User Tools
Table of Contents
Security Engineering and Cyber Security Risk Assessment
This course is offered at the University of Trento by the security group in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (EIT Digital).
See the UNITN S&P EIT page for further information.
See the new course for this academic year for uptodate information
Course Objectives (2015/2016)
Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decides which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on case studies from industry.
The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high level view of some Security Technologies (Authentication, Database, Access control, Web Application, etc). By using two industrial risk assessment methodologies, the student will identify threats and the corresponding security controls appropriate for an industrial case study.
At the end students should be able to make their own security analysis, documenting the threats and the security controls or requirements for an industrial case study
Lecturers
- Lecturers: Fabio Massacci
- Teaching assistant: Katsiaryna Labunets
Exam Modalities
The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of an oral and written part. The written part will be a report where students working in group or alone apply the concepts learned during the course to analyze a real case study. The oral part will consist in a discussion of the report with the lecturer and a company representative owning the case study.
The students who will attend the class will have the opportunity to present their work and receive feedbacks before the final submission of the report. The final mark will be assigned based on the written report. If the work for the report has been done in group, all the group members will be assigned the same mark
Registration Form
You can register to the course on the following link: registration form BY October 13th.
Note: If you have a problem in finding a group partner, send us a message: katsiaryna (dot) labunets (at) unitn.it.
Schedule
- Tuesday - room A224 - 11:00-13:00
- Wednesday - room A203 - 14:00-16:00 (up to 17:00 when practical exercises are held)
| Date | Topic | Slides | Other Material |
|---|---|---|---|
| 2015-09-15 | Administrative Information and Introduction | Lecture 1 | Card FraudsID Theft Stats |
| 2015-09-16 | Terminology | Lecture 2 | Lecture 2 Crime Statistics |
| 2015-09-22 | GRC | Lecture 3 GRC and MFC exercise with data | As examples of management guides COBIT 5 Book e NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog. To understand risks, try doing this exercise in Epidemiology |
| 2015-09-23 | Comprehensibility Exercise | Understanding Risk Models, See Google Classroom. | |
| 2015-09-29 | SESAR SecRAM | Lecture 4 SESAR SecRAM | Additional material subject to NDAs, See Google Classroom |
| 2015-09-30 | SESAR Exercise | See Google Classroom | |
| 2015-10-06 | CORAS | Lecture 6 CORAS | CORAS Guidelines (Book is in the library) |
| 2015-10-07 | CORAS Exercises | See Google Classroom | |
| 2015-10-13 | Case Study | Lecture 8 UTM | Brief UTM NASA fact sheet, Technical Memorandum for security and safety requirements UTM NASA technical memo, and Amazon memorandum for commercial interests. Additional Information from NASA: utm nasa presentation long, utm nasa presentation very long, utm thesis Connor Theilmann. Additional material on ATM incidents: Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales in 2006 (old link, new link), and Washington Post's article on Drones' incidents |
| 2015-10-14 | Users - Introduction to Identity and Access Management | Lecture 9 IAM | Report on the frauds by John Rusnak and by Jerome Kevriel as (INSEAD Case study or the offical report) |
| 2015-10-20 | Users - Security Models | Lecture 10 Access Models | Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld) |
| 2015-09-20 | Exercise | Finding security requirements without RASEcurity Requirements Guide | |
| 2015-10-21 | Crytography (A superzipped introduction) | Lecture 11 Cryptography | Attend the Applied Crypto Course for more information, Information on the importance of protecting keys and certificates for Diginotar Failure and additional details in FoxIT security report |
| 2015-10-27 | Users - Authentication | Lecture 12 Authentication | ABC report of attempted voice hijacking of airplanes |
| 2015-10-28 | Applications - Web Authentication (SSO, etc.) | Lecture 13 (Web) Application security | Cross site scripting for ICS on the US CERT ICS Web Site |
| 2015-11-03 | Applications - OWASP Software Security | Lecture 14 WebApp Security | |
| 2015-11-04 | |||
| 2015-11-10 | Applications - Database Security | Lecture 15 DB Security | |
| 2015-11-11 | Infrastructure - Network | Lecture 16 Network Security | |
| 2015-11-17 | Infrastructure - OS Security | Lecture 17 OS Security | ESWeek tutorial |
| 2015-11-18 | Infrastructure Cloud Security | Lecture 18 Cloud security | Datacenter as computer Google Admin Fired Waidner-Security and Cloud Computing |
| 2015-11-24 | CORAS Discussion on User | ||
| 2015-11-25 | SECRAM Discussion on User | ||
| 2015-12-01 | Infrastructure - Mobile Security | ||
| 2015-12-02 | Vulnerability Exercise | ||
| 2015-12-08 | |||
| 2015-12-09 | CORAS/SECRAM Discussion on Application | ||
| 2015-12-15 | Cloud Exercise | ||
| 2015-12-16 | CORAS/SecRAM Discussion on Network |
Final Report, Group Assignment, Deadlines
Final Report
The final deliverable should include the following documents:
- [1 file] Security Engineering report which presents the results of all three deliverables (template).
- [1 file] Summary of results which aggregates the results of all three deliverables (template). This document should be submitted in Excel format ONLY.
The final presentation template in .pptx format: template. The final presentation should be submitted in Power Point or PDF format.
Groups Assignment to Methods
| Group | Task 1a (Identity management) | Task 1b (Access management) | Task 2 (WebApp/DB) | Task 3 (Networking/Infrastructure) |
|---|---|---|---|---|
| G01 | SECRAM | CORAS | SECRAM | CORAS |
| G02 | CORAS | SECRAM | CORAS | SECRAM |
| G03 | CORAS | SECRAM | CORAS | SECRAM |
| G04 | CORAS | SECRAM | CORAS | SECRAM |
| G05 | SECRAM | CORAS | SECRAM | CORAS |
| G06 | SECRAM | CORAS | SECRAM | CORAS |
| G07 | CORAS | SECRAM | CORAS | SECRAM |
| G08 | SECRAM | CORAS | SECRAM | CORAS |
| G09 | CORAS | SECRAM | CORAS | SECRAM |
| G10 | CORAS | SECRAM | CORAS | SECRAM |
| G11 | CORAS | SECRAM | CORAS | SECRAM |
| G12 | SECRAM | CORAS | SECRAM | CORAS |
| G13 | SECRAM | CORAS | SECRAM | CORAS |
| G14 | CORAS | SECRAM | CORAS | SECRAM |
| G15 | CORAS | SECRAM | CORAS | SECRAM |
| G16 | SECRAM | CORAS | SECRAM | CORAS |
| G17 | CORAS | SECRAM | CORAS | SECRAM |
| G18 | SECRAM | CORAS | SECRAM | CORAS |
| G19 | CORAS | SECRAM | CORAS | SECRAM |
| G20 | CORAS | SECRAM | CORAS | SECRAM |
| G21 | SECRAM | CORAS | SECRAM | CORAS |
| G22 | SECRAM | CORAS | SECRAM | CORAS |
| G23 | SECRAM | CORAS | SECRAM | CORAS |
| G24 | CORAS | SECRAM | CORAS | SECRAM |
| G25 | SECRAM | CORAS | SECRAM | CORAS |
| G26 | SECRAM | CORAS | SECRAM | CORAS |
| G27 | CORAS | SECRAM | CORAS | SECRAM |
Deadlines
| Deadline | Deliverable | Submission link |
|---|---|---|
| 2015-11-16 | User Level Security | Select the course on classroom.google.com |
| 2015-11-30 | Application Security | |
| 2015-12-14 | Infrastructural Security | |
| 2016-01-11 | ||
Each deliverable should be submitted by 12:00:00 PM (noon) of the day of the deadline (see the table above).
