# Security of Information and Organizations 2021/2022

## Important Items

• T1: December 3rd 2021, 18:00-19:30, at Anf. IV, Anf. V, Anf. 5.2.22, and 5.3.4.

• T2 and E1: February 10th 2022, 09:00, at ANF. IV, ANF. V, ANF. 5.2.22, 5.3.3

• ES and PS: February 24th 2022, 09:00, at 2.3.12, 2.3.17, 2.3.18

• EE and PE: TBD (September)

• Project 1 - November 12th 2021, 23:59

• Project 2 - January 2nd 2022, 23:59

• Project 3 - January 31st, 23:59

Most laboratory guides will require a specific Virtual Machine available here. The file is compressed. The username and password are both user. It runs best in VirtualBox when added as a disk.

## Planning

According to the UA academic schedule, classes will be lectured from October 11th until January 25th. The subject is composed of 2 hours of theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring, making a total of 5 contact hours per week.

Students are expected to spend an additional 2 hours per week exploring the concepts presented during the lectures. They are also expected to make use of the tutoring times if they have questions or require assistance.

Theoretical classes will present key concepts related to the application of security to modern information systems, and its application to organizations. The practical classes will focus on the exploration of these concepts, and on the exploration and analysis of popular security attacks.

The topics lectured in each class should be as follows. Changes may happen, so please check the schedule frequently.

| Week | Theoretical | Practical |
|---|---|---|
| Oct 11 - Oct 15 | T1: No classes; T2: Introduction to Security | P1,P2,P5-P9: No classes; P3,P4: SQL Injection |
| Oct 18 - Oct 22 | T1: Introduction to Security; T2: Vulnerabilities | P1,P2,P5-P9: SQL Injection; P3,P4: XSS and CORS |
| Oct 25 - Oct 29 | T1: Vulnerabilities; T2: Invited Talk: Ricardo Martins (GCS-UA) | P1-P9: XSS and CORS |
| Nov 1 - Nov 6 | T1: No classes; T2: Applied Cryptography | P1,P2,P5-P9: No classes; P3,P4: Symmetric Cryptography |
| Nov 8 - Nov 12 | T1,T2: Applied Cryptography | P1,P2,P5-P9: Symmetric Cryptography; P3,P4: Asymmetric Cryptography |
| Nov 15 - Nov 19 | T1,T2: Applied Cryptography | P1,P2,P5-P9: Asymmetric Cryptography; P3,P4: Hash Functions |
| Nov 22 - Nov 26 | T1: Applied Cryptography; T2: Management of Asymmetric Keys | P1,P2,P5-P9: Hash Functions; P3,P4: X509 Certificates |
| Nov 29 - Dec 3 | T1: Management of Asymmetric Keys; T2: Smartcards and PTeID | P1,P2,P5-P9: X509 Certificate; P3,P4: Transport Layer Security |
| Dec 6 - Dec 10 | T1: Smartcards and PTeID; T2: Authentication | P1,P2,P5-P9: Transport Layer Security; P3,P4: Smart Cards: PTeID |
| Dec 13 - Dec 17 | T1: Authentication; T2: Authentication | P1,P2,P5-P9: Smart Cards: PTeID; P3,P4: Linux Authentication |
| Dec 20 - Dec 22 | T1: Authentication; T2: Authentication in Devices and Systems | P1,P2,P5-P9: Linux Authentication; P3,P4: No classes |
| Dec 23 - Jan 9 | No classes | No classes |
| Jan 10 - Jan 14 | T1: Authentication in Devices and Systems; T2: OS Security Mechanisms | P1-P9: Firewalls |
| Jan 17 - Jan 21 | T1: OS Security Mechanisms; T2: Secure Storage | P1-P9: Linux Security Mechanisms |
| Jan 24 - Jan 28 | T1: Secure Storage; T2: IEEE 802.11 | P1,P2,P5-P9: Encrypted Storage; P3,P4: Encrypted storage |
| Jan 31 | T1: IEEE 802.11 | P1,P2,P5-P9: Encrypted Storage |

## Rules

### Faculty and Lectures

This edition will be lectured by professors João Paulo Barraca, André Zúquete, Catarina Silva and Vitor Cunha. Teaching staff will be available by email and MS Teams, especially during the allocated tutoring slots. The use of the MS Teams platform for direct communication is highly recommended. Official course information will be available on this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All lecture notes will be made available in both Portuguese and English. Laboratory guides will be provided in English.

Prospective students should be aware that this subject requires some knowledge and comprehension of several topics in the areas of networking, software and operating systems, such as: the Python/C/Java languages, Linux administration and Linux console usage (mostly Debian), virtual machines, sockets, HTTP and HTML, asynchronous applications, hardware architectures.

### Attendance

Students can choose whether to attend the theoretical classes, and it is highly recommended that they do so every week, as attendance correlates with a good outcome. Attendance at practical classes is mandatory and absences will be recorded.

According to the University rules, students must be present at (at least) 70% of the practical classes. For this edition that results in a maximum of 3 unjustified absences. If a student exceeds the number of absences allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading will be composed of two components. Both are mandatory and have a minimum threshold.

1. Theoretical Component: Relates to the contents lectured during all classes, mostly focusing on the theoretical lectures.

   • Option 1: 1 (One) intermediate test (T1), and 1 (One) final test (T2), each contributing 5 points to the component.
      • Each test will cover half of the contents lectured.
      • Students may access the intermediate test without actually returning it for grading.
      • Returning the intermediate test opts the student into Option 1.
   • Option 2: 1 (One) exam (E1) that covers all contents lectured, contributing 10 points to the component.
      • This option is available for students that do not return the intermediate test.
   • Dates:
      • Intermediate Test (T1): December 3rd, including questions that address all contents until Public Key Infrastructures (PKI) (inclusive).
      • Final Test (T2): addressing all contents since Smartcards (inclusive).
      • Final Exam (E1): addressing all contents lectured.
   • Final Theoretical Grade: (T1 + T2) or (E1)
   • Minimum points of this component: 3.5 pt
      • i.e. $t1 + t2 \geq 3.5 \text{ or } e1 \geq 3.5$

2. Practical Component:

   • Development of practical projects by a group of 4 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
   • Assignments may be awarded a maximum bonus of +10% for added innovation.
   • In the practical projects, each student will have a pool of 96 hours to allocate as required. This pool can be used to return assignments after the deadline without penalty. After the pool is exhausted, a standard penalty of 0.1 points per hour applies up to 2 days. After the 2 days (48h), the assignment will not be accepted.
   • Minimum points of this component: 3.5
      • i.e. $practical \geq 3.5$

The following table summarizes the points of each component:

| Component | Item | Points |
|---|---|---|
| P | Project 1 | 3 |
| P | Project 2 | 4 |
| P | Project 3 | 3 |
| T | Intermediate Test - T1 (option 1) | 5 |
| T | Final Test - T2 (option 1) | 5 |
| T | Final Exam - E1 (option 2) | 10 |

### Supplementary season

The supplementary season usually takes place in the beginning of February, and is available for all students that did not obtain at least 9.50 points during the normal season. The remaining students may also access this season, but the University requires an additional administrative process. Grading will be composed of two components, each contributing 10 points to the final grade.

1. Theoretical Component: Optional exam (ES)

   • Theoretical exam covering all contents lectured, with focus on the contents lectured in the theoretical lectures.
   • The final grade will be the maximum between the points obtained in this exam, and the points obtained in the previous exam.
   • Minimum points of this component: 3.5.

2. Practical Component: Optional practical project (PS)

   • Development of a practical project by one or two students.
   • The final grade will be the maximum between the points obtained in this project, and the points obtained in the previous assignments.
   • Minimum grade of this component: 3.5.

### Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed of two components, each contributing 10 points to the final grade. It follows the same rules used in the Supplementary season.

Students that wish to access this season should contact the faculty staff as soon as possible (e.g., July).

#### Software

• AirCrackNG: A complete suite of tools to assess WiFi network security.
• Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
• Wireshark: The most popular packet sniffer application.
• WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
• Kali Linux: A popular Penetration Testing Distribution.
• John the Ripper: A password cracker.