Logo ČVUT
CZECH TECHNICAL UNIVERSITY IN PRAGUE
STUDY PLANS
2019/2020

Information and System Security

The course is not on the list Without time-table
Code Completion Credits Range Language
A4M33BIS Z,ZK 6 2P+2C Czech
Lecturer:
Tutor:
Supervisor:
Department of Computer Science
Synopsis:

The goal of the course is to give the students a basic gasp of information/system security problems and solutions. Rather than teaching specific current technologies and vulnerabilities/threats, we will introduce general problems, formalize them if appropriate and illustrate them with a wide range of examples, both with current and legacy technologies. We put emphasis on problems that will be encountered by most programmers and developers through their careers.

Requirements:

no formal requirements, basic knowledge of operating systems, basics of discrete mathematics and introductory cryptography course

Syllabus of lectures:

1.Introduction, Security models, threat models (Anderson, Ch.1)

a.Security properties: confidentiality, integrity, non-repudiation, availability, ?

b.Methods: Authorization, Authentication, ciphering, replication?

c.Attacker/threat models: sophistication, resources, time

d.Assumptions

e.Security by obscurity vs. guaranteed system properties

2.Protocols and Access Control (I) (Anderson, Ch. 3)

a.Importance of protocol, assumptions

b.Why protocols, their properties

c.Attack surface, Attacks on protocols

d.API

3.Cryptography (I) (Anderson, Ch. 5)

a.Ciphering basics and terms - invertibility, key, plaintext, ciphertext...

b.Block/Stream ciphers

c.Vernam

d.DES, AES

e.Cipher modes, practicalities, side-channel attacks

4.Cryptography (II) (Anderson, Ch. 5)

a.Asymmetric cryptography (DH,EG,RSA)

b.Cryptographic hash functions

c.Electronic signatures

d.Certificates

e.WEP failures, A4/A8 failures

5.Protocols and Access Control (II) (Anderson, Ch. ¾, GSM/3GPPS spec,?)

a.Kerberos

b.Protocols for authorization, authentication, integrity, non-repudiation

c.GSM login, UMTS3G login

d.Banking, electronic transactions

6.Protocols and Access Control (III) (Anderson, Ch. 3/4/6)

a.SSL, MITM attacks, phishing

b.Key distribution, key distribution in wireless networks

c.Access control

d.Rights management - satellite broadcasts use-case

7.Multi-Level Security (Anderson, Ch. 8)

a.Bell-La Padua model

b.Technical solutions and implementations

c.Networking in MLS

d.Data pumps

e.SE Linux, security policies, access controls, policies and modifiers?

8.Multi-Lateral Security, Inference Security, Privacy (Anderson, Ch. 9)

a.Census data security

b.Workplace home pairs as a practical example

c.Location based services security

d.Social network mining

9.Steganography, Information hiding, covert channels (TBD)

a.Steganography introduction and motivation

b.Current problems

c.Steganography

d.Steganalysis

10.Economic Considerations (Anderson, Ch.7)

a.Game theory

b.Electronic marketplaces

c.Botnet economic model, e-crime economic models

d.Reputation systems, their strengths, attacks-on, misuse

11.Network Security (I) (Northcutt: Inside Network Perimeter Security)

a.Threat analysis

b.Attacks (vulnerabilities: e.g. buffer overflows, weak passwords,)

c.Transmission vectors,

d.Rootkits, malware

12.Network Security (II)( Northcutt: Network Intrusion Detection: An Analyst's Handbook)

a.Host security

b.Firewalls, network policies, routers, VPN, tunnels

c.Network monitoring, Intrusion detection

13.Monitoring and Attacks on Monitoring (Anderson, Ch.12)

a.Importance of monitoring

b.Monitoring phases: observation, data processing, recognition, decision, feedback action

c.Attacks on sensors

d.Attacks on cognition, misleading, confusion,?

e.Disinformation

Syllabus of tutorials:

1.Threat models and security analysis [1/2 labs]

2.Cryptography and protocols: [4/5 labs]

a.SSL connection bit-by bit, vulnerabilities, key management, algorithms and other issues

b.Protocols: GSM/3G networks, MITM, API security, access control

3.Multi-level security: SELinux, BLP model, defense in depth [3 labs]

4.Student`s choice [4 labs]:

a.Steganography

b.Network security

Study Objective:

Introductory course for network security. The goal is to acquaint the students with the elements of secure system design.

Study materials:

Ross Anderson, Security Engineering 2nd/1st edition (major part available online), chapter numbers refer to second edition

Northcutt: Inside Network Perimeter Security

Northcutt: Network Intrusion Detection: An Analyst's Handbook

Note:
Further information:
http://agents.felk.cvut.cz/wiki/doku.php?id=teaching:bis
No time-table has been prepared for this course
The course is a part of the following study plans:
Data valid to 2019-10-18
For updated information see http://bilakniha.cvut.cz/en/predmet1286706.html