User Tools

Site Tools


security_engineering_2015

Security Engineering and Cyber Security Risk Assessment

This course is offered at the University of Trento by the security group in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (EIT Digital).

See the UNITN S&P EIT page for further information.

See the new course for this academic year for uptodate information

Course Objectives (2015/2016)

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decides which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on case studies from industry.

The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks) and provide a high level view of some Security Technologies (Authentication, Database, Access control, Web Application, etc). By using two industrial risk assessment methodologies, the student will identify threats and the corresponding security controls appropriate for an industrial case study.

At the end students should be able to make their own security analysis, documenting the threats and the security controls or requirements for an industrial case study

Lecturers

  • Lecturers: Fabio Massacci
  • Teaching assistant: Katsiaryna Labunets

Exam Modalities

The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of an oral and written part. The written part will be a report where students working in group or alone apply the concepts learned during the course to analyze a real case study. The oral part will consist in a discussion of the report with the lecturer and a company representative owning the case study.

The students who will attend the class will have the opportunity to present their work and receive feedbacks before the final submission of the report. The final mark will be assigned based on the written report. If the work for the report has been done in group, all the group members will be assigned the same mark

Registration Form

You can register to the course on the following link: registration form BY October 13th.

Note: If you have a problem in finding a group partner, send us a message: katsiaryna (dot) labunets (at) unitn.it.

Schedule

  • Tuesday - room A224 - 11:00-13:00
  • Wednesday - room A203 - 14:00-16:00 (up to 17:00 when practical exercises are held)
Date Topic Slides Other Material
2015-09-15 Administrative Information and Introduction Lecture 1 Card FraudsID Theft Stats
2015-09-16 Terminology Lecture 2 Lecture 2 Crime Statistics
2015-09-22 GRC Lecture 3 GRC and MFC exercise with data As examples of management guides COBIT 5 Book e NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog. To understand risks, try doing this exercise in Epidemiology
2015-09-23 Comprehensibility Exercise Understanding Risk Models, See Google Classroom.
2015-09-29 SESAR SecRAM Lecture 4 SESAR SecRAM Additional material subject to NDAs, See Google Classroom
2015-09-30 SESAR Exercise See Google Classroom
2015-10-06 CORAS Lecture 6 CORAS CORAS Guidelines (Book is in the library)
2015-10-07 CORAS Exercises See Google Classroom
2015-10-13 Case Study Lecture 8 UTM Brief UTM NASA fact sheet, Technical Memorandum for security and safety requirements UTM NASA technical memo, and Amazon memorandum for commercial interests. Additional Information from NASA: utm nasa presentation long, utm nasa presentation very long, utm thesis Connor Theilmann. Additional material on ATM incidents: Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales in 2006 (old link, new link), and Washington Post's article on Drones' incidents
2015-10-14 Users - Introduction to Identity and Access Management Lecture 9 IAM Report on the frauds by John Rusnak and by Jerome Kevriel as (INSEAD Case study or the offical report)
2015-10-20 Users - Security Models Lecture 10 Access Models Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld)
2015-09-20 Exercise Finding security requirements without RASEcurity Requirements Guide
2015-10-21 Crytography (A superzipped introduction) Lecture 11 Cryptography Attend the Applied Crypto Course for more information, Information on the importance of protecting keys and certificates for Diginotar Failure and additional details in FoxIT security report
2015-10-27 Users - Authentication Lecture 12 Authentication ABC report of attempted voice hijacking of airplanes
2015-10-28 Applications - Web Authentication (SSO, etc.) Lecture 13 (Web) Application security Cross site scripting for ICS on the US CERT ICS Web Site
2015-11-03 Applications - OWASP Software Security Lecture 14 WebApp Security
2015-11-04
2015-11-10 Applications - Database Security Lecture 15 DB Security
2015-11-11 Infrastructure - Network Lecture 16 Network Security
2015-11-17 Infrastructure - OS Security Lecture 17 OS Security ESWeek tutorial
2015-11-18 Infrastructure Cloud Security Lecture 18 Cloud security Datacenter as computer Google Admin Fired Waidner-Security and Cloud Computing
2015-11-24 CORAS Discussion on User
2015-11-25 SECRAM Discussion on User
2015-12-01 Infrastructure - Mobile Security
2015-12-02 Vulnerability Exercise
2015-12-08
2015-12-09 CORAS/SECRAM Discussion on Application
2015-12-15 Cloud Exercise
2015-12-16 CORAS/SecRAM Discussion on Network

Final Report, Group Assignment, Deadlines

Final Report

The final deliverable should include the following documents:

  1. [1 file] Security Engineering report which presents the results of all three deliverables (template).
  2. [1 file] Summary of results which aggregates the results of all three deliverables (template). This document should be submitted in Excel format ONLY.
  3. [4 files] Method artifact files for each deliverable (1a, 1b, 2 and 3): CORAS artifact file (template) or SecRAM artifact file (template).

The final presentation template in .pptx format: template. The final presentation should be submitted in Power Point or PDF format.

Groups Assignment to Methods

Group Task 1a (Identity management) Task 1b (Access management) Task 2 (WebApp/DB) Task 3 (Networking/Infrastructure)
G01 SECRAM CORAS SECRAM CORAS
G02 CORAS SECRAM CORAS SECRAM
G03 CORAS SECRAM CORAS SECRAM
G04 CORAS SECRAM CORAS SECRAM
G05 SECRAM CORAS SECRAM CORAS
G06 SECRAM CORAS SECRAM CORAS
G07 CORAS SECRAM CORAS SECRAM
G08 SECRAM CORAS SECRAM CORAS
G09 CORAS SECRAM CORAS SECRAM
G10 CORAS SECRAM CORAS SECRAM
G11 CORAS SECRAM CORAS SECRAM
G12 SECRAM CORAS SECRAM CORAS
G13 SECRAM CORAS SECRAM CORAS
G14 CORAS SECRAM CORAS SECRAM
G15 CORAS SECRAM CORAS SECRAM
G16 SECRAM CORAS SECRAM CORAS
G17 CORAS SECRAM CORAS SECRAM
G18 SECRAM CORAS SECRAM CORAS
G19 CORAS SECRAM CORAS SECRAM
G20 CORAS SECRAM CORAS SECRAM
G21 SECRAM CORAS SECRAM CORAS
G22 SECRAM CORAS SECRAM CORAS
G23 SECRAM CORAS SECRAM CORAS
G24 CORAS SECRAM CORAS SECRAM
G25 SECRAM CORAS SECRAM CORAS
G26 SECRAM CORAS SECRAM CORAS
G27 CORAS SECRAM CORAS SECRAM

Deadlines

Deadline Deliverable Submission link
2015-11-16 User Level Security Select the course on classroom.google.com
2015-11-30 Application Security
2015-12-14 Infrastructural Security
2016-01-11

Each deliverable should be submitted by 12:00:00 PM (noon) of the day of the deadline (see the table above).

security_engineering_2015.txt · Last modified: 2018/02/20 12:00 by fabio.massacci@unitn.it