security_engineering_2014 [2015/09/10 14:48]
fabio.massacci@unitn.it created
security_engineering_2014 [2015/09/10 14:52] (current)
fabio.massacci@unitn.it
Line 1: Line 1:
 +====== Security Engineering and Management (2014/2015) ======
 +
 +This course is offered at the University of Trento by the [[security_group|security group]] in the framework of the [[http://www.masterschool.eitictlabs.eu/programme/majors/sap/|Security and Privacy Master]] of the [[http://www.eitictlabs.eu/|European Institute of Innovation and Technology (EIT Digital)]].
 +
 +See the [[teaching_activities|UNITN S&P EIT page]] for further information.
 +
 +See the current [[security_engineering|Security Engineering Course]] for further information.
 +
 +===== Course Objectives =====
 +
 +Most CS professionals will actually use, buy, or sell security technology and make security decisions. They design neither protocols nor crypto algorithms; they decide which security technology they are going to use. However, they are not trained to actually choose that technology. The course should teach them to choose the technology based on case studies from industry.
 +
 +The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high-level view of some Security Technologies (Authentication, Database, Access Control, Web Application, etc.). By applying two industrial risk assessment methodologies, the students will identify threats and the corresponding security controls appropriate for an industrial case study.
 +
 +At the end, students should be able to carry out their own security analysis, documenting the threats and the security controls or requirements for an industrial case study.
 +
 +===== Lecturers =====
 +
 +  * Lecturers: Fabio Massacci
 +  * Teaching assistant: Katsiaryna Labunets
 +
 +===== Exam Modalities =====
 +
 +The exam will evaluate the students' skills in solving problems and their knowledge of the course topics. The exam will consist of an oral and a written part. The written part will be a report in which students, working in groups or alone, apply the concepts learned during the course to analyze a real case study. The oral part will consist of a discussion of the report with the lecturer and a representative of the company that owns the case study.
 +
 +Students who attend the class will have the opportunity to present their work and receive feedback before the final submission of the report.
 +The final mark will be assigned based on the written report. If the work for the report has been done in a group, all the group members will be assigned the same mark.
 +
 +===== Registration Form =====
 +
 +You can register for the course at the following link: [[https://docs.google.com/forms/d/1n4OZiOziiABww-XXvmOP2_wSsTtbZloARvDzZ50XuSQ/viewform|registration form]] **BY October 13th**.
 +
 +**Note:** If you have a problem in finding a group partner, send us a message: __labunets (at) disi.unitn.it__.
 +
 +===== Schedule =====
 +
 +  * Tuesday   - room A224 - 11:00-12:30
 +  * Wednesday - room A222 - 14:00-15:30 (up to 17:00 when practical exercises are held)
 +
 +^ Date       ^ Topic                                           ^ Slides ^ Other Material ^
 +| 2014-09-16 | Administrative Information and Introduction     | {{:teaching:seceng:2014:lecture-2014-01-introduction.pdf|General Information}} and {{:teaching:seceng:2014:lecture-2014-02-computer-security-foundations.pdf|Terminology and Foundations}} |  |
 +| 2014-09-17 | Malware Markets and Advanced Persistent Threats | {{:lecture_17-09-2014bpdf.pdf|Overview of attackers}}|
 +| 2014-09-23 | Information Security Management |{{:teaching:seceng:2014:lecture-2014-03-security-management.pdf|GRC and ISMS}} | [[https://cobitonline.isaca.org/l3-main?book=framework|COBIT 5 Book]] |
 +| 2014-09-24 | Risk Management | {{:teaching:seceng:2014:lecture-2014-04-risk_assessment.pdf|Slides}}| [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf|NIST 800-53 Security Controls Catalog]], [[http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf|NIST 800-30 Risk Assessment Guide]] |
 +| 2014-09-29 | Cryptography (a superzipped introduction) | {{:teaching:seceng:2014:lecture-2014-05-cryptography.pdf|Slides}} Attend the Applied Crypto course if you are interested in further details | Information on the importance of protecting keys and certificates from the [[http://en.wikipedia.org/wiki/DigiNotar|DigiNotar failure]], with additional details in the {{:teaching:offtech:2014:black-tulip-update.pdf|Fox-IT security report}} |
 +| 2014-10-07| SESAR SecRAM Tutorial | {{:teaching:teaching:seceng:2014:sesar-secram-tutorial.pdf|Slides}}  | The SESAR SecRAM tutorial is restricted by NDA |
 +| 2014-10-14| Coras Tutorial | {{:teaching:seceng:2014:lecture-2014-07-coras-riskanalysis.pdf|Slides}} | CORAS {{:teaching:seceng:2014:coras.pdf|Guidelines}} (Book is in the library), Ponemon Reports on Data breaches 2014 ({{:teaching:seceng:2014:ponemom-databreach-2014.pdf|Global}}) and 2011 by country ({{:teaching:seceng:2014:ponemom-databreach-us-2011.pdf|US}} and  {{:teaching:seceng:2014:ponemom-databreach-de-2011.pdf|DE}} contain breakdown by threat agent)  |
 +| 2014-10-20| Case Study Presentation | The Remote and Virtual Tower document is restricted by NDA. If you are planning to take the exam, fill in the NDA and hand it in during class | Chris Johnson's analysis of the incidents of [[http://www.dcs.gla.ac.uk/~johnson/papers/Linate/Chris_W_Johnson_Ueberlingen_Linate.pdf|Linate and Überlingen]] and of [[http://www.dcs.gla.ac.uk/~johnson/papers/IET_2007/Accident_reports.pdf|114 US incidents]]. An article on the drone accident near [[http://www.ntsb.gov/aviationquery/brief2.aspx?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1|Nogales (2006)]], and the Washington Post's article on [[http://www.washingtonpost.com/sf/investigative/2014/06/20/when-drones-fall-from-the-sky/|Drones' incidents]] |
 +| 2014-10-21| Identity and Access Management | {{:teaching:seceng:2014:lecture-2014-10-identity-and-access-control.pdf|Slides}} | Reports on the frauds by {{:teaching:seceng:2014:grc-john_rusnak_s_banking_fraud.pdf|John Rusnak}} and by Jérôme Kerviel ([[http://www.insead.edu/facultyresearch/centres/isic/ecsr/research/documents/SocieteGeneraleATheRogueTrader.pdf|INSEAD case study]] or {{:teaching:seceng:2014:grc-soc-jerome_kevriel_fraud.pdf|the official report}}) |
 +| 2014-10-28| MAC and Access Control Models | {{:teaching:seceng:2014:lecture-2014-11-security-models.pdf|Slides}} | Boden's hacking of a sewage treatment plant ({{:teaching:seceng:2014:grc-boden-sewage_spillover-fisma-study.pdf|FISMA study of security controls}} or the {{:teaching:seceng:2014:grc-boden-sewage_spillover.pdf|Court conviction}}). Terry Childs' refusal to hand over admin rights ({{:teaching:seceng:2014:grc-childs-refusal.pdf|Court documents}} and discussion in [[http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?fp=&fpid=&pf=1|CIO Magazine]] and [[http://www.computerworld.com/article/2517653/security0/after-verdict--debate-rages-in-terry-childs-case.html|ComputerWorld]])|
 +| 2014-10-29| User Authentication | {{:teaching:seceng:2014:lecture-2014-12-authentication.pdf|Slides}} | ABC reports of attempted [[http://abcnews.go.com/US/story?id=95993|voice hijacking]] of airplanes |
 +| 2014-11-04| Web Application Security | {{:teaching:seceng:2014:lecture-2014-13-web-application-security.pdf|Slides}} |  |
 +| 2014-11-11| Web Application Security - II | {{:teaching:seceng:2014:lecture-2014-15-webapplicationsecurity.pdf|Slides}} | [[https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/RP_CaseStudy_XSS_10-24-07_Final.pdf|Cross site scripting for ICS]] on the US CERT ICS Web Site |
 +| 2014-11-12| Discussion of Security Standards | PCI (Credit Cards) and BSI (German General Standard) | [[https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf|PCI - General Guidance for overall system security]], [[https://www.pcisecuritystandards.org/documents/PA-DSS_v3.pdf|PCI - application security guidelines]], [[https://gsb.download.bva.bund.de/BSI/ITGSKEN/IT-GSK-13-EL-en-all_v940.pdf|BSI General Catalogue of security controls]] |
 +| 2014-11-17| Infrastructural Security - Network Security | {{:teaching:seceng:2014:lecture-2014-16-network-security.pdf|Slides}} | [[https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities|US CERT cyber list of vulnerabilities]] |
 +| 2014-11-18| Infrastructural Security - OS Security | {{:teaching:seceng:2014:lecture-2014-17-os-vm-security.pdf|Slides}} | US CERT's definition of [[https://ics-cert.us-cert.gov/Control_System_Engineering_Workstation-Definition.html|Engineering Workstations]] |
 +| 2014-12-02| BYOD and Mobile Security | {{:teaching:seceng:2014:lecture_2014-18-byod-mobile.pdf|Slides}} |  |
 +| 2014-12-03 | Malware |  | US CERT's case study on [[https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/CaseStudy-002.pdf|Malware attacks on Industry Control Systems]] |
 +
 +
 +===== Additional Material =====
 +
 ^ Date       ^ Topic                                           ^ Slides ^ Material ^ Delivery date ^
 | 2014-09-17 | Vulnerability Assessment Exercise | {{:lecture_17-09-2014_excercise_pdf.pdf|Vulnerability scoring exercise slides}}| {{:teaching:seceng:2014:scoring_excercise_unitn_pdf.pdf|List of Vulnerabilities}} (Scoring instructions on paper) | in class |
Line 7: Line 70:
 | 2014-11-05 | Web Application Security exercise | {{:teaching:teaching:seceng:2014:lecture-14-applicationsecurity.pdf|exercise slides}}|  | [[https://www.dropbox.com/sh/4tq27o35n979bcz/AAD1FcyMvdPgJHzmbhb-HKita?dl=0|WebGoat]]|
 | 2014-11-28 | Sweden opens the first airport with Remote Tower Services | |  | [[http://www.lfv.se/en/News/News-20141/LFV-first-in-the-world-to-have-an-operating-licence-for-remote-towers/|News Announcement]] on LFV web site|
 +
 +===== Report: Material, Deadlines, Assignments =====
 +
 +===== Materials =====
 +The final deliverable should include the following documents:
 +  - [1 file] Security Engineering report which presents the results of all three deliverables  ({{:teaching:seceng:2014:security_engineering_report_-_template.docx|template}}).
 +  - [1 file] Summary of results which aggregates the results of all three deliverables ({{:teaching:seceng:2014:summary_of_results_-_template.xlsx|template}}). This document should be **submitted in Excel format ONLY**.
 +  - [4 files] Method artifact files for each deliverable (1a, 1b, 2 and 3): CORAS artifact file ({{:teaching:seceng:2014:coras-excercise-template.pptx|template}}) or SecRAM artifact file ({{:teaching:seceng:2014:secram-exercise-template.xlsx|template}}).
 +
 +The final presentation template in .pptx format: {{:teaching:seceng:2014:seceng-final-persentation-template.pptx|template}}. The final presentation should be submitted in PowerPoint or PDF format.
 +
 +----
 +
 +[OLD] Each deliverable should include the following documents:
 +  - Security Engineering report ({{:teaching:seceng:2014:security_engineering_report_-_template.docx|template}}).
 +  - Summary of results ({{:teaching:seceng:2014:summary_of_results_-_template.xlsx|template}}). This document should be **submitted in Excel format ONLY**.
 +  - Method artifact file: CORAS artifact file ({{:teaching:seceng:2014:coras-excercise-template.pptx|template}}) or SecRAM artifact file ({{:teaching:seceng:2014:secram-exercise-template.xlsx|template}}). **Note:** Deliverable 1 should contain method artifact files for both the CORAS and SecRAM methods. Deliverables 2 and 3 should contain the method artifact file for the assigned method.
 +
 +
 +===== Groups Assignment to Methods =====
 +
 +^ Group ^ Task 1a (Identity management) ^ Task 1b (Access management) ^ Task 2 (WebApp/DB) ^ Task 3 (Networking/Infrastructure) ^
 +| G01 | CORAS | SecRAM | CORAS | SecRAM |
 +| G02 | SecRAM | CORAS | SecRAM | CORAS |
 +| G03 | CORAS | SecRAM | CORAS | SecRAM |
 +| G04 | CORAS | SecRAM | CORAS | SecRAM |
 +| G05 | CORAS | SecRAM | CORAS | SecRAM |
 +| G06 | CORAS | SecRAM | CORAS | SecRAM |
 +| G07 | SecRAM | CORAS | SecRAM | CORAS |
 +| G08 | SecRAM | CORAS | SecRAM | CORAS |
 +| G09 | SecRAM | CORAS | SecRAM | CORAS |
 +| G10 | SecRAM | CORAS | SecRAM | CORAS |
 +| G11 | CORAS | SecRAM | CORAS | SecRAM |
 +| G12 | CORAS | SecRAM | CORAS | SecRAM |
 +| G13 | SecRAM | CORAS | SecRAM | CORAS |
 +| G14 | SecRAM | CORAS | SecRAM | CORAS |
 +| G15 | SecRAM | CORAS | SecRAM | CORAS |
 +| G16 | CORAS | SecRAM | CORAS | SecRAM |
 +| G17 | SecRAM | CORAS | SecRAM | CORAS |
 +| G18 | CORAS | SecRAM | CORAS | SecRAM |
 +| G19 | SecRAM | CORAS | SecRAM | CORAS |
 +| G20 | CORAS | SecRAM | CORAS | SecRAM |
 +===== Deadlines =====
 +
 +^ Deadline                  ^ Deliverable ^ Submission link   ^
 +|2014-11-17 | Deliverable 1: Report on the methods (CORAS and SecRAM) application on the Authentication and Access Management Security. | 1) Submit report files by 2014-11-17 12:00:00 (Trento time zone) via [[http://www.surveygizmo.com/s3/1892992/seceng2014-d1-upload-form|upload form]]. 2) Both members of the group should answer post-task questionnaire by 2014-11-17 18:00:00 (Trento time) via [[http://www.surveygizmo.com/s3/1890503/seceng2014-post-task-questionnaire|post-task questionnaire form]]. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted. |
 +|2014-12-01 | Deliverable 2: Report on method application on the Web Application Security. | Submit report files by 2014-12-01 12:00:00 (Trento time zone) via [[http://www.surveygizmo.com/s3/1905593/seceng2014-d2-upload-form|upload form]]. |
 +|2014-12-15 | Deliverable 3: Report on method application on the Networking and Infrastructure Security. | Submit report files by 2014-12-15 12:00:00 (Trento time zone) via [[http://www.surveygizmo.com/s3/1931094/seceng2014-d3-upload-form|upload form]]. |
 +|2015-01-12 | Final Deliverable: Final report on the methods application on three security tasks. | 1) Submit report files by 2015-01-12 12:00:00 (Trento time zone) via [[http://www.surveygizmo.com/s3/1954820/seceng2014-final-upload-form|upload form]]. 2) Both members of the group should answer post-task questionnaire by 2015-01-12 18:00:00 (Trento time) via [[http://www.surveygizmo.com/s3/1954808/seceng2014-final-post-task-questionnaire|post-task questionnaire form]]. NOTE THAT If only one of two team members answers the post-task questionnaire then the submission will not be accepted. |
 +|2015-01-13 - 2015-01-16| Focus Group Interviews | Each group member should register for focus groups by 2015-01-12 15:00 via [[http://doodle.com/v9f9z5kf85hf9eap|Doodle form]]. Pick up one time slot per person. Fist come, first served. |
 +|2015-01-28 - 2015-01-29| Final presentation in front of the ATM security expert. | Submit final presentation file by 2015-01-26 12:00:00 (Trento time zone) via [[http://www.surveygizmo.com/s3/1956545/seceng-2014-slides-upload-form|upload form]]. In order to register to the final exam you need: 1) Register to Security engineering final exam in January via ESSE3. 2) Pick up one slot for your presentation in [[http://doodle.com/f6wkse3aiv8qppf7|Doodle]]. In the Doodle specify your group ID and the name of the student who made the registration. |
 +
 +Each deliverable should be submitted **by 12:00:00 PM (noon) of the day of the deadline** (see the table above).
 +
  
security_engineering_2014.txt · Last modified: 2015/09/10 14:52 by fabio.massacci@unitn.it