Security and Privacy
A.Y. 2019/2020
Learning objectives
The aim of the course is to introduce students to the conceptual and practical foundations of information security and privacy, with some emphasis on the more implementation-oriented aspects of the discipline. The reference domain is that of computer systems and networks, with particular attention to Linux.
Expected learning outcomes
At the end of the course the student will be able to: evaluate the main vulnerabilities present in a given system; exploit some of these vulnerabilities to gain unauthorized access to information or systems; identify the best countermeasures to adopt against the most common attacks; assess the main threats to privacy arising from the use of specific IT technologies; and design a computer security system for small organizations.
Lesson period: Second semester
Assessment methods: Exam
Assessment result: grade recorded in thirtieths
Single course
This course cannot be attended as a single course. Please check our list of single courses to find the ones available for enrolment.
Course syllabus and organization
Milan
Course syllabus
The course consists of a theory part and a laboratory part. The theory part is organized in four parts.
Part 1: Introduction to ICT security
· Fundamentals
· Access Control
· Elementary cryptography
· Implementation and usability issues
· Physical Security
o Locks and safes
o Authentication technologies
o Physical attacks on computers
o Tamper-proof systems
Part 2: Logical Security
· Operating System Security
o Process security
o Memory Protection Mechanisms
o File system Protection mechanisms
o Application security
o Malware
· Web and network security
o Attacks on the ARP protocol
o Attacks on the IP protocol
o Attacks on the TCP protocol
o DNS attacks
o Firewall
o IDS
o Wi-fi security: WEP/WPA
Part 3: Information Security Management Systems
· Security planning
· Risk Analysis
· Security Policies
· ISO27001: a brief introduction
Part 4: Legal, Privacy and Ethical issues in Computer security
· Ethics and Computer Security
· Privacy
· Legal aspects of Computer Security
· GDPR: a brief introduction
In the laboratory part, students familiarize themselves with some of the techniques and tools illustrated in the theory lectures, using tools that simulate cyber attacks and configuring protection tools. In particular, the topics covered are:
· PGP and a mail client
· File system access control mechanisms in Linux/Windows operating systems
· Simulation of a buffer overflow attack
· Simulation of an ARP poisoning attack
· Simulation of a cross site scripting attack
· Simulation of a web defacement attack
· Introduction to Wireshark
· Introduction to Snort
· Computer Ethics: case studies
A detailed list of the topics covered, lesson by lesson, is published and updated on the course website.
Prerequisites for admission
Programming in at least one imperative programming language (preferably C) and in a web scripting language.
Installing and managing the Linux operating system, configure a local area network and its main services.
Passing the Programming exam is a prerequisite for Security and Privacy. Passing the Operating Systems and Computer Networks exams is also strongly recommended.
Teaching methods
The theory part is delivered through lectures. The laboratory part alternates lectures with exercises and practical activities carried out individually.
Teaching Resources
Website:
https://dbruschisp.ariel.ctu.unimi.it
The textbook adopted for parts 1, 2 and for the laboratory part is:
M. Goodrich, R. Tamassia, "Introduction to Computer Security", Pearson New International Edition, 2014.
For parts 3 and 4 of the course, supplementary material will be made available on the teaching website.
Assessment methods and Criteria
The exam consists of a laboratory test and an oral test.
In the 3-hour laboratory test, students are assigned exercises that require them to 1) analyse a system or a service in order to identify its vulnerabilities, if any; 2) write a program that exploits these vulnerabilities; and 3) demonstrate the effectiveness of that program in accessing confidential information or compromising a service.
The exam ends with the oral test, which can be taken only after passing the laboratory test. The oral exam consists of a discussion of some of the topics covered in the course.
At the end of the oral exam the overall grade is given, expressed in thirtieths, taking into account the following parameters: degree of knowledge of the topics, ability to apply that knowledge to solve concrete problems, critical reasoning skills, clarity of exposition and command of language.
INF/01 - INFORMATICS - University credits: 6
Lessons: 48 hours
Professor:
Bruschi Danilo Mauro
Office hours:
send an email to danilo[dot]bruschi[at]unimi[dot]it
Room 8011, Via Celoria 18