Are you a designer or a techie? Do you want to become a security analyst?
We will teach you how to test a system for vulnerabilities.
Security plays an increasingly important role in today’s society as our world grows more and more interconnected. Almost every day we read about a security incident in the news. To gain assurance of the security of things like self-driving cars and internet banking, it is essential that such systems be adequately evaluated. Building on your creative capacity or technical background, we challenge you to become a security analyst. You will learn the security mindset in an interdisciplinary setting.
As a designer you will investigate how we might make the Internet of Things more privacy-friendly. You’ll do so through concept development and scenario building, intertwined with design reviews. Also, by investigating the usability of secure communication platforms, you’ll be helping people in oppressive regimes communicate more securely. Finally, you will run a field study on how and why users click on malicious emails, as user awareness is vital in preventing many types of attacks.
Techies taking part in the minor will tackle the problem of keeping Internet of Things devices up to date, focusing on safety-critical devices such as smart insulin pumps. An update platform is implemented and tested through adversarial review. Besides this, you will perform a collaborative code review of open source software that keeps the Internet running. To train your consulting skills, you will also participate in a challenge in which you evaluate the security of the network of CERN.
IMPORTANT: In the minor you learn skills that can be used for good or bad. The IEEE Code of Ethics (http://www.ieee.org/about/corporate/governance/p7-8.html) is to be abided by at all times. Additionally, the NCSC Responsible Disclosure Guideline (https://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html) must be followed. Otherwise, students risk expulsion.
Structure and content
The minor starts with four weeks of fundamental theory, followed by three five-week projects. On theory days, concepts are discussed in the morning through demos, cases, and exercises, and toy systems are evaluated in the afternoon. The projects for the human track / technical track are:
- design a private platform for intimate devices / program a secure way to update insulin pumps
- test the usability of encrypted email and chat / perform a code audit of open source software
- run a phishing campaign to raise user awareness / execute a web application penetration test
As a security analyst, after successful completion of the minor, a student can independently:
- spot common errors in cryptography, computer security, network security, and human factors
- formulate and execute appropriate evaluation strategies, and responsibly disclose their findings
- apply red teaming, laboratory testing, and field study research methods in security contexts
Additional information: See http://roselabs.nl/files/courses/minor.pdf for more details.
Students do not need to study a specific major, but they need to have in-depth knowledge of human factors (e.g. human-computer interaction, user experience, usability) or computer systems (e.g. computer architectures, networking, programming). Given the workload of the minor, students should not have retakes or similar availability constraints.
Assessment of theory is done through quizzes, a lab journal, and active participation. Project weeks are graded based on various deliverables, carried out either individually or as a group.
Theoretical and practical background is given in class, and there are specific books for further reading. A list of all the books that are used for the different parts of the minor is given at http://roselabs.nl/links/, including links to audit reports. An open source course book is currently under development at https://github.com/arnepadmos/book.
The minor runs from week 1 in Q1 to week 10 in Q2. Full-time attendance is required. Students are expected to arrive by 09:00 at the dedicated security lab, and the day ends around 17:00. One day consists of 4 contact hours and 4 hours of group work; each week has 20 contact hours. The total workload is 840 hours, which is equivalent to 30 ECTS.