Unit CYBERSECURITY WITH LABORATORY
- Course
- Informatics
- Study-unit Code
- A004744
- Curriculum
- Cybersecurity
- Teacher
- Stefano Bistarelli
- CFU
- 15
- Course Regulation
- Coorte 2024
- Offered
- 2024/25
- Type of study-unit
- Obbligatorio (Required)
- Type of learning activities
- Attività formativa integrata
mod. 1: THEORY AND ADVANCED PRINCIPLES
| Code | A004746 |
|---|---|
| CFU | 9 |
| Teacher | Stefano Bistarelli |
| Teachers |
|
| Hours |
|
| Learning activities | Caratterizzante |
| Area | Discipline informatiche |
| Academic discipline | INF/01 |
| Type of study-unit | Obbligatorio (Required) |
| Language of instruction | Inglese. Se richiesto in Italiano. |
| Contents | 1 Introduction 2 ACM curriculum guidelines per IAS 3 Storia della Sicurezza 4 IAS/Foundational Concepts in Security 5 IAS/Principles of Secure Design 6 IAS/Defensive Programming 7 IAS/Threats and Attacks 8 IAS/Network Security 9 IAS/Cryptography 10 laboratory activity 11 Capture the Flag competition (CTF) ------------------- The course offers the student elements of advanced security mainly concerning Defensive Programming, Identity Management, Security of OS and Containers (Docker), and Security of smart contracts in Solidity language |
| Reference texts | Hand notes given by the professor, and books suggested during the lessons Computer Security by Dieter Gollmann Introduction to Computer Security by Matt Bishop COMPUTER SECURITY by WILLIAM STALLINGS and Lawrie Brown Principles of Information Security by Michael E. Whitman and Herbert J. Mattord Security in Computing by Charles P. Pfleeger and Shari Lawrence Pfleeger ---------------------- Secure Coding in C and C++ Author: Robert Seacord Series: SEI Series in Software Engineering Paperback: 600 pages Publisher: Addison-Wesley Professional; 2 edition (April 12, 2013) Language: English ISBN-10: 0321822137 ISBN-13: 978-0321822130 Title: Container Security: Fundamental Technology Concepts that Protect Containerized Applications 1st Edition. O'Reilly Media; 1st edition (April 28, 2020). Paperback 200 pages. ISBN-10 : 1492056707 ISBN-13 : 978-1492056706 Title: Mastering Ethereum: Building Smart Contracts and DApps Author: Andreas M. Antonopoulos, Gavin Wood Ph. D. Paperback: 424 pages Publisher: O'Reilly Media; 1 edition (December 23, 2018) Language: English ISBN-10: 1491971940 ISBN-13: 978-1491971949 Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0. Publisher: Apress; 1st ed. edition (December 19, 2019). Paperback: 337 pages. ISBN-10 : 148425094X ISBN-13 : 978-1484250945 |
| Educational objectives | To understand the meaning of Information Security and of the Confidentiality, Integrity, and Availability attributes. Understand the problem of connecting secure systems over insecure networks. Understand the basic notions of Information Security, Computer Security, and Network Security. Be able to recognize and handle attacks and be able to build countermeasures, for attacks on systems, networks, and mobile devices |
| Prerequisites | Knowledge of TCP / IP protocol (mandatory) knowledge of C programming and procedure and function calls (important), knowledge of SQL (mandatory) Have successfully passed the examination of Programming, Networking, Operating Systems, and Databases (important) |
| Teaching methods | Face-to-face and laboratory. possibility of seminars by different guests |
| Other information | The frequency of the lessons is strongly suggested |
| Learning verification modality | An oral interview lasting an average of 30 minutes on topics covering all the program of the course. Possibility of specific projects or seminars. At the request of the student examination can 'be done in Italian or English. |
| Extended program | 1 Introduction Introduction, prerequisites, books, exam 2 ACM curriculum guidelines for IAS from the ACM curricular guidelines, with references to contents and parts of textbooks where to find information 3 History of Security 4 IAS/Foundational Concepts in Security CIA (Confidentiality, Integrity, Availability): RIF. Gollmann cap. 3, Bishop cap. 1, Stallings cap. 1, Whitman cap. 1, Pfleeger cap. 1, Anderson cap. 1 slides Concepts of risk, threats, vulnerabilities, and attack vectors: RIF. Gollmann cap. 2, Bishop cap. 1e18e23, Stallings cap. 1e14, Whitman cap. 1e2(e4), Pfleeger cap. 1 CH01-CompSec3e-note ... rif a security risk analysis, attack trees and indexes Authentication and authorization, access control (mandatory vs. discretionary): RIF. Gollmann cap. 4e5, Bishop cap. 4(e5-8)e12, Stallings cap. 3e4, Whitman cap. 6prima_parte Policies: Ch. 4 Bishop Bell-LaPadula: Ch. 5 bishop cascade problem, secure reconfiguration (slides) Biba e Clarck-Wilson: Ch. 6 bishop, Chinese Wall Model, ORCON, RBAC: Ch. 7 bishop, Crittografia, firma digitale, pki e certificati, authentication protocols (Needham-Schroeder, Woo-Lam): Ch. 8,9,10 bishop, diffie-hellman Authetication methods, Kerberos: Ch. 9,11 bishop, Concept of trust and trustworthiness: RIF. Gollmann cap. 13, Bishop cap. 18e19, Stallings cap. 13, Pfleeger Ch. 5 Ethics (responsible disclosure): Stallings cap. 19, Whitman cap. 3ultima_parte, Pfleeger cap. 9ultima_parte 5 IAS/Principles of Secure Design (RIF Bishop cap. 13) Least privilege and isolation, Fail-safe defaults, Open design, End-to-end security, Defense in depth (e.g., defensive programming, layered defense), Security by design, Tensions between security and other design goals, Complete mediation, Use of vetted security components, Economy of mechanism (reducing trusted computing base, minimize attack surface), Usable security , Security composability Prevention, detection, and deterrence 6 IAS/Defensive Programming Input validation and data sanitization, Choice of programming language and type-safe languages, Examples of input validation and data sanitization errors Buffer overflows documentazione di riferimento Integer errors SQL Injection, documentazione di riferimento XSS vulnerability, documentazione di riferimento Race conditions Correct handling of exceptions and unexpected behaviors Correct usage of third-party components Effectively deploying security updates 7 IAS/Threats and Attacks Attacker goals, capabilities, and motivations Examples of malware (e.g., viruses, worms, spyware, botnets, Trojan horses or rootkits) Denial of Service (DoS) and Distributed Denial of Service (DDoS) Social engineering (e.g., phishing) Whitman cap. 2, Gollmann: cap 10, bishop: cap 22, 26, stalling: 6, 7, 10, 11, pfledger: cap 3 8 IAS/Network Security RIF: Whitman cap. 2, Gollmann: cap 17, bishop: cap 29, stalling: 8, 9 , pfledger: cap 7 Network specific threats and attack types (e.g., denial of service, spoofing, sniffing and traffic redirection, man-in-the-middle, message integrity attacks, routing attacks, and traffic analysis) Use of cryptography for data and network security Architectures for secure networks (e.g., secure channels, secure routing protocols, secure DNS, documentazione di riferimento VPNs, anonymous communication protocols, isolation ) Defense mechanisms and countermeasures (e.g., network monitoring, intrusion detection, firewalls, slides e materiale spoofing and DoS protection, honeypots, tracebacks 9 IAS/Cryptography Basic Cryptography Terminology covering notions pertaining to the different (communication) partners, secure/insecure channel, attackers and their capabilities, encryption, decryption, keys and their characteristics, signatures Cipher types (e.g., Caesar cipher, affine cipher) together with typical attack methods such as frequency analysis Public Key Infrastructure support for digital signature and encryption and its challenges ----------------------- Defensive programming taxonomy Stack overflows Heap overflows Shellcode Input validation and data sanitization Mitigation Operating system support (e.g., address space randomization, canaries) Integer errors Concurrency and race conditions Static and dynamic analysis Program Verification Fuzz Testing Identity management OAuth2.0 OpenID Connect SAML File rights management in Linux Cgroup, Namespace, Chroot Container security Introduction to Ethereum Smart Contract Security in Solidity |
mod. 2: PRACTICE AND LABORATORY
| Code | A004747 |
|---|---|
| CFU | 6 |
| Teacher | Francesco Santini |
| Teachers |
|
| Hours |
|
| Learning activities | Caratterizzante |
| Area | Discipline informatiche |
| Academic discipline | INF/01 |
| Type of study-unit | Obbligatorio (Required) |
| Language of instruction | English |
| Contents | Hardening of an operating system, concepts and examples. Network security assessment, tools and their use. Group simulation of a defense BlueTeam in a CybeRange. |
| Reference texts | - Mastering Linux Security and Hardening - Third Edition by Donald A. Tevault Released February 2023 Publisher(s): Packt Publishing ISBN: 9781837630516 - Network Security Assessment, 3rd Edition by Chris McNab Released December 2016 Publisher(s): O'Reilly Media, Inc. ISBN: 9781491910955 - The Ubuntu Documentation and Security Guide (https://ubuntu.com/security/certifications/docs) - Linux hardening checklists and tips, and other online material |
| Educational objectives | The goal is to familiarize students with the issues and solutions related to securing an operating system (Linux) across various areas including user management, certificate management, and firewall management. Students will directly implement the examples discussed in the class. Additionally, they will be introduced to and utilize various network security assessment tools in a controlled laboratory setup. Finally, students will have the opportunity to gain hands-on experience in analyzing network attacks using the Cyberange platform. |
| Prerequisites | Fundamentals of Networking and Operating Systems |
| Teaching methods | Lectures and laboratory exercises. |
| Other information | Attendance of lectures is strongly suggested. Website: www.unistudium.unipg.it For the exam schedule, see: www.informatica.unipg.it |
| Learning verification modality | Assignment of a project and oral exam on the program carried out in class. For information on support services for students with disabilities and/or DSA visit the page http://www.unipg.it/disabilita-e-dsa |
| Extended program | Linux hardening (26 hours): Securing Administrative User Accounts, Securing Normal User Accounts, Securing Your Server with a Firewall, SSH Hardening, Encryption Technologies (GPG, eCryptfs, VeraCrypt, OpenSSL and the Public Key Infrastructure), Access Control Lists and Shared Directory Management, Kernel Hardening and Process Isolation, Scanning, Auditing, and Hardening (antivirus, autd, ausearch and aureport, OpenSCAP), Logging and Log Security, Vulnerability Scanning and Intrusion Detection (IPFire, Snort and Security Onion, Lynis), Ubuntu security compliance and certifications (FIPS 140, CIS, DISA-STIG, Common Criteria). Network Security Assessment (16 hours): tools (nmap, metasploitable, OpenVAS, Nikto, Hydra) and their use, Local Network Discovery, Service Fingerprinting, Assessing Common Network Services (FTP, SSH, Telnet, etc), Assessing Web Servers, Assessing Mail Services, Assessing VPN Services, Assessing Data Stores. Playing Blue Team in a CyberRange with different cases (10 hours). |