CERIAS Weekly Security Seminar - Purdue University


Summary: CERIAS, the nation's top-ranked interdisciplinary academic education and research institute, hosts a weekly cybersecurity, privacy, resiliency or autonomy speaker, highlighting technical discoveries, case studies or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's who in cybersecurity.


Podcasts:

 Jordan Mauriello, Understanding Attackers and Motivations | File Type: video/mp4 | Duration: 2543

Understanding the evolution of attacker motivations, and its impact on managing risk in enterprise environments, is key to successfully building cybersecurity programs in today's IT enterprise. Over the last decade both attacks and attacker motivations have evolved dramatically. From hacktivism to nation-state actors, from identity theft rings to Ransomware-as-a-Service, the motivations, timing, determination, and discipline of attackers have changed dramatically. This presentation will discuss this evolution from early cyber espionage and hacktivism to evolving nation-state threats, and how motivations drive behavior and risk decision-making in enterprise cybersecurity programs. About the speaker: Jordan Mauriello is a cybersecurity executive currently serving as the Chief Security Officer at Critical Start, leading the Managed Detection and Response business, as well as serving on Critical Start's Board of Directors. With a diverse background ranging from penetration testing and malware reverse engineering to physical security, executive protection and training, Jordan possesses a unique understanding of the impact of information security. His deep technical expertise includes over two decades of experience in Security Operations, Cyber Threat Intelligence and Detection Engineering, with a heavy focus on malware research and reverse engineering. Jordan is a proud U.S. Navy veteran who deployed as part of Operation Iraqi Freedom, Enduring Freedom, and Joint Task Force Liberia. Additionally, he spent time as a communications security and cyber advisor working for the Department of Defense and deployed to the Middle East again in support of ongoing operations. After his time in the military and government, Jordan moved to the commercial enterprise, helping to build and mature Experian's Global Security Operations Center. Since then Jordan has served as CTO at Advanced Threat Analytics and CSO at Critical Start, building an industry-leading global managed service offering focused on threat detection and response capabilities for enterprise customers.


 Yoon Auh, NUTS: The Beta Demo | File Type: video/mp4 | Duration: 3675

Beyond End-to-End Encryption (BE2EE) technology can protect your data in transit and at rest in a consistent way; NUTS may help define this new category. Last year, we presented the technology of NUTS (https://ceri.as/nuts2020). This year, we demonstrate NUTS in action with our Beta version. See secure objects move around in cyberspace without a central reference monitor, in a transport-agnostic way. The demo will show practical use cases that NUTS enables. The global pandemic drastically altered our way of life, and Work-From-Home presents technical challenges that reveal the structural weaknesses of our largest systems. Adversarial threats are now more commonplace and large outages are frequent. We believe NUTS shows a new path towards a more resilient operating environment for our data. We strongly recommend viewing last year's presentation (https://ceri.as/nuts2020) to better understand the background and approach of the technology. Joining us for this session will be COL (Ret) Robert Banks, USA, PhD, who served as Deputy Director, Current Operations of U.S. Cyber Command, with his insights and comments on this technology. Dr. Banks retired from the U.S. Army after a distinguished 37-year career. His previous service includes Chief of Operations of the Army Global Network Operation & Security Center, command of the largest Army helicopter battalion of 64 Chinooks covering 8 states, and significant contributions at the Joint Staff Cyberspace Division, National Counterintelligence Security Center, Army Defense Industrial Base, Asymmetric Warfare Office - Electronic Warfare, and National Guard Bureau; he also co-chaired the Smart Grid Interoperability Panel while supporting the Tri-County Electric Cooperative. He holds numerous advanced degrees, including a PhD in Information Technology from George Mason University specializing in Hybrid Security Risk Assessment Models. Additionally, he holds the following certifications: CISSP, PSDGP, ITILv3, AWS-CCP, AZURE-AI.
About the speaker: Yoon Auh, CISSP, is the founder and CEO of NUTS Technologies Inc., a Midwestern deep infrastructure technology startup. He holds multiple US patents around structured security, structured cryptography and secure data management. His firm is breaking new ground in applying security at the data layer in a portable form to achieve full BE2EE. He graduated from Columbia College in NYC with a BA in Physics and a BS in Engineering Mechanics from Columbia School of Engineering. Yoon's prior career was in finance and technology, culminating in a successful career as Head Trader for several world-class financial firms. NUTS was created to fill the gaps in technology that don't get addressed in the way they ought to be.



 Jennifer Bayuk, The History of Cybersecurity Metrics | File Type: video/mp4 | Duration: 4057

This talk covers the state of the art and practice in cybersecurity metrics. The history ranges from the 1970s through the present. Topics include, but are not limited to: Control Objectives, the Orange Book, the Common Criteria, the Systems Security Engineering Capability Maturity Model, Common Vulnerability Enumeration, the National Vulnerability Database, NIST publications such as the Performance Measurement Guide for Information Security, threat intelligence protocols, exemplar studies such as the Verizon Data Breach Incident Report, industry best practice and regulatory assessments, Security Incident and Event Management, security analytics, and security scorecards. About the speaker: Jennifer L. Bayuk, Ph.D., is an Independent Cybersecurity Consultant. She also teaches Cybersecurity Risk Management in multiple academic and professional forums and serves as a Private Cybersecurity Investigator and Expert Witness. She has previously been a Wall Street Chief Information Security Officer, a Global Financial Services Cybersecurity Risk Management Officer, a Global Financial Services Technology Risk Management Officer, a Big 4 Information Risk Management Auditor/Consultant, a Manager of Information Technology Internal Audit, a Security Architect, a Bell Labs Security Software Engineer, and a Professor of Systems Security Engineering. In all of these positions, governance using security metrics has been a core component of her job function. Her numerous books, articles, and presentations cover a wide variety of topics in Cybersecurity Management and Engineering. She earned a Ph.D. in Systems Engineering with a dissertation on security metrics, Security as a Theoretical Attribute Construct, and is frequently a member of the Metricon program committee (securitymetrics.org).


 Paula deWitte, The Need for Legal Education within a Cybersecurity Curriculum | File Type: video/mp4 | Duration: 3627

Anecdotally, most cybersecurity curricula are based on the technical aspects of protecting, defending, and responding to cyber attacks. While these courses establish a solid foundation in the technical aspects of cybersecurity, what is often missing is a foundation in cybersecurity law. Every individual who puts their hands on a keyboard operates within an uncertain ethical and legal framework. What we do not need is the type of education that produces more lawyers, but rather the type of education that produces more legally savvy technical workers. Today's tech workers are exposed to more personal information as well as intellectual property, both targets in cyber attacks. They are expected to protect critical infrastructure and design with security "built in." Yet we do a poor job of teaching the legal requirements, as well as the limitations imposed by law, on building in privacy protections. For the past four years, the speaker has taught Cybersecurity Law & Policy to several hundred computer science and engineering students as well as those from business, architecture, technology management, and government policy. I began this course by conducting a data analytics exercise on the NIST NICE Framework to determine which work roles require legal training. The results were quite surprising, as even very technical roles such as Threat Analysis and System Architecture require knowledge of laws, policies, and ethics as they relate to cybersecurity and privacy, as well as knowledge of investigations. The feedback from graduating students who take on cybersecurity roles is that they are uniquely qualified to understand the necessity of compliance within their respective roles. This presentation will discuss the basis for legal education as well as a roadmap for how to incorporate such legal education within a cybersecurity curriculum to build the workforce necessary for the current cybersecurity environment. About the speaker: Paula S. deWitte, J.D., Ph.D., P.E., is an Associate Professor of Practice in the Computer Science and Engineering Department at Texas A&M University, College Station, and the Maritime Business Administration Department at Texas A&M University, Galveston, where she is building the maritime cybersecurity program. She is also an Adjunct Professor of Law at the Texas A&M University Law School, Fort Worth. She is a licensed attorney (Texas) and a registered patent attorney (USPTO). She holds a bachelor's and a master's degree from Purdue University, where in 2015 she was honored as the Distinguished Alumna in the Department of Mathematics, School of Science. She obtained her Ph.D. in Computer Science from Texas A&M University (1989) and a law degree from St. Mary's University (2008). She holds a patent on drilling fluids optimization [US Patent US 8812236 B1]. She teaches Cybersecurity Law, Cybersecurity Risk, and Marine Insurance Law. Her research interests are in those areas as well as in building resilient systems, especially in the supply chain.


 Aaron Shafer, Securing SaaS, a Practitioner's Guide | File Type: video/mp4 | Duration: 3120

In this session we will talk about applying appropriate security controls to Software as a Service (SaaS) offerings. While it may seem that SaaS vendors have most of the responsibility for securing these platforms, there are still a number of threats that customers need to address themselves. During the session we will walk through various types of SaaS solutions, including a few new and surprising categories, and will then talk about the nuances of the Shared Responsibility Model (SRM). We will dive into how to assess the threats to our data, users, and connected systems arising from the deployment of SaaS solutions by taking a threat modeling approach to the problem. Once we've compiled our list of risks, we will then talk through practical countermeasures that can be implemented to mitigate or reduce risk. The session will wrap up with a discussion of some existing security tooling that can be considered to further strengthen the defenses around these SaaS solutions today. About the speaker: Aaron is Vice President & Information Security Officer for NBCUniversal's Direct-to-Consumer business unit, which includes Fandango, Vudu and the company's new streaming service Peacock. Aaron has over 20 years of extensive experience in software engineering, architecture, design, network and application security. He has spent the past 12 years in various cybersecurity roles where he has led projects in industries including media, defense, energy, and financial services. He has a Bachelor of Science from Monmouth University, where he studied Computer Science, and a Master's in Software Engineering from Penn State.

 Gideon Rasmussen, "Adaptive Cybersecurity Risk Assessments" | File Type: video/mp4 | Duration: Unknown

This session provides practical cybersecurity assessment advice. It details the end-to-end process, including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation. The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples for adding controls based on business processes, insider threat, privacy and fraud. This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures. Rather than repeating the same assessment year over year, the scoping methodology is risk-opportunistic: it focuses on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. Albert Einstein's quote applies here: "the definition of insanity is doing something over and over again and expecting different results". The session will briefly walk through the assessment report framework, providing tips along the way. The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide, and next steps.

 Jeremy Rasmussen, The Changing Cybersecurity Threatscape | File Type: video/mp4 | Duration: 3802

During the height of the pandemic, it's estimated that digital transformation advanced by as much as seven years, opening the door for hybrid and remote working solutions to thrive. But the increase in remote work also revealed new threats to devices and applications. In this session, we will discuss:
• The post-COVID world and "Zero Trust"
• Trusted software becoming less trustworthy
• The surprising ways ransomware launches
• Identifying Web/SSL VPN vulnerabilities in firewalls
• Application of AI and ML in cybersecurity
• Countermeasures used to combat these issues
About the speaker: Jeremy Rasmussen is a cybersecurity expert (military, defense, and private sector) with 24+ years of experience in developing secure communications systems and providing cybersecurity consulting services throughout the world. Jeremy graduated from college with a Bachelor of Science degree in Computer Science, and holds a Master's degree in Engineering Management, both from the University of South Florida. Jeremy is also a certified CISSP and White-Hat Ethical Hacker.



 Nasir Memon, AI, Computational Imaging and the Battle for Media Integrity | File Type: video/mp4 | Duration: 3629

Rapid progress in machine learning, computer vision and graphics is leading to the progressive democratization of media manipulation capabilities. While convincing photo and video manipulation used to require substantial time and skill, modern editors bring (semi-)automated tools that can be used by everyone. Some of the most recent examples include manipulation of human faces, e.g., by their replacement or semantic manipulation (expression, age, etc.). At the same time, the dissemination of fake news and misinformation campaigns is picking up speed, which challenges trust in society. Our media distribution platforms lack content integrity features, as they were designed and optimized for the quality of (human) experience under strict bandwidth and storage constraints. Such an approach fails to recognize the increasing role of automated analysis by machine learning models; e.g., strong lossy compression applied to media assets removes the imperceptible statistical traces indicative of content manipulation, and is often referred to as a media "laundering" process. In this talk, we explore end-to-end optimization of photo acquisition and distribution pipelines for media authentication. We show that feedback from forensic analysis can be used to optimize upstream components like the camera ISP or lossy compression codecs to support media authentication on the receiving end. Modern machine learning tools allow us to discover new approaches to the problem with surprising connections to other fields like information hiding, computational photography, lossy compression and machine learning security. To enable this line of work, we are currently developing a TensorFlow-based open source toolbox for modeling and optimization of various imaging applications (https://github.com/pkorus/neural-imaging). About the speaker: Nasir Memon is a professor in the Department of Computer Science and Engineering at NYU Tandon. He is an affiliate faculty member of the computer science department in the Courant Institute of Mathematical Sciences at NYU. He introduced cybersecurity studies to New York University Tandon School of Engineering and is a founding director of the Center for Cyber Security, New York University, and the Center for Cyber Security at New York University Abu Dhabi. He is the founder of OSIRIS and CSAW, the world's largest student-run cybersecurity event. As the Associate Dean for Online Learning, he launched the Bridge to Tandon program, which provides pathways for non-STEM students into Computer Science and Cyber Security; the Cyber Fellows program, which provides a highly affordable, industry-partnered online MS in cybersecurity to domestic students; and the MS in Cyber Risk and Strategy in collaboration with NYU Law. He has published more than 300 papers and received several best paper awards and awards for excellence in teaching. He has been on the editorial boards of several journals, and was the Editor-In-Chief of the IEEE Transactions on Information Security and Forensics. He is an IEEE, IAPR and SPIE Fellow for his contributions to image compression and media security and forensics. His research interests include digital forensics, biometrics, data compression, network security, and security and human behavior.
