The course aims to provide an up-to-date survey of developments and practice in computer security. It covers the central problems that confront security designers and security administrators: defining the threats to computer systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures.
Required Textbook: Computer Security: Principles and Practice (4th ed.) - William Stallings, Lawrie Brown - Pearson (2018).
Additional teaching material (made available by the teacher):
- slides presented during the course;
- published research papers and technical reports on specific relevant topics.
Learning Objectives
Upon completing this course, the student should acquire knowledge and understanding of computer security basics, and some related skills.
In particular, they should
[Knowledge and understanding] know and understand: the theory and practice used to attain security of computer systems; risk assessment and security management; technological bases for secure systems; human factors and personnel, legal and ethical issues.
[Applying knowledge and understanding] be able to: identify the theoretical and practical problems of computer systems; recognize security issues concerning cyber infrastructures; propose appropriate countermeasures by applying the main security mechanisms to mitigate vulnerabilities.
[Making judgments] be able to: assess the severity of threats to fundamental security properties and the security posture of a computer system; compare solutions to computer security problems in a critical way.
[Communication skills] be able to present computer security concepts, problems, and solutions to others in a clear and competent way.
[Learning skills] be able to autonomously integrate their know-how and keep up to date with computer security by studying topics, methods, and techniques not dealt with during the course.
Prerequisites
Courses on computer architecture, operating systems and computer networks are recommended.
Teaching Methods
Class lectures, based on slides. Classroom presentations made by students with the support of the teacher.
Further information
The course takes place at the Centro Didattico Morgagni (Viale Morgagni 40-44, Firenze), according to the scheduled lesson timetable (https://kairos.unifi.it/agendaweb/). Attendance at class lectures is not mandatory but is strongly recommended. The course website is available on the University platform (https://e-l.unifi.it/). Office hours: usually on Thursday from 2.00pm to 4.00pm; make an appointment by e-mail (rosario.pugliese@unifi.it).
Type of Assessment
Learning outcomes are assessed using two different tests:
1. a classroom presentation or a detailed written report, focusing on a specific topic concerning computer security (the topic must be agreed upon by the teacher and the student);
2. an oral exam, consisting of questions that may cover all the topics presented during the course.
The evaluation of each test is expressed as a mark out of thirty, with possible laude. A test is successfully passed if the assigned mark is at least eighteen. Having successfully passed the first test is a prerequisite for accessing the second test. Provided both tests are sufficient, the final mark will be determined by a weighted average of the marks on the presentation/report (with a weight of 1/4) and the oral exam (with a weight of 3/4).
Each learning outcome is assessed in at least one of the two tests composing the exam.
The presentation/report, which must contain relevant technical details and citations to the bibliographic sources, aims to evaluate the student's capability to autonomously study and understand a new computer security issue or deepen the study of a specific issue, and to present computer security issues to others in a clear and competent way. Its mark is also determined by the complexity of the topic dealt with and the accuracy of the presentation/report.
The oral exam aims to evaluate the student's acquisition of the topics covered during the lessons, their ability to deal critically and in depth with these topics, and their ability to put them into practice, possibly using examples. Its mark is also determined by the clarity of the exposition, the appropriate use of specialized vocabulary, and the ability to relate different issues to each other.
Course program
Computer Security Concepts (Threats, Attacks, and Assets); Fundamental Security Design Principles; Attack Surfaces and Attack Trees; Cryptographic Tools; User Authentication; Access Control Principles; Database and Data Center Security; SQL Injection Attacks; Malicious Software; Denial-of-Service Attacks; Intrusion Detection Systems; Firewalls and Intrusion Prevention Systems; Software Security; Operating System Security; IT Security Management and Risk Assessment; Human Factors; Social Engineering; Legal and Ethical Issues.