Security of Information and Organizations 2024/2025

Important Dates

  • T1: November 15th, 16.30
  • T2 (and T1): January 13th, 10.00, in ANF.IV, ANF.V, ANF.5.2.22, 5.1.46
  • ES and PS: January 29th, 10.00, in ANF.IV, ANF.V
  • EE and PE: TBD

Most laboratory guides will require a specific Virtual Machine, available here. The file is compressed. The username and password are both sio. It runs best in VirtualBox, added as a disk, with 2GB of RAM.

Planning

According to the UA academic schedule, classes run from September 16th until December 20th. The subject is structured as 2 hours of theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring (optional) per week.

Theoretical classes will present key concepts related to the application of security to modern information systems and organizations. The practical classes will focus on exploring security mechanisms, and on exploring and analysing common security attacks.

The topics lectured in each class should be as follows. Changes may happen, so please check this page frequently.

| Week | Theoretical | Practical |
|---|---|---|
| Sep 16 - Sep 20 | T1: No classes; T2: Introduction to Security | P1-2,P5-11: No classes; P3-4: Security Self Evaluation |
| Sep 23 - Sep 27 | T1: Introduction to Security; T2: Attacks and Vulnerabilities | P1-2,P5-11: Security Self Evaluation; P3-4: XSS vulnerabilities and CORS |
| Sep 30 - Oct 4 | T1: Attacks and Vulnerabilities; T2: Incident Response in an Organization | P1-2,P5-11: XSS vulnerabilities and CORS; P3-4: XSS vulnerabilities and CORS |
| Oct 7 - Oct 11 | T1: Incident Response in an Organization; T2: Modern Symmetric Ciphers | P1-2,P5-11: SQL Injections; P3-4: Symmetric Cryptography |
| Oct 14 - Oct 18 | T1: Modern Symmetric Ciphers; T2: Digests and Asymmetric Cryptography | P1-2,P5-11: Symmetric Cryptography; P3-4: Asymmetric Cryptography |
| Oct 21 - Oct 25 | T1: Digests and Asymmetric Cryptography; T2: Management of Asymmetric Keys | P1-2,P5-11: Asymmetric Cryptography; P3-4: Certificate Validation |
| Oct 28 - Nov 1 | T1: Management of Asymmetric Keys; T2: Authentication Protocols and Methods | P1-2,P5-11: Certificate Validation; P3-4: Authentication in SSH |
| Nov 4 - Nov 8 | T1: Authentication Protocols and Methods; T2: Authentication Protocols and Methods | P1-2,P5-11: Authentication in SSH; P3-4: Authentication with FIDO2 |
| Nov 11 - Nov 15 | T1: Authentication Protocols and Methods; T2: Access Control Models | P1-2,P5-11: Authentication with FIDO2; P3-4: Access Control |
| Nov 18 - Nov 22 | T1: Access Control Models; T2: Secure Application Development | P1-2,P5-11: Access Control; P3-4: Secure Development |
| Nov 25 - Nov 29 | T1: Secure Application Development; T2: Security in Operating Systems | P1-2,P5-11: Secure Development; P3-4: Linux Security |
| Dec 2 - Dec 6 | T1: Security in Operating Systems; T2: Secure Communications | P1-2,P5-11: Linux Security; P3-4: Linux Firewalls |
| Dec 9 - Dec 13 | T1: Secure Communications; T2: Secure and Resilient Storage | P1-2,P5-11: Linux Firewalls; P3-4: Secure Storage |
| Dec 16 - Dec 20 | T1: Secure and Resilient Storage; T2: Secure and Resilient Storage | P1-2,P5-11: Secure Storage; P3-4: Secure Storage |

Rules

Faculty and Lectures

The theoretical classes will be lectured by professors João Paulo Barraca and André Zúquete. The practical classes will be lectured by Alfredo Matos, Catarina Silva, Paulo Bartolomeu, Pedro Escaleira, and Vitor Cunha. Teaching staff will be available especially during the allocated tutoring slots. Official course information will be available on this page or through the Elearning platform.

Classes will be lectured in Portuguese, unless a foreign student is attending, in which case English will be used. All lecture notes will be made available in English. Laboratory guides will be provided in English.

Prospective students should be aware that this subject requires some basic knowledge of several topics in the areas of networking, programming and operating systems, such as: the Python/C/Java languages, Linux and Linux console usage (mostly Debian/Ubuntu), and virtual machines.

Attendance

Students can choose whether to attend the theoretical classes, but it is highly recommended that they do so every week, as attendance correlates with a good outcome. Attendance at practical classes is mandatory and absences will be recorded.

According to the University rules, students must be present at (at least) 70% of the practical classes. For this edition that results in a maximum of 4 (Monday classes) or 3 (Thursday classes) unjustified absences. A student who exceeds the number of absences allowed will automatically fail the subject and won’t be allowed to take any other evaluation during the current academic year.

Grading

Grading consists of two components. Both are mandatory and each has a minimum threshold.

  1. Theoretical Component: Relates to the contents lectured during all classes, mostly focusing on the theoretical lectures.

    • 1 (One) exam (E1), composed of 2 (two) parts (T1 and T2), covering all contents lectured and contributing 10 points to the component.

      • An opportunity will be given to take the first part (T1) in mid November.
      • If T1 is handed in, it will be considered for grading; otherwise an equivalent test can be taken in the Exam season.
      • The second part (T2) will be available in the Exam season.
    • Dates:

      • T1: November 15th or in the Exam season, including questions that address all contents up to and including Management of Asymmetric Keys.
      • T2: During the Exam season, addressing all contents from Authentication Protocols and Methods (inclusive) onwards.
    • Final Theoretical Grade: (T1 + T2)

    • Minimum points of this component: 3.5 pts (0-10)

      • i.e. $T1 + T2 \ge 3.5$
  2. Practical Component:

    • Development of a practical project by a group of X students. Exceptionally, fewer students may be allowed after explicit authorization by the professors.
      • Assignments may be awarded a bonus of up to +10% for additional innovations. Such innovations are a bonus and can be discussed with the professors before handing in the project.
      • In the practical projects, each student will have a pool of 96 hours to allocate as required across their deliveries. This pool can be used to hand in assignments after the deadline without any penalty. After the pool is exhausted, a standard penalty of 0.1 points per hour applies for up to 2 days. After 2 days (96h+48h), the assignment will not be accepted.
      • Projects will need to be presented and defended.
    • Minimum points of this component: 3.5
      • i.e. $practical \ge 3.5$

The following table summarizes the points of each component:

| Component | Item | Points |
|---|---|---|
| P | Project - Delivery 1 | 3 |
| P | Project - Delivery 2 | 3 |
| P | Project - Delivery 3 | 4 |
| T | T1 | 5 |
| T | T2 | 5 |

Supplementary season

The supplementary season takes place from January 26th until February 8th. It is available to all students who failed to obtain at least 9.50 points during the normal season, or at least 3.5 in one of the components. The remaining students may also access this season, but the University requires an additional administrative process. Grading consists of two components, each contributing 10 points to the final grade.

Rules for this season will be updated at a later time.

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading consists of two components, each contributing 10 points to the final grade. It follows the same rules used in the Supplementary season.

Rules for this season will be updated at a later time.

Additional Content

Software

  • AirCrackNG: A complete suite of tools to assess WiFi network security.
  • Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
  • Wireshark: The most popular packet sniffer application.
  • WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
  • Kali Linux: A popular Penetration Testing Distribution.
  • John the Ripper: A password cracker.
  • Hashcat: Advanced password recovery tool, especially tailored to OpenCL.
  • nmap: Probably the most famous port scanner and reconnaissance tool.
  • Pwnagotchi: Deep Reinforcement Learning for WiFi pwning.

Websites

Books
