Sandro Etalle is full professor and head of the Security group at the Eindhoven University of Technology. He holds an MSc in mathematics from the University of Padova and a PhD in computer science from the University of Amsterdam. His research is about IT security with a particular interest for intrusion detection and protection of the critical infrastructure. Today he is also a co-founder of the spin-off Security Matters, where he served for more than 4 years as CEO and is now chairman of the board. Etalle is one of the authors of the Dutch ‘National Cyber Security Research Agenda’, he has been leader of several national and EU projects, and program chair of several international conferences.
In this course, we discuss on one hand how cybercriminals actually operate, and on the other hand the legal framework that underpins the regulatory and privacy aspects that managers have to be aware of.
In the first part, we will start discussing the technical attack vectors (XSS, SQL Injections, XSRF, drive-by download) and how these vectors are embodied in complex attacks (malware, spyware, ransomware, botnets) Then, we will see how these attacks are used in the cybercrime economy (spam, phishing, infections and money laundering), and we will touch on the economic aspects of cyber criminality, and on the markets of cybercrime as a service. Finally, we will discuss attacks sophistication, state-sponsored attacks and the emergence of a grey-market. We will make use of case-studies (e.g., Hacking Team, Stuxnet, Flame, etc).
In the second part, we will discuss the national, European and international legal framework on privacy and the protection of personal data. Particular attention will be devoted to the EU General Data Protection Regulation – which will become applicable as of May 2018 - and on the EU-US-Privacy Shield, in consideration of the relevance of the transfer of personal data to the United States. The rules will be examined in the light of roles and responsibilities of Digital Technology Managers, who have to make crucial technical and organizational choices on security and data protection, such as in the selection of cloud service providers.
Then we will touch on other legal aspects of interest for the managers of IT- and IT-based companies, such as Intellectual Property Rights, IT contracts, administrative and criminal responsibility for cybercrimes.