Security of IT Infrastructure (Bezpečnosť IT infraštruktúry)
Scope: 2 h
Exam: written + project
Lecturers:
- Jaroslav Janáček
- Richard Ostertág
- Michal Rjaško
- Martin Stanek
Topics:
- WiFi security
- Security of HTML5
- Secure programming
- Availability protection
- VPN
- 802.1X, EAP, RADIUS
- DNSSEC
- Access control in operating systems
Slides in 2024:
- Introduction - what, why, how
- Secure Programming
- Access Control in Operating Systems
- Availability Protection
- 802.1X, EAP, RADIUS
- Web Application Security
- DNSSEC
- Virtual private networks (VPN)
- WiFi Security
- Security of HTML5
Projects:
The output of a project is a document describing the project solution (in PDF format). Project results will be presented at the final lectures. Based on the document and the presentation, projects will be graded on the following scale:
- 2 (the project fulfilled the assignment completely),
- 1 (the project fulfilled the assignment partially),
- 0 (the project did not fulfil the assignment).
The project grade makes up 50% of the overall course grade.
Test grading table:
| minimum | grade |
|---|---|
| 0 | E |
| 3 | D |
| 8 | C |
| 14 | B |
| 18 | A |
Final grade table:
| test \ project | 0 | 1 | 2 |
|---|---|---|---|
| FX | FX | FX | E |
| E | FX | E | C |
| D | FX | D | B |
| C | FX | D | B |
| B | FX | C | A |
| A | E | C | A |
Sign up for a project by e-mail with the specific lecturer.
- Application Sandboxing (Stanek) - Hlaváč
  - describe, experiment with, and compare various approaches to application sandboxing (e.g., Windows Sandbox, Firejail + AppArmor, containers)
  - use at least three solutions and focus on this use case: running a potentially untrusted application, or an application accessing untrusted data, in an isolated environment
  - describe how they work, show them in practice, compare them with respect to the security provided and the user experience
- Email security in .sk TLD (Stanek) - Jurčák
  - statistically evaluate SPF, DKIM, DMARC, and STARTTLS (for SMTP) in the .sk TLD (% of domains, types of policies, key lengths, etc.)
  - the list of .sk domains is available here: https://sk-nic.sk/subory/domains.txt
  - describe how these technologies work and what security problems they try to solve
  - compare the results with available statistics
- Greenbone Community Edition (Stanek) - Revúcky
  - install the Greenbone OpenVAS vulnerability scanner
  - prepare at least two different VMs (Linux and Windows, both with some software packages installed) containing known vulnerabilities
  - configure and run unauthenticated and authenticated scans and evaluate the findings (true positives, false positives, missing detections, etc.)
  - summarize your experience (pros and cons) with scanning, feed updates, etc.
- Web Application Firewalls (Ostertág) - Husárová
  - overview of current WAFs (free, open-source, commercial, with AI, ...)
  - install, explore and compare their capabilities
  - try at least ModSecurity, Naxsi, Signal Sciences Next-Gen WAF
  - does any information leak to the provider of the service?
  - compare their philosophy, e.g.:
    - deny everything by default
    - how rules are updated
    - learning modes
  - test some known attacks against a web application protected by the selected WAF
  - your opinion
- WireGuard vs. OpenVPN (Janáček) - Novota
  - set up OpenVPN (the open-source edition) and WireGuard on several platforms (at least on Linux, Windows, Android)
  - compare them in terms of ease of setup, ease of use, scalability, security and suitability for the following scenarios:
    - a VPN server with multiple clients (consider also a large number of clients)
    - a site-to-site VPN
- Check Interoperability of IPsec Implementations in Different OSes (Janáček) - Koseček
  - configure IPsec in different operating systems (Windows, Linux, ...) and explore interoperability issues of various configurations
- UEFI and Secure Boot (Stanek) - Vita
  - what is it, how it works
  - what threats it tries to address, and what is outside the scope of Secure Boot
  - real-life example (configuration, "attack" detection)
  - personal opinion
- Suricata (Stanek) - Martínez
  - what is it, how it works
  - install, explore and demonstrate its capabilities
  - choose at least 3 different attack types and show how they are detected
  - construct 1 custom rule and show that it works as intended
  - personal opinion
- Full disk encryption in Linux (Stanek) - Gavlák
  - what options are available for full disk encryption (FDE)
  - what threats does FDE address
  - choose a major Linux distribution and configure FDE with TPM
  - compare disk operation performance with and without FDE
  - your opinion on the user experience
- Physical Access Control Systems security (Ostertág) - Pasichnyk
  - https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/
  - https://www.youtube.com/watch?v=mZme8dIXPfQ
  - https://www.youtube.com/watch?v=Kz8EGkqpd1I
  - describe the Open Supervised Device Protocol (OSDP) and its advantages for access control systems over the classic Wiegand protocol implementation
  - describe the differences between MIFARE, DESFire EV1 and DESFire EV2 from a security perspective
- IoT device security (Janáček) - Kabátová
  - perform active reconnaissance on a set of IoT devices:
    - network scans, identify running services
    - capture and analyze network traffic during normal operation and initial configuration
    - search for vulnerabilities and attack vectors
    - assess adherence to best practices
- BadUSB attacks (Janáček) - Grochal
  - explain how such attacks work
  - demo an attack on a major operating system (Windows / Linux)
    - execute a malicious application
    - explore reverse host-to-BadUSB communication
  - opinion on the difficulty of attack execution and possible countermeasures
- File Integrity Monitoring (FIM) (Stanek) - Priner
  - what is it, what security problems and threats does FIM address
  - explain how it works in AIDE and Wazuh
  - install and configure both solutions, show that they work as intended and that they detect modification of files
  - compare AIDE and Wazuh FIM (ease of use, administration, detection speed, scalability, etc.)
- Authenticity of applications (Stanek) - Jóža
  - describe and compare how the authenticity of applications is ensured in Windows and iOS
    - installation vs. running binary applications
    - digital signatures: when required, default policies, risks, trust, key distribution
    - configuration options, installation and usage of custom software
  - showcase these security controls
  - your opinion
- ... Further projects can be proposed and discussed with one of the lecturers. Once approved, the project can be carried out.