User Tools

Site Tools


security_engineering

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
security_engineering [2018/05/14 02:28]
fabio.massacci@unitn.it [Schedule and Additional Material]
security_engineering [2021/01/29 10:58] (current)
Line 5: Line 5:
 See the [[teaching_activities|UniTrento Cyber Security Master Track page]] for further information. See the [[teaching_activities|UniTrento Cyber Security Master Track page]] for further information.
  
-===== Course Objectives (2017/​2018) ​=====+===== Lecturers ​=====
  
-Most CS professionals will actually use, buy, or sell security technology and make security decisionsThey don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach them to manage risk+  * Lecturers: [[https://​www.massacci.org|Fabio Massacci]] 
 +  * Teaching Assistant: TBC
  
-The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for two industrial case studies.+===== Syllabus =====
  
-At the end students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study +==== Course objectives ====
  
-==== Pre-requisite ====+Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. The course provides the fundamentals to chose the appropriate security technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach students to manage risk. 
  
-General knowledge about Security is mandatory before attending this course ​(for the obvious reason that you cannot chose among technologies you don't know at all). This might be obtained by attending the Master Level courses ​of Introduction to Computer ​and Network SecurityCryptography, and Security Testing at the [[https://​masterschool.eitdigital.eu/​programmes/​cse/​|Cyber Security track]] in Trento. Bachelor students from Trento might also consider ​the course on Reti Avanzate which provides the minimum knowledge about cryptographic protocols.+The course ​will introduce students to the key principles ​of Security Risk Assessment (Risk and Threat AnalysisRisk AssessmentControl Frameworks) both qualitatively ​and quantitativelyThe student will identify threats and the corresponding security controls appropriate for two industrial case studies.
  
-==== Course Material of Previous Years ====+//Students interested in further exploring the research topics behind this area can also take a Software Project (6ECTS) or a Research Project (12ECTS) by contacting the lecturers.//​
  
-  * [[security_engineering_2014|academic year 2014/2015]] 
-  * [[security_engineering_2015|academic year 2015/2016]] 
-  * [[security_engineering_2016|academic year 2016/2017]] 
  
-===== Lecturers =====+==== Intended learning outcomes ​====
  
-  * LecturersFabio Massacci +Regular and active participation in the teaching activities offered by the course (lectures, laboratories and group work) and in independent study and project activities will enable students to
-  * Teaching assistants: TBA+  * understand the fundamentals of risk management;​ 
 +  * identify the relevant assets and the corresponding impacts of possible threats for a moderately complex case study; 
 +  * mitigate threats with control according to the risk appetite of a relevant stakeholder;​ 
 +  * quantitatively estimate, for the particular case of cyber threats, the technical impact of vulnerabilities and the particular impact on their presence in a company'​s enviroment;​ 
 +  * quantitatively estimate the overall risk for a large scale network.
  
-===== Textbook =====+In terms of soft skills, active participation in the group-based teaching activities will enable students to learn how to organize group work, apply problem-solving techniques, deliver a presentation,​ and support their results with compelling arguments.
  
-  * [[http://​www.jblearning.com/​catalog/​9781284055955/​|Gibson. "​Managing Risk in Information Systems"​]]. Jones and BartlettISBN13: 9781284055955+At the end students who successfully passed the course should be able to prepare and defend a cyber risk assessment, identifying the threats and the security controls ​and the residual risk for an industrial case study of moderate complexity
  
-Other recommended texts are  +==== Prerequisites ==== 
-  ​* ​[[http://www.cl.cam.ac.uk/~rja14/book.html|Anderson. "Security ​Engineering"​]] For which a old version is also on the web+ 
-  * [[https://​www.wiley.com/​WileyCDA/​WileyTitle/​productCd-0470741155,miniSiteCd-BSG.html|Gollmann"​Computer Security"​]] which is mostly ​reference book for Security ​Technologies+General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography,​ and Security Testing at the [[https://masterschool.eitdigital.eu/programmes/​cse/|Cyber Security ​track]] in Trento. Bachelor students from Trento might also consider the course ​on Reti Avanzate which provides ​the minimum knowledge about security protocols
-===== Exam Modalities ​=====+ 
 +==== Content of the course ==== 
 + 
 +^Month ^Topic ^ 
 +| February | Introduction and Methodology | 
 +... | Risk Management Fundamentals | 
 +| ... | Risk Methodology to be used | 
 +| ... | IND1 First Case Study Presentation | 
 +| ... | Identifying Assets and Activities to Be Protected | 
 +| March | Identifying and Analyzing ThreatsVulnerabilities,​ and Exploits | 
 +| ... | Risk Mitigation with Security Controls | 
 +| ... | Mitigating Risks by post-controls for Business Continuity and Disaster Recovery ​ | 
 +| ... | Discussion on Likelihood estimation | 
 +... | IND2 - Second Case Study Presentation by Company | 
 +| April | Introduction to Quantitative Risks | 
 +| ... | CVSS Base Metrics | 
 +| ... | CVSS Environmental Metrics | 
 +| ... | Quantitative Risk Analysis - Operational Risk Measures | 
 +|May| Review of students'​ reports and material | 
 +| ... | Clarification of previous arguments | 
 + 
 +During the course we will have a visit to a Security ​Operations Center @ Trentino Network. 
 + 
 +==== Teaching Methods and Learning Activities ==== 
 + 
 +The instructors will use: 
 +  * highly interactive lecture-style presentation during which students will be required to actively participate;​ 
 +  * group projects given to small groups of students, who must discuss, analyze and present to the class the results achieved. 
 + 
 +==== Assessment Methods and Criteria ​====
  
 The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course'​s arguments. The exam will consists of both individual exercises to be done in the lab and a final report. ​ The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course'​s arguments. The exam will consists of both individual exercises to be done in the lab and a final report. ​
Line 41: Line 72:
 In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark. In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.
  
-  * Step-by-Step Qualita/ve RA Exercises during the course ​(up to 16/30) +  * Step-by-Step Qualita/ve RA Exercises during the course: ​12 points 
-     * Item Industrial Cases:Remote Virtual Control Tower Center (RTC) +      * Identify Assets, Threats, Pre and Post Controls 
-     ​Building AutomaMon by UTC (UTC) +  * Technical Assessment of Cyber Vulnerabilities: 8 points 
-     * These include: ​Identify Assets, Threats, Pre and Post Controls +     ​* ​Students will use the CVSS (Common Vulnerabilities Scoring System), world standard to identify risk  
-  * Assess ​Vulnerabilities ​Exercise (Up to 6/30) +     ​* ​from descriptions as they arrive in a CERT Bulletin 
-     * CVSS (Common Vulnerabilities Scoring System), world standard+     * as they apply to one's own security architecture 
-     * exercise 1 is to identify risk from descriptions as they arrive in a CERT Bulletin) +  * Final Project: 14 points
-     ​* ​Exercise 2 is to identify risk as they apply to you on your security architecture +
-  * Final Project ​(Up to 12/30)+
      * A complete detailed quantitative risk assessment of the industrial automation case study security architecture      * A complete detailed quantitative risk assessment of the industrial automation case study security architecture
-     * Evaluation by Industry experts ​of UTC +     * Evaluation by Industry experts ​from the case study 
  
-Being able to defend your ideas in class is an important part of the evaluation (if you cannot explain why you chose something you get a negative vote for the relative exercise).+A key criteria ​for the assessment would be the ability to identify risk assessment elements that are specific to the case study.
  
 +Being able to defend one's ideas in class is an important part of the evaluation (if a student cannot explain why s/he choses something him/her will get a negative vote for the relative exercise).
  
-===== Classroom Registration Form ===== 
  
-Please register to [[https://​classroom.google.com/​c/​MTIxMjA3NjY4NTFa|Google Classroom]] for assignments ​and notifications. ​+==== Reference ​and Bibliographic Material ====
  
-**If you do not register you will not be able to submit the step-by-step assignments ​and therefore you will not get the correspoding grades.**+The following books might be useful: 
 +  * [[http://​www.jblearning.com/​catalog/​9781284055955/​|Gibson. "​Managing Risk in Information Systems"​]]. Jones and BartlettISBN13: 9781284055955
  
-===== Schedule and Additional Material =====+Other recommended texts are  
 +  * [[http://​www.cl.cam.ac.uk/​~rja14/​book.html|Anderson. "​Security Engineering"​]] For which a old version is also on the web. 
 +  * [[https://​www.wiley.com/​WileyCDA/​WileyTitle/​productCd-0470741155,​miniSiteCd-BSG.html|Gollmann. "​Computer Security"​]] which is mostly a reference book for Security Technologies.
  
-  * Monday - room A220 - 11:​30-13:​30 +===== Detailed Schedule and Additional Material =====
-  * Friday - room A114 - 14:30-16:30 (up to 17:30 when practical exercises are held)+
  
 +**The precise schedule will only be available in the late winter 2019.**
 +  * 2 hours lectures/​exercises by professors
 +  * 2-3 hours students presentations and reviews
  
-^Date ^Topic ^Slides ^Other Material ^ +==== Past Lectures ​====
-|2018-02-19 |Introduction | {{:​teaching:​seceng:​2017:​cybrisk-2017-01-introduction.pdf|Introduction}},​ {{:​teaching:​seceng:​2017:​cybrisk-2017-02-terminology.pdf|Terminology}}| {{:​teaching:​seceng:​2015:​itgov-2012-cardfrauds.pdf|Card Frauds}}{{:​teaching:​seceng:​2015:​usgov-2015-idtheft-stats.pdf|ID Theft Stats}} | +
-|2018-02-23 |Risk Management Fundamentals | {{:​teaching:​seceng:​2017:​cybrisk-2017-03-riskmanagement.pdf|Risk Management}}| The SESAR SecRAM Manual is available on the Google ClassRoom. As examples of management guides [[https://​cobitonline.isaca.org/​l3-main?​book=framework|COBIT 5 Book]] e [[http://​csrc.nist.gov/​publications/​nistpubs/​800-30-rev1/​sp800_30_r1.pdf|NIST 800-30 Risk Assessment Guide]] and the associated [[http://​nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-53r4.pdf|NIST 800-53 Security Controls Catalog]], [[https://​www.ncsc.gov.uk/​content/​files/​guidance_files/​IS1%20%26%202%20-%20Information%20Risk%20Management%20-%20issue%204.0%20April%202012%20-%20NCSC%20Web.pdf|UK IAS risk Assessment]]| +
-| 2018-02-26 | Identifying Assets and Activities to Be Protected | {{:​teaching:​seceng:​2017:​cybrisk-2017-05-asset-identification.pdf|Slides}} | [[https://​download.gsb.bund.de/​BSI/​ITGSKEN/​IT-GSK-13-EL-en-all_v940.pdf|BSI Catalogues]] | +
-| 2018-03-05 | Identifying and Analyzing Threats, Vulnerabilities,​ and Exploits | {{:​teaching:​seceng:​2017:​cybrisk-2017-06-threats-vulns-exploits.pdf|Slides}}| {{:​teaching:​seceng:​2017:​enisa-threats-taxonomy.pdf|ENISA Threat Taxonomy}}. | +
-| 2018-03-12 | Risk Mitigation with Security Controls | {{:​teaching:​seceng:​2017:​cybrisk-2017-07-controls.pdf|Slides}}| see above for information. | +
-| 2018-03-19 | UTC - Case Study Presentation | See Google Classroom for the presentation | US CERT's case study on [[https://​ics-cert.us-cert.gov/​sites/​default/​files/​recommended_practices/​CaseStudy-002.pdf|Malware attacks on Industry Control Systems]] | +
-| 2018-03-23 | Mitigating Risks by post-controls for Business Continuity and Disaster Recovery ​ | {{:​teaching:​seceng:​2017:​cybrisk-2017-09-recovery.pdf|Slides}}| | +
-| 2018-03-26 | Discussion on Likelihood estimation | | See above for the IAS | +
-| 2018-04-06 | Visit to a SOC @ Trentino Network | | | +
-| 2018-04-13 | Introduction to Quantitative Risks | {{:​teaching:​seceng:​2017:​cybrisk-2017-09-quantitative.pdf|}} | There are several proposals for example [[https://​users.encs.concordia.ca/​~wang/​papers/​ijngc10.pdf|metrics using attack graphs]], another variant available as [[https://​pdfs.semanticscholar.org/​600e/​af2f14b549bed20f1af15b80aca3175e511b.pdf|NIST Interagency report]]| +
-| 2018-04-16 | CVSS Base Introduction |{{:​teaching:​seceng:​2017:​cybrisk-2017-10-qra-cvss-base.pdf|Slides}} | {{:​teaching:​seceng:​material:​cvss-v30-user_guide.pdf|CVSS Original User Guide}}, {{:​teaching:​seceng:​material:​cvss-v30-examples.pdf|CVSS SCoring Examples}}. There is also an [[https://​learning.first.org/​courses/​course-v1:​FIRST+CVSSv3+2017/​about|official tutorial on CVSS]], which also has an HTML transcript | +
-| 2018-04-23 | CVSS Environment Introduction | {{:​teaching:​seceng:​2017:​cybrisk-2017-10-qra-cvss-environment.pdf|Slides}} | See above. Look also at {{https://​www.elsevier.com/​books/​pci-compliance/​williams/​978-1-59749-948-4|PCI Compliance}} | +
-| 2018-05-04 | CVSS Environment Review | | | +
-| 2018-05-07 | Quantitative Risk Analysis II | {{:​teaching:​seceng:​2017:​cybrisk-2017-11-quantitative-costs.pdf|Slides}} | | +
-==== Assigned Exercises (Graded) ​====+
  
-All assignments are assigned through Google Classroom. Students will be asked to comment in class on their assignment which must be submitted through Classroom. 
  
-^Date ^Topic ^Other Material ​+^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ​
-| 2018-03-02 | ROT Exercise - Assets | [[http://​www.sesarju.eu/​sesar-solutions/​airport-integration-and-throughput/​remote-tower-single-airport|Remote Virtual Tower Description]] | +To be filled ​when the course starts.
-| 2018-03-09 | ROT Exercise Threats | Chris Johnson'​s analysis of the incidents of [[http://​www.dcs.gla.ac.uk/​~johnson/​papers/​Linate/​Chris_W_Johnson_Ueberlingen_Linate.pdf|Linate and Uberlingen]] and of [[http://​www.dcs.gla.ac.uk/​~johnson/​papers/​IET_2007/​Accident_reports.pdf|114 US incidents]]. An article on the drone accident nearby [[http://​www.ntsb.gov/​aviationquery/​brief2.aspx?​ev_id=20060509X00531&​ntsbno=CHI06MA121&​akey=1|Nogales (2006)]], and Washington Post's article on [[http://​www.washingtonpost.com/​sf/​investigative/​2014/​06/​20/​when-drones-fall-from-the-sky/ |Drones'​ incidents]]ABC reports of attempted [[http://​abcnews.go.com/​US/​story?​id=95993|voice hijacking]] of airplanes. Bowden'​s Hacking of a sewage treatment plant ({{:​teaching:​seceng:​2014:​grc-boden-sewage_spillover-fisma-study.pdf|FISMA study of security controls}} or the {{:​teaching:​seceng:​2014:​grc-boden-sewage_spillover.pdf|Court conviction}}). Terry Childs'​ refusal to pass admin rights ({{:​teaching:​seceng:​2014:​grc-childs-refusal.pdf|Court documents}} and discussion on {{http://​www.cio.com.au/​article/​255165/​sorting_facts_terry_childs_case?​fp=&​fpid=&​pf=1|CIO Magazine}} and {{http://​www.computerworld.com/​article/​2517653/​security0/​after-verdict--debate-rages-in-terry-childs-case.html|on ComputerWorld}}) | +
-| 2018-03-16 | ROT Exercise - Pre Controls | see above | +
-| 2018-04-09 | ROT Exercise - Post Controls | see above |+
  
-==== Forthcoming ​Lectures ====+==== Upcoming ​Lectures ====
  
-^Date ^Topic ^Slides ^Other Material ​+^ Date ^ Weekday ^ Hours ^ Topic ^ Slides ^ Additional materials ​
-| 2018-04-23 | CVSS Environmental ​(Introduction| | | +To be filled when the course schedule is known (around January).
-| 2018-04-07 | Quantitative Risk Assessment (cont) | | | +
-| 2018-05-14 | UTC Case Study Webinar | See Google Classroom | There is a comprehensive [[https://​ics-cert-training.inl.gov/​learn|tutorial on Security for ICS]] | +
-| 2018-05-06 | Presentations Review | | |+
  
-==== Forthcoming Discussion in Class of Exercises (Graded) ====+==== Assigned ​Exercises (Graded) ====
  
-^Date ^Topic ^Other Material ^ +All assignments are assigned through Google Classroom. Students will be asked to comment in class on their assignment which must be submitted through Classroom. 
-2018-04-20 CVSS Base Exercise in Class (Graded - individually) ​| | + 
-2018-04-27 | CVSS Environmental ​Exercise in Class (Graded -individually) ​| | +The following is a tentative schedule. 
-2018-05-18 ​UTC Exercise ​- Qualitative ​Report Review | + 
-2018-05-28 ​UTC Exercise ​- Quantitative ​+^Date ^Topic ^ Submission Type  
-2018-06-04 ​UTC Exercise ​Quantitative II | |+ 1 week March | IND1 Assets Identification  ​ 
 + 2nd week March | IND1 - Threats Identification ​
 + 3rd week March | IND1 Pre Controls Identification | 
 +|  1st week April | IND1 Post Controls Identification | 
 +|  4th week April | CVSS Base Lab | 
 +|  1st week May | CVSS Environmental ​Lab | 
 +| 2nd week May | IND2 Case Study Webinar by Industry partner ​|  
 +1st week June IND2 Draft Report ​- Qualitative | 
 +Mid June IND2 Final Report ​- Quantitative | 
 +4th week June IND2 students'​ presentations to industry partners ​|
  
 ==== Final Report ==== ==== Final Report ====
  
-The final deliverable by June 11 should include: +The final deliverable by Mid June on case study IND2 should include: 
-  * the report ​summarising ​the finding ​of your security risk assessment ​in Google Docs format ​ +  * the report ​summarizing ​the findings ​of your security risk assessment 
-  * security risk assessment ​of the case with SESAR SecRAM in Google Spreadsheets format+  * the spreadsheet with the detailed ​security risk assessment ​
  
 Please check Google Classroom for the templates and submission. Please check Google Classroom for the templates and submission.
  
 +===== Classroom Registration Form =====
 +
 +Please register to Google Classroom for assignments and notifications. ​
 +
 +**If you do not register you will not be able to submit the step-by-step assignments and therefore you will not get the correspoding grades.**
 +
 +
 +
 +===== Course Material of Previous Years =====
 +
 +  * [[security_engineering_2014|academic year 2014/2015]]
 +  * [[security_engineering_2015|academic year 2015/2016]]
 +  * [[security_engineering_2016|academic year 2016/2017]]
 +  * [[security_engineering_2017|academic year 2017/2018]]
  
security_engineering.1526257713.txt.gz · Last modified: 2021/01/29 10:58 (external edit)