Security Engineering

Security Engineering (218 - 13893)
Study: Bachelor in Informatics Engineering
Semester 2/Spring Semester
3rd Year Course/Upper Division

Students are expected to have completed:

Cryptography and Computer Security
Computer Networks

Compentences and Skills that will be Acquired and Learning Results:

The main goal of this subject is to make students aware of the complexity of ensuring security principles in today IT systems and architectures. Only by understanding IT security from an engineering point view, as a multidisciplinary subject, we can design and develop secure IT systems needed in modern societies. The student will acquire the necessary skills to design and plan global security solutions. Students will also become familiar with the different security mechanisms, their life cycle and cost. Finally, students must know the main laws and regulations that govern this matter.

In order to achieve these goals, students must acquire specific knowledge, capacities and attitudes:
Regarding knowledge, at the end of the course the student will be able to:
- Understand the concept of security as a complex process covering different areas and disciplines, aware of the fact that a system is as secure as its weakest component.
- Know in depth the security evaluation norms and certification procedures.
- Understand the specific risks regarding distributed systems and in particular the Internet.
- Identify physical threats and the corresponding countermeasures.
- Identify the different components of a security plan.
- Get to know the life cycle of a security plan and the feedback-based paradigms used.
- To learn the legal regulation of information security on the national, European and international scales.

With regard to capacities, the students will acquire specific and generic capacities.
Regarding specific capacities, the student will be able to:
- Analyze security protocols and manage security risks, mainly concerning distributed systems. (PO: a,b)
- Evaluate the possibility to implement one or another security mechanism depending on the security risk assessment. (PO: b, c, e)
- Create a complete security plan managing all the appropriate security measures. (PO: a, c, e, f)

Regarding generic capacities and skills, the student will be given the opportunity:
- To work on a specific system, in a particular environment, to investigate vulnerabilities and possible threats. (PO: b, e)
- To study and identify the necessary information to solve a particular security problem. (PO: b, c, e)
- Apply multi-disciplinal knowledge (technical, organizational and legal) for the resolution of a particular problem. (PO: c, e, f)
Regarding attitudes, the student will be encouraged to:
- Adopt a critical view over traditional, ad-hoc security systems based on the accumulation of security equipment, without ever conducting a formal analysis for the development of a global solution. (PO: i, j, k)
- Develop the collaborative skills to be able to obtain, from security IT managers, the necessary information about a system to analyze and assess risk, and to communicate the proposed solutions. (PO: d, f, g)
- A positive attitude towards team working, to coordinate different points of view and opinions, in search of global secure systems. (PO: d, f)
- A positive attitude towards the laws that affect the implementation of systems and security products.

Description of Contents: Course Description

The course consists of five main parts:
FIRST PART
This first module introduces principles and prudent practices for the development of secure systems, together with the main classes of information system vulnerabilities and attack tools and tactics. It concludes with an overview of security measures and mechanisms and their applicability.
SECOND PART
The second module covers the malware and types. Finally introduce the current malware: ransomware, APT´s...
THIRD PART
This module covers access control models and systems, including multilevel and multilateral security systems, using a number of real-world systems as examples. It concludes with an introduction to ISO standards for the security assessment and certification of information systems and products.
FOURTH PART
Introduces threats to distributed systems and countermeasures, both at the service and mechanism level. A number of established security protocols are then studied in detail, including SSL/TLS, IPsec, and Kerberos.
FIFTH PART
This part covers physical threats against information systems, including floodings, fires, blackouts, and electromagnetic emanations, and also protection measures against them.
SIXTH PART
This module present, at first, the standardisation institutions at international, european and national level. Then, covers the security information management (ISO/IEC 27000 family) and the development of security plans, giving a detail account of all their phases, requirements and design guidelines. It also introduces methodologies for risk analysis and management, mainly MAGERIT
SEVEN PART
This final module presents the regulatory framework associated with information security, with a special emphasis on laws related to privacy rights and protection of personal data.

Learning Activities and Methodology

The applied methodology will include:
(1) Magisterial lectures, where the main theoretical concepts of the subject will be described and explained. The students will be able to follow these lectures using the appropriate printed course material as well as the corresponding intranet tools and bibliography. The given references will help the students to further elaborate on any topic of their interest. (PO: a, b, c, e, f, h, j)
(2) Discussion of real cases and best security practices which will illustrate the theoretical concepts. (PO: c, f, g, k)
(3) Lab sessions in computer labs where the student will work with the implementations of security protocols. (PO: a, b, d, k)
(4) Practical lectures where the students will have to resolve exercises and answer self-assessment tests. (PO: a, b, g, k)

Assessment System:

The final qualification will depend on the following criteria:
- The resolution, during the lab sessions, of a lab assignment: 40%. (PO: a, b, d, g, k). These lab exercises are compulsory, and are collectively marked by assessing each of the individual assignments.
- Mid-term exam (continuous assessment compulsory): 10%. (PO: a, c, e, f, g, h, i, k).
- Final exam: 50%. (PO: a, c, e, f, g, k). Attending the final exam is compulsory, and the student should get at least 50% of the maximum marks in the exam to be able to pass the unit.

There will be a special examination session where the student who has not followed or has failed the continuous assessment scheme described above will be able to hand-in, if he so whishes, all the related coursework (including lab assignments), to get a mark along the lines described above. He can, alternatively, chose to seat the final exam and in this case the exam will account for 100% of the final marks.

In all other circumstances not covered above, the procedure established by the University on the 31st of May, 2011, will be followed.

Basic Bibliography:

Anderson, Ross. SECURITY ENGINEERING: A GUIDE TO BUILDING DEPENDABLE DISTRIBUTRED SISTEMS (2nd edition). Wiley. 2008
C.M. Fernández Sánchez y M. Piattini Velthuis. Modelo para el gobierno de las TIC basado en las normas ISO. AENOR. 2012
Gómez Fernández; P.P. Fernández Rivero. Como implantar un SGSI según UNE-ISI/IEC 27001:2014 y su aplicación en el ENS. AENOR. 2015
Pfleeger, Charles. Pfleeger, Shari L. SECURITY IN COMPUTING (4ª edition). Prentice Hall. 2007
William Stallings. NETWORK SECURITY ESSENTIALS: Applications and Standards. Fourth edition. Prentice Hall. 2011

Additional Bibliography:

ISO/IEC. 27000:2013/27001:2013/27002:2013. JTC1 ISO/IEC. 2013
Vacca, John R. (Editor).. COMPUTER AND INFORMATION SECURITY HANDBOOK.. Elsevier (The Morgan Kaufmann Series in Computer Security).. 2009.