CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, presenting case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Chuck Brooks, Leading Trends and Emerging Technologies for Cybersecurity in 2022 | File Type: video/mp4 | Duration: 2570

As we begin 2022, the cost, sophistication, and lethality of cyber-breaches continue to rise. Threat actors, especially state-sponsored ones, and criminal enterprises are taking advantage of the expanding cyber-attack surface by using their resources to employ more sophisticated means for discovering target vulnerabilities, automating phishing, and finding new deceptive paths for infiltrating malware. This presentation will explore some of the more compelling trends and threats in the cyber ecosystem, the impact of emerging technologies, and potential strategies for mitigation. About the speaker: Chuck Brooks, President of Brooks Consulting International and Adjunct Faculty at Georgetown University, is a Technology Evangelist, Corporate Executive, Speaker, Writer, Government Relations, Business Development, and Marketing Executive. LinkedIn named Chuck as one of "The Top 5 Tech People to Follow on LinkedIn." He was named as one of the world's "10 Best Cyber Security and Technology Experts" by Best Rated, as a "Top 50 Global Influencer in Risk, Compliance," by Thomson Reuters, "Best of The Word in Security" by CISO Platform, and by IFSEC as the "#2 Global Cybersecurity Influencer." He was featured in the 2020 and 2021 Onalytica "Who's Who in Cybersecurity" as one of the top Influencers for cybersecurity issues and in Risk management. He was also named "Best in The World in Security" by CISO Platform, one of the "Top 5 Executives to Follow on Cybersecurity" by Executive Mosaic, and as a "Top Leader in Cybersecurity and Emerging Technologies" by Thinkers360. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

 Melissa Dark, Building the Next Generation Cybersecurity Workforce: Progress and Challenges | File Type: video/mp4 | Duration: 3491

This talk explores over 20 years of building the cybersecurity workforce in the United States with a focus on the evolution, progress made, and challenges ahead. About the speaker: Dr. Melissa Dark has worked in cybersecurity education and workforce development for the past 20 years. Her early work in cybersecurity education focused on the graduate level and has progressively grown down to community college, and now high school, in response to two needs: robust cybersecurity literacy among all cybercitizens and closing the cybersecurity workforce gap. In 2015, she founded DARK Enterprises, Inc., a non-profit which advances the mission of developing, supporting, and stewarding cybersecurity education initiatives in the United States.

 Melissa Hathaway & Francesca Spidalieri, Integrating Cybersecurity into Digital Development | File Type: video/mp4 | Duration: 3453

In June 2021, the GFCE and the World Bank came together to identify pathways to bridge the development community to the cybersecurity capacity building community and create mechanisms by which digital development could see the benefits of incorporating cyber security into their projects and initiatives to achieve more resilient outcomes. This report, Integrating Cyber Security into the Digital Development Agenda, highlights some of the key challenges and benefits of incorporating cybersecurity, digital resilience, and cyber capacity building into the broader development agenda. The report also features several best practices and bridging venues and activities that could facilitate tighter alignment and collaboration between the digital development and cybersecurity capacity building communities and among initiative donors and implementors. https://thegfce.org/wp-content/uploads/2021/11/Integrating-Cybersecurity-into-Digital-Development_compressed.pdf About the speaker: Melissa Hathaway is globally recognized as a thought leader in the fields of cybersecurity and digital risk management and has relationships with the highest levels of governments and international institutions. She served in two U.S. presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. As President of Hathaway Global Strategies, Melissa brings a unique combination of policy and technical expertise, as well as board room experience that allows her to help clients better understand the intersection of government policy, developing technological and industry trends, and economic drivers that impact acquisition and business development strategies. Ms. Hathaway has a B.A. degree from The American University in Washington, D.C. She has completed graduate studies in international economics and technology transfer policy, and is a graduate of the US Armed Forces Staff College, with a special certificate in Information Operations. She publishes regularly on cybersecurity matters affecting companies and countries; these articles can be found here: https://www.belfercenter.org/person/melissa-hathaway Francesca Spidalieri is a Cybersecurity Consultant for Hathaway Global Strategies and an Adjunct Professor for Cyber Policy at the University of Maryland's School of Public Policy and at Salve Regina University. She is also the co-principal investigator for the Cyber Readiness Index 2.0 project at the Potomac Institute for Policy Studies, and the Senior Fellow for Cyber Leadership at the Pell Center for International Relations and Public Policy. In addition, Francesca serves as a cybersecurity subject-matter expert for the World Bank, the UN International Telecommunications Union, the Global Forum on Cyber Expertise, the EU CyberNet, and other research institutes in Europe and the U.S. Her academic research and publications have focused on cyber leadership development, cyber risk management, digital transformation, and national cyber preparedness and resilience. Francesca holds an M.A. in International Affairs and Security Studies from The Fletcher School at Tufts University, a B.A. in Political Science and International Relations from the University of Milan, and has completed additional cybersecurity coursework at the U.S. Naval War College's Center for Cyber Conflict Studies. She lectures regularly at cyber-related events in the U.S. and Europe and contributes to journal articles and other publications on cyber policy matters affecting countries and organizations worldwide.

 Kacper Gradon, Future Trends in Cyber Crime and Hybrid Warfare | File Type: video/mp4 | Duration: 4179

"Do Criminals Dream of Electric Sheep?" Such an issue is no longer a domain of futurologists and science-fiction writers, but a serious question asked by the EUROPOL alarmed by how emerging Information Technologies shape the future of crime and law-enforcement. Apart from its obviously positive effects, the technology also impacts and affects the way criminal offenders, terrorists and rogue governments operate at the stages of know-how gathering, planning, preparation and execution of their attacks. The progress in the development of IT and its accessibility is so unprecedentedly high that, in order not to lag behind, the law-enforcement and intelligence communities need to research and analyze the further and potential advances (and design the potential preventive measures) promptly. The presentation addresses the problem of a lack of forecasting/analytical approach to the study of an impact of emerging and disruptive technologies on the criminal, terrorist and information warfare landscape. The author aims to deliver the most up-to-date analysis of the threats to come, together with a set of plausible solutions on how to deter and mitigate the risk. The presentation will characterize the dangers posed by the potential abuse of Information Technologies by the criminal/terrorist/state actors. The author will deliver an analysis articulating the key factors implicated in events related to the technology abuse, across all stages of the event. The presentation will cover such areas as e.g.: 1) abuse of the open source information for planning, preparation & execution of the attack; 2) hazards associated with the abuse of wearable devices; 3) use of mobile technologies to profile, select and groom potential activists or extremists or to enable human trafficking and sexual exploitation of children; 4) attacks on Internet of Things networks for targeting specific individual/entity or to create mass-level disruption incl. attacks on critical national infrastructure; 5) hijacking of autonomous vehicles; 6) use of drones (aerial, ground operating, hydroid) for surveillance, as weapons, for drugs delivery, as burglary bots, as tools to disrupt civil aviation or military systems; 7) attacks on IP-enabled medical devices; 8) the use of (semi)autonomous robots; 9) the use of the Artificial Intelligence, machine-learning, deep-learning and reinforcement learning techniques for various criminal/terrorist objectives; 10) abuse of blockchain technologies and crypto-currencies (financing of terrorism, money laundering, bribery, financing of illegal activities, extortion/ransomware); 11) abuse of 3D printing technologies; 12) risk associated with Quantum Computing and 5G telecom networks (increased capabilities of criminal/terrorist/cyber-warfare operations). A special focus will be put on Information Warfare (hybrid and asymmetric threats), where disinformation, misinformation and propaganda are used by nation states in a general scheme of malign foreign influence to disrupt the situation abroad. About the speaker: Dr. hab. Kacper Gradon, Ph.D. is the Visiting Fulbright Professor at University of Colorado Boulder and the University College London Honorary Senior Research Fellow at UCL Department of Security and Crime Science. His research expertise includes Future Crimes, cyber crime, criminal analysis and counter-terrorism. His current research is focused on designing the methods for preventing and combating disinformation, misinformation and malign foreign influence. He's a member of the World Health Organization (WHO) working group on infodemiology and the WHO-trained Infodemics Manager. His research interests include the application of Open Source Intelligence and digital & Internet forensics and analysis to forecasting and combating criminal and terrorist acts. He has over 20 years of experience of consultancy and cooperation with Police and Intelligence services in Poland, UK, US and Canada. Graduate of the London Metropolitan Police Specialist Operations Training of Hostage Negotiations, the NCFTA/FBI Dark Web Investigations and the IALEIA Open Source Intelligence courses. Lectured and held visiting professorship positions in the UK, USA, Canada, India, Australia and New Zealand. Participated in over 200 academic and Police conferences and events worldwide. He was the UoW Primary Investigator in the 2014-2017 European Commission FP7 project PRIME (Preventing, Interdicting and Mitigating Extremist Events) dealing with lone-actor extremism and terrorism. He can be reached at k.gradon@ucl.ac.uk and kacper.gradon@colorado.edu

 Lesley Carhart, You Are The Future of Industrial Cybersecurity | File Type: video/mp4 | Duration: 4026

Securing industrial networks has never been more crucial, but it's not as simple as just patching legacy computers or installing commercial tools. Responding to cybersecurity incidents in critical infrastructure environments poses unique challenges and requires a very unusual set of skills. This lecture will cover key terminology, operational differences, and technology differences between industrial and enterprise environments. Attendees will leave with an essential understanding of the challenges in the space and the skills they will need to develop to make a difference. About the speaker: Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks. She is recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics.

 Helen Patton, Navigating the Cybersecurity Profession: Essential Elements for a Satisfying Career | File Type: video/mp4 | Duration: 3453

Having a satisfying cybersecurity career can feel elusive, even for a seasoned cybersecurity professional. In this session, we'll talk about things that all security professionals, of all levels and backgrounds, need to know and do, in order to achieve professional success. We will cover:
The importance of networking, and how to leverage them to achieve your career goals
Continuous learning - when, how, and when is it too much?
Self-awareness, and why this is the basis for everything you do
Managing yourself vs. managing others - when to be a single contributor and when to run a team
Handling Security Stress - why does it happen, and what can be done about it
Leaving a legacy, what to do if you want to be remembered for more than the immediate job
About the speaker: Helen Patton is an Advisory CISO at Cisco, where she shares security strategies with the security community. Previously she spent eight years as the CISO at The Ohio State University where she was awarded the 2018 ISE North American Academic/Public Sector Executive of the Year. Before joining Ohio State she spent ten years in risk and resiliency at JPMorganChase. Helen actively encourages collaboration across and within industries, to enable better information security and privacy practices. She believes in improving diversity and inclusion in the workforce, and mentors people interested in pursuing careers in security, privacy and risk management. She advocates for more naps, less Sun Tzu, and is anti-bagpipes. Helen has a Master's degree in Public Policy and has earned various industry certifications. She serves on the State of Ohio CyberOhio Advisory Board, the Manufacturing and Digital USA Cybersecurity Advisory Board, and the Ohio State University College of Electrical and Computer Engineering Industry Advisory Board. She is a faculty member for the Digital Director's Network, and the Educause Leadership Institute.

 Jeremiah Blocki, Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking | File Type: video/mp4 | Duration: 2887

We introduce password strength information signaling as a novel, yet counter-intuitive, defense mechanism against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack fewer passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game, i.e., the attacker's profit is given by the value of the cracked passwords minus the total guessing cost. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We use an evolutionary algorithm to compute the optimal signaling scheme for the defender. As a proof-of-concept, we evaluate our mechanism on several password datasets and show that it can reduce the total number of cracked passwords by up to 12% (resp. 5%) of all users in defending against offline (resp. online) attacks. Joint work with Wenjie Bai and Ben Harsha. About the speaker: I am an Assistant Professor in Computer Science at Purdue University. Broadly, my research interests include cryptography, data privacy and security. I like to describe myself as a theoretical computer scientist who is interested in applying fundamental ideas from computer science to address practical problems in usable privacy and security. I am especially interested in developing usable and secure authentication protocols for humans. Are there easy ways for humans to create and remember multiple strong passwords? Can we design secure cryptographic protocols that are so simple that they can be run by a human? Prior to joining Purdue I completed my PhD on Usable Human Authentication at Carnegie Mellon University where I was fortunate to be advised by Manuel Blum and Anupam Datta. I also spent a year at Microsoft Research New England as a postdoc.

 Amit Yoran, Symposium Closing Keynote | File Type: video/mp4 | Duration: 2845

About the speaker: Amit Yoran is Chairman and Chief Executive Officer of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with innovative technologies and a vision of transformative vulnerability management. Prior to joining Tenable, Amit was President of RSA, one of the most successful security companies in the world, where he led their growth and strategy since 2014. Amit came to RSA through the acquisition of his high-growth company, NetWitness, where he was founder and CEO for the market-leading network forensic product provider. Previously, he served as Founding Director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. Amit also founded Riptech in Virginia, one of the first managed security service providers (MSSP) and which was acquired by Symantec in 2002. Amit currently serves as a board member and adviser to several security startups. Amit is an esteemed influencer and leader in the security industry. He is often sought out as a keynote speaker or media spokesperson. His unique blend of public service and private enterprise experience informs his insights, thought leadership, and engaging presentations.
