Applied Security Laboratory

Overview

This course emphasizes applied aspects of Information Security. The students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectivity and impact of security measures. This part is based on an extensive script and virtual machines that include example applications, questions, and answers.

The students will also complete an independent project: based on a set of functional requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another system. All project work will be performed in teams and must be properly documented.

The Applied Security Laboratory addresses three major topics:

• operating system security (hardening, vulnerability scanning, access control, logging);
• application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security);
• Risk analysis and risk management.

Schedule

• Mandatory introduction lecture: Thursday, Sept 22, 2011 09:15-11:00, Location: CAB  E 87.1;
• Note: there will be no other lectures during the semester. This allows flexible working;
• Lab location: CAB E 87.1;
• Assisted lab hours: Thursdays, 10:00-11:00, Location: CAB E 87.1;
• Open lab hours: Rest of the week, CAB E 87.1.

Project schedule:

• Register project groups: Oct 6, 2011, (e-mail);
• Hand in system description and risk analysis overview / concept: Oct 20, 2011, (e-mail);
• Feedback to your overview / concept: Oct 27, 2011, 10:00-12:00, (CAB E 87.1);
• Hand in final system description and risk analysis: Nov 24, 2011, (e-mail);
• Hand in final system reviews: Dec 15, 2011, 09:00 (e-mail) / presentation of main results: Dec 15, 2011, 09:15-12:00, (CAB E 87.1).

Semester end exam:

• Written, closed-books, 90 minutes: Dec 22, 2011, 10:15-11:45, (LFW B 1)

Requirements

• The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL because several examples are implemented in these languages;
• Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits as compensation for their effort;
• All participants must agree and sign the lab's charter and usage policy during the introduction lecture.

Exam

There will be a written exam at the end of the semester. In addition, all participating students will take part in a longer-term project. This project will contribute to the overall grade.

Longer-term Project

The project will involve the installation, configuration, and implementation of a small IT system that must comply with a given set of functional and security requirements. Students will work in small teams to complete the project. Every student team will afterwards review another team's IT system. Each team will write a report that documents their own IT system as well as the results from their review. The report will be graded. Since it is a team project, the grade will be identical for all members of the team.