Subject description - A4M36BIS

Summary of Study | Summary of Branches | All Subject Groups | All Subjects | List of Roles | Explanatory Notes               Instructions
A4M36BIS Information and System Security Extent of teaching:2+2c
Guarantors:  Roles:V Language of
teaching:
Teachers:  Completion:Z,ZK
Responsible Department:13136 Credits:6 Semester:Z

Anotation:

The goal of the course is to give the students a basic gasp of information/system security problems and solutions. Rather than teaching specific current technologies and vulnerabilities/threats, we will introduce general problems, formalize them if appropriate and illustrate them with a wide range of examples, both with current and legacy technologies. We put emphasis on problems that will be encountered by most programmers and developers through their careers.

Course outlines:

1. Introduction, Security models, threat models (Anderson, Ch.1)
a. Security properties: confidentiality, integrity, non-repudiation, availability, ?
b. Methods: Authorization, Authentication, ciphering, replication?
c. Attacker/threat models: sophistication, resources, time
d. Assumptions
e. Security by obscurity vs. guaranteed system properties
2. Protocols and Access Control (I) (Anderson, Ch. 3)
a. Importance of protocol, assumptions
b. Why protocols, their properties
c. Attack surface, Attacks on protocols
d. API
3. Cryptography (I) (Anderson, Ch. 5)
a. Ciphering basics and terms - invertibility, key, plaintext, ciphertext...
b. Block/Stream ciphers
c. Vernam
d. DES, AES
e. Cipher modes, practicalities, side-channel attacks
4. Cryptography (II) (Anderson, Ch. 5)
a. Asymmetric cryptography (DH,EG,RSA)
b. Cryptographic hash functions
c. Electronic signatures
d. Certificates
e. WEP failures, A4/A8 failures
5. Protocols and Access Control (II) (Anderson, Ch. ¾, GSM/3GPPS spec,?)
a. Kerberos
b. Protocols for authorization, authentication, integrity, non-repudiation
c. GSM login, UMTS3G login
d. Banking, electronic transactions
6. Protocols and Access Control (III) (Anderson, Ch. 3/4/6)
a. SSL, MITM attacks, phishing
b. Key distribution, key distribution in wireless networks
c. Access control
d. Rights management - satellite broadcasts use-case
7. Multi-Level Security (Anderson, Ch. 8)
a. Bell-La Padua model
b. Technical solutions and implementations
c. Networking in MLS
d. Data pumps
e. SE Linux, security policies, access controls, policies and modifiers?
8. Multi-Lateral Security, Inference Security, Privacy (Anderson, Ch. 9)
a. Census data security
b. Workplace home pairs as a practical example
c. Location based services security
d. Social network mining
9. Steganography, Information hiding, covert channels (TBD)
a. Steganography introduction and motivation
b. Current problems
c. Steganography
d. Steganalysis
10. Economic Considerations (Anderson, Ch.7)
a. Game theory
b. Electronic marketplaces
c. Botnet economic model, e-crime economic models
d. Reputation systems, their strengths, attacks-on, misuse
11. Network Security (I) (Northcutt: Inside Network Perimeter Security)
a. Threat analysis
b. Attacks (vulnerabilities: e.g. buffer overflows, weak passwords,)
c. Transmission vectors,
d. Rootkits, malware
12. Network Security (II)( Northcutt: Network Intrusion Detection: An Analyst's Handbook)
a. Host security
b. Firewalls, network policies, routers, VPN, tunnels
c. Network monitoring, Intrusion detection
13. Monitoring and Attacks on Monitoring (Anderson, Ch.12)
a. Importance of monitoring
b. Monitoring phases: observation, data processing, recognition, decision, feedback action
c. Attacks on sensors
d. Attacks on cognition, misleading, confusion,?
e. Disinformation

Exercises outline:

1. Threat models and security analysis [1/2 labs]
2. Cryptography and protocols: [4/5 labs]
a. SSL connection bit-by bit, vulnerabilities, key management, algorithms and other issues
b. Protocols: GSM/3G networks, MITM, API security, access control
3. Multi-level security: SELinux, BLP model, defense in depth [3 labs]
4. Student`s choice [4 labs]:
a. Steganography
b. Network security

Literature:

Ross Anderson, Security Engineering 2nd/1st edition (major part available online), chapter numbers refer to second edition Northcutt: Inside Network Perimeter Security Northcutt: Network Intrusion Detection: An Analyst's Handbook

Requirements:

no formal requirements, basic knowledge of operating systems, basics of discrete mathematics and introductory cryptography course

Webpage:

http://agents.felk.cvut.cz/wiki/doku.php?id=teaching:bis

Subject is included into these academic programs:

Program Branch Role Recommended semester
MPIB Common courses V
MPOI1 Artificial Intelligence V
MPOI5NEW Software Engineering V
MPOI4NEW Computer Graphics and Interaction V
MPOI5 Software Engineering V
MPOI4 Computer Graphics and Interaction V
MPOI3 Computer Vision and Image Processing V
MPOI2 Computer Engineering V


Page updated 18.6.2019 09:53:02, semester: Z,L/2020-1, L/2018-9, Z,L/2019-20, Send comments about the content to the Administrators of the Academic Programs Proposal and Realization: I. Halaška (K336), J. Novák (K336)