User Tools
Table of Contents
Cyber Security Risk Assessment
This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.
See the UniTrento Cyber Security Master Track page for further information.
See the new course for this academic year for uptodate information
Course Objectives (2017/2018)
Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach them to manage risk.
The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for two industrial case studies.
At the end students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study
Pre-requisite
General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know at all). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography, and Security Testing at the Cyber Security track in Trento. Bachelor students from Trento might also consider the course on Reti Avanzate which provides the minimum knowledge about cryptographic protocols.
Lecturers
- Lecturers: Fabio Massacci
Textbook
- Gibson. "Managing Risk in Information Systems". Jones and Bartlett. ISBN13: 9781284055955
Other recommended texts are
- Anderson. "Security Engineering" For which a old version is also on the web.
- Gollmann. "Computer Security" which is mostly a reference book for Security Technologies.
Exam Modalities
The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of both individual exercises to be done in the lab and a final report.
In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.
- Step-by-Step Qualita/ve RA Exercises during the course (up to 16/30)
- Item Industrial Cases:Remote Virtual Control Tower Center (RTC)
- Building AutomaMon by UTC (UTC)
- These include: Identify Assets, Threats, Pre and Post Controls
- Assess Vulnerabilities Exercise (Up to 6/30)
- CVSS (Common Vulnerabilities Scoring System), world standard.
- exercise 1 is to identify risk from descriptions as they arrive in a CERT Bulletin)
- Exercise 2 is to identify risk as they apply to you on your security architecture
- Final Project (Up to 12/30)
- A complete detailed quantitative risk assessment of the industrial automation case study security architecture
- Evaluation by Industry experts of UTC
Being able to defend your ideas in class is an important part of the evaluation (if you cannot explain why you chose something you get a negative vote for the relative exercise).
Schedule and Additional Material
- Monday - room A220 - 11:30-13:30
- Friday - room A114 - 14:30-16:30 (up to 17:30 when practical exercises are held)
| Date | Topic | Slides | Other Material |
|---|---|---|---|
| 2018-02-19 | Introduction | Introduction, Terminology | Card FraudsID Theft Stats |
| 2018-02-23 | Risk Management Fundamentals | Risk Management | The SESAR SecRAM Manual is available on the Google ClassRoom. As examples of management guides COBIT 5 Book e NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog, UK IAS risk Assessment |
| 2018-02-26 | Identifying Assets and Activities to Be Protected | Slides | BSI Catalogues |
| 2018-03-05 | Identifying and Analyzing Threats, Vulnerabilities, and Exploits | Slides | ENISA Threat Taxonomy. |
| 2018-03-12 | Risk Mitigation with Security Controls | Slides | see above for information. |
| 2018-03-19 | UTC - Case Study Presentation | See Google Classroom for the presentation | US CERT's case study on Malware attacks on Industry Control Systems |
| 2018-03-23 | Mitigating Risks by post-controls for Business Continuity and Disaster Recovery | Slides | |
| 2018-03-26 | Discussion on Likelihood estimation | See above for the IAS | |
| 2018-04-06 | Visit to a SOC @ Trentino Network | ||
| 2018-04-13 | Introduction to Quantitative Risks | cybrisk-2017-09-quantitative.pdf | There are several proposals for example metrics using attack graphs, another variant available as NIST Interagency report |
| 2018-04-16 | CVSS Base Introduction | Slides | CVSS Original User Guide, CVSS SCoring Examples. There is also an official tutorial on CVSS, which also has an HTML transcript |
| 2018-04-23 | CVSS Environment Introduction | Slides | See above. Look also at PCI Compliance |
| 2018-05-04 | CVSS Environment Review | ||
| 2018-05-07 | Quantitative Risk Analysis II | Slides | |
| 2018-05-07 | Quantitative Risk Analysis III | Detailed Instruction here |
Assigned Exercises (Graded)
All assignments are assigned through Google Classroom. Students will be asked to comment in class on their assignment which must be submitted through Classroom.
| Date | Topic | Other Material |
|---|---|---|
| 2018-03-02 | ROT Exercise - Assets | Remote Virtual Tower Description |
| 2018-03-09 | ROT Exercise Threats | Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales (2006), and Washington Post's article on Drones' incidents. ABC reports of attempted voice hijacking of airplanes. Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld) |
| 2018-03-16 | ROT Exercise - Pre Controls | see above |
| 2018-04-09 | ROT Exercise - Post Controls | see above |
| 2018-05-21 | UTC Case Study Webinar | See Google Classroom. There is a comprehensive tutorial on Security for ICS |
| 2018-05-06 | Presentations Review | |
| 2018-04-20 | CVSS Base Exercise in Class (Graded - individually) | |
| 2018-04-27 | CVSS Environmental Exercise in Class (Graded -individually) | |
| 2018-05-18 | UTC Exercise - Qualitative Report Review | |
| 2018-05-28 | UTC Exercise - Quantitative | |
| 2018-06-04 | UTC Exercise - Quantitative II |
Final Report
The final deliverable by June 11 should include:
- the report summarising the finding of your security risk assessment in Google Docs format
- security risk assessment of the case with SESAR SecRAM in Google Spreadsheets format
