MSE Module IT Security - Detailed Module Description
The last three columns list the responsible teachers per location (Be, La, Zh).

| Main Topics and Subtopics | Detailed Contents | # Lessons | Available Documents | Be | La | Zh |
|---|---|---|---|---|---|---|
| **Security Goals and Overview of Current Threats** | This topic should serve as the motivation for the remainder of the module. It should primarily describe the problems but not yet give (detailed) solutions. | 2 | | Po | Li | Gr |
| Definition of IT Security, Security Goals | What is IT Security; Security Goals: CIA (Confidentiality, Integrity, Availability), AAA (Authentication, Authorization, Accounting) | 0.5 | ISO 27001, slides of several involved professors (e.g. Li, Re, St) | | | |
| Typical Attacks | Malware in its various forms: viruses, worms, trojans...; Passwords and their problems (dictionary/brute-force attacks); Phishing; What attackers do with a compromised system: spying on users (e.g. keylogger), spam-robot, zombie in a subsequent (D)DoS attack...; (D)DoS attacks and why defending is virtually impossible; Web application attacks (today, approx. 60% of all reported vulnerabilities are web application security vulnerabilities): XSS, SQL Injection...; Buffer overflow attacks; Organised cybercrime: what we could expect in the future (more specifically targeted attacks for financial gain) | 1.5 | The regularly published Symantec Threat Report | | | |
| **Wrap-Up of Fundamental Security Technologies** | This topic serves to repeat the most important fundamentals we expect the students to know as a prerequisite for this course. | 4 | | Po | Li | Gr |
| Cryptography | Secret-key cryptography, block/stream ciphers, cipher modes (ECB, CBC, OFB, COUNTER); Public-key cryptography (RSA, Diffie-Hellman); Hash functions (MD5, SHA-1, SHA-2), message authentication codes (HMAC); Digital signatures based on public-key cryptography | 2 | Slides of several professors | | | |
| Basic Security Protocols/Technologies | Challenge-response mechanism; Layer 2 security: IEEE 802.1x, WLAN (IEEE 802.11i); Layer 3 security: IPsec, IKE; Layer 4 security: SSL/TLS; Firewalls (packet filtering, stateful inspection); Digital certificates (X.509, PGP web of trust?); PKI: registration, enrollment (PKCS#7, SCEP) and revocation (CRLs and Delta CRLs, OCSP) | 2 | Slides of several professors | | | |
| **Introduction to Information Security Management and Legal Aspects** | A brief introduction to risk assessment and legal aspects. | 2 | | Po | Bu | Gr |
| Risk Assessment Guidelines | How to carry out a risk assessment (use one concrete example) | 1 | ISO 27000, BSI Grundschutzhandbuch | | | |
| Legal Aspects | Compliance, Basel-II, SOX, Signaturgesetz | 1 | | | | |
| **Security Technologies** | As Advanced Security Technologies, we consider technologies beyond the basic technologies that we regard as a prerequisite. We should distinguish between mandatory (core) topics and optional topics. The optional topics can be freely chosen by the individual professors. | 8 | | Ba | Sc | St |
| Core Security Technologies | Access control mechanisms and their applications (mandatory/discretionary access control, RBAC); System security (operating system security, system hardening, minimal installation, least privilege, update management); Application firewalls (primarily entry servers/reverse proxies); Intrusion Detection/Prevention Systems (organisation, misuse-/anomaly-based detection); Security Event Management (integrating several security systems/logs into a single system); Anti-spam/virus/phishing technologies | 6 | Slides of several professors | | | |
| Advanced Security Technologies (Optional) | Electronic payment systems (PayPal etc.); E-Voting; Trusted computing concepts; Advanced cryptography topics (ECC cryptography, true random numbers…); Anonymization technologies; Honeypots; Forensics; VoIP security, Skype security; Security of ad-hoc networks | 2 | Slides of several professors | | | |
| **Secure Software and System Development** | This topic deals with secure software programming concepts, first in a generic way and then more concretely with the example of web applications and web services, because they belong to the most dominant and most frequently attacked system types of today. Java should be used as the primary language in this chapter. There is again room for an optional topic that can be freely determined by the individual professors. | 8 | | Ni | Bu | Re |
| General Secure Programming Concepts | Obstacles; Security patterns; Secure/robust programming techniques | 2 | http://www.sans-ssi.org | | | |
| Web Applications and Web Services Security | Web application security obstacles (OWASP Top Ten: XSS, SQL Injection, session management...); Securing web applications (techniques, frameworks such as Commons Validator); Web services security (SAML, XML encryption/signature…) | 4 | OWASP guides (www.owasp.org), slides of several professors | | | |
| Advanced Secure Software Concepts (Optional) | More details on secure programming concepts; Understanding buffer overflows and HW/SW solutions to prevent them (no-execute flag, stack canaries, address space randomization…), using C as the example language; Code obfuscation and disassembling; DRM mechanisms, general SW protection mechanisms | 2 | Slides of several professors | | | |
| **Software and System Security Testing** | This topic should teach the possibilities to test systems with respect to security and the corresponding testing tools. Testing is a wide spectrum and we should focus on one topic as a concrete example: penetration testing a web application. | 4 | | Ni | Li | Re |
| Software Security Testing Concepts | Black-/grey-/white-box testing; What to test: design specification, code review, system configuration, application security; How to test: conceptual audit, vulnerability scanning, penetration test… | 1 | OWASP guides, ISO 27000, OCTAVE, slides of several professors | | | |
| Example of a Security Test: Penetration Testing a Web Application | Different phases of a penetration test (preparation, information gathering, information assessment, active attack attempts, reporting); Manual methods and tool assistance (Whois, nmap, Nessus, local proxies, Paros, WebScarab, Suru, Google Hacking…) | 3 | OWASP guides, project/diploma theses (Re) | | | |
| **Total** | | 28 | | | | |