industry regulations such as PCI-DSS (payment cards), HIPAA (healthcare), and GLBA (financial services) mandate specific security controls and reporting procedures. IT4070 covers these frameworks because security professionals must design defenses that protect the organization while maintaining legal compliance. Ethical considerations extend to privacy: monitoring employee network activity for threats must balance security needs against employee privacy expectations, and security researchers who discover vulnerabilities must follow responsible disclosure processes rather than publicizing exploits.