This week sees the start of a course on security engineering that Sam Ainsworth and I are teaching. It’s based on the third edition of my Security Engineering book, and is a first cut at a ‘film of the book’.
Each week we will put two lectures online, and here are the first two. Lecture 1 discusses our adversaries, from nation states through cyber-crooks to personal abuse, and the vulnerability life cycle that underlies the ecosystem of attacks. Lecture 2 abstracts this empirical experience into more formal threat models and security policies.
Although our course is designed for masters students and fourth-year undergrads in Edinburgh, we’re making the lectures available to everyone. I’ll link the rest of the videos in followups here, and eventually on the book’s web page.
Here are the videos for lecture 3 and lecture 4, which cover banking and payment security. Lots of real-world attacks go after the money, so the security engineer needs to understand how payment systems work, and how they get exploited. I cover the mechanisms that underlie ATMs and card payments, online banking, and even the anti-money-laundering system – ending up with the surprising fact that cybercrime patterns have been stable for a decade, despite the move from laptops to phones and from on-premises servers to the cloud. There is one stand-out exception, though: ransomware.
Hello, do you guys have plans on transforming those classes into a podcast?
Here are the videos for lecture 5 on security economics and for lecture 6 on security psychology. The last twenty years have seen huge advances in our understanding of both, and the human aspect of security – at both the institutional and personal levels – is vital for understanding many of the things that go wrong in practice. As for Vinícius’ question, we’re not going to turn our online classes into a podcast; those are for Edinburgh students, who have not given consent for their participation to be shared beyond the classroom.
This week we dive into more technical material, with the videos for lecture 7 on network security, and lecture 8 on hardware security.
Here are the videos for lecture 9 on hardware security, which starts with Rowhammer, covers side-channel attacks such as Spectre and Plundervolt, and ends up with Cheri, a major innovation from colleagues at Cambridge; and lecture 10 on operating system security, which explains how mandatory and discretionary access controls combine in Android, iOS and Windows.
We now release the videos for lecture 11, on virtualisation, sandboxes and containers; and lecture 12, which is on app stores, supply chains and other ecosystems such as accessory control.
Here’s the final instalment: lecture 13 on safety and security, lecture 14 on assurance and sustainability and lecture 15 on governance and regulation.
Thank you, much appreciated.
Now here is the guest lecture. This was the final event of the course, and was also an event for the whole security group at Edinburgh. The speaker, Ian Levy, is the CTO at NCSC.