This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.
See the UniTrento Cyber Security Master Track page for further information.
Most CS professionals will use, buy, or sell security technology and make security decisions. They do not design protocols or cryptographic algorithms; they decide which security technology to adopt. Yet they are rarely trained to make that choice. This course teaches students to choose a technology by balancing threats against controls, weighing the cost of a control against the impact and likelihood of the events it mitigates. In other words, the course teaches them to manage risk.
The course introduces students to the key principles of Security Risk Assessment (risk and threat analysis, risk assessment, control frameworks). Students will identify threats and the corresponding security controls appropriate for two industrial case studies.
At the end of the course students should be able to carry out their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study.
General knowledge about security is mandatory before attending this course (for the obvious reason that you cannot choose among technologies you do not know at all). It can be obtained by attending the Master-level courses Introduction to Computer and Network Security, Cryptography, and Security Testing of the Cyber Security track in Trento. Bachelor students from Trento might also consider the course Reti Avanzate, which provides the minimum knowledge about cryptographic protocols.
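The balancing act described above (cost of a control against the likelihood and impact of the events it mitigates) is what the quantitative part of the course formalises. The following is an added illustration, not material from the course or its case studies: it uses the classic annualised loss expectancy model (ALE = SLE × ARO), applies each candidate control's effect on likelihood (ARO) and impact (SLE), and ranks controls by net annual benefit and return on security investment (ROSI). All threat names, euro figures, reduction factors and control costs are constructed for the example.

```python
"""Quantitative comparison of candidate security controls.

Added example, not part of the course page.  It shows how to choose a control
by balancing likelihood, impact and control cost with the ALE = SLE * ARO
model.  Every threat, figure and control below is constructed for illustration
and is not taken from the course's industrial case studies.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: loss from one occurrence (EUR)
    aro: float  # annualised rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Per-threat reduction factors: 0.0 = no effect, 1.0 = threat eliminated.
    # A pre-control typically lowers likelihood (ARO); a post-control such as
    # backups lowers impact (SLE).  Threats not listed are unaffected.
    aro_reduction: dict = field(default_factory=dict)
    sle_reduction: dict = field(default_factory=dict)


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE of a threat after the control is applied."""
    aro = threat.aro * (1 - control.aro_reduction.get(threat.name, 0.0))
    sle = threat.sle * (1 - control.sle_reduction.get(threat.name, 0.0))
    return aro * sle


def evaluate(threats, control):
    """Return (risk_reduction, net_benefit, rosi) of a control over all threats."""
    before = sum(t.ale for t in threats)
    after = sum(residual_ale(t, control) for t in threats)
    reduction = before - after
    net = reduction - control.annual_cost
    rosi = net / control.annual_cost if control.annual_cost else float("inf")
    return reduction, net, rosi


def rank_controls(threats, controls):
    """Rank controls by net annual benefit (highest first).

    A negative net benefit means the control costs more per year than the
    expected loss it removes, at least in this model.
    """
    rows = []
    for c in controls:
        reduction, net, rosi = evaluate(threats, c)
        rows.append((c.name, round(reduction, 2), round(net, 2), round(rosi, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data (illustrative only).
THREATS = [
    Threat("phishing-credential-theft", sle=40_000, aro=2.0),   # ALE 80,000
    Threat("ransomware", sle=500_000, aro=0.1),                  # ALE 50,000
    Threat("insider-admin-lockout", sle=200_000, aro=0.05),      # ALE 10,000
]

CONTROLS = [
    Control("MFA for all users", 30_000,
            aro_reduction={"phishing-credential-theft": 0.9, "ransomware": 0.3}),
    Control("Offline backups + tested restore", 25_000,
            sle_reduction={"ransomware": 0.8}),
    Control("24x7 managed SOC", 150_000,
            aro_reduction={"phishing-credential-theft": 0.3, "ransomware": 0.5},
            sle_reduction={"phishing-credential-theft": 0.5, "ransomware": 0.4}),
]

if __name__ == "__main__":
    print(f"{'control':35} {'reduction':>10} {'net':>10} {'ROSI':>7}")
    for name, reduction, net, rosi in rank_controls(THREATS, CONTROLS):
        print(f"{name:35} {reduction:10.0f} {net:10.0f} {rosi:7.2f}")
```

With the constructed figures, MFA and the managed SOC remove the same amount of expected loss (87,000 EUR/year), but only MFA is worth its cost: the SOC's net benefit is negative, which is exactly the kind of cost-versus-risk comparison the course asks for. The model deliberately ignores dependencies between controls and between threats; combining controls requires recomputing residual ALE with both applied, not adding their reductions.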
Other recommended texts are
The exam evaluates the students' skill in solving problems and their knowledge of the course topics. It consists of individual exercises to be done in the lab and a final report.
In the report, students working in a group or individually apply the concepts learned during the course to analyse a real case study. The report is discussed with the lecturer and a representative of the company owning the case study. If the report has been produced by a group, all group members are normally assigned the same mark.
Being able to defend your ideas in class is an important part of the evaluation: if you cannot explain why you chose something, you get a negative mark for the corresponding exercise.
Please register to Google Classroom for assignments and notifications.
If you do not register you will not be able to submit the step-by-step assignments and therefore you will not get the corresponding grades.
|Date|Topic|Slides|Reading material|
|2018-02-19|Introduction|Introduction, Terminology|Card Frauds, ID Theft Stats|
|2018-02-23|Risk Management Fundamentals|Risk Management|The SESAR SecRAM Manual is available on Google Classroom. As examples of management guides: COBIT 5 Book and NIST 800-30 Risk Assessment Guide with the associated NIST 800-53 Security Controls Catalog, UK IAS Risk Assessment|
|2018-02-26|Identifying Assets and Activities to Be Protected|Slides|BSI Catalogues|
|2018-03-05|Identifying and Analyzing Threats, Vulnerabilities, and Exploits|Slides|ENISA Threat Taxonomy|
|2018-03-12|Risk Mitigation with Security Controls|Slides|See above for information.|
|2018-03-19|UTC - Case Study Presentation|See Google Classroom for the presentation|US-CERT's case study on malware attacks on Industrial Control Systems|
|2018-03-23|Mitigating Risks by Post-controls for Business Continuity and Disaster Recovery|Slides| |
|2018-03-26|Discussion on Likelihood Estimation| |See above for the IAS|
|2018-04-06|Visit to a SOC @ Trentino Network| | |
|2018-04-13|Introduction to Quantitative Risks|cybrisk-2017-09-quantitative.pdf|There are several proposals, for example metrics using attack graphs; another variant is available as a NIST Interagency Report|
|2018-04-16|CVSS Base Introduction|Slides|CVSS Original User Guide, CVSS Scoring Examples. There is also an official tutorial on CVSS, which also has an HTML transcript|
|2018-04-23|CVSS Environmental Introduction|Slides|See above. Look also at PCI Compliance|
|2018-05-04|CVSS Environmental Review| | |
All assignments are handed out through Google Classroom and must be submitted through Classroom. Students will be asked to comment on their assignment in class.
|Date|Exercise|Material|
|2018-03-02|ROT Exercise - Assets|Remote Virtual Tower Description|
|2018-03-09|ROT Exercise - Threats|Chris Johnson's analysis of the incidents of Linate and Überlingen and of 114 US incidents. An article on the drone accident near Nogales (2006), and the Washington Post's article on drone incidents. ABC reports of attempted voice hijacking of airplanes. Bowden's hacking of a sewage treatment plant (FISMA study of security controls, or the court conviction). Terry Childs' refusal to hand over admin rights (court documents and discussion on CIO Magazine and on ComputerWorld)|
|2018-03-16|ROT Exercise - Pre-controls|See above|
|2018-04-09|ROT Exercise - Post-controls|See above|
|2018-04-23|CVSS Environmental (Introduction)| |
|2018-04-07|Quantitative Risk Assessment (cont.)| |
|2018-05-14|UTC Case Study Webinar|See Google Classroom. There is a comprehensive tutorial on security for ICS|
|2018-04-20|CVSS Base Exercise in Class (graded, individually)| |
|2018-04-27|CVSS Environmental Exercise in Class (graded, individually)| |
|2018-05-18|UTC Exercise - Qualitative Report Review| |
|2018-05-28|UTC Exercise - Quantitative| |
|2018-06-04|UTC Exercise - Quantitative II| |
The final deliverable by June 11 should include:
Please check Google Classroom for the templates and submission.