security_engineering [2018/08/24 17:44]
fabio.massacci@unitn.it
security_engineering [2018/08/25 13:48]
fabio.massacci@unitn.it [Course objectives]
Line 4: Line 4:
  
 See the [[teaching_activities|UniTrento Cyber Security Master Track page]] for further information. See the [[teaching_activities|UniTrento Cyber Security Master Track page]] for further information.
 +
 +===== Lecturers =====
 +
 +  * Lecturers: [[https://​www.massacci.org|Fabio Massacci]]
 +  * Teaching Assistant: TBC
  
 ===== Syllabus ===== ===== Syllabus =====
Line 12: Line 17:
  
 The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks) both qualitatively and quantitatively. The student will identify threats and the corresponding security controls appropriate for two industrial case studies. The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks) both qualitatively and quantitatively. The student will identify threats and the corresponding security controls appropriate for two industrial case studies.
 +
 +//Students interested in further exploring the research topics behind this area can also take a Software Project (6ECTS) or a Research Project (12ECTS) by contacting the lecturers.//​
 +
  
 ==== Intended learning outcomes ==== ==== Intended learning outcomes ====
  
 Regular and active participation in the teaching activities offered by the course (lectures, laboratories and group work) and in independent study and project activities will enable students to: Regular and active participation in the teaching activities offered by the course (lectures, laboratories and group work) and in independent study and project activities will enable students to:
- * understand the fundamentals of risk management;+  ​* understand the fundamentals of risk management;
   * identify the relevant assets and the corresponding impacts of possible threats for a moderately complex case study;   * identify the relevant assets and the corresponding impacts of possible threats for a moderately complex case study;
   * mitigate threats with control according to the risk appetite of a relevant stakeholder;​   * mitigate threats with control according to the risk appetite of a relevant stakeholder;​
Line 29: Line 37:
  
 General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography,​ and Security Testing at the [[https://​masterschool.eitdigital.eu/​programmes/​cse/​|Cyber Security track]] in Trento. Bachelor students from Trento might also consider the course on Reti Avanzate which provides the minimum knowledge about security protocols. General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography,​ and Security Testing at the [[https://​masterschool.eitdigital.eu/​programmes/​cse/​|Cyber Security track]] in Trento. Bachelor students from Trento might also consider the course on Reti Avanzate which provides the minimum knowledge about security protocols.
- 
-===== Lecturers ===== 
- 
-  * Lecturers: Fabio Massacci, 
-  * Teaching Assistant: TBC 
  
 ==== Content of the course ==== ==== Content of the course ====
Line 69: Line 72:
 In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark. In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.
  
-  * Step-by-Step Qualita/ve RA Exercises during the course: ​16 points+  * Step-by-Step Qualita/ve RA Exercises during the course: ​12 points
       * Identify Assets, Threats, Pre and Post Controls       * Identify Assets, Threats, Pre and Post Controls
-  * Technical Assessment of Cyber Vulnerabilities: ​points+  * Technical Assessment of Cyber Vulnerabilities: ​points
      * Students will use the CVSS (Common Vulnerabilities Scoring System), world standard to identify risk       * Students will use the CVSS (Common Vulnerabilities Scoring System), world standard to identify risk 
      * from descriptions as they arrive in a CERT Bulletin      * from descriptions as they arrive in a CERT Bulletin
      * as they apply to one's own security architecture      * as they apply to one's own security architecture
-  * Final Project: ​12 points+  * Final Project: ​14 points
      * A complete detailed quantitative risk assessment of the industrial automation case study security architecture      * A complete detailed quantitative risk assessment of the industrial automation case study security architecture
      * Evaluation by Industry experts from the case study       * Evaluation by Industry experts from the case study 
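Review bot: the point value for "Technical Assessment of Cyber Vulnerabilities" is blank in both the old and the new revision, so the three components no longer add up to a checkable total after the redistribution (Qualitative RA 16 to 12 points, Final Project 12 to 14 points); fill in the CVSS component's points so students can verify the total. The label "Qualita/ve" on the same line looks like a lost "ti" ligature and should read "Qualitative".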
Line 83: Line 86:
 Being able to defend one's ideas in class is an important part of the evaluation (if a student cannot explain why s/he choses something him/her will get a negative vote for the relative exercise). Being able to defend one's ideas in class is an important part of the evaluation (if a student cannot explain why s/he choses something him/her will get a negative vote for the relative exercise).
  
-===== Classroom Registration Form ===== 
  
-Please register to Google Classroom for assignments ​and notifications. ​+==== Reference ​and Bibliographic Material ====
  
-**If you do not register you will not be able to submit the step-by-step assignments ​and therefore you will not get the correspoding grades.**+The following books might be useful: 
 +  * [[http://​www.jblearning.com/​catalog/​9781284055955/​|Gibson. "​Managing Risk in Information Systems"​]]. Jones and BartlettISBN13: 9781284055955
  
-===== Schedule and Additional Material =====+Other recommended texts are  
 +  * [[http://​www.cl.cam.ac.uk/​~rja14/​book.html|Anderson. "​Security Engineering"​]] For which a old version is also on the web. 
 +  * [[https://​www.wiley.com/​WileyCDA/​WileyTitle/​productCd-0470741155,​miniSiteCd-BSG.html|Gollmann. "​Computer Security"​]] which is mostly a reference book for Security Technologies.
  
 +===== Detailed Schedule and Additional Material =====
 +
 +**The precise schedule will only be available in the late winter 2019.**
   * 2 hours lectures/​exercises by professors   * 2 hours lectures/​exercises by professors
   * 2-3 hours students presentations and reviews   * 2-3 hours students presentations and reviews
  
 ==== Past Lectures ==== ==== Past Lectures ====
 +
  
 ^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ^ ^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ^
 +To be filled when the course starts.
  
 ==== Upcoming Lectures ==== ==== Upcoming Lectures ====
  
 ^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ^ ^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ^
 +To be filled when the course schedule is known (around January).
  
 ==== Assigned Exercises (Graded) ==== ==== Assigned Exercises (Graded) ====
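Review bot: in the new bibliography entry the publisher and ISBN run together ("Jones and BartlettISBN13: 9781284055955"); add a separator, e.g. "Jones and Bartlett. ISBN13: 9781284055955". In the Anderson entry "For which a old version is also on the web" should read "for which an old version is also on the web" and be joined to the preceding sentence.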
Line 113: Line 124:
 |  3rd week March | IND1 - Pre Controls Identification | |  3rd week March | IND1 - Pre Controls Identification |
 |  1st week April | IND1 - Post Controls Identification | |  1st week April | IND1 - Post Controls Identification |
-|  4th week April |  CVSS Base Lab | +|  4th week April | CVSS Base Lab | 
-|  1st week May |  CVSS Environmental Lab |  ​|+|  1st week May | CVSS Environmental Lab |
 | 2nd week May | IND2 Case Study Webinar by Industry partner |  | 2nd week May | IND2 Case Study Webinar by Industry partner | 
 | 1st week June | IND2 Draft Report - Qualitative | | 1st week June | IND2 Draft Report - Qualitative |
Line 128: Line 139:
 Please check Google Classroom for the templates and submission. Please check Google Classroom for the templates and submission.
  
-==== Course Material of Previous Years ====+===== Classroom Registration Form ===== 
 + 
 +Please register to Google Classroom for assignments and notifications.  
 + 
 +**If you do not register you will not be able to submit the step-by-step assignments and therefore you will not get the correspoding grades.** 
 + 
 + 
 + 
 +===== Course Material of Previous Years =====
  
   * [[security_engineering_2014|academic year 2014/2015]]   * [[security_engineering_2014|academic year 2014/2015]]
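Review bot: the Classroom Registration Form section moved here carries over the typo "correspoding" (should be "corresponding") from its previous location; since the text is otherwise unchanged, fix the spelling while moving it. The three blank lines before "===== Course Material of Previous Years =====" can be collapsed to one.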
security_engineering.txt · Last modified: 2021/01/29 10:58 (external edit)