Applied Security Laboratory

Application course held by Prof. Dr. David Basin, Dr. Christoph Sprenger and Michael Schläpfer. The course is part of the Information Security Laboratory.

Overview

This course emphasizes applied aspects of Information Security. The students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectiveness and impact of security measures. This part is based on an extensive script and virtual machines that include example applications, questions, and answers.

The students will also complete an independent project: based on a set of functional requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another system. All project work will be performed in teams and must be properly documented.

The Applied Security Laboratory addresses four major topics:

  • operating system security (hardening, vulnerability scanning, access control, logging);
  • application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security);
  • risk analysis and risk management;
  • computer forensics.

Schedule

  • Mandatory introduction lecture: Thursday, Sept 19, 2013 09:15-10:00, Location: CAB E 87.1;
  • Note: there will be no other lectures during the semester. This allows flexible working. Occasionally there may be talks by external experts;
  • External Talk given by Steffen Göhrlich of the Zurich Cantonal Police about computer forensics: Thursday, Dec 5, 2013 10:15-11:15, Location: tba;
  • Lab location: CAB E 87.1;
  • Assisted lab hours: Thursdays, 09:00-11:00, Location: CAB E 87.1;
  • Open lab hours: Rest of the week, CAB E 87.1.

Project schedule:

  • Register project groups: Oct 3, 2013, (e-mail);
  • Hand in system description and risk analysis overview / concept: Oct 13, 2013, (e-mail);
  • Feedback to your overview / concept: Oct 17, 2013, 09:00-12:00 (individual schedule), (CAB E 87.1);
  • Hand in final system description and risk analysis: Nov 21, 2013, (e-mail);
  • Hand in final system reviews: Dec 12, 2013, 09:00 (e-mail) / presentation of main results: Dec 12, 2013, 09:15-12:00, (CAB E 87.1).

Semester end exam:

  • Written, closed-books, 90 minutes: Dec 19, 2013, 10:15-11:45, (CAB H 52).

Requirements

  • The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL, because several examples are implemented in these languages;
  • Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits in recognition of their effort;
  • All participants must agree and sign the lab's charter and usage policy during the introduction lecture.

Exam

There will be a written exam at the end of the semester. In addition, all participating students will take part in a longer-term project. This project will contribute to the overall grade.

Longer-term Project

The project will involve the installation, configuration, and implementation of a small IT system that must comply with a given set of functional and security requirements. Students will work in small teams to complete the project. Every student team will afterwards review another team's IT system. Each team will write a report that documents their own IT system as well as the results from their review. The report will be graded. Since it is a team project, the grade will be identical for all members of the team.

Course Material and Literature

The course is based on the book "Applied Information Security - A Hands-on Approach" by Prof. Dr. David Basin, Dr. Patrick Schaller, and Michael Schläpfer.

Additional course material

  • Course Material
  • Virtual Machines and Chapter on Computer Forensics

Additional recommended reading

  • Pfleeger, Pfleeger: Security in Computing, Third Edition, Prentice Hall, available online from within ETH.
  • Garfinkel, Schwartz, Spafford: Practical Unix & Internet Security, O'Reilly & Associates.
  • Various: OWASP Guide to Building Secure Web Applications, available online.
  • Huseby: Innocent Code -- A Security Wake-Up Call for Web Programmers, John Wiley & Sons.
  • Scambray, Shema: Hacking Exposed Web Applications, McGraw-Hill.
  • O'Reilly, Loukides: Unix Power Tools, O'Reilly & Associates.
  • Frisch: Essential System Administration, O'Reilly & Associates.
  • NIST: Risk Management Guide for Information Technology Systems, available online as PDF.
  • BSI: IT-Grundschutzhandbuch, available online (German), PDF in English.
  • BSI: Risk analysis based on IT-Grundschutz, available online as PDF (German), English version.