This course aims at providing an up-to-date survey of developments and practice in computer security. It covers the central problems that confront security designers and security administrators, that is defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures. Main arguments are: Computer Security Technology and Principles; Software Security and Trusted Systems; Management Issues.
Required Textbook: Computer Security: Principles and Practice (4th ed.) - William Stallings, Lawrie Brown - Pearson (2017).
Additional teaching material:
- slides presented during the course;
- published research papers and technical reports on specific relevant topics.
Upon successful completion of this course, the student will be able to
- identify the theoretical and practical problems of computer systems and networks security;
- recognize security issues concerning cyber infrastructures;
- understand and assess threats to fundamental security properties;
- propose appropriate countermeasures by applying the main security mechanisms to mitigate vulnerabilities;
- present concepts to others.
Knowledge and understanding:
theory and practice used to attain security on computer systems and networks; risk assessment and security management; technological bases for secure systems; human factor and personnel, legal and ethical issues.
Practical application of knowledge and understanding:
capability to perform a simple risk assessment for some organisation and to utilise the studied approaches to securing computer software and systems.
Courses on computer architecture, operating systems and computer networks are recommended.
Class lectures: 64 (hours).
Seminars by students on specific relevant topics: 8 (hours).
Attendance to lectures: recommended.
Teaching Tools UNIFI E-Learning: https://e-l.unifi.it/.
Office Hours: usually on Tuesday from 2.00pm to 3.30pm, make an appointment by e-mail (email@example.com).
Type of Assessment
The exam consists of two parts:
1. a presentation during the classes or a detailed report, with appropriate technical details and citations to the bibliographic sources, focusing on a specific topic concerning computer security (the topic must be agreed by the teacher and the student);
2. an oral exam covering all the topics presented during the course.
Having passed the first part is a prerequisite to access the second part of the exam.
Provided both are sufficient, the final mark will be determined by a weighted average of the marks on the presentation/report (with weight 1/3) and the oral exam (with weight 2/3).
The presentation/report aims at evaluating the student's capability to apply the acquired knowledge and the studied approaches to securing computer software and systems in order to autonomously deepen the study of a specific topic, and his/her ability to comprehend new concepts and, possibly, to present them to others.
The oral exam aims to evaluate the student's understanding of the threats to computer and network systems, the relative risks of these threats, and the cost-effective and user-friendly countermeasures. In addition to the knowledge of the topics presented in class, the clarity of the presentation, the appropriate use of specialist vocabulary, and the ability to relate different topics of the program to each other will also be assessed.
During the course:
- the main basic principles of computer security will be presented and their application in specific areas of computer security will be studied;
- alternative approaches to meeting specific computer security requirements will be examined;
- related standards, important for the understanding of the current status and future direction of technology, will be comprehensively discussed;
- practical applications to a real-world environment will be analysed.
Computer Security Concepts (Threats, Attacks, and Assets); Fundamental Security Design Principles; Attack Surfaces and Attack Trees; Cryptographic Tools; User Authentication; Access Control Principles; Database and Data Center Security; SQL Injection Attacks; Malicious Software; Denial-of-Service Attacks; Intrusion Detection Systems; Firewalls and Intrusion Prevention Systems; Software Security; Operating System Security; Cloud and IoT Security; IT Security Management and Risk Assessment; Human Factors; Social Engineering; Legal and Ethical Issues.