Cybersecurity
- Duration: 6 weeks
- Effort: 30 hours
- Pace: ~5 hours/week
Target skills
By the end of this course, you will be able to:
Acquire a broad understanding of the main areas of IT security:
- Vulnerability and attack
- Security policy
- Access control and flow control
- Cryptography
- Privacy (personal data protection)
- Authentication
Description
This course aims to provide an overview of cyber security.
Most topics of cybersecurity are covered: attacks, malware, security policy, security mechanisms, user authentication, symmetric and asymmetric cryptography, network security, and personal data protection.
In the introduction we present the objectives of cybersecurity (confidentiality, integrity, availability) and emphasise the distinction between the security policy and the security mechanisms that enforce it.
We define a secure system as a system in which the security policy cannot be violated. We review the main existing cyber-attacks including social engineering attacks. For each type of attack we propose solutions to prevent them. We also study the concept of malware (virus, worm, Trojan horse).
Regarding security policy, we present the Discretionary Access Control (DAC) policy and show how it can be implemented through Access Control Lists (ACL) and access control mechanisms. We use Unix as a case study.
After highlighting the weakness of DAC systems against Trojan horse attacks, we review several types of Mandatory Access Control (MAC) policy, including the multilevel security policy. We introduce the concepts of information flow control and covert channel. We review the main existing tools to control information flows in a network, such as firewalls, proxy servers, Network Address Translation (NAT) and Virtual Private Networks (VPN). We present several ways to authenticate a user, such as passwords or two-factor authentication, and show some attacks against these authentication systems.
We also present the concept of Single Sign-On (SSO) with Kerberos as a case study. We give a comprehensive overview of the main cryptographic mechanisms for encryption and integrity protection. We show how to build a symmetric cipher and a Message Authentication Code (MAC). We show how asymmetric cryptography provides solutions for symmetric key exchange, for authenticating communicating parties, and for guaranteeing the non-repudiation property.
We also address the issue of personal data protection. We show that data anonymization cannot be used as a general solution to protect personal data.
We show that personal data can be protected by ensuring that entities handling personal data comply with a set of obligations. We illustrate this by presenting the European General Data Protection Regulation (GDPR).
Prerequisites
Computer skills at the bachelor's level
Assessment and Certification
The learner can take an exam at the end of each course.
Course outline
- Introduction
  - Vulnerability and Privilege
  - Software Attacks: Buffer Overflow, SQL Injection
  - Browser Security, Cross-Site Scripting Attack
  - Cross-Site Request Forgery Attack
- Social Engineering: Phishing, Baiting, Fake President Fraud
  - Distributed Denial of Service: DDoS via a botnet, DDoS by amplification
  - Malware: Virus, Worm, Trojan Horse
- Security Policy
  - Security Mechanisms
  - Discretionary Access Control policy: Access Control Lists, Capabilities, Unix DAC
- Mandatory Access Control: Multilevel Security, Covert Channels, Multilevel Security for Integrity, Domain and Type Enforcement, Role-Based Access Control, Attribute-Based Access Control
  - Privacy: Personal Data Protection, General Data Protection Regulation
- Symmetric Cryptography: Stream Cipher, Block Cipher, Feistel Networks, Data Encryption Standard, Nonce-based Encryption, Hash Function, Message Authentication Code, Authenticated Encryption
- Asymmetric Cryptography: Diffie-Hellman Key Exchange, Asymmetric Encryption, Digital Signature, Public Key Certificate, Transport Layer Security
- User Authentication: Passwords, Two-Factor Authentication, Single Sign-On, Kerberos
  - Network Security: Firewall, Proxy Servers, Network Address Translation, Virtual Private Networks