User Tools
security_engineering_2015
Differences
This shows you the differences between two versions of the page.
|
security_engineering_2015 [2018/02/20 12:00] fabio.massacci@unitn.it [Security Engineering and Cyber Security Risk Assessment] |
security_engineering_2015 [2021/01/29 11:58] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Security Engineering and Cyber Security Risk Assessment ====== | ||
| - | |||
| - | This course is offered at the University of Trento by the [[security_group|security group]] in the framework of the [[http://www.masterschool.eitictlabs.eu/programme/majors/sap/|Security and Privacy Master]] of the [[http://www.eitictlabs.eu/|European Institute of Innovation and Technology (EIT Digital)]]. | ||
| - | |||
| - | See the [[teaching_activities|UNITN S&P EIT page]] for further information. | ||
| - | |||
| - | ** See the [[security_engineering|new course for this academic year]] for uptodate information ** | ||
| - | |||
| - | ===== Course Objectives (2015/2016) ===== | ||
| - | |||
| - | Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decides which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on case studies from industry. | ||
| - | |||
| - | The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high level view of some Security Technologies (Authentication, Database, Access control, Web Application, etc). By using two industrial risk assessment methodologies, the student will identify threats and the corresponding security controls appropriate for an industrial case study. | ||
| - | |||
| - | At the end students should be able to make their own security analysis, documenting the threats and the security controls or requirements for an industrial case study | ||
| - | |||
| - | |||
| - | ===== Lecturers ===== | ||
| - | |||
| - | * Lecturers: Fabio Massacci | ||
| - | * Teaching assistant: Katsiaryna Labunets | ||
| - | ===== Exam Modalities ===== | ||
| - | |||
| - | The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of an oral and written part. The written part will be a report where students working in group or alone apply the concepts learned during the course to analyze a real case study. The oral part will consist in a discussion of the report with the lecturer and a company representative owning the case study. | ||
| - | |||
| - | The students who will attend the class will have the opportunity to present their work and receive feedbacks before the final submission of the report. | ||
| - | The final mark will be assigned based on the written report. If the work for the report has been done in group, all the group members will be assigned the same mark | ||
| - | |||
| - | ===== Registration Form ===== | ||
| - | |||
| - | You can register to the course on the following link: [[https://docs.google.com/forms/d/1n4OZiOziiABww-XXvmOP2_wSsTtbZloARvDzZ50XuSQ/viewform|registration form]] **BY October 13th**. | ||
| - | |||
| - | **Note:** If you have a problem in finding a group partner, send us a message: __katsiaryna (dot) labunets (at) unitn.it__. | ||
| - | |||
| - | ===== Schedule ===== | ||
| - | |||
| - | * Tuesday - room A224 - 11:00-13:00 | ||
| - | * Wednesday - room A203 - 14:00-16:00 (up to 17:00 when practical exercises are held) | ||
| - | |||
| - | |||
| - | |||
| - | ^ Date ^ Topic ^ Slides ^ Other Material ^ | ||
| - | | 2015-09-15 | Administrative Information and Introduction |{{:teaching:seceng:2015:seceng-2015-01-intro-v2.pdf|Lecture 1}} |{{:teaching:seceng:2015:itgov-2012-cardfrauds.pdf|Card Frauds}}{{:teaching:seceng:2015:usgov-2015-idtheft-stats.pdf|ID Theft Stats}} | | ||
| - | | 2015-09-16 | Terminology | {{:teaching:seceng:2015:seceng-2015-02-terminology-v2.pdf|Lecture 2}} |{{:teaching:seceng:2015:lecture-2-crimestatistics.pdf|Lecture 2 Crime Statistics}} | | ||
| - | | 2015-09-22 | GRC | {{:teaching:seceng:2015:seceng-2015-03-grc.pdf|Lecture 3 GRC}} and {{:teaching:seceng:2015:seceng-2015-03-risk-discussion.pdf|MFC exercise with data}} | As examples of management guides [[https://cobitonline.isaca.org/l3-main?book=framework|COBIT 5 Book]] e [[http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf|NIST 800-30 Risk Assessment Guide]] and the associated [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf|NIST 800-53 Security Controls Catalog]]. To understand risks, try doing this [[http://health.mo.gov/training/epi/index.html|exercise in Epidemiology]] | | ||
| - | | 2015-09-23 | Comprehensibility Exercise | | Understanding Risk Models, See Google Classroom. | | ||
| - | | 2015-09-29 | SESAR SecRAM |{{:teaching:seceng:2015:seceng-2015-04-sesar-secram.pdf|Lecture 4 SESAR SecRAM}} | Additional material subject to NDAs, See Google Classroom | | ||
| - | | 2015-09-30 | SESAR Exercise | | See Google Classroom | | ||
| - | | 2015-10-06 | CORAS | {{:teaching:seceng:2015:SecEng-2015-06-coras.pdf|Lecture 6 CORAS}} | CORAS {{:teaching:seceng:2014:coras.pdf|Guidelines}} (Book is in the library) | | ||
| - | | 2015-10-07 | CORAS Exercises | | See Google Classroom | | ||
| - | | 2015-10-13 | Case Study | {{:teaching:seceng:2015:seceng-2015-08-utm.pdf|Lecture 8 UTM}} | Brief {{:teaching:seceng:2015:utm-nasa-fact-sheet.pdf|UTM NASA fact sheet}}, Technical Memorandum for security and safety requirements {{:teaching:seceng:2015:utm-nasa-technical-memo-20150006814.pdf|UTM NASA technical memo}}, and {{:teaching:seceng:2015:utm-amazon-memorandum.pdf|Amazon memorandum}} for commercial interests. Additional Information from NASA: {{:teaching:seceng:2015:utm-nasa-presentation-long.pdf|utm nasa presentation long}}, {{:teaching:seceng:2015:utm-nasa-presentation-very-long.pdf|utm nasa presentation very long}}, {{:teaching:seceng:2015:utm-thesis-eas499honor-connortheilmann.pdf|utm thesis Connor Theilmann}}. Additional material on ATM incidents: Chris Johnson's analysis of the incidents of [[http://www.dcs.gla.ac.uk/~johnson/papers/Linate/Chris_W_Johnson_Ueberlingen_Linate.pdf|Linate and Uberlingen]] and of [[http://www.dcs.gla.ac.uk/~johnson/papers/IET_2007/Accident_reports.pdf|114 US incidents]]. An article on the drone accident nearby Nogales in 2006 ([[http://www.ntsb.gov/aviationquery/brief2.aspx?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1|old link]], [[http://www.skybrary.aero/index.php/Predator_B,_vicinity_Nogales_USA,_2006_%28LOC_HF%29|new link]]), and Washington Post's article on [[http://www.washingtonpost.com/sf/investigative/2014/06/20/when-drones-fall-from-the-sky/|Drones' incidents]] | | ||
| - | | 2015-10-14 | Users - Introduction to Identity and Access Management |{{:teaching:seceng:2015:seceng-2015-09-iam.pdf|Lecture 9 IAM}} | Report on the frauds by {{:teaching:seceng:2014:grc-john_rusnak_s_banking_fraud.pdf|John Rusnak}} and by Jerome Kevriel as ([[http://www.insead.edu/facultyresearch/centres/isic/ecsr/research/documents/SocieteGeneraleATheRogueTrader.pdf|INSEAD Case study]] or {{:teaching:seceng:2014:grc-soc-jerome_kevriel_fraud.pdf|the offical report}}) | | ||
| - | | 2015-10-20 | Users - Security Models |{{:teaching:seceng:2015:seceng-2015-10_b-accessmodels.pdf|Lecture 10 Access Models}} | Bowden's Hacking of a sewage treatment plant ({{:teaching:seceng:2014:grc-boden-sewage_spillover-fisma-study.pdf|FISMA study of security controls}} or the {{:teaching:seceng:2014:grc-boden-sewage_spillover.pdf|Court conviction}}). Terry Childs' refusal to pass admin rights ({{:teaching:seceng:2014:grc-childs-refusal.pdf|Court documents}} and discussion on {{http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?fp=&fpid=&pf=1|CIO Magazine}} and {{http://www.computerworld.com/article/2517653/security0/after-verdict--debate-rages-in-terry-childs-case.html|on ComputerWorld}}) | | ||
| - | | 2015-09-20 | Exercise | | Finding security requirements without RA{{:teaching:seceng:2015:seceng-2015-security_reqs_study.pdf|SEcurity Requirements Guide}} | | ||
| - | | 2015-10-21 | Crytography (A superzipped introduction) |{{:teaching:seceng:2015:seceng-2015-11-cryptography.pdf|Lecture 11 Cryptography}} | Attend the Applied Crypto Course for more information, Information on the importance of protecting keys and certificates for [[http://en.wikipedia.org/wiki/DigiNotar|Diginotar Failure]] and additional details in {{:teaching:offtech:2014:black-tulip-update.pdf|FoxIT security report}} | | ||
| - | | 2015-10-27 | Users - Authentication |{{:teaching:seceng:2015:seceng-2015-12-authentication.pdf|Lecture 12 Authentication}} | ABC report of attempted [[http://abcnews.go.com/US/story?id=95993|voice hijacking]] of airplanes | | ||
| - | | 2015-10-28 | Applications - Web Authentication (SSO, etc.) |{{:teaching:seceng:2015:seceng-2015-13-applicationsecurity.pdf|Lecture 13 (Web) Application security}} | [[https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/RP_CaseStudy_XSS_10-24-07_Final.pdf|Cross site scripting for ICS]] on the US CERT ICS Web Site | | ||
| - | | 2015-11-03 | Applications - OWASP Software Security |{{:teaching:seceng:2015:seceng-2015-14-websecurity.pdf|Lecture 14 WebApp Security}} | | | ||
| - | | 2015-11-04 | | | | | ||
| - | | 2015-11-10 | Applications - Database Security |{{:teaching:seceng:2015:seceng-2015-15-dbsecurity.pdf|Lecture 15 DB Security}} | | | ||
| - | | 2015-11-11 | Infrastructure - Network |{{:teaching:seceng:2015:seceng-2015-16-networksecurity.pdf|Lecture 16 Network Security}} | | | ||
| - | | 2015-11-17 | Infrastructure - OS Security |{{:teaching:seceng:2015:seceng-2015-17-os-security.pdf|Lecture 17 OS Security}} |{{:teaching:seceng:2015:lec-17-esweek-tutorial.pdf|ESWeek tutorial}} | | ||
| - | | 2015-11-18 | Infrastructure Cloud Security |{{:teaching:seceng:2015:seceng-2015-18-cloud-security.pdf|Lecture 18 Cloud security}} |{{:teaching:seceng:2015:lec-18-datacenterascomputer.pdf|Datacenter as computer}} {{:teaching:seceng:2015:lec-18-googleadminfired.pdf|Google Admin Fired}} {{:teaching:seceng:2015:lec-18-waidneroncloud.pdf|Waidner-Security and Cloud Computing}} | | ||
| - | | 2015-11-24 | CORAS Discussion on User | | | | ||
| - | | 2015-11-25 | SECRAM Discussion on User | | | | ||
| - | | 2015-12-01 | Infrastructure - Mobile Security | | | | ||
| - | | 2015-12-02 | Vulnerability Exercise | | | | ||
| - | | 2015-12-08 | | | | | ||
| - | | 2015-12-09 | CORAS/SECRAM Discussion on Application | | | | ||
| - | | 2015-12-15 | Cloud Exercise | | | | ||
| - | | 2015-12-16 | CORAS/SecRAM Discussion on Network | | | | ||
| - | ===== Final Report, Group Assignment, Deadlines ===== | ||
| - | |||
| - | |||
| - | ==== Final Report ==== | ||
| - | |||
| - | The final deliverable should include the following documents: | ||
| - | - [1 file] Security Engineering report which presents the results of all three deliverables ({{:teaching:seceng:2015:security_engineering_report.docx|template}}). | ||
| - | - [1 file] Summary of results which aggregates the results of all three deliverables ({{:teaching:seceng:2015:summary_of_results.xlsx|template}}). This document should be **submitted in Excel format ONLY**. | ||
| - | - [4 files] Method artifact files for each deliverable (1a, 1b, 2 and 3): CORAS artifact file ({{:teaching:seceng:2015:coras-excercise-template.pptx|template}}) or SecRAM artifact file ({{:teaching:seceng:2015:secram-exercise-template.xlsx|template}}). | ||
| - | |||
| - | The final presentation template in .pptx format: {{:teaching:seceng:2014:seceng-final-persentation-template.pptx|template}}. The final presentation should be submitted in Power Point or PDF format. | ||
| - | |||
| - | |||
| - | ==== Groups Assignment to Methods ==== | ||
| - | |||
| - | |||
| - | ^ Group ^ Task 1a (Identity management) ^ Task 1b (Access management) ^ Task 2 (WebApp/DB) ^ Task 3 (Networking/Infrastructure) ^ | ||
| - | | G01 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G02 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G03 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G04 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G05 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G06 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G07 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G08 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G09 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G10 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G11 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G12 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G13 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G14 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G15 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G16 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G17 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G18 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G19 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G20 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G21 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G22 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G23 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G24 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | | G25 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G26 | SECRAM | CORAS | SECRAM | CORAS | | ||
| - | | G27 | CORAS | SECRAM | CORAS | SECRAM | | ||
| - | ==== Deadlines ==== | ||
| - | |||
| - | ^ Deadline ^ Deliverable ^ Submission link ^ | ||
| - | |2015-11-16 |User Level Security | Select the course on classroom.google.com | | ||
| - | |2015-11-30 |Application Security | | | ||
| - | |2015-12-14 |Infrastructural Security | | | ||
| - | |2016-01-11 | | | | ||
| - | | | | | | ||
| - | | | | | | ||
| - | | | | | | ||
| - | |||
| - | Each deliverable should be submitted **by 12:00:00 PM (noon) of the day of the deadline** (see the table above). | ||
| - | |||
security_engineering_2015.txt ยท Last modified: 2021/01/29 10:58 (external edit)
Page Tools
