Portale della Didattica

Information systems security

01TYMOV, 01TYMSM

A.A. 2024/25

Course Language

Inglese

Degree programme(s)

Master of science-level of the Bologna process in Ingegneria Informatica (Computer Engineering) - Torino
Master of science-level of the Bologna process in Data Science And Engineering - Torino

Course structure

Teaching	Hours
Lezioni	36
Esercitazioni in aula	9
Esercitazioni in laboratorio	15

Lecturers

Teacher	Status	SSD	h.Les	h.Ex	h.Lab	h.Tut	Years teaching
Berbecaru Diana Gratiela	Ricercatore L240/10	IINF-05/A	36	18	15	0	2

Co-lectures

Espandi

Teacher	Status	SSD	h.Les	h.Ex	h.Lab	h.Tut
Bruno Giacomo	Assegnista di Ricerca		0	0	15	0

Context

SSD	CFU	Activities	Area context
ING-INF/05	6	C - Affini o integrative	Attivit� formative affini o integrative

Statistiche superamento esami

Anno accademico di inizio validit�

2023/24

Presentazione
Course description

This course deals with security issues in modern networked computer systems, paying special attention to data security and protection of computer networks and networked computer applications, in a closed (Intranet) or open (Internet) environment. The course aims to teach the skills needed to perform both the analysis and the high-level design of the security features of IT components and systems.

Information security is a general term increasingly used to refer to many aspects related to the security of systems. Today, various types of devices and architectures are interconnected via multiple networking protocols, and users are accessing services transparently from different platforms thanks to digital identity and authentication techniques. While faster and easier access to services is granted and more complex use cases are built, at the same time more sophisticated cyberattacks occur affecting individual systems, organizations, or even critical infrastructures. This course aims to teach the skills needed to perform both the analysis and the high-level design of security solutions for systems, devices, or infrastructure protection. Specific terminology and terms in the information security area will be presented, and the most widely encountered cybersecurity attacks will be introduced, with the help of famous security incidents. The security properties of components and information systems will be extensively discussed through practical examples. Since not every single component in a system can be protected, the risk analysis process will be addressed to identify the possible vulnerabilities, threats, and countermeasures that could be adopted for the protection of the assets. After the high-level presentation of the security problems, the main cryptographic algorithms (staying at the basis of the design in any security solution) will be studied. The methods used for the implementation of the security properties, such as authentication, authorization, integrity, and non-repudiation will be explained, as well as the architectures put in place for trust establishment and keys distribution (e.g., public key infrastructures), and commonly used secure data formats, e.g., the X.509 public key certificates. Specific lectures will cover the most widely used security protocols or architectures in wired networks, like Transport Layer Security (TLS) or IPSec, or in wireless environments, like Wi-Fi Protected Access II (WPA2). Security solutions for the application level will be explained as well, including the protection of e-mail (via S/MIME security formats), security of remote access channels, and security of web applications. Technical mechanisms are not sufficient in today�s interconnected systems, but administrative procedures and regulations are meant to indicate compulsory or forbidden behaviors. Thus, national and international regulations in force will be addressed, and some techniques for forensic analysis.

Risultati attesi
Expected Learning Outcomes

Knowledge of the main categories of attack against IT systems. Knowledge and critical evaluation of the main concepts (encryption and digest) and technologies (PKI, firewall, VPN, TLS, S/MIME, e-documents) for IT security. Knowledge and critical evaluation of the security architectures for authentication and access control and ability to tailor them to the protection of IT systems. Ability to analyse the risks of a network application and design a solution for its protection.

At the end of the course, the students will: � achieve awareness of the significant security problems and the most difficult challenges in an increasingly interconnected and globalized scenario, knowledge of the main categories of attacks against information systems and vulnerabilities exposed by information systems; � understand the various types of security incidents and attacks, the motivations behind their occurrence, and the available techniques to defend against security attacks. � have knowledge of the security requirements, abstract properties, and fundamental principles of information security, and the ability to recognize, interpret and contextualize them at the company level; � understand the IT risk analysis methodologies, acquire the ability to identify threats and estimate the risks affecting the assets in IT systems and, consequently, evaluate and choose the most appropriate mitigations among those offered by security controls; � understand the main cryptographic techniques and their applications, the critical evaluation of the fundamental components used for information security purposes (e.g., encryption, digest, digital signatures), and the ability to choose appropriate algorithms, implementations, methods of use, and parameters; � acquire knowledge of the authentication methods, access control techniques, X.509 certificates, public key infrastructures (PKI), and mechanisms for single sign-on; � understand the functionality and acquire the ability to classify the main preventive defense technologies (firewall, VPN), security protocols (TLS), or secure formats (S/MIME, electronic documents), as well as the ability to use them for the protection of information systems; � have a fundamental knowledge of the activities, the best practices related to the corporate management of information security, and the regulations in force at the Italian and European levels.

Prerequisiti
Pre-requirements

Foundations of telecommunication systems. Local and wide area networks, wired and wireless (Ethernet, ADSL, WiFI, GSM, IP, routing, ...). TCP/IP networks and applications. High-level programming (C, C++, or Java) and web programming (JS, PHP). Operating systems and database.

For the correct use of the course, the following knowledge and skills are required: � knowledge of local and geographic networks, wired and wireless (Ethernet, ADSL, WiFi, GSM, IP, routing, ...); � knowledge of operating systems (and basic command line skills), databases, and virtualization systems (creation, configuration, and interconnection of virtual machines or containers); � knowledge of TCP/IP networks and related basic configuration skills; � knowledge of the main application protocols (HTTP, SMTP, FTP, �); � sufficient programming skills using high-level languages (in C, C++, or Java) and basic knowledge of web programming techniques and languages (such as JS, PHP, and Python).

Programma
Course topics

(1 CFU) Computer systems (in)security: problems and attacks (sniffing, spoofing, DOS, �), risk analysis. (1 CFU) Basic protection techniques: steganography, cryptography, digest, X.509 certificates, certification authorities (CA) and public-key infrastructures (PKI). (1 CFU) Authentication techniques (password, challenges, Kerberos) and related hardware devices (token and smart-card). (1 CFU) Network security: the IPsec standard to protect IP networks; security of the network configuration and management protocols; firewall and IDS to create protected subnets; virtual private networks (VPN); security of wireless networks. (1 CFU) Application security: e-mail protection (PGP, S/MIME), web security (SSL, TLS) and remote access protection (SSH, TLS), securing web applications. (1 CFU) Secure document workflow and e-commerce; national and international legislation about IT security; digital signature, electronic documents, GDPR (General Data Protection Regulation), forensic analysis.

(1 CFU) Information systems (in)security: security vulnerabilities, and attacks (sniffing, spoofing, Denial of Service, �), risk analysis. (1 CFU) Basic protection techniques: symmetric and asymmetric cryptography, digest, X.509 certificates, Merkle trees, and public-key infrastructures (PKI). (1 CFU) Authentication techniques (password, symmetric or asymmetric challenge, multiple factors), basic techniques, and protocols for single sign-on and digital identities. (1 CFU) Network security: the IPsec standard to protect IP networks; security of the network configuration and management protocols; firewall and IDS to create protected subnets; virtual private networks (VPN); security of wireless networks. (1 CFU) Application security: e-mail protection (PGP, S/MIME), web security (TLS), and remote access protection (SSH), securing web applications. (1 CFU) national and international legislation about IT security; GDPR (General Data Protection Regulation); digital signatures and electronic documents, forensic analysis, and security management in the enterprise environment.

Sustainable development goals

Costruire un'infrastruttura resiliente e promuovere l'innovazione ed una industrializzazione equa, responsabile e sostenibile

Note
Additional information

Organizzazione dell'insegnamento
Course structure

The course consists of lectures (36 hours), classroom exercises (9 hours), and laboratory (15 hours). The laboratory includes the development and analysis of several security solutions. There will be 5 different laboratory subjects.. The classroom exercises will analyse some security solutions, including those tested in the laboratory.

The course consists of lectures, classroom exercises, and laboratories. The lessons will present the main theoretical concepts about cyberattacks, risk analysis, and security mechanisms and protocols at different layers, including network and application. Moreover, they will introduce some tools and cryptographic libraries aimed for the design, analysis and validation of security solutions and their application to protocols, internetworked systems or various application contexts (like wired vs. wireless, desktop-based vs. mobile, embedded devices, or Internet of things). The classroom exercises will be held in an interactive manner, in order to deepen and further exemplify the theoretical concepts presented throughout the lectures with use cases and practical exercises. They may also consist in the design of custom solutions for specific use cases, e.g., selection and analysis of specific authentication methods for web-based scenarios, or performing a risk analysis for a chosen system. The laboratory includes the development and analysis of some security solutions. There will be five (5) different laboratory subjects. It will be shown how (a selected set of) network attacks can be performed in practice, how to use widely available crypto libraries and/or tools for basic cryptographic operations and digital signatures, how to employ tools for the configuration of VPNs, set up of secure channels, or firewalls.

Bibliografia
Reading materials

Handouts of the instructor�s foils and manuals for laboratory coursework. All learning stuff is available at the instructor�s web site. An auxiliary textbook, covering many but not all the topics, is: - W. Stallings, 'Cryptography and Network Security - principles and practice', Prentice-Hall

Handouts of the instructor�s slides, support material for classroom exercises, and manuals for laboratory coursework. All learning materials will be available at the teaching portal. An auxiliary textbook, covering many but not all the topics, is: - W. Stallings, 'Cryptography and Network Security - Principles and practice', Prentice-Hall Other useful materials (e.g. papers published in renowned journals, reports, or books) could be recommended throughout the course for specific course topics.

Materiale di supporto allo studio
Study materials

Slides; Esercizi; Esercitazioni di laboratorio; Video lezioni dell�anno corrente;

Lecture slides; Exercises; Lab exercises; Video lectures (current year);

Criteri, regole e procedure per l'esame
Assessment and grading criteria

Modalit� di esame: Prova scritta (in aula); Elaborato scritto individuale;

Exam: Written test; Individual essay;

... Written test (2 hours) with up to 10 open questions about the analysis and design of security solutions. The written test is a �closed book� one and the maximum grade is 30/30. Alternatively, the student can develop an individual homework about one of the course's topics, delivering a written report, optionally followed by an oral presentation. The report is evaluated up to 27/30 while the oral presentation is worth up to 3/30, for a total grade up to 30/30.

Gli studenti e le studentesse con disabilit� o con Disturbi Specifici di Apprendimento (DSA), oltre alla segnalazione tramite procedura informatizzata, sono invitati a comunicare anche direttamente al/la docente titolare dell'insegnamento, con un preavviso non inferiore ad una settimana dall'avvio della sessione d'esame, gli strumenti compensativi concordati con l'Unit� Special Needs, al fine di permettere al/la docente la declinazione pi� idonea in riferimento alla specifica tipologia di esame.

Exam: Written test; Individual essay;

Written test (90 minutes) with up to 10 open or multiple choice questions about the analysis and design of security solutions. The written test is a �closed book� one and the maximum grade is 30/30. In addition, students are required to return a report for each lab. The lab reports will be graded, for the five (5) lab reports returned the maximum grade is 3/30. The final grade is calculated based on the written test and the lab reports, the maximum final grade is 30 lode. If lab reports are not returned, the final grade is calculated solely on the written test and the maximum final grade is 30/30. Alternatively, the teacher may propose possible (specific) homeworks related to the course topics. Only upon approval of the teacher, the student can develop an individual homework, delivering a written report (of about 30 pages), optionally followed by an oral presentation. The report is evaluated up to 27/30 while the oral presentation is worth up to 3/30, for a total grade up to 30/30. The oral presentation consists of a presentation (of about 20 minutes) about the design and/or development of the individual homework. Also, in this case, the students must return a report for each lab. The lab reports will be graded, and the five (5) lab reports returned are worth up to 3/30. In this case, the final grade is calculated based on the written report, the oral presentation, and the lab reports, the maximum final grade is 30 lode. If lab reports are not returned, the final grade is calculated solely on the written report and the oral presentation, and the maximum final grade is 30/30.

In addition to the message sent by the online system, students with disabilities or Specific Learning Disorders (SLD) are invited to directly inform the professor in charge of the course about the special arrangements for the exam that have been agreed with the Special Needs Unit. The professor has to be informed at least one week before the beginning of the examination session in order to provide students with the most suitable arrangements for each specific type of exam.