Università Roma Tre

- Course introduction
- Introduction to cybersecurity and terminology
- Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written in interpreted languages.
Code injection. Injection into web pages: XSS. Cross site request forgery. OWASP. An example of a site vulnerable to sql injection.
- Buffer overflow attacks. Exploitation: privilege escalation, intrusions by open ports, intrusions by untrusted documents (email, web, etc.).
An example of code with buffer overflow vulnerability and its exploit.
- Network vulnerability: sniffing, mac flood, ARP poisoning, DNS vulnerability, Kaminsky attack. TCP session hijacking, MitM attacks, DoS and distributed DoS. Route hijacking.
- Cybersecurity planning: content of a security plan, risk analysis.
- Design Principles of policies and mechanisms.
- Models: AAA, confinement, DAC, MAC, access control matrix.
- Considerations about automatic anomaly detection systems
- System security: general principles (passwords vulnerabilities, hardening methodology, assessment, auditing). Unix, discretionary access control, filesystem security, authentication, PAM, syslog)
- Network security: Level 1 and 2 security, stateless and stateful firewalls, linux netfilter with configuration examples, proxies and their vulnerabilities. Load balancing and full high-availability. Network intrusion detection systems.
- Cryptographic techniques: cryptographic basics (hash, symmetric, asymmetric, MAC, digital signature), birthday attacks, rainbow, key quality, pseudo-random number generators.
- Authentication and key exchange protocols. Replay and reflection attacks. Nonces. Perfect Forward Secrecy. Diffie-Helman.
- Certificates, certification authority, public key infrastructures and their vulnerabilities. Applications: protocols ssl, tls, ssh, virtual private networks, ipsec, etc. Authentication protocols point-to-point and in local area network. Radius and its vulnerabilities. Other applications.
- Authenticated Data Structures
- Distributed Ledger Technologies and Bitcoin
- Smart contracts
- Cybersecurity in large organisations.

Course handouts.