MISSM @ University of Luxembourg
Abstract #
Modern cyber risk is no longer confined to laptops and servers. Organisations now operate in environments where connected devices (IoT) extend digital exposure into homes, factories, hospitals, vehicles, and cities; AI and generative AI accelerate the speed and sophistication of attacks while introducing new classes of application vulnerabilities; and quantum computing threatens long-standing cryptographic assumptions that underpin authentication, confidentiality, and trust at scale. This lecture provides a structured, defensive, and practical overview of threats, attacks, and countermeasures, with a dedicated focus on the emerging risks created by IoT, AI/GenAI systems, and post‑quantum readiness.
Participants will build a shared vocabulary for threats vs. vulnerabilities vs. attacks vs. risk, then apply it to real operational challenges: IoT asset discovery and segmentation, vendor and firmware lifecycle risk, AI-enabled fraud and persuasion at scale, prompt-injection and tool/agent misuse in LLM applications, and the planning required for a staged transition to post‑quantum cryptography. The lecture is grounded in widely used security frameworks and current guidance (e.g., IoT security baselines, LLM application security taxonomies, AI risk management frameworks, and PQC standards), and emphasizes decisions and controls that improve resilience quickly—without relying on “magic tools” or unrealistic assumptions.
Course material and slides #
| Slides | Description |
|---|---|
| Session 3 - threats, attacks & countermeasures | Cybersecurity gets messy when we blur terms. Threats are possibilities; vulnerabilities are weaknesses; attacks are actions; risk is context. Emerging tech doesn’t replace old threats—it increases scale and complexity. Availability attacks and ransomware are still major drivers, but IoT expands exposure and AI accelerates both offense and defense. |
References and further reading #
A. IoT SECURITY — STANDARDS, GUIDANCE, LABELING #
- National Institute of Standards and Technology (NIST) - NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline.
- Landing page: https://csrc.nist.gov/pubs/ir/8259/a/final
- PDF: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf
- National Institute of Standards and Technology (NIST) - SP 800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
- Landing page: https://csrc.nist.gov/pubs/sp/800/213/final
- PDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213.pdf
- European Telecommunications Standards Institute (ETSI) - EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements.
- Federal Communications Commission (FCC) - Cybersecurity Labeling Program for Internet of Things (IoT) Products
- UK Department for Science, Innovation and Technology - The UK Product Security and Telecommunications Infrastructure (PSTI) regime
- European Union Regulation (EU) 2024/2847 - Cyber Resilience Act (CRA): horizontal cybersecurity requirements for products with digital elements
- Official Journal text: https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
- Consolidated view: https://eur-lex.europa.eu/eli/reg/2024/2847/2024-11-20/eng
B. THREAT LANDSCAPE / DEFENSIVE TAXONOMIES #
- Verizon Data Breach Investigations Report (DBIR) 2025
- MITRE ATT&CK®
C. AI / GENAI SECURITY — APPLICATION RISKS, THREAT KNOWLEDGE, RISK MANAGEMENT #
- OWASP Top 10 for Large Language Model Applications
- https://owasp.org/www-project-top-10-for-large-language-model-applications/
- PDF: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-v2025.pdf
- MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems)
- National Institute of Standards and Technology (NIST) - Artificial Intelligence Risk Management Framework
- Publication page: https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10
- PDF: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf
- Program page: https://www.nist.gov/itl/ai-risk-management-framework
- National Institute of Standards and Technology (NIST) - Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
- Publication page: https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-generative-artificial-intelligence
- PDF: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
D. POST-QUANTUM / QUANTUM — STANDARDS & MIGRATION GUIDANCE #
- National Institute of Standards and Technology (NIST) - FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
- PDF: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
- CSRC page: https://csrc.nist.gov/pubs/fips/203/final
- National Institute of Standards and Technology (NIST) - FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA)
- PDF: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf
- CSRC page: https://csrc.nist.gov/pubs/fips/204/final
- National Institute of Standards and Technology (NIST) - FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA)
- PDF: https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.205.pdf
- CSRC page: https://csrc.nist.gov/pubs/fips/205/final
- Cybersecurity and Infrastructure Security Agency (CISA) - Quantum-Readiness: Migration to Post-Quantum Cryptography
- https://www.cisa.gov/resources-tools/resources/quantum-readiness-migration-post-quantum-cryptography
- PDF: https://www.nccoe.nist.gov/sites/default/files/2023-08/quantum-readiness-fact-sheet.pdf
- (EU) A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography
- https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography
- PDF: https://ec.europa.eu/newsroom/dae/redirection/document/117507
- UK National Cyber Security Centre (NCSC) - Timelines for migration to post-quantum cryptography