User Tools
Table of Contents
Security Engineering and Management (2014/2015)
This course is offered at the University of Trento by the security group in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (EIT Digital).
See the UNITN S&P EIT page for further information.
See the current Security Engineering Course for further information.
Course Objectives
Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decides which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on case studies from industry.
The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high level view of some Security Technologies (Authentication, Database, Access control, Web Application, etc). By using two industrial risk assessment methodologies, the student will identify threats and the corresponding security controls appropriate for an industrial case study.
At the end students should be able to make their own security analysis, documenting the threats and the security controls or requirements for an industrial case study
Lecturers
- Lecturers: Fabio Massacci
- Teaching assistant: Katsiaryna Labunets
Exam Modalities
The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of an oral and written part. The written part will be a report where students working in group or alone apply the concepts learned during the course to analyze a real case study. The oral part will consist in a discussion of the report with the lecturer and a company representative owning the case study.
The students who will attend the class will have the opportunity to present their work and receive feedbacks before the final submission of the report. The final mark will be assigned based on the written report. If the work for the report has been done in group, all the group members will be assigned the same mark
Registration Form
You can register to the course on the following link: registration form BY October 13th.
Note: If you have a problem in finding a group partner, send us a message: labunets (at) disi.unitn.it.
Schedule
- Tuesday - room A224 - 11:00-12:30
- Wednesday - room A222 - 14:00-15:30 (up to 17:00 when practical exercises are held)
| Date | Topic | Slides | Other Material |
|---|---|---|---|
| 2014-09-16 | Administrative Information and Introduction | General Information and Terminology and Foundations | |
| 2014-09-17 | Malware Markets and Advanced Persistent Threats | Overview of attackers | |
| 2014-09-23 | Information Security Management | GRC and ISMS | COBIT 5 Book |
| 2014-09-24 | Risk Management | Slides | NIST 800-53 Security Controls Catalog, NIST 800-30 Risk Assessment Guide |
| 2014-09-29 | Cryptopgraphy (a superzipped introduction) | Slides Attend the Applied Crypto course if you are interested in further details | Information on the importance of protecting keys and certificates for Diginotar Failure and additional details in FoxIT security report |
| 2014-10-07 | SESAR SecRAM Tutorial | Slides | The SESAR SecRAM tutorial is restricted by NDA |
| 2014-10-14 | Coras Tutorial | Slides | CORAS Guidelines (Book is in the library), Ponemon Reports on Data breaches 2014 (Global) and 2011 by country (US and DE contain breakdown by threat agent) |
| 2014-10-20 | Case Study Presentation | The Remote and Virtual Tower document is restricted by NDA. If you are planning to do the the exam, fill the NDA and hand it in class | Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales (2006), and Washington Post's article on Drones' incidents |
| 2014-10-21 | Identity and Access Management | lecture-2014-10-identity-and-access-control.pdf | Report on the frauds by John Rusnak and by Jerome Kevriel as (INSEAD Case study or the offical report) |
| 2014-10-28 | MAC and Access Control Models | slides | Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld) |
| 2014-10-29 | User Authentication | Slides | ABC reports of attempted voice hijacking of airplanes |
| 2014-11-04 | Web Application Security | Slides | |
| 2014-11-11 | Web Application Security - II | Slides | Cross site scripting for ICS on the US CERT ICS Web Site |
| 2014-11-12 | Discussion of Security Standards | PCI (Credit Cards) and BSI (German General Standard) | PCI - General Guidance for overall system securityPCI - application security guidelines, BSI General Catalogue of security controls |
| 2014-11-17 | Infrastructural Security - Network Security | Slides | US CERT cyber list of vulnerabilities |
| 2014-11-18 | Infrastructural Security - OS Security | Slides | US CERT's definition of Engineering Workstations |
| 2014-12-02 | BYOD and Mobile Security | Slides | |
| 2014-12-03 | Malware | US CERT's case study on Malware attacks on Industry Control Systems |
Additional Material
| Date | Topic | Slides | Material | Delivery date |
|---|---|---|---|---|
| 2014-09-17 | Vulnerability Assessment Exercise | Vulnerability scoring exercise slides | List of Vulnerabilities (Scoring instructions on paper) | in class |
| 2014-09-24 | Security Controls and Requirements Exercise: identify the security controls for a e-health application | no slides | List of security controls and Instruction Sheet | Return sheet on Tuesday 30/September |
| 2014-10-01 | Modeling Risk Exercise: evaluate the comprehension of graphical and tabular risk models | Risk modeling exercise slides | No Material | in class |
| 2014-10-08 | SecRAM exercise | SecRAM exercise slides | Dropbox folder with material | in class: upload here |
| 2014-10-15 | CORAS exercise | CORAS exercise slides | Dropbox folder with material | Final result to be uploaded here before next lecture |
| 2014-11-05 | Web Application Security exercise | exercise slides | WebGoat | |
| 2014-11-28 | Sweden opens the first airport with Remote Tower Services | News Announcement on LFV web site |
Report: Material, Deadlines, Assignments
Materials
The final deliverable should include the following documents:
- [1 file] Security Engineering report which presents the results of all three deliverables (template).
- [1 file] Summary of results which aggregates the results of all three deliverables (template). This document should be submitted in Excel format ONLY.
The final presentation template in .pptx format: template. The final presentation should be submitted in Power Point or PDF format.
[OLD] Each deliverable should include the following documents:
Groups Assignment to Methods
| Group | Task 1a (Identity management) | Task 1b (Access management) | Task 2 (WebApp/DB) | Task 3 (Networking/Infrastructure) |
|---|---|---|---|---|
| G01 | CORAS | SecRAM | CORAS | SecRAM |
| G02 | SecRAM | CORAS | SecRAM | CORAS |
| G03 | CORAS | SecRAM | CORAS | SecRAM |
| G04 | CORAS | SecRAM | CORAS | SecRAM |
| G05 | CORAS | SecRAM | CORAS | SecRAM |
| G06 | CORAS | SecRAM | CORAS | SecRAM |
| G07 | SecRAM | CORAS | SecRAM | CORAS |
| G08 | SecRAM | CORAS | SecRAM | CORAS |
| G09 | SecRAM | CORAS | SecRAM | CORAS |
| G10 | SecRAM | CORAS | SecRAM | CORAS |
| G11 | CORAS | SecRAM | CORAS | SecRAM |
| G12 | CORAS | SecRAM | CORAS | SecRAM |
| G13 | SecRAM | CORAS | SecRAM | CORAS |
| G14 | SecRAM | CORAS | SecRAM | CORAS |
| G15 | SecRAM | CORAS | SecRAM | CORAS |
| G16 | CORAS | SecRAM | CORAS | SecRAM |
| G17 | SecRAM | CORAS | SecRAM | CORAS |
| G18 | CORAS | SecRAM | CORAS | SecRAM |
| G19 | SecRAM | CORAS | SecRAM | CORAS |
| G20 | CORAS | SecRAM | CORAS | SecRAM |
Deadlines
| Deadline | Deliverable | Submission link |
|---|---|---|
| 2014-11-17 | Deliverable 1: Report on the methods (CORAS and SecRAM) application on the Authentication and Access Management Security. | 1) Submit report files by 2014-11-17 12:00:00 (Trento time zone) via upload form. 2) Both members of the group should answer post-task questionnaire by 2014-11-17 18:00:00 (Trento time) via post-task questionnaire form. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted. |
| 2014-12-01 | Deliverable 2: Report on method application on the Web Application Security. | Submit report files by 2014-12-01 12:00:00 (Trento time zone) via upload form. |
| 2014-12-15 | Deliverable 3: Report on method application on the Networking and Infrastructure Security. | Submit report files by 2014-12-15 12:00:00 (Trento time zone) via upload form. |
| 2015-01-12 | Final Deliverable: Final report on the methods application on three security tasks. | 1) Submit report files by 2015-01-12 12:00:00 (Trento time zone) via upload form. 2) Both members of the group should answer post-task questionnaire by 2015-01-12 18:00:00 (Trento time) via post-task questionnaire form. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted. |
| 2015-01-13 - 2015-01-16 | Focus Group Interviews | Each group member should register for focus groups by 2015-01-12 15:00 via Doodle form. Pick up one time slot per person. Fist come, first served. |
| 2015-01-28 - 2015-01-29 | Final presentation in front of the ATM security expert. | Submit final presentation file by 2015-01-26 12:00:00 (Trento time zone) via upload form. In order to register to the final exam you need: 1) Register to Security engineering final exam in January via ESSE3. 2) Pick up one slot for your presentation in Doodle. In the Doodle specify your group ID and the name of the student who made the registration. |
Each deliverable should be submitted by 12:00:00 PM (noon) of the day of the deadline (see the table above).
