Unmanned Aerial Vehicles (UAVs), commonly known as drones, have found applications in various fields in recent years. However, along with their proliferation, security and privacy attacks have also increased. Nearby or even remote attackers may interfere with their electronic systems to take control of UAVs or alter their operations. In addition, UAVs equipped with sensors may be abused by their operators to carry out privacy attacks, such as spying on or monitoring individuals. The aim of this tutorial is to assist the reader in gaining a fundamental understanding and practical knowledge of security and privacy threats, attacks and mitigation controls for UAVs. Initially, we provide a description of the underlying technologies, architectures and applications of UAVs. Then we dive into security and privacy attacks and countermeasures. We analyze the various risks and cyberattacks that may arise, as well as the possible ways through which organizations and individuals may address the challenges presented by the malicious use of UAVs. As our main goal is to provide the reader with both theoretical and technical knowledge on UAV security, we describe a step-by-step security assessment methodology for UAV applications. The methodology, which is based on well-known security standards, may help the interested reader in gaining a holistic view of a security assessment, starting from threat modeling and going through penetration testing to security management. Finally, to showcase the methodology, we apply it in a practical, hands-on scenario, demonstrating the identification of attack paths against UAVs and the implementation of appropriate mitigation controls.