Security of Information and Organizations 2024/2025

Important Dates

  • T1: November 15th, 16.30
  • T2 (and T1): January 13th, 10.00, in ANF.IV, ANF.V, ANF.5.2.22, 5.1.46
  • ES and PS: January 29th, 10.00, in ANF. IV, ANF. V
  • EE and PE: TBD

Most laboratory guides will require a specific Virtual Machine available here. The file is compressed. The username and password are sio. It runs best in VirtualBox added as a disk, and with 2GB of RAM.

Planning

According to the UA academic schedule, classes will be lectured from September 16th, until December 20th. The subject is structured as 2 hours of theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring hours (optional).

Theoretical classes will present key concepts related to the application of security to modern information systems, and organizations. The practical classes will be focused in the exploration of security mechanisms, and in the exploration and analysis of common security attacks.

The topics lectured in each class should be as follows. Changes may happen, so please check it frequently.

Week Theoretical Practical
Sep 16 - Sep 20 T1: No classes
T2: Introduction to Security
P1-2,P5-11: No classes
P3-4: Security Self Evaluation
Sep 23 - Sep 27 T1: Introduction to Security
T2: Attacks and Vulnerabilities
P1-2,P5-11: Security Self Evaluation
P3-4: XSS vulnerabilities and CORS
Sep 30 - Oct 4 T1: Attacks and Vulnerabilities
T2: Incident Response in a Organization
P1-2,P5-11: XSS vulnerabilities and CORS
P3-4: XSS vulnerabilities and CORS
Oct 7 - Oct 11 T1: Incident Response in a Organization
T2: Modern Symmetric Cyphers
P1-2,P5-11: SQL Injections
P3-4: Symmetric Cryptography
Oct 14 - Oct 18 T1: Modern Symmetric Cyphers
T2: Digests and Asymmetric Cryptography
P1-2,P5-11: Symmetric Cryptography
P3-4: Asymmetric Cryptography
Oct 21 - Oct 25 T1: Digests and Asymmetric Cryptography
T2: Management of Asymmetric Keys
P1-2,P5-11: Asymmetric Cryptography
P3-4: Certificate Validation
Oct 28 - Nov 1 T1: Management of Asymmetric Keys
T2: Authentication Protocols and Methods
P1-2,P5-11: Certificate Validation
P3-4: Authentication in SSH
Nov 4 - Nov 8 T1: Authentication Protocols and Methods
T2: Authentication Protocols and Methods
P1-2,P5-11: Authentication in SSH
P3-4: Authentication with FIDO2
Nov 11 - Nov 15 T1: Authentication Protocols and Methods
T2: Access Control Models
P1-2,P5-11: Authentication with FIDO2
P3-4: Access Control
Nov 18 - Nov 22 T1: Access Control Models
T2: Secure Application Development
P1-2,P5-11: Access Control
P3-4: Secure Development
Nov 25 - Nov 29 T1: Secure Application Development
T2: Security in Operating Systems
P1-2,P5-11: Secure Development
P3-4: Linux Security
Dec 2 - Dec 6 T1: Security in Operating Systems
T2: Secure Communications
P1-2,P5-11: Linux Security
P3-4:
Dec 9 - Dec 13 T1: Secure Communications
T2: Secure and Resilient Storage
P1-2,P5-11:
P3-4:
Dec 16 - Dec 20 T1: Secure and Resilient Storage
T2: Secure and Resilient Storage
P1-2,P5-11:
P3-4:

Rules

Faculty and Lectures

The theoretical classes will be lectured by professors João Paulo Barraca, André Zúquete. The practical classes will be lectured by Paulo Bartolomeu, Vitor Cunha, Alfredo Matos, Pedro Escaleira and Catarina Silva. Teaching staff will be available especially during the allocated tutoring slots. Official course information will be available on this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All lecture notes will be made available in English. Laboratory guides will be provided in English.

Prospecting students should be aware that this subject require some basic knowledge of several topics in the areas of networking, programmimg and operating systems, such as: the Python/C/Java languages, Linux, and Linux console usage (mostly Debian/Ubuntu), and virtual machines.

Attendance

Students can choose to attend the theoretical classes, and is highly recommended they do so every week as it correlates with a good outcome. Attendance to practical classes is mandatory and faults will be recorded.

According to the University rules, students must be present at (at least) 70% of the practical classes. For this edition that results in a maximum of 4 (Monday classes) or 3 (Thursday classes) unjustified faults. If a student exceeds the number of faults allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading

Grading will be composed by two components. Both are mandatory and have a minimum threshold.

  1. Theoretical Component: Relates to the contents lectured during all classes, mostly focusing on the theoretical lectures.

    • 1 (One) exam (E1), composed by 2 (two) parts (T1 and T2), covering all contents lectured, and contributing with 10 points to the component.

      • An opportunity will be given to perform the first part (T1) in mid November.
      • If T1 is returned, it will be considered for grading, otherwise an equivalent test can be done in the Exam season.
      • The second part (T2) will be available in the Exam season.
    • Dates:

      • T1: November 15th or in the exam Season, including questions that address all contents until Management of Asymmetric Keys (including).
      • T2: During the exam season, addressing all contents since Authentication Protocols and Methods (including).
    • Final Theoretical Grade: (T1 + T2)

    • Minimum points of this component: 3.5 pts (0-10)

      • i.e. $ T1 + T2 >= 3.5$
  2. Practical Component:

    • Development of practical project by a group of X students. Exceptionally, less students may be allowed after explicit authorization by the professors.
      • assignments may be awarded a maximum bonus +10% due to the addition of additional innovations. Additional innovations is a bonus and can be discussed with the professores before returning the project.
      • In the practical projects, each student will have a pool of 96 hours to allocate as required in their deliveries. This pool can be used to return assignments after the deadline without any penalty. After the pool is exausted, a standard penalty of 0.1 points per hour applies up to 2 days. After 2 days (96h+48h), the assignment will not be accepted.
      • Projects will need to be presented and defended.
    • Minimum points of this component: 3.5
      • i.e. $practical >= 3.5$

The following table summarizes the points of each component:

Component Item Points
P Project - Delivery 1 3
P Project - Delivery 2 3
P Project - Delivery 3 4
T T1 5
T T2 5

Supplementary season

The supplementary season takes place from January 26th until February 8th. It is available for all students that failed to obtain at least 9.50 points during the normal season, or 3.5 and one of the components. The remaining students may also access this season, but the University requires an additional administrative process. Grading will be composed by two components, each contributing with 10 points to the final grade.

Rules for this season will be updated at a later time

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed by two components, each contributing with 10 points to the final grade. It follows the same rules used in the Supplementary season.

Rules for this season will be updated at a later time

Additional Content

Software

  • AirCrackNG: A complete suite of tools to assess WiFi network security.
  • Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
  • Wireshark: The most popular packet sniffer application.
  • WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
  • Kali Linux: A popular Penetration Testing Distribution.
  • John the Ripper: A password Cracker.
  • Hashcat: Advanced Password Recovery tool, especially tailored at OpenCL.
  • nmap: Probably the most famous port scanner and recognaissance tool.
  • Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning.

Websites

Books

Next