Information and Organizational Security 2019/2020

This subject belong to the 3rd year of the LEI degree, following the description present at the official webpage

This edition will be lectured by professor João Paulo Barraca (email: jpbarraca@ua.pt), with the support of professor Vitor Cunha (email: vitorcunha@ua.pt). Both professors will both be available by email and Slack channel #security-inf-org, especially during the allocated tutoring slots. The use of the Slack platform for direct communication is highly recommended. Official course information will be available in this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All content is developed in the Portuguese and English languages.

As requirements for this subject, students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as: the Python/C/Java languages, Linux administration and Linux console usage (mostly Debian and Arch), virtual machines, sockets, HTTP and HTML, asynchronous applications, hardware architectures.

Important Dates

  • T1: November 15th, 14.30, Anf V
  • T2 and E1: January 14th, 10.00, Anf IV and Anf V
  • ES and PS: January 31st, 15.00, Anf IV
  • EE and PE: September 18th

Theoretical Component

  1. Introduction: Slides-PT, Slides-EN

  2. Vulnerabilities: Slides

  3. Cryptography: Slides

  4. Management of Asymmetric Keys: Slides

  5. SmartCards - PTEID: Slides

  6. Authentication: Slides

  7. Security in IEEE 802.11 WN: Slides

  8. Network Filtering with Firewalls: Slides

  9. Security in Operating Systems: Slides

  10. Secure and Redundant Storage Slides

Practical Component

Applied Security Assignments

These assignments will focus on the content of the practical classes, assessing the analytical and programming aspects of security in information systems. Each assignment will contribute with 2.5 points to the final grade.

Students will have a total grace period of 96 hours after the deadline of the assignments. As an example, returning the first assignment at 7 AM will discount 7 hours from each student in the same team. In the following assignment, the students will only have 89 hours available.

After the grace hours are over, each hour will incur in 0.083 penalty points.

  1. Vulnerability Assessment and Exploitation: guide, VM
    • Deadline: October 18th, 23.59
  2. Applied Cryptography: guide
    • Deadline: November 17th, 23.59
  3. Authentication and Access Control: guide
    • Deadline: December 13th, 23.59
  4. Forensics Analysis: guide
    • Deadline: January 3rd, 23.59

Laboratory guides

  1. Vulnerabilities - SQL Injection

  2. Vulnerabilities - XSS. CORS and CSF

  3. Cryptography

  4. Validation of X.509 Certificates

  5. Smartcards and the Portuguese eID

  6. Secure Communications with SSL

  7. Secure Communications with SSH

  8. Attacks to Wireless Networks

  9. Linux Firewalls

  10. Privilege Escalation and Confinement

  11. Secure Encrypted Storage (to be done autonomously)

Useful Content

Software

  • AirCrackNG: A complete suite of tools to assess WiFi network security.
  • Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
  • Wireshark: The most popular packet sniffer application
  • WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
  • Kali Linux: A popular Penetration Testing Distribution
  • John the Ripper: A password Cracker
  • Hashcat: Advanced Password Recovery tool, especially tailored at OpenCL
  • nmap: Probably the most famous port scanner and recognaissance tool
  • Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning

Websites

Books

Misc Resources

Planning

According to the UA academic schedule classes start at September 16th, and end on December 20th. The subject is composed by a 2 hours theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring making, a total of 5 hours per week of contact hours. It is expected the students to spend an additional 2 hours per week exploring the concepts presented during the lectures. It is also expected them to make use of the tutoring times. Theoretical classes will present key concepts related to the application of security to modern information systems, and its application to organizations. The practical classes will be focused in the exploration of these concepts, and in the exploration and analysis of popular security attacks.

The topics lectured in each class should be as presented in the next table. Changes may happen, so please check it frequently.

# Date Theoretical class Practical class
1 Sep 23 Introduction Vulnerabilities: SQL Injection
2 Sep 30 Vulnerabilities Vulnerabilities: XSS and CORS
3 Oct 7 Applied Cryptography Cryptography - Stream Ciphers
4 Oct 14 Applied Cryptography Cryptography - Block Ciphers and Digests
5 Oct 21 Applied Cryptography Cryptography - Asymmetric ciphers
6 Oct 28 Management of Asymmetric Keys Certification Chains
7 Nov 4 Smartcards: PTEID SmartCards and PKCS #11
8 Nov 11 Authentication Secure communications with SSL
9 Nov 18 Authentication Secure Communications with SSH
10 Nov 25 Security in IEEE 802.11 WN Security in IEEE 802.11
12 Dec 2 Network Filtering with Firewalls Firewalls with iptables
13 Dec 9 Security in Operating Systems Privilege Escalation and Confinement
14 Dec 16 Secure and Redundant Storage Secure Encrypted Storage

Grading

Grades will be posted the elearning page. All partial grades presented will be rounded to the hundredths (X.XX).

Attendance Rules

Students can choose to attend the theoretical classes, and is highly recommended they do so every week as it correlates with a good outcome. Attendance to practical classes is mandatory and faults will be recorded.

According to the University rules, students must be present at (at least) 80% of the practical classes. For this edition that results in a maximum of 2 unjustified faults. If a student exceeds the number of faults allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading rules

Grading will be composed by two components, each contributing with 10 points over 20 (50%) to the final grade.

  1. Theoretical Component: Relates to the contents lectured during the theoretical lectures and laboratories.
    • Option 1: 1 (One) intermediate test (T1), and 1 (One) final test (T2), each contributing with 5 points.
    • Each test will cover half of the contents lectured.
    • Students may access the intermediate test without actually returning it for grading.
    • Returning the intermediate test signals the choice of following Option 1.
    • Option 2: 1 (One) exam (E1) that covers all contents lectured, and contributing to 10 points.
    • This option is available for students that do not return the intermediate test.
    • Dates:
      • Intermediate Test (T1): November 15th, 2019, Anf V, 14:30h-15:30, including questions that address all contents until Smartcards (including).
      • Final Test (T2): January 14th, Anf IV and Anf V, 10:00h, addressing all contents since Authentication Protocols.
      • Final Exam (E1): January 14th, Anf IV and Anf V, 10:00h, addressing all contents lectured
    • Final Theoretical Grade: (T1 + T1) or (E1)
    • Minimum grade of this component: 3.5 in 10
      • i.e. $t1 + t1 >= 3.5 \text{ or } e1 >= 3.5$
  2. Practical Component:
    • Development of practical projects by a group of 2 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
      • groups with more than 2 members will have a penalty of 10%.
      • groups with one member will not have any bonus.
    • Minimum grade of this component: 3.5 in 10
      • i.e. $practical >= 3.5$

The following table summarizes the points of each component:

Component Item Points
P Assignment 1 2.5
P Assignment 2 2.5
P Assignment 3 2.5
P Assignment 4 2.5
T Intermediate Test- T1 (option 1) 5
T Final Test - T2 (option 1) 5
T Final Exam - E1 (option 2) 10

Supplementary season

The supplementary season usually takes place in the end of January, and is available for all students that did not obtained at least 9.50 points during the normal season. The remaining students may also access this season, but the University requires an additional administrative. Grading will be composed by two components, each contributing with 10 points (50%) to the final grade.

  1. Theoretical Component : Optional exam (ES)

    • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
    • Returning this exam will replace the theoretical grade obtained in the normal season, if this grade is higher than the previous one.
    • Minimum grade of this component: 3.5 in 10.

  2. Practical Component: Optional practical project (PS)

    • Development of a practical project by one or two students.
    • Minimum grade of this component: 3.5 in 10.

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed by two components, each contributing with 10 points (50%) to the final grade.

  1. Theoretical Component : Optional exam (EE)

    • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
    • Minimum grade of this component: 3.5 in 10.

  2. Practical Component: Optional practical project (PE)

    • Development of a practical project by one student.
    • Minimum grade of this component: 3.5 in 10.