This one-semester graduate course is
intended for graduate students or seniors from computer science, engineering
(including systems engineering) and business. It examines quantitative and
algorithmic aspects of cyber security risks and their mitigation approaches.
Prerequisites:
College level mathematics including probability and statistics, undergraduate
background in CS, ECE or business.
Textbook:
No specific textbook is required. In addition to
the lecture notes, we will draw information from various publications and
reports. The students are required to do research using articles in journals,
conferences, technical reports, white papers and news articles.
Instructional format:
Both on-campus and on-line students will use Canvas for
assignments/quizzes. The video recordings will be found in Canvas (Echo360).
The on-campus students are expected to participate in the
presentations/discussions during the interactive sessions using MS
Teams during specific class sessions. It is critically important that
students check out the course website and the Canvas page a few times a week.
All tests and assignment due dates are posted there. Sometimes this may be
the only announcement of an assignment. It is the student's responsibility to
continually check for new assignments. Assignments are
usually posted 7 days to 10 days ahead of due dates. There will
be an on-line almost every week.
Grading (subject to revision):
- Presentations/Research Project (40%)
- Interaction (10%)
- Assignments and quizzes (on-line or in-class) (15-25%)
- Exams (25-35%)
Letter grades will be based on the following standard
breakpoints: ≥ 90 is an A, ≥ 88 is an A-, ≥ 86 is a B+, ≥ 80 is a B, ≥ 78 is a
B-, ≥ 76 is a C+, ≥ 70 is a C, ≥ 60 is a D, and < 60 is an F. I will not cut
higher than this, but I may cut lower.
Course Outline (Preliminary):
1. Introduction
· Outline
· Current state
· Access control
· Security framework
2. Risk
· Risk as the product of breach likelihood and breach cost and their components
· Discussion of conflicting definitions of risk
· Linear/logarithmic scales
· Risk matrix
· Time-frame: per event (single breach) vs per year (annual loss expectancy)
3. Probability/distributions
· A review of essential concepts from probability, conditional probabilities, Bayes' rule
· Common distributions used in risk evaluation
· Monte Carlo simulation
4. Modeling
· Modeling approaches
· Regression
5. Vulnerability types
· Software: defects vs vulnerabilities
· System/network/configuration
· Physical vulnerabilities (such as snooping)
· Social engineering: exploitation of human weaknesses
6. Vulnerability life cycle
· Introduction, discovery, disclosure, patching, exploitation
· Modeling the vulnerability discovery process in individual and evolving programs
· Longer term trends
7. Vulnerability metrics & databases
· CVSS v2/v3 metrics and scores
· Temporal (patches and exploits)
· CVSS environmental metrics
· Databases: NVD, CVEDetails, VulnDB, ExploitDB
8. Testing for vulnerabilities
· Testing as exercising input or structure space
· Coverage metrics
· Fuzzing
· Probabilistic vs deterministic testing
  o Test effectiveness
Midterm
Research methodology
· Potential sources of information
· Identifying research threads and trends
· Information extraction and consolidation
· Assessing promise of a research direction
Attacks
· Attack types
· Intrusion detection
· MITRE ATT&CK framework
Breach likelihood components
· Vulnerability presence
· Vulnerability exploitability and reachability
· Motivation/skill/tool support of potential adversaries
· Impact of management policies
Breach cost components
· Investigation costs, crisis mitigation costs, cost of sanctions and lawsuits
· Question of insurance coverage, tax breaks
· Longer term costs: loss of reputation and business opportunity
· Costs to a government/nation including loss of industrial IP, defensive secrets, tampering with national infrastructure or defenses
Risk mitigation
· Reducing the breach likelihood
· Reducing the breach cost
· Security investment ROI
· Attack surfaces and connectivity
· Threat containment strategies and their effectiveness
Discussion sessions
· Presentations of assigned papers
· Investigation results and perspectives
Vulnerability markets
· Legitimate (for example rewards programs)
· Gray (vulnerability brokers) and black markets
· Potential buyers and sellers of zero-day vulnerabilities and exploits
Project Presentations
· Final presentations of individual project results
· Peer reviews
Final