CERIAS Weekly Security Seminar - Purdue University show

CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Jeff Man, Why Attack When You Can Defend | File Type: video/mp4 | Duration: 3705

MITRE ATT&CK® seems to be the "next big thing". Every time I hear about it I can't help but wonder, "how do you prevent all these attacks in the first place? Shouldn't that be the endgame?" To that end, I set out to map all the recommended "Mitigations" for all the "Techniques" detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I'm still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results. About the speaker: Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, TOH Blue Team, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.

 Jeff Man, "Why Attack When You Can Defend" | File Type: video/mp4 | Duration: Unknown

MITRE ATT&CK® seems to be the “next big thing”. Every time I hear about it I can’t help but wonder, “how do you prevent all these attacks in the first place? Shouldn’t that be the endgame?” To that end, I set out to map all the recommended “Mitigations” for all the “Techniques” detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I’m still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results.

 Courtney Falk, "The Pod People Campaign: Driving User Traffic via Social Networks" | File Type: video/mp4 | Duration: Unknown

Users of social networks are having their accounts subverted. Threat actors are gaining unauthorized access to large numbers of accounts and inserting links to suspicious websites. Shared command-and-control infrastructure is used across 70+ different social networks, suggesting a coordinated campaign to drive user traffic. The actors behind this campaign, and the end goal for driving user traffic, remain uncertain. The campaign remains active with changing indicators. The fact that this campaign spans so many different social networks makes determining the scope of the overall problem difficult. Using Goodreads as an example, we detail how the attack is constructed.

 Courtney Falk, The Pod People Campaign: Driving User Traffic via Social Networks | File Type: video/mp4 | Duration: 3582

Users of social networks are having their accounts subverted. Threat actors are gaining unauthorized access to large numbers of accounts and inserting links to suspicious websites. Shared command-and-control infrastructure is used across 70+ different social networks, suggesting a coordinated campaign to drive user traffic. The actors behind this campaign, and the end goal for driving user traffic, remain uncertain. The campaign remains active with changing indicators. The fact that this campaign spans so many different social networks makes determining the scope of the overall problem difficult. Using Goodreads as an example, we detail how the attack is constructed. About the speaker: Dr. Courtney Falk is an information security professional with over fifteen years of experience in the government, academic, and public sectors. He earned his doctorate of philosophy from Purdue University in the interdisciplinary information security program. When Courtney is not building systems as a principal software engineer, he enjoys painting miniature figures and playing war games.

 Michael Clark, "From Machine Learning Threats to Machine Learning Protection Requirements" | File Type: video/mp4 | Duration: Unknown

Researchers from academia and industry have identified interesting threat vectors against machine learning systems. These threats exploit intrinsic vulnerabilities in the system, or vulnerabilities that arise naturally from how the system works rather than being the result of a specific implementation flaw. In this talk, I present recent results in threats to machine learning systems from academia and industry, including some of our own research at Riverside Research. Knowing about these threats is only half the battle, however. We must determine how to transition both the understanding gained by developing attacks and specific defenses into practice to ensure the security of fielded systems. In this talk I leverage my experience working on standards committees to present an approach for leveraging machine learning protection requirements on systems that use machine learning.

 Michael Clark, From Machine Learning Threats to Machine Learning Protection Requirements | File Type: video/mp4 | Duration: 3133

Researchers from academia and industry have identified interesting threat vectors against machine learning systems. These threats exploit intrinsic vulnerabilities in the system, or vulnerabilities that arise naturally from how the system works rather than being the result of a specific implementation flaw. In this talk, I present recent results in threats to machine learning systems from academia and industry, including some of our own research at Riverside Research. Knowing about these threats is only half the battle, however. We must determine how to transition both the understanding gained by developing attacks and specific defenses into practice to ensure the security of fielded systems. In this talk I leverage my experience working on standards committees to present an approach for leveraging machine learning protection requirements on systems that use machine learning. About the speaker: Dr. Mike Clark is a computer scientist at Riverside Research and currently leads their Trusted and Resilient Systems research group. He conducts research in the areas of security of distributed and cyber-physical systems, cryptographic secure computation, and security and privacy issues of machine learning and artificial intelligence. Dr. Clark also co-leads the cybersecurity subcommittee for the Sensor Open Systems Architecture (SOSA™) consortium, where he is developing security requirements and standards for sensor systems of the future.

 , "Global Challenges in Security and Privacy Policy: elections, pandemics, and biometric technologies" | File Type: video/mp4 | Duration: Unknown

CERIAS 2020 Annual Security Symposium Virtual Event https://ceri.as/symp Closing Keynote Panel Discussion - “Global Challenges in Security and Privacy Policy: elections, pandemics, and biometric technologies” Panelists: - Michel Beaudouin-Lafon, Vice Chair, ACM Technology Policy Council; Member, ACM Europe Council, Professor of Computer Science, Université Paris-Sud - James Hendler, Chair, US Technology Policy Committee, Professor of Computer, Web and Cognitive Sciences, Rensselaer Polytechnic Institute - Barbara Simons, Past President, ACM and ACM 2019 Policy Award Winner, Board of Advisors, US Election Assistance Commission, Chair, Board of Directors, Verified Voting Moderated by: Lorraine Kisselburgh, Chair, ACM Technology Policy Council, Advisory Board and 2018 Resident Scholar, Electronic Privacy Information Center, Purdue University

 , Global Challenges in Security and Privacy Policy: elections, pandemics, and biometric technologies | File Type: video/mp4 | Duration: 3402

CERIAS 2020 Annual Security Symposium Virtual Event https://ceri.as/symp Closing Keynote Panel Discussion - "Global Challenges in Security and Privacy Policy: elections, pandemics, and biometric technologies" Panelists: - Michel Beaudouin-Lafon, Vice Chair, ACM Technology Policy Council; Member, ACM Europe Council, Professor of Computer Science, Université Paris-Sud - James Hendler, Chair, US Technology Policy Committee, Professor of Computer, Web and Cognitive Sciences, Rensselaer Polytechnic Institute - Barbara Simons, Past President, ACM and ACM 2019 Policy Award Winner, Board of Advisors, US Election Assistance Commission, Chair, Board of Directors, Verified Voting Moderated by: Lorraine Kisselburgh, Chair, ACM Technology Policy Council, Advisory Board and 2018 Resident Scholar, Electronic Privacy Information Center, Purdue University About the speaker: Lorraine Kisselburgh is the inaugural Chair of ACM's new global Technology Policy Council, where she oversees technology policy engagement in the US, Europe, and other global regions. At Purdue University, she is a fellow in the Center for Education and Research in Information Security (CERIAS), lecturer in the Discovery Park Center for Entrepreneurship, and former professor of media, technology, and society. Her research focuses on the social implications of emerging technologies, including privacy, ethics, and collaboration; social interaction in technological contexts; and gender and leadership in STEM careers.
She has been funded by the National Science Foundation and the Department of Homeland Security, and with colleagues developed platforms for virtual creative collaboration, and a framework to enhance ethical reasoning skills of STEM researchers (recognized by the National Academy of Engineering). In 2018 she was the Scholar-in-Residence at the Electronic Privacy Information Center (EPIC) in Washington, D.C., coordinating the development of the University Guidelines for Artificial Intelligence, a framework grounded in human rights protection. She served on the ACM Task Force on Code of Ethics and Professional Conduct from 2017-2018, and ACM's US Technology Policy Committee (USTPC) from 2006-2019, and is a member of the Advisory Board for the Electronic Privacy Information Center. At Purdue she has also been recognized as the inaugural Faculty Scholar in the Butler Center for Leadership, CERIAS Faculty Fellow, a Service Learning Faculty Fellow and Diversity Faculty Fellow, and was the recipient of the Violet Haas Award for her efforts on behalf of women.

 Osman Ismael, "TCB: From Assumption to Assurance" | File Type: video/mp4 | Duration: Unknown

The TCB has been very precisely defined since 1979, but in practice its implementation and application in today's modern software stack is very blurry. This talk describes a very common application and how to consider its associated TCB; after exposing the problems it will propose an alternative to better release and execute software with unbreakable guarantee.

 Osman Ismael, TCB: From Assumption to Assurance | File Type: video/mp4 | Duration: 3080

The TCB has been very precisely defined since 1979, but in practice its implementation and application in today's modern software stack is very blurry. This talk describes a very common application and how to consider its associated TCB; after exposing the problems it will propose an alternative to better release and execute software with unbreakable guarantee. About the speaker: Osman Ismael is CTO and Co-founder of BedRock Systems Inc. Prior to his current role he served 12 years as a founding member and distinguished Engineer at FireEye. Osman helped lead and build projects at Sun Microsystems and Sun Microsystems Labs, where he spent 8+ years as staff engineer and Senior Staff Engineer. He served as a Senior Software Architect at Terraspring, acquired by Sun Microsystems in 2002. Osman has an extensive background in virtualization, cyber security, operating systems, networking and holds over 30 patents in these industries.

 Warda Zahid Khan, "Authentication: Behind The Scenes When You Click “Check Out”" | File Type: video/mp4 | Duration: Unknown

The payments ecosystem is evolving fast and making sure the cardholder’s digital payment experience is frictionless, smooth and secure has never been more important. With approval rates for digital payments at 82% compared to 97% for in-person payments, and globally digital transaction fraud currently four times higher than in-store expected to increase 68% by 2022, intelligence matters more than ever. As more transactions move to the digital world, particularly after COVID-19, on an ever-increasing array of devices, the need to keep up is vital. To help issuers’ real-time decisioning, increasing approval quality, improving the cardholder experience and reducing fraud, Mastercard leverages the power of proprietary data, sophisticated modelling and machine learning, combined with Mastercard’s global insights and analytics to process thousands of data points and delivers authentication assessment to the cardholder’s bank real-time during the payment to help the bank make an informed and robust decision.

 Warda Zahid Khan, Authentication: Behind The Scenes When You Click "Check Out" | File Type: video/mp4 | Duration: 3180

The payments ecosystem is evolving fast and making sure the cardholder's digital payment experience is frictionless, smooth and secure has never been more important. With approval rates for digital payments at 82% compared to 97% for in-person payments, and globally digital transaction fraud currently four times higher than in-store expected to increase 68% by 2022, intelligence matters more than ever. As more transactions move to the digital world, particularly after COVID-19, on an ever-increasing array of devices, the need to keep up is vital. To help issuers' real-time decisioning, increasing approval quality, improving the cardholder experience and reducing fraud, Mastercard leverages the power of proprietary data, sophisticated modelling and machine learning, combined with Mastercard's global insights and analytics to process thousands of data points and delivers authentication assessment to the cardholder's bank real-time during the payment to help the bank make an informed and robust decision. About the speaker: Warda Khan is Director of Product at Mastercard, working in payments authentication space focusing on Smart Authentication, a machine learning based global service aimed at providing authentication intelligence to banks. She has been at Mastercard for 8 years and worked at the intersection of technology and business gaining experience across launching digital products to creating risk programs that help financial institutions mitigate payments risk. In her free time, Warda likes to spend time with her family, volunteer in the community, read books and, of course, watch Netflix.

 Rich Banta, "EMP Threat & Protection" | File Type: video/mp4 | Duration: Unknown

Protection against HEMP (High-Altitude Electromagnetic Pulse) and GMD (Geomagnetic Disturbance in a CME/Coronal Mass Ejection context) is a nascent science. Until recently, these have only been the concern of Department of Defense insiders, over-the-top “preppers”, and physics aficionados. Due to current events and an increasing reliance of all facets of 1st world civilization upon ICT (Information & Communications Technology), the discussion of EMP and GMD protections is moving into the mainstream. Lifeline Data Centers, LLC is nearing completion of an 84,000 square foot fully EMP & GMD-protected data center & SCIF facility in Ft. Wayne, Indiana. Mr. Banta will discuss the basic physics of HEMP and GMD, the threats posed by both, and the extreme and expensive challenges of mitigating the effects of both in a data center setting. Mr. Banta presents from the perspective of designer/architect, primary financier, constructor, and owner/operator of such a facility.

 Rich Banta, EMP Threat & Protection | File Type: video/mp4 | Duration: 3253

Protection against HEMP (High-Altitude Electromagnetic Pulse) and GMD (Geomagnetic Disturbance in a CME/Coronal Mass Ejection context) is a nascent science. Until recently, these have only been the concern of Department of Defense insiders, over-the-top "preppers", and physics aficionados. Due to current events and an increasing reliance of all facets of 1st world civilization upon ICT (Information & Communications Technology), the discussion of EMP and GMD protections is moving into the mainstream. Lifeline Data Centers, LLC is nearing completion of an 84,000 square foot fully EMP & GMD-protected data center & SCIF facility in Ft. Wayne, Indiana. Mr. Banta will discuss the basic physics of HEMP and GMD, the threats posed by both, and the extreme and expensive challenges of mitigating the effects of both in a data center setting. Mr. Banta presents from the perspective of designer/architect, primary financier, constructor, and owner/operator of such a facility. About the speaker: Rich Banta - Rich is co-founder and co-owner of Lifeline Data Centers, LLC since 2001. He holds patents on data center power distribution, data center cooling, and EMP protection. Rich is a contributor to several international standards bodies and to NIST. Rich recently accepted the Chairmanship of the International Data Center Authority® Technical Standards Committee. He is a certified Data Center Authority (DCA)®️. Mr. Banta possesses decades of industry, standardization, and development experience, and is the former Chief Technology Officer of a large hospital system. He is also an ISACA Certified Information Systems Auditor (CISA), ISC Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP). Rich is currently a member of the University of Texas San Antonio DEMSO (Domestic Electromagnetic Spectrum Operations) working group.

 Roger Schell, "Dramatically Reducing Attack Surface Using Integrity MAC Security Kernel" | File Type: video/mp4 | Duration: Unknown

We face an existential threat of permanent damage to critical physical components in our national infrastructure as a result of their poor resilience against cybersecurity attack. A Programmable Logic Controller (PLC) commonly provides the control system for such components, e.g., bulk power generators. Our proof-of-concept implementation dramatically mitigates threats to such cyber-physical systems (CPS) by specifically leveraging what NIST 800-160 calls “highly assured, kernel-based operating systems in Programmable Logic Controllers”. We dramatically reduce the attack surface visible to potential attackers to be ~1% of the total compared to competing approaches. Our demonstration refactors the common CPS architectural approach to data and cooperating processes into hierarchically ordered security domains using the widely available OpenPLC project code base. The GEMSOS security kernel verifiably enforces traditional integrity mandatory access control (MAC) policy on all cross-domain flows. GEMSOS is designed for wide-spread delivery as a Reusable Trusted Device, providing the reference monitor for secure single-board, multi-board, and System-on-a-Chip systems. Only a processing component in the highest integrity domain can directly send/receive control signals, enforcing “safe region” operating constraints to prevent physical damage. This very small attack surface protects the critical physical components, making the overall CPS resilient to skilled adversaries’ attacks, even though much larger lower integrity software running in other domains on the same Trusted Device hardware and network infrastructure may be thoroughly compromised. We make available our restructured OpenPLC source to encourage control system manufacturers to deliver verifiable PLC products to, as NIST puts it, “achieve a high degree of system integrity and availability” for control systems. UC Davis is using our demonstration on GEMSOS in their Computer Security Lab, today.