CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Andy Klein, What You Don't Know About Hard Drives! | File Type: video/mp4 | Duration: 3317

More than half the stored data in the world resides on hard drives. Yes, a 50+ year old technology is storing our photos, music, research, taxes, and more— and nobody blinks an eye. Given that over one zettabyte of hard drive storage shipped in 2020, this storage media is not going away anytime soon. We at Backblaze manage over 200,000 hard drives to store over 1.3 Exabytes of data. Since 2013 we have tracked every hard drive we've used and each day we record their SMART stats, giving us a unique trove of data that we have regularly analyzed over nearly a decade to learn about hard drives from the inside out. We know how often they fail by model, manufacturer, and size. We can answer the question, do hard drive failure rates follow the bathtub curve? We know how temperature affects hard drives. We can show you how machine learning capabilities could be used to predict hard drive failure. We can even provide a life expectancy forecast for all our hard drives. One more thing, we've open-sourced the data so you can do all of this yourself, just for fun. About the speaker: Andy Klein has 25 years of experience in the cloud storage, email security, and network security fields. At Backblaze he dives into terabytes of hard drive SMART data to deliver quarterly and annual Drive Stats reports detailing hard drive failure rates and other unique facts, figures, and insights. Prior to Backblaze Andy has worked at Symantec, Checkpoint, PGP, and PeopleSoft, as well as startups throughout Silicon Valley. He has presented at the Federal Trade Commission, RSA, MSST, SNIA/SDC, and other security and cloud storage events in the US and Europe.

 Samuel Visner, The Evolution of Cybersecurity and its Role in the International System | File Type: video/mp4 | Duration: 3651

Precis: The United States encountered digital cyberspace with the gradual rise of digital technology, treating cyberspace as an electromagnetic domain. China encountered cyberspace more swiftly, surpassing several years ago the United States in the number of people connected in cyberspace (now approximately one billion people), treating cyberspace as a domain of human behavior. For the United States, cybersecurity pertains to the protection of information and the systems that depend on information technology. For China, cybersecurity reflects a need to impose acceptable human behavior on this new cyberspace domain. How is China attempting to reshape the international system through this new domain and its own understanding of cybersecurity? This talk will describe the rise of cyberspace and discuss the implications for the United States, its allies, and its partners as they attempt to defend their values and interests in an evolving international system. About the speaker: Samuel Sanders Visner is the Vice Chair of the Board of Directors of the Space Information Sharing and Analysis Center (Space ISAC). He is also a Technical Fellow at the MITRE Corporation, serving as one of the Corporation's thought leaders for cybersecurity, space systems, and national security. Sam served previously as the Director of the National Cybersecurity Federally Funded Research and Development Center (MITRE), sponsored by the National Institute of Science and Technology. Sam was appointed in 2020 as a member of the Board of Directors of the Oak Ridge Associated Universities. Sam is an adjunct professor of Science and Technology in International Affairs at Georgetown University, where he teaches a course on cybersecurity policy, operations, and technology. Sam is a member of the Council on Foreign Relations and the Atlantic Council and is a member of the Intelligence Community Studies Board of the National Academy of Sciences, serving the Office of the Director of National Intelligence.
Sam served previously as a member of the Army Science Board. Sam also served previously as Senior Vice President at ICF (General Manager, Cybersecurity and Resilience), Vice President at CSC (General Manager, CSC Global Cybersecurity), Senior Vice President at SAIC, and as Chief of Signals Intelligence Programs at the National Security Agency, from which he received the Agency's highest award for civilian service in recognition of work done to transform the Agency's signals intelligence infrastructure following 9/11. Sam also served as a member of the Board of Directors, CVG/Avtec (2008-2010). Sam holds a bachelor's degree in International Politics from Georgetown University and a master's degree in Telecommunications from George Washington University. Sam served twice on the Intelligence, Surveillance, and Reconnaissance Task Force of the Defense Science Board, and has published articles on national and cybersecurity in World Politics Review, the Georgetown Journal of International Affairs, and the Defense Intelligence Journal. Sam is cleared TS/SCI.

 Chen-Ching Liu, Cyber-Physical System Security of the Power Grid | File Type: video/mp4 | Duration: 3343

The electric power grid is a complex cyber-physical system that forms the lifeline of a modern society. Its reliable and secure operation is of paramount importance to national security and economic well-being. The power grid today is a highly automated network, wherein a variety of communication networks and information systems are interconnected to the physical grid for the purpose of monitoring, protection, control, and market functions. The increased reliance on information and communications technology in the smart grid significantly increases the vulnerabilities, which further underscores the importance of cyber security. As a result, cyber-physical system security of the power grid is a critical area encompassing vulnerability assessment, anomaly detection, and mitigation for substations and the Supervisory Control and Data Acquisition systems. The purpose of this presentation is to provide new concepts and testbed-based methodologies for the integrated cyber-power systems. Future research directions will be discussed. About the speaker: Chen-Ching Liu is American Electric Power Professor and Director, Power and Energy Center, at Virginia Tech. During 1983-2017, he was on the faculty of University of Washington, Iowa State University, University College Dublin (Ireland), and Washington State University. Professor Liu received an IEEE Third Millennium Medal in 2000 and the Power and Energy Society Outstanding Power Engineering Educator Award in 2004. In 2013, Dr. Liu received a Doctor Honoris Causa from Polytechnic University of Bucharest, Romania. He chaired the IEEE Power and Energy Society Fellow Committee, Technical Committee on Power System Analysis, Computing and Economics, and Outstanding Power Engineering Educator Award Committee. Chen-Ching is the U.S. Representative on the CIGRE Study Committee D2, Information Systems and Telecommunication.
Professor Liu is a Fellow of the IEEE, Member of Virginia Academy of Science, Engineering, and Medicine, and Member of the U.S. National Academy of Engineering.

 Bob Gourley, The Metaverse: Infinite attack surface and boundless risk | File Type: video/mp4 | Duration: 3553

The Metaverse is coming. What is the Metaverse? A massive, infinitely scalable, shared virtual world where land, buildings, bots, avatars and other property can be bought, sold and persist. Think of it as the future convergence of all of today's virtual worlds, interconnected with a single settlement layer for totally interoperable transactions. The Metaverse will be accessible by billions via any web browser, mobile device or virtual reality system. All indications are that the metaverse is destined to become a driving force in how humanity interacts with each other. It will influence education, healthcare, government, commerce, and entertainment. How big will the Metaverse be? One indicator is the recent announcement by Mark Zuckerberg that he is shifting Facebook to be a Metaverse company. With all the other major players in delivering Metaverse capabilities today this will very quickly become a trillion dollar market. It will also be an incredibly enticing target for the criminal element. The Metaverse needs the involvement of the security community in ways few are conceptualizing today. This presentation will provide security practitioners with foundational knowledge that will help accelerate the contributions of security professionals to this rapidly developing shared virtual space. About the speaker: Bob Gourley is an experienced enterprise CTO with extensive past performance in optimizing technology in support of global businesses. As CTO of OODA he leads engagements focused on improving the security and functionality of enterprise IT. He also advises clients on technology due diligence and leads the technology research and reporting activities at OODAloop.com. Bob is the former CTO for the Defense Intelligence Agency. Bob has received the Infoworld top CTO award and was named one of the top 100 "Tech Titans" in DC by Washingtonian magazine.

 Dr. Chris C. Demchak, Robust Collective Cyber Power across Consolidated Democracies | File Type: video/mp4 | Duration: 3011

The complexities of and losses from a shoddily created cyberspace substrate continue to hollow the economies and national power of consolidated democracies. As China rises as a strategically focused and digitally aggressive authoritarian giant, it is critical that democratic leaders both understand the reality they face and how an institutional alternative may be created to avoid being weak cyber powers in the future. This presentation offers two models: the 'Cybered Conflict' model to lay the foundation explanation for the weakness in national cyber power of democracies, and the 'Cyber Operational Resilience Alliance' (CORA) model to explain how this existentially threatening trend may be turned around through allied action to jointly ensure cyber resilience. Finally, the talk will outline very briefly how the CORA model may be used analytically to improve the cyber resilience alliance potential of national cyber strategies, and to identify organizations capable of contributing to more robust collective cyber defenses across sectors and allied democratic nations. About the speaker: With engineering, economics, and comparative complex organization theory/political science degrees, Dr. Chris C. Demchak is the RDML Grace M. Hopper Professor of Cyber Security and a member of the Cyber and Innovation Policy Institute, U.S. Naval War College. In her research on cyberspace as a globally shared insecure complex 'substrate', Demchak takes a systemic approach to emergent structures, comparative institutional evolution, adversaries' use of systemic cybered tools, virtual worlds/gaming for operationalized organizational learning, and designing systemic resilience against imposed surprise.

 Alyssa Miller, Threat Modeling in the World of DevOps | File Type: video/mp4 | Duration: 3878

Threat modeling is an extremely valuable tool in the secure software development pipeline. Some studies suggest it has greater impact on security posture than other more widely practiced security activities. There are many different frameworks, models, and methodologies that have been developed in an attempt to make threat modeling easier. Yet, despite these efforts, popular approaches to threat modeling are often still considered too cumbersome, structured, or time consuming to fit with modern DevOps and CI/CD development. In 2020, a group of 15 security professionals released the Threat Modeling Manifesto to formalize decades of combined experience into a declared vision of what threat modeling truly is and what makes it important. Learn from one of these authors about how to break with the complex models and return to the values and principles of what threat modeling should be. Discover how this often-overlooked activity can be implemented in development pipelines and make them more efficient while improving overall security of software. See practical examples of how the manifesto serves as a guide to design a methodology that fits your needs and avoid common pitfalls that often derail this critical activity. About the speaker: Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, directs the security strategy for the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how we look at the security of our interconnected way of life and focus attention on defending privacy and cultivating trust. A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software.
Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 15 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

 Dr. David Mussington, Critical Infrastructure Resilience Hinges on Cyber-Physical Convergence | File Type: video/mp4 | Duration: 2889

Cyber-physical systems are delivering an increasing portion of the infrastructure services at the heart of our economy and national security, and you don't have to look far for examples of technology-enabled, industrial control, and the internet-of-things in the core operations of healthcare, food and agriculture, energy, transportation, or manufacturing. Further, one has only to look at the contemporary examples of our systems under stress, such as the JBS and Colonial Pipeline cyber attacks, to understand the fragile risk ecosystem confronting infrastructure owners and operators of cyber-physical systems. In fact, the title of this talk is purposely a catch-22, meaning that just as infrastructure resilience is inherently dependent on safe and secure cyber-physical systems, so too is the collective work to see cyber and physical security achieve resilience. About the speaker: Dr. David Mussington serves as the Executive Assistant Director (EAD) for the Infrastructure Security Division (ISD) at the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as of February 2021. As EAD, he helps lead CISA's efforts to secure the nation's critical infrastructure in coordination with government and the private sector. His priorities for ISD include vulnerability and risk assessments; securing soft targets and crowded places; training and exercises; and securing high-risk chemical facilities. Prior to joining CISA, Dr. Mussington was Professor of the Practice and Director for the Center for Public Policy and Private Enterprise at the School of Public Policy for the University of Maryland. At RAND Corporation he led counter terrorism and cyber security studies for the Department of Defense, the Department of Transportation, and Amtrak.
He later took on the role of Chief of Corporate Security for Amtrak where he was the senior official overseeing infrastructure protection, counter terrorism, and emergency response programs. Later at the Institute for Defense Analyses (IDA), he was assistant director of the Information Technology and Systems Division (ITSD), and directed cybersecurity studies for DHS, the Office of the Director of National Intelligence, the Federal Communications Commission, and the North Atlantic Treaty Organization. Moreover in 2010, Dr. Mussington was senior adviser for cyber policy in the U.S. Department of Defense (DOD), later serving on the Obama administration's National Security Council staff as Director for surface transportation security policy. In the former role, he led preparation and release of the 2011 Defense Strategy for Operating in Cyberspace, which was DOD's first enterprise-wide cyber strategy document. Dr. Mussington has a Doctorate in Political Science from Canada's Carleton University. He also received a Bachelor of Arts and a Master of Arts degree in Economics and Political Science from the University of Toronto. He undertook post-doctoral work at Harvard's Belfer Center where he was a MacArthur Scholar, and at the U.K.'s International Institute for Strategic Studies (IISS).

 Chuck Brooks, "Leading Trends and Emerging Technologies for Cybersecurity in 2022" | File Type: video/mp4 | Duration: Unknown

As we begin 2022, the cost, sophistication, and lethality of cyber-breaches continue to rise. Threat actors, especially state-sponsored, and criminal enterprises are taking advantage of the expanding cyber-attack surface by using their resources to employ more sophisticated means for discovering target vulnerabilities, automating phishing, and finding new deceptive paths for infiltrating malware. This presentation will explore some of the more compelling trends and threats in the cyber ecosystem, the impact of emerging technologies, and potential strategies for mitigation.
