Caricamento in corso...
Information systems security
01TYMOV, 01TYMSM
A.A. 2024/25
Course Language
Inglese
Degree programme(s)
Master of science-level of the Bologna process in Ingegneria Informatica (Computer Engineering) - Torino
Master of science-level of the Bologna process in Data Science And Engineering - Torino
Course structure
| Teaching | Hours |
|---|---|
| Lezioni | 36 |
| Esercitazioni in aula | 9 |
| Esercitazioni in laboratorio | 15 |
Lecturers
| Teacher | Status | SSD | h.Les | h.Ex | h.Lab | h.Tut | Years teaching |
|---|---|---|---|---|---|---|---|
| Berbecaru Diana Gratiela | Collaboratore Esterno | 36 | 18 | 15 | 0 | 2 |
Co-lectures
Context
| SSD | CFU | Activities | Area context |
|---|---|---|---|
| ING-INF/05 | 6 | C - Affini o integrative | Attività formative affini o integrative |
2023/24
Information security is a general term increasingly used to refer to many aspects related to the security of systems. Today, various types of devices and architectures are interconnected via multiple networking protocols, and users are accessing services transparently from different platforms thanks to digital identity and authentication techniques. While faster and easier access to services is granted and more complex use cases are built, at the same time more sophisticated cyberattacks occur affecting individual systems, organizations, or even critical infrastructures.
This course aims to teach the skills needed to perform both the analysis and the high-level design of security solutions for systems, devices, or infrastructure protection. Specific terminology and terms in the information security area will be presented, and the most widely encountered cybersecurity attacks will be introduced, with the help of famous security incidents. The security properties of components and information systems will be extensively discussed through practical examples. Since not every single component in a system can be protected, the risk analysis process will be addressed to identify the possible vulnerabilities, threats, and countermeasures that could be adopted for the protection of the assets. After the high-level presentation of the security problems, the main cryptographic algorithms (staying at the basis of the design in any security solution) will be studied. The methods used for the implementation of the security properties, such as authentication, authorization, integrity, and non-repudiation will be explained, as well as the architectures put in place for trust establishment and keys distribution (e.g., public key infrastructures), and commonly used secure data formats, e.g., the X.509 public key certificates.
Specific lectures will cover the most widely used security protocols or architectures in wired networks, like Transport Layer Security (TLS) or IPSec, or in wireless environments, like Wi-Fi Protected Access II (WPA2). Security solutions for the application level will be explained as well, including the protection of e-mail (via S/MIME security formats), security of remote access channels, and security of web applications. Technical mechanisms are not sufficient in today’s interconnected systems, but administrative procedures and regulations are meant to indicate compulsory or forbidden behaviors. Thus, national and international regulations in force will be addressed, and some techniques for forensic analysis.
At the end of the course, the students will:
• achieve awareness of the significant security problems and the most difficult challenges in an increasingly interconnected and globalized scenario, knowledge of the main categories of attacks against information systems and vulnerabilities exposed by information systems;
• understand the various types of security incidents and attacks, the motivations behind their occurrence, and the available techniques to defend against security attacks.
• have knowledge of the security requirements, abstract properties, and fundamental principles of information security, and the ability to recognize, interpret and contextualize them at the company level;
• understand the IT risk analysis methodologies, acquire the ability to identify threats and estimate the risks affecting the assets in IT systems and, consequently, evaluate and choose the most appropriate mitigations among those offered by security controls;
• understand the main cryptographic techniques and their applications, the critical evaluation of the fundamental components used for information security purposes (e.g., encryption, digest, digital signatures), and the ability to choose appropriate algorithms, implementations, methods of use, and parameters;
• acquire knowledge of the authentication methods, access control techniques, X.509 certificates, public key infrastructures (PKI), and mechanisms for single sign-on;
• understand the functionality and acquire the ability to classify the main preventive defense technologies (firewall, VPN), security protocols (TLS), or secure formats (S/MIME, electronic documents), as well as the ability to use them for the protection of information systems;
• have a fundamental knowledge of the activities, the best practices related to the corporate management of information security, and the regulations in force at the Italian and European levels.
For the correct use of the course, the following knowledge and skills are required:
• knowledge of local and geographic networks, wired and wireless (Ethernet, ADSL, WiFi, GSM, IP, routing, ...);
• knowledge of operating systems (and basic command line skills), databases, and virtualization systems (creation, configuration, and interconnection of virtual machines or containers);
• knowledge of TCP/IP networks and related basic configuration skills;
• knowledge of the main application protocols (HTTP, SMTP, FTP, …);
• sufficient programming skills using high-level languages (in C, C++, or Java) and basic knowledge of web programming techniques and languages (such as JS, PHP, and Python).
(1 CFU) Information systems (in)security: security vulnerabilities, and attacks (sniffing, spoofing, Denial of Service, …), risk analysis.
(1 CFU) Basic protection techniques: symmetric and asymmetric cryptography, digest, X.509 certificates, Merkle trees, and public-key infrastructures (PKI).
(1 CFU) Authentication techniques (password, symmetric or asymmetric challenge, multiple factors), basic techniques, and protocols for single sign-on and digital identities.
(1 CFU) Network security: the IPsec standard to protect IP networks; security of the network configuration and management protocols; firewall and IDS to create protected subnets; virtual private networks (VPN); security of wireless networks.
(1 CFU) Application security: e-mail protection (PGP, S/MIME), web security (TLS), and remote access protection (SSH), securing web applications.
(1 CFU) national and international legislation about IT security; GDPR (General Data Protection Regulation); digital signatures and electronic documents, forensic analysis, and security management in the enterprise environment.
The course consists of lectures, classroom exercises, and laboratories.
The lessons will present the main theoretical concepts about cyberattacks, risk analysis, and security mechanisms and protocols at different layers, including network and application. Moreover, they will introduce some tools and cryptographic libraries aimed for the design, analysis and validation of security solutions and their application to protocols, internetworked systems or various application contexts (like wired vs. wireless, desktop-based vs. mobile, embedded devices, or Internet of things).
The classroom exercises will be held in an interactive manner, in order to deepen and further exemplify the theoretical concepts presented throughout the lectures with use cases and practical exercises. They may also consist in the design of custom solutions for specific use cases, e.g., selection and analysis of specific authentication methods for web-based scenarios, or performing a risk analysis for a chosen system.
The laboratory includes the development and analysis of some security solutions. There will be five (5) different laboratory subjects. It will be shown how (a selected set of) network attacks can be performed in practice, how to use widely available crypto libraries and/or tools for basic cryptographic operations and digital signatures, how to employ tools for the configuration of VPNs, set up of secure channels, or firewalls.
Handouts of the instructor’s slides, support material for classroom exercises, and manuals for laboratory coursework.
All learning materials will be available at the teaching portal.
An auxiliary textbook, covering many but not all the topics, is:
- W. Stallings, 'Cryptography and Network Security - Principles and practice', Prentice-Hall
Other useful materials (e.g. papers published in renowned journals, reports, or books) could be recommended throughout the course for specific course topics.
Lecture slides; Exercises; Lab exercises; Video lectures (current year);
Exam: Written test; Individual essay;
Written test (90 minutes) with up to 10 open or multiple choice questions about the analysis and design of security solutions. The written test is a “closed book” one and the maximum grade is 30/30. In addition, students are required to return a report for each lab. The lab reports will be graded, for the five (5) lab reports returned the maximum grade is 3/30. The final grade is calculated based on the written test and the lab reports, the maximum final grade is 30 lode. If lab reports are not returned, the final grade is calculated solely on the written test and the maximum final grade is 30/30.
Alternatively, the teacher may propose possible (specific) homeworks related to the course topics. Only upon approval of the teacher, the student can develop an individual homework, delivering a written report (of about 30 pages), optionally followed by an oral presentation. The report is evaluated up to 27/30 while the oral presentation is worth up to 3/30, for a total grade up to 30/30. The oral presentation consists of a presentation (of about 20 minutes) about the design and/or development of the individual homework. Also, in this case, the students must return a report for each lab. The lab reports will be graded, and the five (5) lab reports returned are worth up to 3/30. In this case, the final grade is calculated based on the written report, the oral presentation, and the lab reports, the maximum final grade is 30 lode. If lab reports are not returned, the final grade is calculated solely on the written report and the oral presentation, and the maximum final grade is 30/30.
In addition to the message sent by the online system, students with disabilities or Specific Learning Disorders (SLD) are invited to directly inform the professor in charge of the course about the special arrangements for the exam that have been agreed with the Special Needs Unit. The professor has to be informed at least one week before the beginning of the examination session in order to provide students with the most suitable arrangements for each specific type of exam.