This one-semester graduate course is intended for graduate
students or seniors from computer science, engineering (including systems
engineering) and business. It examines quantitative and algorithmic aspects
of cyber security risks and their mitigation approaches.
Prerequisites: College-level mathematics including probability and
statistics, undergraduate background in CS, ECE or business.
Textbook: No specific textbook is required. In addition to the lecture notes,
we will draw information from various publications and reports. The students
are required to do research using articles in journals, conferences,
technical reports, white papers and news articles.
Instructional format: Both on-campus and on-line students will use
Canvas/Piazza for assignments/quizzes. Both sections will use an on-line
format in fall 2020; the video recordings will be found in Canvas (Echo360).
The on-campus students are expected to participate in the
presentations/discussions during the interactive sessions using MS Teams
during specific class sessions. It is critically important that students
check out the course website and the Canvas page a few times a week. All
tests and assignment due dates are posted there. Sometimes this may be the
only announcement of an assignment. It is the student's responsibility to
continually check for new assignments. Assignments are usually posted 7 days
to 10 days ahead of due dates. There will
be an on-line almost every week.
Grading (subject to revision):
- Presentations/Research Project (40%)
- Interaction (10%)
- Assignments and quizzes (on-line or in-class) (15-25%)
- Exams (25-35%)
Letter grades will be based on the following standard breakpoints: ≥ 90 is
an A, ≥ 88 is an A-, ≥ 86 is a B+, ≥ 80 is a B, ≥ 78 is a B-, ≥ 76 is a C+,
≥ 70 is a C, ≥ 60 is a D, and < 60 is an F. I will not cut higher than this,
but I may cut lower.
Course Outline (Preliminary):
1. Introduction
· Outline
· Current state
· Access control
· Security framework
2. Risk
· Risk as the product of breach likelihood and breach cost and their components
· Discussion of conflicting definitions of risk
· Linear/logarithmic scales
· Risk Matrix
· Time-frame: per event (single breach) vs per year (annual loss expectancy)
3. Probability/distributions
· A review of essential concepts from probability, conditional probabilities, Bayes' rule
· Common distributions used in risk evaluation
· Monte Carlo simulation
4. Modeling
· Modeling approaches
· Regression
5. Vulnerability types
· Software: defects vs vulnerabilities
· System/network/configuration
· Physical vulnerabilities (such as snooping)
· Social engineering: exploitation of human weaknesses
6. Vulnerability life cycle
· Introduction, discovery, disclosure, patching, exploitation
· Modeling the vulnerability discovery process in individual and evolving programs
· Longer term trends
7. Vulnerability metrics & databases
· CVSS v2/v3 metrics and scores
· Temporal (patches and exploits)
· Environmental metrics CVSS
· Databases: NVD, CVEDetails, VulnDB, ExploitDB
8. Testing for vulnerabilities
· Testing as exercising input or structure space
· Coverage metrics
· Fuzzing
· Probabilistic vs deterministic testing
o Test effectiveness
Midterm
Research methodology
· Potential sources of information
· Identifying research threads and trends
· Information extraction and consolidation
· Assessing promise of a research direction
Attacks
· Attack types
· Intrusion detection
· MITRE ATT&CK framework
Breach likelihood components
· Vulnerability presence
· Vulnerability exploitability, and reachability
· Motivation/skill/tool support of potential adversaries
· Impact of management policies
Breach cost components
· Investigation costs, crisis mitigation costs, cost of sanctions and lawsuits
· Question of insurance coverage, tax breaks
· Longer term costs: loss of reputation and business opportunity
· Costs to a government/nation including loss of industrial IP, defensive secrets, tampering with national infrastructure or defenses
Risk mitigation
· Reducing the breach likelihood
· Reducing the breach cost
· Security investment ROI
· Attack surfaces and connectivity
· Threat containment strategies and their effectiveness
Discussion sessions
· Presentations of assigned papers
· Investigation results and perspectives
Vulnerability markets
· Legitimate (for example rewards programs)
· Gray (vulnerability brokers) and black markets
· Potential buyers and sellers of zero-day vulnerabilities and exploits
Project Presentations
· Final presentations of individual project results
· Peer reviews
Final