Table of Contents

Security Engineering and Management (2014/2015)

This course is offered at the University of Trento by the security group in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (EIT Digital).

See the UNITN S&P EIT page for further information.

See the current Security Engineering Course for further information.

Course Objectives

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decides which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on case studies from industry.

The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high level view of some Security Technologies (Authentication, Database, Access control, Web Application, etc). By using two industrial risk assessment methodologies, the student will identify threats and the corresponding security controls appropriate for an industrial case study.

At the end students should be able to make their own security analysis, documenting the threats and the security controls or requirements for an industrial case study

Lecturers

Exam Modalities

The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of an oral and written part. The written part will be a report where students working in group or alone apply the concepts learned during the course to analyze a real case study. The oral part will consist in a discussion of the report with the lecturer and a company representative owning the case study.

The students who will attend the class will have the opportunity to present their work and receive feedbacks before the final submission of the report. The final mark will be assigned based on the written report. If the work for the report has been done in group, all the group members will be assigned the same mark

Registration Form

You can register to the course on the following link: registration form BY October 13th.

Note: If you have a problem in finding a group partner, send us a message: labunets (at) disi.unitn.it.

Schedule

Date Topic Slides Other Material
2014-09-16 Administrative Information and Introduction General Information and Terminology and Foundations
2014-09-17 Malware Markets and Advanced Persistent Threats Overview of attackers
2014-09-23 Information Security Management GRC and ISMS COBIT 5 Book
2014-09-24 Risk Management Slides NIST 800-53 Security Controls Catalog, NIST 800-30 Risk Assessment Guide
2014-09-29 Cryptopgraphy (a superzipped introduction) Slides Attend the Applied Crypto course if you are interested in further details Information on the importance of protecting keys and certificates for Diginotar Failure and additional details in FoxIT security report
2014-10-07 SESAR SecRAM Tutorial Slides The SESAR SecRAM tutorial is restricted by NDA
2014-10-14 Coras Tutorial Slides CORAS Guidelines (Book is in the library), Ponemon Reports on Data breaches 2014 (Global) and 2011 by country (US and DE contain breakdown by threat agent)
2014-10-20 Case Study Presentation The Remote and Virtual Tower document is restricted by NDA. If you are planning to do the the exam, fill the NDA and hand it in class Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales (2006), and Washington Post's article on Drones' incidents
2014-10-21 Identity and Access Management lecture-2014-10-identity-and-access-control.pdf Report on the frauds by John Rusnak and by Jerome Kevriel as (INSEAD Case study or the offical report)
2014-10-28 MAC and Access Control Models slides Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld)
2014-10-29 User Authentication Slides ABC reports of attempted voice hijacking of airplanes
2014-11-04 Web Application Security Slides
2014-11-11 Web Application Security - II Slides Cross site scripting for ICS on the US CERT ICS Web Site
2014-11-12 Discussion of Security Standards PCI (Credit Cards) and BSI (German General Standard) PCI - General Guidance for overall system securityPCI - application security guidelines, BSI General Catalogue of security controls
2014-11-17 Infrastructural Security - Network Security Slides US CERT cyber list of vulnerabilities
2014-11-18 Infrastructural Security - OS Security Slides US CERT's definition of Engineering Workstations
2014-12-02 BYOD and Mobile Security Slides
2014-12-03 Malware US CERT's case study on Malware attacks on Industry Control Systems

Additional Material

Date Topic Slides Material Delivery date
2014-09-17 Vulnerability Assessment Exercise Vulnerability scoring exercise slides List of Vulnerabilities (Scoring instructions on paper) in class
2014-09-24 Security Controls and Requirements Exercise: identify the security controls for a e-health application no slides List of security controls and Instruction Sheet Return sheet on Tuesday 30/September
2014-10-01 Modeling Risk Exercise: evaluate the comprehension of graphical and tabular risk models Risk modeling exercise slides No Material in class
2014-10-08 SecRAM exercise SecRAM exercise slides Dropbox folder with material in class: upload here
2014-10-15 CORAS exercise CORAS exercise slides Dropbox folder with material Final result to be uploaded here before next lecture
2014-11-05 Web Application Security exercise exercise slides WebGoat
2014-11-28 Sweden opens the first airport with Remote Tower Services News Announcement on LFV web site

Report: Material, Deadlines, Assignments

Materials

The final deliverable should include the following documents:

  1. [1 file] Security Engineering report which presents the results of all three deliverables (template).
  2. [1 file] Summary of results which aggregates the results of all three deliverables (template). This document should be submitted in Excel format ONLY.
  3. [4 files] Method artifact files for each deliverable (1a, 1b, 2 and 3): CORAS artifact file (template) or SecRAM artifact file (template).

The final presentation template in .pptx format: template. The final presentation should be submitted in Power Point or PDF format.


[OLD] Each deliverable should include the following documents:

  1. Security Engineering report (template).
  2. Summary of results (template). This document should be submitted in Excel format ONLY.
  3. Method artifact file: CORAS artifact file (template) or SecRAM artifact file (template). Note: Deliverable 1 should contain method artifact files for both CORAS and SecRAM methods. Deliverable 2 and 3 should contain method artifact file for the assigned method.

Groups Assignment to Methods

Group Task 1a (Identity management) Task 1b (Access management) Task 2 (WebApp/DB) Task 3 (Networking/Infrastructure)
G01 CORAS SecRAM CORAS SecRAM
G02 SecRAM CORAS SecRAM CORAS
G03 CORAS SecRAM CORAS SecRAM
G04 CORAS SecRAM CORAS SecRAM
G05 CORAS SecRAM CORAS SecRAM
G06 CORAS SecRAM CORAS SecRAM
G07 SecRAM CORAS SecRAM CORAS
G08 SecRAM CORAS SecRAM CORAS
G09 SecRAM CORAS SecRAM CORAS
G10 SecRAM CORAS SecRAM CORAS
G11 CORAS SecRAM CORAS SecRAM
G12 CORAS SecRAM CORAS SecRAM
G13 SecRAM CORAS SecRAM CORAS
G14 SecRAM CORAS SecRAM CORAS
G15 SecRAM CORAS SecRAM CORAS
G16 CORAS SecRAM CORAS SecRAM
G17 SecRAM CORAS SecRAM CORAS
G18 CORAS SecRAM CORAS SecRAM
G19 SecRAM CORAS SecRAM CORAS
G20 CORAS SecRAM CORAS SecRAM

Deadlines

Deadline Deliverable Submission link
2014-11-17 Deliverable 1: Report on the methods (CORAS and SecRAM) application on the Authentication and Access Management Security. 1) Submit report files by 2014-11-17 12:00:00 (Trento time zone) via upload form. 2) Both members of the group should answer post-task questionnaire by 2014-11-17 18:00:00 (Trento time) via post-task questionnaire form. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted.
2014-12-01 Deliverable 2: Report on method application on the Web Application Security. Submit report files by 2014-12-01 12:00:00 (Trento time zone) via upload form.
2014-12-15 Deliverable 3: Report on method application on the Networking and Infrastructure Security. Submit report files by 2014-12-15 12:00:00 (Trento time zone) via upload form.
2015-01-12 Final Deliverable: Final report on the methods application on three security tasks. 1) Submit report files by 2015-01-12 12:00:00 (Trento time zone) via upload form. 2) Both members of the group should answer post-task questionnaire by 2015-01-12 18:00:00 (Trento time) via post-task questionnaire form. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted.
2015-01-13 - 2015-01-16 Focus Group Interviews Each group member should register for focus groups by 2015-01-12 15:00 via Doodle form. Pick up one time slot per person. Fist come, first served.
2015-01-28 - 2015-01-29 Final presentation in front of the ATM security expert. Submit final presentation file by 2015-01-26 12:00:00 (Trento time zone) via upload form. In order to register to the final exam you need: 1) Register to Security engineering final exam in January via ESSE3. 2) Pick up one slot for your presentation in Doodle. In the Doodle specify your group ID and the name of the student who made the registration.

Each deliverable should be submitted by 12:00:00 PM (noon) of the day of the deadline (see the table above).