Budapest University of Technology and Economics, Faculty of Electrical Engineering and Informatics


    IT Security

    Name of the subject in Hungarian: IT biztonság

    Last updated: 31 August 2022

    BSc
    Course ID: VIHIAC07
    Semester: 6
    Weekly hours (lecture/practice/laboratory) and assessment type: 3/0/1/v (v = exam)
    Credits: 5
    3. Course coordinator and department: Dr. Levente Buttyán, HIT
    4. Instructors: Dr. Levente Buttyán, Associate Professor, HIT
    Dr. Gergely Ács, Associate Professor, HIT
    Dr. Boldizsár Bencsáth, Assistant Professor, HIT
    Dr. Gergely Biczók, Associate Professor, HIT
    Dr. Tamás Holczer, Assistant Professor, HIT
    Dorottya Futóné Papp, Assistant Professor, HIT
    András Gábor Gazdag, Assistant Professor, HIT
    Gergő Ládi, Research Assistant, HIT
    5. Required knowledge: Computer programming
    Java and C/C++ programming languages
    Operating systems
    Communication Networks
    6. Pre-requisites
    Recommended: Communication Networks
    7. Objectives, learning outcomes and obtained knowledge: This course gives an overview of the different areas of IT security with the main goal of increasing the security awareness of computer engineering students and shaping their attitude towards designing and operating secure computing systems. The course prepares BSc students for security challenges that they may encounter during their professional career, and at the same time, it provides a basis for those students who want to continue their studies at MSc level. Some topics (e.g., software security, web security, cryptography) are also covered in laboratory exercises; for those topics, the aim is that students not only understand the concepts but also acquire practical experience and skills.
    8. Synopsis

    Basic concepts of IT security and security risk management: common security objectives (CIA and AAA); overview of attacker profiles, vulnerabilities, security mechanisms; risk assessment, security engineering, security operations; ethical issues in IT security. (2x45 min)
    Cryptography: introduction of basic notions in cryptography via examples from history, main milestones in the history of cryptography. Modern cryptographic algorithms: symmetric and asymmetric key ciphers, hash functions, message authentication codes, digital signature schemes, random number generation, key exchange protocols, PKI. Overview of modern cryptographic applications, common issues with cryptography in practical systems. (6x45 min)
    Authentication: concept, methods, applications; authentication based on knowledge, possession, and biometrics, with their advantages and disadvantages; possible attacks and countermeasures; multi-factor authentication; case studies. Standards, frameworks, protocols related to authentication (e.g., OpenID, Kerberos, FIDO). (2x45 min)
    Authorization: concept, methods, applications; case studies and application examples. Standards, frameworks, protocols related to authorization (e.g., OAuth, SAML). (2x45 min)
    Access control: general model and the DAC and MAC approaches. Authorization and access control in Linux-based operating systems: users, groups, access rights; POSIX ACLs, SELinux, AppArmor. Authorization and access control in Windows: users, groups, access rights for the file system and for sharing. (2x45 min)
    Software security: security issues at the design, implementation, testing, and operation phases of software, and possible approaches to solve these issues. Threat modelling in the design phase, secure coding principles. Security analysis and testing of software (code review, risk assessment, software penetration testing, fuzzing), and related tools. Implementation issues in low-level programming languages: causes and exploitation of memory corruption vulnerabilities; examples (e.g., stack buffer overflow, heap overflow, format string bugs, return-oriented programming (ROP)); countermeasures against memory corruption. Implementation issues in web-based applications: attacks on the client side (e.g., XSS, CSRF) and on the server side (e.g., SQL injection); possible countermeasures (e.g., the same-origin policy (SOP), Content Security Policy (CSP)). (8x45 min)
    Network security: phases of typical network-based attacks (reconnaissance, intrusion, backdoor installation, lateral movement, privilege escalation), methods and tools used in these phases. Penetration testing (ethical hacking) of networks and network-based systems. Network security mechanisms: perimeter defense with firewalls, types, operation, and configuration of firewalls; network intrusion detection systems (IDS); SIEM systems; virtual private networks (VPNs). (6x45 min)
    Malware: concept and operation of malware, types of malware, malware infection, spreading, and evasion techniques. Malware related case studies (cybercrime, botnets, targeted attacks (APT)). Techniques of detecting malware. (2x45 min)
    Secure operations of systems: Vulnerability management, patching, updating, back-up. Handling security incidents: detecting and recovering from malware infections, log analysis, basics of memory and disk forensics. (2x45 min)
    Privacy: concepts of privacy and data protection, motivating examples; tracking techniques on the web (e.g., browser fingerprinting, third-party cookies); anonymous communication systems and their applications; concept and techniques of query auditing; anonymization of data; psychological profiling. (2x45 min)
    Security of machine learning: motivating examples for security issues in machine learning (confidentiality, integrity, availability problems); auditing machine learning models; legal background. Confidentiality: model inversion, membership inference attacks. Integrity: adversarial examples (evasion), poisoning of training data (targeted pollution). Availability: sponge examples, untargeted pollution. (4x45 min)
    Economics of security and privacy: individual and organizational incentives in information security. Asymmetric information: adverse selection, moral hazard, lemon markets. Example of misaligned incentives: the market for IT security solutions and services. Externalities, security interdependence. Economics of vulnerabilities. Cyber insurance. Economics of privacy, interdependent privacy (e.g., Facebook, Google, location privacy). (4x45 min)
    If a lecture is cancelled due to holidays, then the topic of Economics of Security and Privacy will be shortened and presented in a single lecture.

    Laboratory exercises:
    1.    Using a cryptographic library: creating simple programs that use cryptographic mechanisms (encryption, digital signature) implemented in a cryptographic library.
    2.    Input validation: techniques for validating inputs of a program in order to detect and filter potentially harmful inputs.
    3.    Software security testing: security testing methods applicable to software developed in various frameworks, with a focus on software developed in low level languages.
    4.    Security of web-based systems: trying attack techniques used against web-based applications and identifying and applying appropriate countermeasures.
    5.    Incident response and digital forensics: analyzing logs and recorded network traffic (packet captures); trying tools for memory and disk forensics.
    6.    Privacy: development of a query auditor using an appropriate linear algebra library.

    9. Method of instruction Lectures and laboratory exercises:
    •    Conceptual knowledge is delivered in the form of lectures (with illustrative examples and case studies). There are also reading assignments to some of the topics, which require individual work from the students.
    •    Practical skills are acquired via laboratory exercises (remote or on-site) where students solve challenges individually, with support from lab instructors where needed. Students have to prepare for these exercises by individually studying the lab manuals distributed before the exercise sessions.
    10. Assessment
    •    1 written midterm test (requirement for passing: achieving min. 40% of the total points)
    •    Successfully executing 4 out of 6 (or 3 out of 5) laboratory exercises (requirement for successful execution of a lab exercise: achieving min. 50% of the total points)
    •    Written exam test (requirement for passing: achieving min. 40% of the total points)

    Computation of the final grade:
    1/3 * MT + 2/3 * ET (rounded to the nearest integer), where MT is the result of the successful midterm test and ET is the result of the successful exam test.
    11. Recaps
    Failed or missed laboratory exercises cannot be re-taken.
    A failed or missed midterm test can be re-taken once.
    12. Consultations: At ad hoc times agreed with the instructors.
    13. References, textbooks and resources
    •    Online material associated with the course (book chapters, conference papers, blog posts)
    •    Chapters of The Cyber Security Body Of Knowledge (CyBOK) (available at https://www.cybok.org/)
    14. Required learning hours and assignment
    Contact hours: 56
    Preparation for classes during the semester: 20
    Preparation for the midterm test: 20
    Homework: 0
    Studying the assigned written material: 14
    Preparation for the exam: 40
    Total: 150
    15. Syllabus prepared by: Dr. Levente Buttyán, Associate Professor, HIT
    Dr. Gergely Ács, Associate Professor, HIT
    Dr. Boldizsár Bencsáth, Assistant Professor, HIT
    Dr. Gergely Biczók, Associate Professor, HIT
    Dr. Tamás Holczer, Assistant Professor, HIT
    Dorottya Futóné Papp, Assistant Professor, HIT
    András Gábor Gazdag, Assistant Professor, HIT
    Gergő Ládi, Research Assistant, HIT