security_engineering_2016 [2018/02/20 12:27] (current)
fabio.massacci@unitn.it created
====== Cyber Security Risk Assessment ======

This course is offered at the University of Trento by the [[security_group|security group]] in the framework of the [[https://masterschool.eitdigital.eu/programmes/cse/|Cyber Security track]] of the [[https://www.eitdigital.eu/|European Institute of Innovation and Technology (EIT Digital)]] Master School programme.

See the [[teaching_activities|UniTrento CSE track page]] for further information.


===== Course Objectives (2016/2017) =====

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They do not design protocols or crypto algorithms; they decide which security technology they are going to use. However, they are not trained to actually choose that technology. The course should teach them to choose the technology by balancing threats and controls, costs, and the impact and likelihood of events. In other words, the course will teach them to manage risk.

The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for an industrial case study.

At the end, students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study.

===== Lecturers =====

  * Lecturers: Fabio Massacci
  * Teaching assistants: TBA

===== Textbook =====

  * [[http://www.jblearning.com/catalog/9781284055955/|Gibson. "Managing Risk in Information Systems"]]. Jones and Bartlett. ISBN13: 9781284055955

===== Exam Modalities =====

The exam will evaluate the students' skills in solving problems and their acquired knowledge of the course topics. The exam will consist of both classroom exercises to be done in the lab and a final report.

In the report, students working in a group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a representative of the company owning the case study. If the work for the report has been done in a group, all the group members will normally be assigned the same mark.

===== Classroom Registration Form =====

Please register to Google Classroom for assignments and notifications.

===== Schedule and Additional Material =====

  * Tuesday   - room B103 - 11:00-13:00
  * Wednesday - room B103 (labs in A201) - 14:00-16:00 (up to 17:00 when practical exercises are held)


^Date ^Topic ^Slides ^Other Material ^
|2016-09-14 |Introduction |{{:teaching:seceng:2016:cybrisk-2016-01-introduction.pdf|Admin. Introd.}}, {{:teaching:seceng:2016:cybrisk-2016-02-terminology.pdf|Security Terminology}}| {{:teaching:seceng:2015:itgov-2012-cardfrauds.pdf|Card Frauds}}, {{:teaching:seceng:2015:usgov-2015-idtheft-stats.pdf|ID Theft Stats}} |
|2016-09-20 |Risk Management Fundamentals |{{:teaching:seceng:2016:cybrisk-2016-03-introdtosra-v2.pdf|RA Introd.}} | There is one exercise on Google Classroom. To understand risks, try also doing this [[http://health.mo.gov/training/epi/index.html|exercise in Epidemiology]]|
| 2016-09-21 |Comprehensibility Exercise |See Google Classroom | See Google Classroom |
| 2016-09-27 |Developing a Risk Management Plan and Performing a Risk Assessment |{{:teaching:seceng:2016:cybrisk-2016-05-riskmanagement.pdf|Slides}} | The SESAR SecRAM Manual is available on Google Classroom. As examples of management guides, see the [[https://cobitonline.isaca.org/l3-main?book=framework|COBIT 5 Book]] and the [[http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf|NIST 800-30 Risk Assessment Guide]] with the associated [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf|NIST 800-53 Security Controls Catalog]].|
| 2016-09-28 |Exercise on Risk Assessment|See Google Classroom | |
| 2016-10-04 |Identifying Assets and Activities to Be Protected |{{:teaching:seceng:2016:cybrisk-2016-06-asset-identification.pdf|Slides}}|Chapter 7: Identifying Assets and Activities to Be Protected. Terry Childs' refusal to hand over admin rights ({{:teaching:seceng:2014:grc-childs-refusal.pdf|Court documents}} and discussion on {{http://www.cio.com.au/article/255165/sorting_facts_terry_childs_case?fp=&fpid=&pf=1|CIO Magazine}} and {{http://www.computerworld.com/article/2517653/security0/after-verdict--debate-rages-in-terry-childs-case.html|on ComputerWorld}})|
| 2016-10-04 |Remotely Operated Virtual Tower | See Google Classroom | The scenario description is on Google Classroom. |
| 2016-10-05 |RVT Exercise - Assets |See Google Classroom| Chris Johnson's analysis of the incidents of [[http://www.dcs.gla.ac.uk/~johnson/papers/Linate/Chris_W_Johnson_Ueberlingen_Linate.pdf|Linate and Überlingen]] and of [[http://www.dcs.gla.ac.uk/~johnson/papers/IET_2007/Accident_reports.pdf|114 US incidents]]. An article on the drone accident near [[http://www.ntsb.gov/aviationquery/brief2.aspx?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1|Nogales (2006)]], and the Washington Post's article on [[http://www.washingtonpost.com/sf/investigative/2014/06/20/when-drones-fall-from-the-sky/|Drones' incidents]] |
| 2016-10-11 |Identifying and Analyzing Threats, Vulnerabilities, and Exploits |{{:teaching:seceng:2016:cybrisk-2016-08-threats-vulns-exploits.pdf|Slides}} |Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits. Threat, vulnerability and exploit assessment. Review public penetration testing reports from the industry for a practical perspective on the material seen in class: [[https://github.com/juliocesarfort/public-pentesting-reports]]. If you want to get your hands "dirty" with some guided pentesting, see Rapid7's Metasploitable 2 Exploitability guide here: [[https://community.rapid7.com/docs/DOC-1875]]|
| 2016-10-12 |RVT Exercise - Threat | See Google Classroom | Boden's hacking of a sewage treatment plant ({{:teaching:seceng:2014:grc-boden-sewage_spillover-fisma-study.pdf|FISMA study of security controls}} or the {{:teaching:seceng:2014:grc-boden-sewage_spillover.pdf|Court conviction}}). ABC report of attempted [[http://abcnews.go.com/US/story?id=95993|voice hijacking]] of airplanes. |
| 2016-10-18 |Identifying Controls |{{:teaching:seceng:2016:cyberrisk-2016-08-controls.pdf|Slides}} |Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls. See also last year's slides on controls: {{:teaching:seceng:2015:seceng-2015-09-iam.pdf|Identity Management}}, {{:teaching:seceng:2015:seceng-2015-10_b-accessmodels.pdf|Access Control Models}}, {{:teaching:seceng:2015:seceng-2015-11-cryptography.pdf|Cryptography}}, {{:teaching:seceng:2015:seceng-2015-12-authentication.pdf|Authentication}}, {{:teaching:seceng:2015:seceng-2015-14-websecurity.pdf|Web Application Security}}, {{:teaching:seceng:2015:seceng-2015-15-dbsecurity.pdf|Database Security}}, {{:teaching:seceng:2015:seceng-2015-16-networksecurity.pdf|Network and Infrastructure Security}}, {{:teaching:seceng:2015:seceng-2015-17-os-security.pdf|O.S. Security}}, as well as Ross Anderson's book. |
| 2016-10-19 |RVT Exercise - Pre-Controls | See Google Classroom|Reports on the frauds by {{:teaching:seceng:2014:grc-john_rusnak_s_banking_fraud.pdf|John Rusnak}} and by Jérôme Kerviel ([[http://www.insead.edu/facultyresearch/centres/isic/ecsr/research/documents/SocieteGeneraleATheRogueTrader.pdf|INSEAD Case study]] or {{:teaching:seceng:2014:grc-soc-jerome_kevriel_fraud.pdf|the official report}}). Information on the importance of protecting keys and certificates in the [[http://en.wikipedia.org/wiki/DigiNotar|DigiNotar failure]], with additional details in the {{:teaching:offtech:2014:black-tulip-update.pdf|Fox-IT security report}} |
| 2016-10-25 |Mitigating Risk with a Business Continuity and Disaster Recovery Plan | {{:teaching:seceng:2016:cybrisk-2016-09-recovery.pdf|Slides}}| For a discussion of the Dyn attacks in the USA see the [[course_on_offensive_technologies|Monday 24/10 lecture of Offensive Technologies]] |
| 2016-10-26 |RVT Exercise - Post-Controls |See Google Classroom| See Exercise 1 Assignment in Google Classroom |
| 2016-11-02 |RVT Full-fledged Exercise |See Google Classroom|See Exercise 2 Assignment in Google Classroom |
| 2016-11-08 |Managing Risk: Threats, Vulnerabilities, and Exploits - CVSS Base | {{:teaching:seceng:2016:cybrisk-2016-10-cvss_base.pdf|Slides CVSS Base}}| **Note:** The scoring slides are updated with comments for each metric. Official scores are reported with additional information. **CVSS Specification documentation:** [[https://www.first.org/cvss/specification-document]] |
| 2016-11-09 |CVSS Base Exercise | | |
| 2016-11-15 |Managing Risk: Threats, Vulnerabilities, and Exploits - Network | {{:teaching:seceng:2016:cybrisk-2016-11-cvss_env.pdf|CVSS Env + Temporal}} | |
| 2016-11-16 |CVSS Environmental | | |
| 2016-11-22 |Case Study Presentation | | Please see Google Classroom for the material, the report format and how to submit clarification issues|
| 2016-11-23 |Detailed feedback | {{:teaching:seceng:2016:cybrisk-2016-exercise1-2_typical_problems.pdf|Slides}} | |
| 2016-11-29 |Understanding Internet Evidence for Risk Assessment | | |
| 2016-11-30 |Mitigating Risk with a Business Impact Analysis | | |
| 2016-12-06 |Quantitative approaches to risk - Part 1 | {{:teaching:seceng:2016:cybrisk-2016-13-quantitative.pdf|Slides}}  | |
| 2016-12-07 |Quantitative approaches to risk - Part 2 | {{:teaching:seceng:2016:cybrisk-2016-14-quantitative.pdf|Slides}} | Verizon DBIR reports: {{:teaching:seceng:2016:quantitative_risk_material:verizon-dbir-2013.pdf|2013}}, {{:teaching:seceng:2016:quantitative_risk_material:verizon-dbir-2014.pdf|2014}}, {{:teaching:seceng:2016:quantitative_risk_material:verizon-dbir-2015.pdf|2015}}, {{:teaching:seceng:2016:quantitative_risk_material:verizon-dbir-2016.pdf|2016}}; Verizon dataset: {{:teaching:seceng:2016:quantitative_risk_material:verizon.xlsx|XLSX}}. See Google Classroom for the MATLAB script.|
| 2016-12-13 |Visit to a SIEM @ Informatica Trentina | | Registration is mandatory. Please see Google Classroom |
| 2016-12-14 |G. Woo (Risk Management Solutions) | {{:teaching:seceng:2016:gwoo14dec.pdf|Slides from Dr. Gordon Woo}}| Lecture starts at 14:30. |
| 2016-12-20 |Student Presentations | | See Google Classroom for the registration. |
| 2016-12-21 |Student Presentations | | See Google Classroom for the registration. |
==== Forthcoming Lectures ====

^Date ^Topic ^Slides ^Other Material ^

==== Final Report ====

The final deliverable, due by January 11, should include:
  * the report summarising the findings of your security risk assessment, in Google Docs format (CybSec-2016-Report-template)
  * the security risk assessment of the case with SESAR SecRAM, in Google Spreadsheets format (SecRAM-template).

Please check Google Classroom for the templates and submission.
  
security_engineering_2016.txt · Last modified: 2018/02/20 12:27 by fabio.massacci@unitn.it