CERIAS Weekly Security Seminar - Purdue University show

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies, or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Arjan Durresi, Trust Engineering – from Developing Resilient Systems to Artificial Conscience | File Type: video/mp4 | Duration: 3607

This talk will discuss how we engineer trust among agents, humans, and algorithms to develop solutions to significant practical problems, including Trustworthy AI in multiple applications, Resilience in systems, and a framework for Artificial Conscience to control AI, which we extend to system security. Trustworthiness of AI solutions is emerging as a must for the best use of AI. Using our trust system, we have developed metrics for acceptance, explainability, and fairness of AI solutions having humans in the loop. Furthermore, we introduce the concept of Trustability, which captures the probability of a system keeping the required QoS performance under a specific attack tree. Finally, we present our framework for Artificial Conscience, where AI algorithms are controlled by agents who negotiate with each other using our trust engine to output a solution with maximum "Artificial Feeling." This framework can be easily implemented in any AI system where multiple metrics are involved, including system security scenarios. About the speaker: Arjan Durresi is a Professor of Computer Science at Indiana University Purdue University in Indianapolis, Indiana. He has published over 100 papers in journals, over 220 articles in conference proceedings, and twelve book chapters. His research interests include Trust Engineering, System Security, Trustworthy Artificial Intelligence, AI Control, Network Architectures and Protocols, and Quantum Computing. NSF, USD, states, universities, and industry sources funded his research. He was named among the top 2% of scientists on Stanford's list in September 2021 and updated in October 2022.

 Dean Cheng, Chinese Views of Information and Future Warfare | File Type: video/mp4 | Duration: 3000

Examines Chinese views on the importance of information as the new currency of international power, and discusses how the PLA's restructuring supports PLA efforts at planning for future "informationized local wars." About the speaker: Dean Cheng is a non-resident Senior Fellow with the Potomac Institute for Policy Studies and a Senior Advisor with the US Institute of Peace. He recently retired from the Heritage Foundation as the Senior Research Fellow for Chinese political and security affairs. He specializes in Chinese military and foreign policy, and has written extensively on Chinese military doctrine, technological implications of its space program, and "dual use" issues associated with China's industrial and scientific infrastructure. He is the author of "Cyber Dragon: Inside China's Information Warfare and Cyber Operations."

 Ronald Keen, Increasing Dependency; Increasing Threat | File Type: video/mp4 | Duration: 3626

Increasingly, the United States is becoming more and more dependent on Space-based technologies and systems. Our adversaries are well aware of this and have become much more aggressive in their attempts to understand, infiltrate and interfere with Space-based operations, while watching the corresponding impacts to ground-based critical infrastructure. Mr. Keen will discuss that increasing dependency and the associated cyber aspect, then extrapolate that into the upstream and downstream impacts to terrestrial critical infrastructure that occur as a result of Space-based events. Finally, he will discuss how the expanding presence of Space-based operations presents an increasing and dangerous cyber threat to both the Space-based and terrestrial-based critical infrastructure systems as they become even more co-dependent moving forward. About the speaker: Currently a Senior Advisor on Space and Cybersecurity within the National Risk Management Center, Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, Ronald Keen is a retired Air Force officer with an extensive background in intelligence and space systems operations, as well as critical infrastructure protection. Concluding a distinguished military career, Ron accepted the position as a Division Director in the Indiana State government directing research and testifying on issues within the utility regulatory environment with an emphasis on energy, cybersecurity and critical infrastructure. He accepted his current position with the Department after retiring from State government service. Ron earned his Bachelors at Southwest Texas State University and is a graduate of Embry Riddle Aeronautical University with a Masters in Aeronautical Science. A published author, Ron and his wife, Susan, have five children.

 Jason Ortiz, Securing Your Software Supply Chain | File Type: video/mp4 | Duration: 3762

To secure connected products, developers and manufacturers must use tools and processes that are purpose built to analyze the complex binaries found within connected devices and embedded systems. Beyond the capabilities of traditional security tooling, dedicated product security (software supply chain security) tools must run in the specialized languages, systems, and deployment cycles for these connected devices. In this talk hosted by Finite State's Jason Ortiz, we will examine where traditional security falls short in analyzing the composition of a device, detecting its vulnerabilities, assessing the severity of those vulnerabilities, prioritizing and conducting response actions. In this session, you will learn how traditional tools can't always see the opaque threats that live inside connected devices, explore Software Bill of Materials (SBOMs) and how to generate them, and discover how to build a product security strategy that leads to more secure products and software supply chains. About the speaker: Jason Ortiz is Engineering Manager at Finite State and has over 10 years of experience in the US Intel Community and more than five years in commercial cyber security services. In his role, Jason leads the team that develops necessary interfaces between the Finite State Platform and data for use by customers and partners in their business context. Jason is also President of the Indiana InfraGard Members Alliance, a partnership between the FBI and the private sector that facilitates public-private collaboration and information sharing, and a proud Boiler alum!

 Aurobindo Sundaram, Our Journey in Phishing Mitigation | File Type: video/mp4 | Duration: 3680

For 5 years, we have experimented with technology, people, and process controls at RELX, all designed to create an integrated framework for phishing mitigation. I'll speak about technology we've adopted (and that we haven't). I'll speak about failures in industry efforts (e.g., digital signatures). I'll speak about behavioral science and how we have adopted its concepts to drive behavior change. I'll speak about the "human is the weakest link/humans are our strongest link" debate raging in the industry today. I'll tell you where we still struggle as a company and as an industry. This topic will drive conversation, because everyone gets phishing emails; and everyone thinks they have a solution. About the speaker: Aurobindo Sundaram is the Head of Information Assurance & Data Protection at RELX, a global provider of information and analytics for professional and business customers across industries. He works closely with the company's Board of Directors, Group & division CEOs and functional heads, Chief Technology Officers, and Chief Information Security Officers to articulate and implement RELX's global information security program. His remit extends across 30,000+ employees, offices in 40+ countries, and customers in 180+ countries. Aurobindo has graduate degrees in computer science and management and is a CISSP.

 Mummoorthy Murugesan, Problems and Challenges in Data Security Posture Management | File Type: video/mp4 | Duration: 3199

The rise of enterprise cloud computing has brought an even greater emphasis on data. According to an analysis compiled by Statista, two zettabytes of data were created, captured, copied, and consumed globally in 2010. That figure will reach 97 zettabytes this year and 181 zettabytes by 2025. As the adoption of cloud computing continued to evolve, so did how enterprises approached securing their data. Today, enterprises find their data scattered throughout their various cloud systems, and they have lost visibility into where their sensitive data resides. The problems are about whether there are any shadow data stores that developers left abandoned? Who can access all of the enterprise data on these clouds, and are there excessive privileges? What data is at risk of being breached and falling out of regulatory compliance? Moreover, the growing complexity of cloud computing is a big part of why breached data records have risen (according to the Identity Theft Resource Center) from 16 million in 2010 to more than 155 million today. A recent survey from IDC found that 98% of organizations they queried reported at least one cloud data breach in the past 18 months. With all these challenges, cybersecurity professionals are faced with the daunting task of understanding where their organization's critical or regulated data exists across cloud platforms. The process of identifying and securing cloud data is called the Data Security Posture Management. In this talk, we will go over certain techniques for discovering, analyzing and securing data in various cloud platforms. We will then look at challenging problems that are opening up more avenues for further investigation, and research. About the speaker: Dr. Mummoorthy Murugesan is currently the founding Director of Engineering at Normalyze Inc. Earlier, he worked at Teradata R&D where he developed the incremental planning and execution of queries. 
He has worked in start-ups such as Netskope, and Turn to build highly scalable systems. At Netskope, he built the data management platform for the CASB (cloud access security broker) product. Before Normalyze, he led the cloud infrastructure initiatives for Workday's Prism analytics. Dr. Murugesan's interests span data, analytics, security and cloud infrastructure. He received his Ph.D. in Computer Science from Purdue University, and Masters degree from Syracuse University.

 Ambrose Kam, Applying Multi-Agent Reinforcement Learning (MARL) in a Cyber Wargame Engine | File Type: video/mp4 | Duration: 3330

Cybersecurity is inherently complicated due to the dynamic nature of the threats and ever-expanding attack surfaces. Ironically, this challenge is exacerbated by the rapid advancement of many new technologies like Internet of Things (IoT) devices, 5G infrastructure, cloud-based computing, etc. This is where artificial intelligence (AI) and machine learning (ML) techniques can be called into service, and provide potential solutions in terms of threat detection and mitigation responses in a rapidly changing environment. On the contrary, humans are often limited by their innate inability to process information and fail to recognize/respond to attack patterns in the multi-dimensional, multi-faceted world. The recent DARPA AlphaDogFight has proven AI pilots can defeat even the best human pilot in air-to-air combat. This prompted our engineers to develop a minimum viable product (MVP) that demonstrates the value of a multi-agent reinforcement learning (MARL) architecture in a simulated cyber wargaming environment. By using our simulation framework, we essentially "trained" the learning agents to produce the optimum combination/permutation of cyber attack vectors in a given scenario. This cyber wargaming engine allows our analysts to examine tactics, techniques and procedures (TTPs) potentially employed by our adversaries. Once these vulnerabilities are analyzed, our cyber protection team (CPT) can close security gaps in the system. About the speaker: Ambrose Kam is a Lockheed Martin Fellow with over 25 years of experience in the Department of Defense (DoD) industry. He is one of the earliest pioneers at applying modeling, simulation, and operations analysis techniques to threat modeling and cyber resiliency assessment. He regularly gives lectures at MIT, Georgia Tech, and industry consortiums like the Military Operations Research Society (MORS) and National Defense Industry Association (NDIA).
Ambrose has been quoted in major publications including Forbes, The Economist, etc, and has co-authored a book in Simulation and Wargames. As a subject matter expert, he represents Lockheed Martin in industry standards organizations like ISO, LOTAR, and INCITS. His most recent efforts in wargaming, Machine Learning/Deep Learning, Cyber Digital Twin, and Blockchain earned him patents and trade secret awards. In 2017, Ambrose won the prestigious Asian American Engineer of the Year (AAEOY) award for his technical leadership and innovations. He holds several advanced degrees from MIT and Cornell University as well as a Bachelor of Science degree from the University at Buffalo.

 Julie Haney, Users Are Not Stupid: Six Cybersecurity Pitfalls Overturned | File Type: video/mp4 | Duration: 2984

Whether you're implementing security policy or developing products, considering the human element is critical. Yet security professionals often fall victim to misconceptions and pitfalls that undermine users' ability to reach their full security potential. Grounded in real-world examples and human-centered research, this talk will explore how to recognize and overcome these pitfalls towards improving security through user empowerment. About the speaker: Julie Haney is a computer scientist and lead for the Usable Cybersecurity program at the National Institute of Standards and Technology (NIST). She conducts research about the human element of cybersecurity, including the usability and adoption of security solutions, work practices of security professionals, and people's perceptions of privacy and security. Previously, Julie spent over 20 years working in the U.S. Department of Defense as a security professional and technical director primarily in the cyber defense mission. She has a PhD and M.S. in Human-Centered Computing from University of Maryland, Baltimore County, an M.S. in Computer Science from University of Maryland, and a B.S. in Computer Science from Loyola University Maryland.

 Meng Xu, Fast and Reliable Formal Verification of Smart Contracts with the Move Prover | File Type: video/mp4 | Duration: 2833

The Move Prover (MVP) is a formal verifier for smart contracts written in the Move programming language. MVP has an expressive specification language, and is fast and reliable enough that it can be run routinely by developers and in integration testing. Besides the simplicity of smart contracts and the Move language, three implementation approaches are responsible for the practicality of MVP: (1) an alias-free memory model, (2) fine-grained invariant checking, and (3) monomorphization. The entirety of the Move code for the Diem blockchain has been extensively specified and can be completely verified by MVP in a few minutes. Changes in the Diem framework must be successfully verified before being integrated into the open source repository on GitHub. About the speaker: Dr. Meng Xu is an Assistant Professor in the Cheriton School of Computer Science at the University of Waterloo, Canada. His research is in the area of system and software security, with a focus on delivering high-quality solutions to practical security programs, especially in finding and patching vulnerabilities in critical computer systems. This usually includes research and development of automated program analysis / testing / verification tools that facilitate the security reasoning of critical programs.

 Brian Barnier & Prachee Kale, Making Cybersecurity Reliable and Cybersecurity Careers Rewarding | File Type: video/mp4 | Duration: 3076

People face increasing dangers from cyber enemies. At the same time, cyber pros are suffering from stress, burnout and "hamster wheel" syndrome. They experience many difficulties every day in easily protecting people and companies from danger. There is a different option. Cyber pros have the opportunity of better work-life balance, more rewarding careers and achieving their personal missions to better protect people and companies – by making cybersecurity as reliable as electricity. How? The same way as other business functions do – with curiosity, critical thinking, system thinking and industrial-strength design thinking. The same way business innovation created products that delight us in daily life. The same way music, sports and cooking bring us joy. The same way military battles are won. It takes learning to think counter intuitively and to change. But there's a twist, business innovators have education, method and coaching at the individual, team and organizational levels. Compared to other business functions, cyber pros are set up to fail. The support system for cyber pros is missing! The good news is, it's readily fixable! That starts with putting people in the center of cybersecurity – empowering cyber pros to more easily protect people from danger, accelerating authentic Zero Trust and making cybersecurity as reliable as electricity. Join us to learn and map-out your action plan.
About the speaker: Brian Barnier is the co-founder of Think.Design.Cyber and the think-tank, CyberTheory Institute that bridges the gap between boards, business leaders, cybersecurity leaders and compliance. Brian has pioneered critical, systems and industrial design thinking in the cybersecurity discipline and the use of life-like scenario analysis to address critical issues of evolving threats/attacks, eliminate bad methods that cause breaches, waste money and resources and burnout cyber pros, affecting culture and retention. He is the author of The Operational Risk Handbook (Harriman House, Great Britain, 2011) used as a textbook by the London Institute of Banking & Finance. In 2020, Brian's paper with expert Prachee Kale, "Cybersecurity: The Endgame -- Part 1" was honored as the 2020 Article of the Year in the Taylor and Francis EDPACs journal. Brian has earned coveted achievement awards from two of ISACA's most significant chapters. In 2021, he earned the highly distinguished Joseph J. Wasserman Award presented by ISACA New York Metro Chapter. In 2015, he received the V. Lee Conyers Award from ISACA Greater Washington DC. Deep in professional guidance, he is a co-author of ISACA's Risk IT and COBIT, and the Shared Assessments Program. ISACA's IT Audit Framework 2020 points to his work in risk assessment. He is one of the first three "Fellows" of OCEG -- the Open Compliance & Ethics Group – the organization that created "Governance, Risk and Compliance."
Prachee Kale is the co-founder of Think.Design.Cyber, a Founding Executive Fellow of CyberTheory Institute and a multi-disciplinary professional with a 17 year, "4D" career spanning: Cybersecurity & Tech, Business Strategy, Diversity & Inclusion and Executive Coaching. Prachee's current work is focused on 1) coaching introverted cyber professionals (who account for 60%+ of cyber workforce) to build their brand and become strong leaders without changing their personalities and, 2) bringing critical, systems and design thinking to cybersecurity organizations so they can accelerate Zero Trust implementation, drive demonstrable business outcomes and cost savings, improve culture and reduce burnout. Her article "Cybersecurity: The End Game Part 1" in the Taylor and Francis EDPACs journal was honored as "2020 Article of the Year." In cybersecurity, she has managed strategic investments of over $150 million, reduced spend by 20+%, eliminated antagonistic culture and demonstrated 90% retention rate for more than 3 years. Prachee's business strategy experience comes from working on business and ops/tech transformations, enterprise risk and regulatory mandates, in management consulting and the World Bank. As a leader in the DEI dept., she is accelerating diversity and ESG initiatives. Prachee is the Executive Sponsor for the Women Leaders program focused on increasing representation of women of all backgrounds. She earned an M.S. in Bioinformatics from George Washington University, which is about building tech for biological research. She wrote code, conducted scientific experiments on HIV viruses, and did PCR tests (yep, those). Think invasive viruses, the pandemic and cybersecurity!

 Christine Task, "Data, Privacy---and the Interactions Between Them" | File Type: video/mp4 | Duration: Unknown

Data deidentification aims to provide data owners with edible cake: to allow them to freely use, share, store and publicly release sensitive record data without risking the privacy of any of the individuals in the data set.   And, surprisingly, given some constraints, that’s not impossible to do.    However, the behavior of a deidentification algorithm depends on the distribution of the data itself.    Privacy research often treats data as a black box---omitting formal data-dependent utility analysis, evaluating over simple homogeneous test data, and using simple aggregate performance metrics.   As a result, there’s less work formally exploring detailed algorithm interactions with realistic data contexts.   This can result in tangible equity and bias harms when these technologies are deployed; this is true even of deidentification techniques such as cell-suppression which have been in widespread use for decades.   At worst, diverse subpopulations can be unintentionally erased from the deidentified data.  Successful engineering requires understanding both the properties of the machine and how it responds to its running environment.  In this talk I’ll provide a basic outline of distribution properties such as feature correlations, diverse subpopulations, deterministic edit constraints, and feature space qualities (cardinality, ordinality), that may impact algorithm behavior in real world contexts.  I’ll then use new (publicly available) tools from the National Institute of Standards and Technology to show unprecedentedly detailed performance analysis for a spectrum of recent and historic deidentification techniques on diverse community benchmark data.   We’ll combine the two and consider a few basic rules that help explain the behavior of different techniques in terms of data distribution properties.  
But we’re very far from explaining everything—I’ll describe some potential next steps on the path to well-engineered data privacy technology that I hope future research will explore.  A path I hope some CERIAS members might join us on later this year.    This talk will be accessible to anyone who’s interested—no background in statistics, data, or recognition of any of the above jargon is required.

 Christine Task, Data, Privacy---and the Interactions Between Them | File Type: video/mp4 | Duration: 3681

Data deidentification aims to provide data owners with edible cake: to allow them to freely use, share, store and publicly release sensitive record data without risking the privacy of any of the individuals in the data set.   And, surprisingly, given some constraints, that's not impossible to do.    However, the behavior of a deidentification algorithm depends on the distribution of the data itself.   Privacy research often treats data as a black box---omitting formal data-dependent utility analysis, evaluating over simple homogeneous test data, and using simple aggregate performance metrics.   As a result, there's less work formally exploring detailed algorithm interactions with realistic data contexts.   This can result in tangible equity and bias harms when these technologies are deployed; this is true even of deidentification techniques such as cell-suppression which have been in widespread use for decades.   At worst, diverse subpopulations can be unintentionally erased from the deidentified data. Successful engineering requires understanding both the properties of the machine and how it responds to its running environment.  In this talk I'll provide a basic outline of distribution properties such as feature correlations, diverse subpopulations, deterministic edit constraints, and feature space qualities (cardinality, ordinality), that may impact algorithm behavior in real world contexts.  I'll then use new (publicly available) tools from the National Institute of Standards and Technology to show unprecedentedly detailed performance analysis for a spectrum of recent and historic deidentification techniques on diverse community benchmark data.   We'll combine the two and consider a few basic rules that help explain the behavior of different techniques in terms of data distribution properties.  
But we're very far from explaining everything—I'll describe some potential next steps on the path to well-engineered data privacy technology that I hope future research will explore.  A path I hope some CERIAS members might join us on later this year.  This talk will be accessible to anyone who's interested—no background in statistics, data, or recognition of any of the above jargon is required. About the speaker: Christine Task is a CERIAS alumna, who earned her PhD in Computer Science at Purdue University in 2015, and joined Knexus Research Corporation later that year.  Since then she has led the first National Challenges in Differential Privacy for the National Institute of Standards and Technology, contributed to 2020 Census Differentially Private Disclosure Avoidance System, served as technical lead for non-DP Synthetic Data projects for the US Census Bureau's American Community Survey, American Housing Survey and American Business Survey, been co-lead on the United Nation's UNECE Synthetic Data Working Group, and led the development of the SDNist data deidentification benchmarking library.  Back in 2012, as a doctoral student at Purdue, she gave a CERIAS seminar titled "Practical Beginner's Guide to Differential Privacy", whose success was very valuable to her career.   Having begun a decade ago, she was thrilled to be invited back to present what amounts to an update on that work.

 Gideon Rasmussen, "Program Maturity - Cybersecurity and Operational Risk Management" | File Type: video/mp4 | Duration: Unknown

Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages. Maturity Level 1. Minimal Compliance Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program. Maturity Level 2. Common Controls Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: Deploy controls based on proven methodologies such as the 20 CIS Controls. - Patching - Penetration testing - Web application firewall Establish a risk-based approach for implementing controls. Maturity Level 3. Risk Management It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process. Maturity Level 4. Strong Risk management At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.
- The cybersecurity program maintains controls specific to line of business products, services and assets - An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis - Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.

 Gideon Rasmussen, Program Maturity - Cybersecurity and Operational Risk Management | File Type: video/mp4 | Duration: 3161

Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages. Maturity Level 1. Minimal Compliance Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program. Maturity Level 2. Common Controls Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: Deploy controls based on proven methodologies such as the 20 CIS Controls. - Patching - Penetration testing - Web application firewall Establish a risk-based approach for implementing controls. Maturity Level 3. Risk Management It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process. Maturity Level 4. Strong Risk management At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective.
When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management. - The cybersecurity program maintains controls specific to line of business products, services and assets - An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis - Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact. About the speaker: Gideon Rasmussen is a Cybersecurity Management Consultant with over 20 years of experience in corporate and military organizations. Gideon has designed and led programs including Information Security (CISO), PCI - Payment Card Security, Third Party Risk Management, Application Security and Information Risk Management. Has diverse cybersecurity industry experience within banking, insurance, pharmaceuticals, DoD/USAF, state government, advertising and talent management. Gideon has authored over 30 information security articles. He is a veteran of the United States Air Force, a graduate of the FBI Citizens Academy and a recipient of the Microsoft Most Valuable Professional award. Gideon has also completed the Bataan Memorial Death March (4 occurrences).

 Ning Zhang, "Security and Privacy in the Cyber-physical World" | File Type: video/mp4 | Duration: Unknown

Students: This is a hybrid event. You are encouraged to attend in-person in STEW G-52. As computing advances are making profound changes in our society, they also expose us to new security threats. While the impact of cyber attacks was often in our digital life in the past, our cyber world is increasingly intertwined with the physical world. Compromised safety-critical systems or critical infrastructures can have life and death implications. In this talk, I will highlight two research directions within my research group. First, on the system security front, I will discuss our efforts to ensure system availability on safety-critical embedded systems. Second, on the cyber-physical security front, I will present our recent work on IoT security. Finally, I will discuss our ongoing work and future directions.
