This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.
See the UniTrento CSE track page for further information.
Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols or crypto algorithms; they decide which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to choose the technology by balancing threats and controls, costs, impact, and likelihood of events. In other words, the course will teach them to manage risk.
The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for an industrial case study.
At the end, students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study.
The exam will evaluate the students' problem-solving skills and their knowledge of the course topics. The exam will consist of both classroom exercises to be done in the lab and a final report.
In the report, students working in a group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a representative of the company that owns the case study. If the work for the report has been done in a group, all the group members will normally be assigned the same mark.
Please register on Google Classroom for assignments and notifications.
|2016-09-14||Introduction||Admin. Introd., Security Terminology||Card Frauds, ID Theft Stats|
|2016-09-20||Risk Management Fundamentals||RA Introd.||There is one exercise on Google Classroom. To understand risks, also try this exercise in Epidemiology|
|2016-09-21||Comprehensibility Exercise||See Google Classroom||See Google Classroom|
|2016-09-27||Developing a Risk Management Plan and Performing a Risk Assessment||Slides||The SESAR SecRAM Manual is available on Google Classroom. As examples of management guides, see the COBIT 5 Book and the NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog.|
|2016-09-28||Exercise on Risk Assessment||See Google Classroom|
|2016-10-04||Identifying Assets and Activities to Be Protected||Slides||Chapter 7: Identifying Assets and Activities to Be Protected. Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld)|
|2016-10-04||Remotely Operated Virtual Tower||See Google Classroom||The scenario description is on Google Classroom.|
|2016-10-05||RVT Exercise - Assets||See Google Classroom||Chris Johnson's analysis of the incidents of Linate and Überlingen and of 114 US incidents. An article on the drone accident near Nogales (2006), and the Washington Post's article on drone incidents|
|2016-10-11||Identifying and Analyzing Threats, Vulnerabilities, and Exploits||cybrisk-2016-08-threats-vulns-exploits.pdf||Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits. Threat, vuln and exploit assessment. Review public penetration testing reports from the industry for a practical perspective on the material seen in class: https://github.com/juliocesarfort/public-pentesting-reports. If you want to get your hands “dirty” with some guided pentesting, see Rapid7's Metasploitable 2 Exploitability guide here: https://community.rapid7.com/docs/DOC-1875|
|2016-10-12||RVT Exercise - Threat||See Google Classroom||Boden's hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). ABC report of attempted voice hijacking of airplanes.|
|2016-10-18||Identifying Controls||cyberrisk-2016-08-controls.pdf||Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls. See also last year's slides on controls: Identity Management, Access Control Models, Cryptography, Authentication, Web Application Security, Database Security, Network and Infrastructure Security, O.S. Security, as well as Ross Anderson's book.|
|2016-10-19||RVT Exercise - Pre-Controls||See Google Classroom||Report on the frauds by John Rusnak and by Jérôme Kerviel (INSEAD case study or the official report). Information on the importance of protecting keys and certificates: the DigiNotar failure, with additional details in the Fox-IT security report|
|2016-10-25||Mitigating Risk with a Business Continuity and Disaster Recovery Plan||Slides||For a discussion on Dyn Attacks in the USA see Monday 24/10 lecture of Offensive Technologies|
|2016-10-26||RVT Exercise - Post-Controls||See Google Classroom||See Exercise 1 Assignment in Google Classroom|
|2016-11-02||RVT Full-fledged Exercise||See Google Classroom||See Exercise 2 Assignment in Google Classroom|
|2016-11-08||Managing Risk: Threats, Vulnerabilities, and Exploits - CVSS Base||Slides CVSS Base||Note: Scoring slides are updated with comments for each metric. Official scores with additional information reported. CVSS Specification documentation: https://www.first.org/cvss/specification-document|
|2016-11-09||CVSS Base Exercise|
|2016-11-15||Managing Risk: Threats, Vulnerabilities, and Exploits - Network||CVSS Env + Temporal|
|2016-11-22||Case Study Presentation||Please see Google Classroom for the material, the report format and how to submit clarification issues|
|2016-11-29||Understanding Internet Evidence for Risk Assessment|
|2016-11-30||Mitigating Risk with a Business Impact Analysis|
|2016-12-06||Quantitative approaches to risk - Part 1||Slides|
|2016-12-07||Quantitative approaches to risk - Part 2||Slides||Verizon DBI Reports: 2013, 2014, 2015, 2016; Verizon dataset: XLSX. See Google Classroom for MATLAB script.|
|2016-12-13||Visit to a SIEM @ Informatica Trentina||Registration is Mandatory. Please see Google Classroom|
|2016-12-14||G. Woo (Risk Management Solutions)||Slides from Dr. Gordon Woo||Lecture starts at 14:30.|
|2016-12-20||Students Presentations||See Google Classroom for the registration.|
|2016-12-21||Students Presentations||See Google Classroom for the registration.|
The final deliverable by January 11 should include:
Please check Google Classroom for the templates and submission.