CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Scott Shackelford, The Internet of Things: What Everyone Needs to Know | File Type: video/mp4 | Duration: 3182

The Internet of Things (IoT) is the notion that nearly everything we use, from gym shorts to streetlights, will soon be connected to the Internet. Industry and financial analysts have predicted that the number of Internet-enabled devices will increase from 11 billion to upwards of 25 billion in coming years. Regardless of the number, the end result looks to be a mind-boggling explosion in Internet connected stuff. Yet, there has been relatively little attention paid to how we should go about regulating smart devices, and still less about how cybersecurity should be enhanced. Similarly, now that everything from refrigerators to stock exchanges can be connected to a ubiquitous Internet, how can we better safeguard privacy across networks and borders? This talk will explore these issues by pulling from the recently published book, ‘The Internet of Things: What Everyone Needs to Know.’ Our discussion will also be couched by the findings of a recent report for the Indiana Executive Council on Cybersecurity entitled, ‘State of Hoosier Cybersecurity 2020.’ About the speaker: Professor Scott J. Shackelford serves on the faculty of Indiana University where he is Cybersecurity Program Chair along with being the Executive Director of the Ostrom Workshop. He is also an Affiliated Scholar at both the Harvard Kennedy School's Belfer Center for Science and International Affairs and Stanford's Center for Internet and Society, as well as a Senior Fellow at the Center for Applied Cybersecurity Research, and a Term Member at the Council on Foreign Relations. Professor Shackelford has written more than 100 articles, book chapters, essays, and op-eds for diverse publications. Similarly, Professor Shackelford's research has been covered by an array of outlets, including Politico, NPR, CNN, Forbes, Time, the Washington Post, and the LA Times.
He is also the author of The Internet of Things: What Everyone Needs to Know (Oxford University Press, 2020), Governing New Frontiers in the Information Age: Toward Cyber Peace (Cambridge University Press, 2020), and Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press, 2014). Both Professor Shackelford's academic work and teaching have been recognized with numerous awards, including a Harvard University Research Fellowship, a Stanford University Hoover Institution National Fellowship, a Notre Dame Institute for Advanced Study Distinguished Fellowship, the 2014 Indiana University Outstanding Junior Faculty Award, and the 2015 Elinor Ostrom Award.

 Adwait Nadkarni, Building Practical Security Systems for the Post-App Smart Home | File Type: video/mp4 | Duration: 3609

Modern end-user computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling expressive and popular functionality that is often manifested in applications, or apps. Thus, for the last decade, designing security systems to analyze apps for vulnerabilities or unwanted behavior has been a major focus within the security community. This approach has continued well into the smart home, with researchers developing systems inspired by lessons from Android security to inspect IoT apps developed for popular platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate that IoT apps may not represent automation in real homes, and may even be unavailable in the near future. That is, while API misuse by third-party developers is an important problem, the approach of analyzing/instrumenting IoT apps may not offer an effective or sustainable solution. In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate three alternate research directions. First, I will describe the need to develop an alternative artifact for security analysis that is representative of automation usage in the wild. To this end, I will introduce Helion, a system that uses statistical language modeling to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which can be used for security or safety analysis. Second, I will illustrate the need to improve the security of mobile companion apps, which often form the weakest link in smart home deployments, and the important position of security analysis/compliance tools in ensuring the development of secure companion apps.
To this end, I will present the mSE framework, which automatically and rigorously evaluates static program analysis-based security systems using mutation testing. Our work on mSE (and its successor, MASC) culminated in the discovery of critical security flaws in popular tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing our current efforts to build system-level defenses into IoT platforms that are agnostic to IoT apps, i.e., independent of their visibility or mutability, thereby potentially providing a lasting solution to API misuse by third-party developers. About the speaker: Adwait Nadkarni is an Assistant Professor in the Department of Computer Science, and director of the Secure Platforms Lab (SPL) at William & Mary. Prof. Nadkarni's primary research domain is security and privacy, with a focus on emerging platforms, and the areas of operating systems and software security. Prior to joining William & Mary, Prof. Nadkarni earned his Bachelor of Engineering (BE) in Computer Engineering from the University of Mumbai in July 2011, followed by his Ph.D. and M.S. in Computer Science from the Computer Science Department at the North Carolina State University in May 2017 and December 2012 respectively, both with Dr. William Enck. At NC State, Prof. Nadkarni was a founding member of the Wolfpack Security and Privacy Research (WSPR) Lab, and served as its Lead Graduate Student until May 2017.

 Lorrie Cranor, Security and Privacy for Humans | File Type: video/mp4 | Duration: 3452

Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, about 20 years ago that started to change when a seminal paper asked "Why Johnny Can't Encrypt" and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the lessons learned from the past 20 years of usable privacy and security research, and explore where the field might be headed. About the speaker: Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She also directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the MSIT-Privacy Engineering masters program. In 2016 she served as Chief Technologist at the US Federal Trade Commission. She is also a co-founder of Wombat Security Technologies, Inc, a security awareness training company that was acquired by Proofpoint. She has authored over 200 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability and founded the Symposium On Usable Privacy and Security (SOUPS). 
She has served on a number of boards and working groups, including the Electronic Frontier Foundation Board of Directors, the Computing Research Association Board of Directors, and the Aspen Institute Cybersecurity Group. In her younger days she was honored as one of the top 100 innovators 35 or younger by Technology Review magazine. More recently she was elected to the ACM CHI Academy, named an ACM Fellow for her contributions to usable privacy and security research and education, and named an IEEE Fellow for her contributions to privacy engineering. She has also received an Alumni Achievement Award from the McKelvey School of Engineering at Washington University in St. Louis, the 2018 ACM CHI Social Impact Award, the 2018 International Association of Privacy Professionals Privacy Leadership Award, and (with colleagues) the 2018 IEEE Cybersecurity Award for Practice. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. She holds a doctorate in Engineering and Policy from Washington University in St. Louis. In 2012-13 she spent her sabbatical as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, walks to work, and runs after her three teenagers.

 Kimberly Ferguson-Walter, Maximizing Cyber Deception to Improve Security: An Empirical Analysis | File Type: video/mp4 | Duration: 3252

The threat of cyber attacks is a growing concern across the world, leading to an increasing need for sophisticated cyber defense techniques that leverage the defender's "home field advantage". We designed the Tularosa Study to understand how defensive deception, both cyber and psychological, affects cyber attackers. Over 130 professional red teamers participated in a network penetration test over two days in which both the presence of and explicit mention of deceptive defensive techniques were controlled. To our knowledge, this represents the largest study of its kind ever conducted on a skilled red team population. The design was conducted with a battery of questionnaires (e.g., experience, personality, etc.) and cognitive tasks (e.g., fluid intelligence, working memory, etc.), allowing for the characterization of a "typical" red teamer, as well as physiological measures (e.g., galvanic skin response, heart rate, etc.) to be correlated with the cyber events. Preliminary results support a new finding that the combination of the presence of deception and the true information that deception is present has the greatest effect on cyber attackers, when compared to a control condition in which no deception was used.
Special Panel: Immediately following Dr. Ferguson-Walter's seminar, join CERIAS for a unique opportunity to hear six professionals from NSA -- including two Purdue alumni -- who will share their careers and experiences as cybersecurity researchers and practitioners. The panelists will describe opportunities for students and graduates, and answer questions from the audience about their work and life at NSA. [Note: Only US citizens are able to work at the NSA.]
Topic: What is it like to work at the National Security Agency (NSA)
Register in advance for this webinar: https://purdue-edu.zoom.us/webinar/register/WN_mRCKeiU9TbqNJNxcogddsA After registering, you will receive a confirmation email containing information about joining the webinar.
Eric Bryant is currently serving as a Director of Cybersecurity Operations in the NSA/CSS Cybersecurity Operations Center (NCSOC). In this capacity, he is responsible for leading a diverse team working around the clock to prevent and eradicate cybersecurity threats to the nation. He also serves as NSA's Academic Liaison to Purdue University, where he graduated with a degree in computer science and is an alumnus of CERIAS.
Dr. Josiah Dykstra is a Technical Fellow and Senior Executive in the Cybersecurity Collaboration Center of the National Security Agency. He holds a Ph.D. in computer science and previously served at NSA as a cyber operator and researcher. Dr. Dykstra is interested in cybersecurity science and how humans intersect with technology. He is the author of numerous peer-reviewed research papers and one book.
Dr. Kimberly Ferguson-Walter is a Senior Research Scientist with NSA's Laboratory for Advanced Cybersecurity Research where her research focuses on the intersection of computer security, artificial intelligence, and human behavior. She has been focused on adaptive cybersecurity at the NSA for the past ten years and is the lead for the Research Directorate's deception for cyber-defense effort. She has a Ph.D. in computer science and is currently on joint-duty assignment to the Naval Information Warfare Center Pacific to perform collaborative research and facilitate strategic alignment and technology transfers.
Natalie Janiszewski is a Higher Education Outreach Advocate with NSA's office of Academic Engagement. Natalie brings over 25 years of educational experience to her role at NSA. She is responsible for maintaining strong relationships with academic institutions to influence curriculum and encourage activities in NSA's mission-critical areas: science, technology, engineering, math, intelligence analysis, language and cybersecurity. Natalie taught classes in a graduate program for educational technology. Her passion lies in designing environments that facilitate durable, actionable learning for students.
Joel Klasa graduated from Purdue in May 2020 with a degree in computer science and participated in the NSA co-op program throughout his time at Purdue. Upon graduation, he was hired into a development program at the agency and has a current focus of machine learning and artificial intelligence in cybersecurity.
Dr. Celeste Lyn Paul is a senior researcher and technical leader at the National Security Agency. Her work has focused on a broad range of topics including emerging technologies, human factors in security, and more recently, securing cyberspace in outer space.
5:30pm EDT:
About the speaker: Dr Kimberly Ferguson-Walter is a Senior Research Scientist for the Laboratory for Advanced Cybersecurity Research. She earned a BS in Information and Computer Science from the University of California Irvine, cum laude, with a specialization in artificial intelligence and her MS and PhD in Computer Science from the University of Massachusetts Amherst. Her research interests are focused on the intersection of computer security, artificial intelligence, and human behavior.
She has been focused on adaptive cybersecurity for the past ten years and is the lead for the Research Directorate's deception for cyber-defense effort. Her research background also includes reinforcement learning, transfer learning, representation learning, and intelligent tutoring systems. She is currently on joint-duty assignment to the Naval Information Warfare Center Pacific to perform collaborative research and facilitate strategic alignment and technology transfers. She has organized multiple international workshops on cyber deception, autonomous cyber operations, and cognitive security. Dr Ferguson-Walter is a founding member of the Cybersecurity Technical Group of the Human Factors and Ergonomics Society (HFES) and co-chairs a mini-track at the Hawaiian International Conference on System Science (HICSS) on Cyber Deception and Cyber Psychology for Defense.

 Sivaram Ramanathan, Improving the Accuracy of Blocklists by Aggregation and Address Reuse Detection | File Type: video/mp4 | Duration: 2617

IP address blocklists are a useful source of information about repeat attackers. Such information can be used to prioritize which traffic to divert for deeper inspection (e.g., repeat offender traffic), or which traffic to serve first (e.g., traffic from sources that are not blocklisted). But blocklists also suffer from overspecialization -- each list is geared towards a specific purpose -- and they may be inaccurate due to misclassification or stale information. We propose BLAG, a system that evaluates and aggregates multiple blocklist feeds, producing a more useful, accurate and timely master blocklist, tailored to the specific customer network. BLAG uses a sample of the legitimate sources of the customer network's inbound traffic to evaluate the accuracy of each blocklist over regions of address space. It then leverages recommendation systems to select the most accurate information to aggregate into its master blocklist. Finally, BLAG identifies portions of the master blocklist that can be expanded into larger address regions (e.g. /24 prefixes) to uncover more malicious addresses with minimum collateral damage. Our evaluation of blocklists of various attack types and three ground-truth datasets shows that BLAG achieves high specificity up to 99%, improves recall by up to 114 times compared to competing approaches, and detects attacks up to 13.7 days faster, which makes it a promising approach for blocklist generation. Although performance of blocklists can be improved, they need to be used carefully. Blocklists can potentially lead to unjust blocking of legitimate users due to IP address reuse, where more users could be blocked than intended. IP addresses can be reused either at the same time (Network Address Translation) or over time (dynamic addressing). We present two new techniques to identify reused addresses.
We built a crawler using the BitTorrent Distributed Hash Table to detect NATed addresses and use the RIPE Atlas measurement logs to detect dynamically allocated address spaces. We then analyze 151 publicly available IPv4 blocklists to show the implications of reused addresses and find that 53--60% of blocklists contain reused addresses having about 30.6K--45.1K listings of reused addresses. We also find that reused addresses can potentially affect as many as 78 legitimate users for as many as 44 days. About the speaker: Sivaram is a fifth-year Ph.D. student at the University of Southern California. His research focuses on developing systems to improve internet security and providing better measurements in the network.

 Abhilasha Bhargav-Spantzel, Fearless Computing | File Type: video/mp4 | Duration: 3059

"Wouldn't it be great if we could download anything, explore anything and build anything without the annoying feeling that you are going to get hacked?" This was a question from my kids, who are currently in elementary school. Have you experienced similar questions from kids and adults alike? Computing is becoming such an integral part of our lives, wouldn't it be great to use compute resources fully for all aspects of our lives. This includes work, education, healthcare and finance; be creative and innovate without the constant fear of backlash? This is what we mean by fearless computing: where we investigate how the very design of compute has security and privacy features built into the design of the platform. We will also explore how through education and awareness we can help nurture the freedom of thought and innovation to not only protect ourselves but create a cyber talent that builds the next generation systems and solutions. Join us for a discussion on the technology and solutions that help us work towards our vision for fearless computing. About the speaker: Abhilasha Bhargav-Spantzel is a Principal Engineer at Intel, focusing on hardware-based security product architecture. She has 15+ years of experience in security and privacy. She completed her doctorate from Purdue University, which focused on identity and privacy protection using cryptography and biometrics. Abhilasha drives thought leadership and the future evolution of cybersecurity platforms through innovation, architecture, and education. She has given numerous talks at conferences and universities as part of distinguished lecture series and workshops. She has written 5 book chapters and 30+ ACM and IEEE articles and has 25+ patents. Abhilasha leads multiple D&I and actively drives the retention and development of women in technology. She is passionate about STEM K-12 cybersecurity education initiatives, as well as co-organizes regular camps and workshops for the same.

 Kelley Misata, Results from the Field: Cybersecurity in Nonprofits and Why it Matters | File Type: video/mp4 | Duration: 3338

The last time you gave to a favorite charity, did you think about their cybersecurity? Do you sit on the board of a nonprofit? Are nonprofits using your cybersecurity solutions? The "wild" of the Internet and the continually evolving threat landscape force nonprofits to defend themselves against intrusion and cyber-attacks. Breaking down the myths and assumptions about nonprofits' cybersecurity, this session spotlights approaches and exciting results from local nonprofit organizations of all sizes. Join us with your favorite nonprofit in mind and walk away with new information about this overlooked business sector and why it matters. About the speaker: Dr. Kelley Misata is a cyber and information security executive with 15+ years of experience in strategic initiatives, business development, community and customer growth, marketing, and communications. Today, Dr. Misata is the Founder and CEO of Sightline Security, a security start-up with a mission of helping underserved enterprises and community sectors. She is also the President and Executive Director of The Open Information Security Foundation (OISF), a nonprofit organization that owns and manages the open-source network security technology, Suricata. Her leadership experience with both Sightline and OISF, combined with her past role as Communications Director at The Tor Project, allows Dr. Misata to use her expertise in bringing complex cyber and information security principles to a wide array of business sectors and audiences. A business-minded researcher with a groundbreaking dissertation in nonprofits' information security, she continually draws on current trends and conversations in information security and privacy to create strategies that intersect people, process, and technology. Dr. Misata holds a Ph.D. in Information Security from Purdue University, a Master's Degree in Business Administration and Marketing from Bentley University, and a Bachelor of Science in Marketing from Westfield University.

 Yoon Auh, NUTS: eNcrypted Userdata Transit & Storage; Viewing Data as an Endpoint™ (DaaE) using Structured Cryptography | File Type: video/mp4 | Duration: 3081

Can objects be truly secured independently without resorting to a massive central reference monitor? It's a great question and we will discuss a solution to it called NUTS. During this talk, we'll take data structures, message protocols and applied cryptography and toss them into the cauldron of reality, sprinkle in some DNA and data management to brew up some Security at the Data Perimeter towards crafting Data as the Endpoint. It sounds like a bad witch's brew of epic proportions but once we cast the spell, you will see the integration of many CS/CISSP concepts you've learned over the years and new ways to use them. Our goal is to make sure that the private individual has the best applied cryptographic technologies at their disposal for free in an unobtrusive way. By the way, a nut is the only secure data structure we know of that can help mitigate insider threats in a purely cryptographic way independent of reference monitors. We'll also show you how the NUTS Ecosystem can provide Alice with a ransomware-resistant 'hot' system at home using just 2 computers. About the speaker: Yoon Auh, CISSP, is the founder and CEO of NUTS Technologies® Inc., a midwestern cybersecurity startup. He holds multiple US patents around structured security and structured cryptography. His firm is breaking new ground in applying structured security and cryptography at the data layer. He graduated from Columbia College in NYC with a BA in Physics and a BS in Engineering Mechanics from Columbia School of Engineering. Yoon's prior career was in finance and technology, culminating in a successful career as Head Trader for several world-class financial firms. A little NUTS history: tired of poor personal data protection tools and even worse data management methods for the average Joe, Yoon created the eNcrypted Userdata Transit & Storage (NUTS) ecosystem, which relies on viewing Data as the Endpoint™. To this end, a secure cryptographic data structure called a nut was created: a complex structured cryptographic data structure featuring built-in multi-layered, multi-model pure cryptographic access controls requiring no reference monitors (if you understood this sentence, you are in for a real treat). Essentially, a nut allows the security perimeter to be brought down to the data layer so that it can travel with the data.
