20810140 - CYBERSECURITY

The Cybersecurity course intends to provide the student with the competencies needed to understand and tackle cybersecurity problems in ICT systems and complex organizations, to design networks and computing systems with a given level of security, and to plan and manage cybersecurity-related activities. The course covers attacks, countermeasures, cryptographic tools, applications, and methodologies in the cybersecurity field. Advanced topics in data integrity are also addressed.

Curriculum


Program

• Course introduction
• Introduction to computer security and terminology
• Vulnerabilities and threats
◦ Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written in interpreted languages, code injection. Injection into web pages: XSS. Cross-site request forgery. OWASP.
▪ Example of a web site that is vulnerable to SQL injection
◦ Buffer overflow attacks. Exploitation: privilege escalation, intrusions through open services, intrusions through untrusted documents (email, web, etc.).
▪ Example of vulnerable code, buffer overflow and related exploit
◦ Vulnerabilities of networks: sniffing, MAC flooding, ARP poisoning, DNS vulnerabilities, Kaminsky attack. TCP session hijacking, MitM attacks, DoS and distributed DoS, route hijacking.
• Security planning: security plan content, risk analysis.
• Countermeasures
◦ Design principles of policies and mechanisms.
◦ Models: AAA, confinement, DAC, MAC, access control matrix
◦ Cryptographic techniques:
▪ Cryptography basics (hash functions, symmetric ciphers, asymmetric ciphers, MACs, digital signatures), birthday attack, rainbow tables, key quality, pseudo-random number generators.
▪ Authentication protocols and key exchange. Replay and reflection attacks. Nonces. Perfect forward secrecy. Diffie-Hellman.
▪ Certificates, certification authorities, public key infrastructures and their vulnerabilities.
▪ Applications: the SSL, TLS, SSH and IPsec protocols, virtual private networks, etc. Authentication protocols for WAN and LAN. RADIUS and its vulnerabilities. Other applications.
◦ Anomaly detection systems.
◦ System security:
▪ General principles: passwords and their vulnerabilities, hardening, assessment and auditing
▪ Unix: discretionary access control, file system security, authentication, PAM, syslog
◦ Network security:
▪ Firewalling: stateless and stateful firewalls, connections, SYN proxy and SYN cookies, load balancing and high availability, Linux netfilter and configuration examples.
▪ Network security at layers 1 and 2.
▪ Application-level proxies and network intrusion detection systems.
• Authenticated Data Structures
• Distributed Ledger Technologies and Bitcoin
• Smart contracts
• Cybersecurity in large organizations.

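The program above lists an example of a web site vulnerable to SQL injection. The following is an added illustration of that kind of example, written for this page and not taken from the course material: a login check that splices untrusted input into the SQL text, next to the same check with bound parameters. It runs against an in-memory SQLite database seeded with constructed users (all names and passwords are made up); passwords are kept in clear only to keep the example short, a real system would store salted hashes.

```python
"""SQL injection: query built by string interpolation beside the parameterized fix.

Added example for the syllabus item "Example of a web site that is vulnerable
to SQL injection"; not course material. Uses an in-memory SQLite database
seeded with constructed users (names and passwords are made up). Passwords
are stored in clear only for brevity; a real system stores salted hashes.
"""
import sqlite3

# Constructed sample data: one ordinary user and one administrator.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("admin", "s3cr3t-admin-pw"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Untrusted input is spliced into the SQL text, so it can rewrite the query.

    Returns the names of matching users; an empty list means the login failed.
    """
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Same check with bound parameters: the driver passes the input as data,
    so quotes and comment markers in it never reach the parser as SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


# Payload 1 (user name field): close the string literal, then comment out the
# rest of the WHERE clause. Resulting SQL:
#   ... WHERE name = 'admin' --' AND password = '...'
ADMIN_BYPASS = "admin' --"

# Payload 2 (password field): an always-true disjunction. Because AND binds
# tighter than OR, the clause becomes
#   (name = 'x' AND password = '') OR '1'='1'     -> true for every row
DUMP_ALL = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin bypass:", login_vulnerable(db, ADMIN_BYPASS, "wrong"))
    print("vulnerable, dump all:    ", login_vulnerable(db, "x", DUMP_ALL))
    print("safe, admin bypass:      ", login_safe(db, ADMIN_BYPASS, "wrong"))
    print("safe, real credentials:  ", login_safe(db, "alice", "correct horse battery staple"))
```

Both payloads succeed against login_vulnerable and fail against login_safe, which is the point of the comparison: input validation on its own is a weaker defence than keeping data and code separate at the database interface.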

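The program also lists "Authenticated Data Structures" and "Distributed Ledger Technologies and Bitcoin". The following is an added example written for this page, not course material: a Merkle tree with membership proofs, the authenticated data structure Bitcoin uses to commit to the transactions of a block. A verifier holding only the 32-byte root checks that a leaf belongs to the set from a proof of O(log n) sibling digests; any change to the leaf, the proof or the root makes verification fail. The leaf records are constructed sample data, and the padding rule for odd levels (duplicate the last digest) is the Bitcoin one.

```python
"""Authenticated data structure: a Merkle tree with membership proofs.

Added example for the "Authenticated Data Structures" and "Distributed Ledger
Technologies and Bitcoin" syllabus items; not course material. The leaf
records are constructed sample data.
"""
import hashlib
from typing import List, Tuple

# Proof element: (sibling digest, side on which the sibling sits).
ProofStep = Tuple[bytes, str]


def leaf_hash(leaf: bytes) -> bytes:
    # Domain separation: leaves and internal nodes get different prefixes, so
    # an internal node can never be passed off as a leaf (or vice versa).
    return hashlib.sha256(b"\x00" + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd level: duplicate the last digest, as Bitcoin does. Caveat: with this
    # rule a list whose last leaf is duplicated hashes to the same root as the
    # list without the duplicate, so callers must reject duplicate leaves.
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level, from the leaf digests (index 0) up to the root."""
    if not leaves:
        raise ValueError("empty tree")
    level = [leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves: List[bytes], index: int) -> List[ProofStep]:
    """Sibling digests along the path from leaf `index` to the root."""
    if not 0 <= index < len(leaves):
        raise IndexError(index)
    proof: List[ProofStep] = []
    for level in build_levels(leaves)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof


def verify_proof(root: bytes, leaf: bytes, proof: List[ProofStep]) -> bool:
    """Recompute the root from leaf and proof and compare it with the trusted root."""
    acc = leaf_hash(leaf)
    for sibling, side in proof:
        acc = node_hash(sibling, acc) if side == "left" else node_hash(acc, sibling)
    return acc == root


# Constructed sample records; an odd count exercises the padding rule.
RECORDS = [b"tx:alice->bob:5", b"tx:bob->carol:2", b"tx:carol->dave:1",
           b"tx:dave->erin:7", b"tx:erin->alice:3"]


if __name__ == "__main__":
    root = merkle_root(RECORDS)
    proof = merkle_proof(RECORDS, 3)
    print("root:", root.hex())
    print("genuine leaf verifies:", verify_proof(root, RECORDS[3], proof))
    print("tampered leaf verifies:", verify_proof(root, b"tx:dave->erin:700", proof))
```

The security of the structure rests on second-preimage resistance of the hash function: forging a proof for a leaf that is not in the set would require finding a different input with a digest that already appears in the tree.
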
Adopted Textbooks

Course handouts


Reference Bibliography

M. Bishop, "Computer Security: Art and Science", Addison-Wesley.
C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Communication in a Public World" (second edition), Prentice Hall.
C. Pfleeger, S. Pfleeger, "Security in Computing", Pearson - Prentice Hall.
A. Antonopoulos, "Mastering Bitcoin" (2nd edition), O'Reilly, 2017.
A. Antonopoulos, G. Wood, "Mastering Ethereum: Building Smart Contracts and DApps", O'Reilly Media, 2018.

Teaching Method

Lectures

Attendance

Students are encouraged to attend classes. However, it is possible, though discouraged, to take the exams without attending classes.

Assessment

Students are evaluated on the basis of a written exam (about 66% of the final grade) and a practical exam in the laboratory (about 33% of the final grade).
