CERIAS Security Seminar Podcast CERIAS Security Seminar series video podcasts.
- Melissa Dark, “Building the Next Generation Cybersecurity Workforce: Progress and Challenges”by CERIAS on January 12, 2022 at 9:30 pm
This talk explores over 20 years of building the cybersecurity workforce in the United States with a focus on the evolution, progress made, and challenges ahead.
- Melissa Hathaway & Francesca Spidalieri, “Integrating Cybersecurity into Digital Development”by CERIAS on December 8, 2021 at 9:30 pm
In June 2021, the GFCE and the World Bank came together to identify pathways to bridge the development community to the cybersecurity capacity building community and create mechanisms by which digital development could see the benefits of incorporating cyber security into their projects and initiatives to achieve more resilient outcomes. This report, Integrating Cyber Security into the Digital Development Agenda, highlights some of the key challenges and benefits of incorporating cybersecurity, digital resilience, and cyber capacity building into the broader development agenda. The report also features several best practices and bridging venues and activities that could facilitate tighter alignment and collaboration between the digital development and cybersecurity capacity building communities and among initiative donors and implementors.https://thegfce.org/wp-content/uploads/2021/11/Integrating-Cybersecurity-into-Digital-Development_compressed.pdf
- Kacper Gradon, “Future Trends in Cyber Crime and Hybrid Warfare”by CERIAS on December 1, 2021 at 9:30 pm
“Do Criminals Dream of Electric Sheep?” Such issue is no longer a domain of futurologists and science-fiction writers, but a serious question asked by the EUROPOL alarmed by how emerging Information Technologies shape the future of crime and law-enforcement. Apart from its obviously positive effects, the technology also impacts and affects the way criminal offenders, terrorists and rogue governments operate at the stages of know-how gathering, planning, preparation and execution of their attacks. The progress in the development of IT and its accessibility is so unprecedentedly high, that– in order not to lag behind – the law-enforcement and intelligence communities need to research and analyze the further and potential advances (and design the potential preventive measures) promptly. The presentation addresses the problem of a lack of forecasting/analytical approach to the study of an impact of emerging and disruptive technologies on the criminal, terrorist and information warfare landscape. The author aims to deliver the most up-to-date analysis of the threats to come, together with a set of plausible solutions on how to deter and mitigate the risk. The presentation will characterize the dangers posed by the potential abuse of Information Technologies by the criminal/terrorist/state actors. The author will deliver an analysis articulating the key factors implicated in events related to the technology abuse, across all stages of the event. The presentation will cover such areas as e.g.: 1) abuse of the open source information for planning, preparation & execution of the attack; 2) hazards associated with the abuse of wearable devices; 3) use of mobile technologies to profile, select and groom potential activists or extremists or to enable human trafficking and sexual exploitation of children; 4) attacks on Internet of Things networks for targeting specific individual/entity or to create mass-level disruption incl. attacks on critical national infrastructure; 5)hijacking of autonomous vehicles; 6) use of drones (aerial, ground operating, hydroid) for surveillance, as weapons, for drugs delivery, as burglary bots, as tools to disrupt civil aviation or military systems; 7) attacks on IP-enabled medical devices; 8) the use of (semi)autonomous robots; 9) the use of the Artificial Intelligence, machine-learning, deep-learning and reinforcement learning techniques for various criminal/terrorist objectives; 10) abuse of blockchain technologies and crypto-currencies (financing of terrorism, money laundering, bribery, financing of illegal activities, extortion/ransomware); 11)abuse of 3D printing technologies; 12) risk associated with Quantum Computing and 5G telecom networks (increased capabilities of criminal/terrorist/cyber-warfare operations). A special focus will be put on Information Warfare (hybrid and asymmetric threats), where disinformation, misinformation and propaganda are used by nation states in a general scheme of malign foreign influence to disrupt the situation abroad.
- Lesley Carhart, “You Are The Future of Industrial Cybersecurity”by CERIAS on November 17, 2021 at 9:30 pm
Securing industrial networks has never been more crucial, but it’s not as simple as just patching legacy computers or installing commercial tools. Responding to cybersecurity incidents in critical infrastructure environments poses unique challenges and requires a very unusual set of skills. This lecture will cover key terminology, operational differences, and technology differences between industrial and enterprise environments. Attendees will leave with an essential understanding of the challenges in the space and the skills they will need to develop to make a difference.
- Helen Patton, “Navigating the Cybersecurity Profession: Essential Elements for a Satisfying Career”by CERIAS on November 3, 2021 at 8:30 pm
Having a satisfying cybersecurity career can feel elusive, even for a seasoned cybersecurity professional. In this session, we’ll talk about things that all security professionals, of all levels and backgrounds, need to know and do, in order to achieve professional success. We will cover: The importance of networking, and how to leverage them to achieve your career goals Continuous learning – when, how, and when is it too much? Self-awareness, and why this is the basis for everything you do Managing yourself vs. managing others – when to be a single contributor and when to run a team Handling Security Stress – why does it happen, and what can be done about it Leaving a legacy, what to do if you want to be remembered for more than the immediate job
- Jeremiah Blocki, “Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking”by CERIAS on October 27, 2021 at 8:30 pm
We introduce password strength information signaling as a novel, yet counter-intuitive, defense mechanism against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack fewer passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game i.e., the attacker’s profit is given by the value of the cracked passwords minus the total guessing cost. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We use an evolutionary algorithm to compute the optimal signaling scheme for the defender. As a proof-of-concept, we evaluate our mechanism on several password datasets and show that it can reduce the total number of cracked passwords by up to 12% (resp. 5%) of all users in defending against offline (resp. online) attacks. Joint work with Wenjie Bai and Ben Harsha
- Amit Yoran, “Symposium Closing Keynote”by CERIAS on October 20, 2021 at 8:30 pm
- Jordan Mauriello, “Understanding Attackers and Motivations”by CERIAS on October 13, 2021 at 8:30 pm
Understanding the evolution of attacker motivations, and the impact to managing risk in enterprise environments is a key to successfully building cyber security programs in today’s IT enterprise. Over the last decade both attacks, and attacker motivations have evolved dramatically. From Hacktivism to Nation State Actors, from Identity Theft Rings to Ransomware-as-a-Service, the motivations, timing, determination, and discipline of attackers has changed dramatically. This presentation will discuss this evolution from early cyber espionage and hacktivism to evolving nation state threats and how motivations drive behavior and risk decision making in enterprise cyber security programs.
- Yoon Auh, “NUTS: The Beta Demo”by CERIAS on October 6, 2021 at 8:30 pm
Beyond End-to-End Encryption (BE2EE) technology can protect your data in-transit and at-rest in a consistent way: NUTS may help define this new category. Last year, we presented the technology of NUTS (https://ceri.as/nuts2020). This year, we demonstrate NUTS in action with our Beta version. See secure objects move around in cyberspace without a central reference monitor in a transport agnostic way. The demo will show practical use cases that NUTS enables. The global pandemic drastically altered our way of life and Work-From-Home presents technical challenges that reveal the structural weaknesses of our largest systems. Adversarial threats are now more common place and large outages are frequent. We believe NUTS shows a new path towards a more resilient operating environment for our data. We strongly recommend viewing last year’s presentation (https://ceri.as/nuts2020)to better understand the background and approach of the tech. Joining us for this session will be COL (Ret) Robert Banks, USA, PhD. who served as Deputy Director, Current Operations of U.S. Cyber Command with his insights and comments on this technology. Dr. Banks retired from the U.S. Army after a distinguished 37-yearcareer. His previous services include Chief of Operations of the Army Global Network Operation & Security Center, Command of the largest Army Helicopter Battalion of 64 Chinooks covering 8 states, and providing significant contributions at the Joint Staff Cyberspace Division, National Counterintelligence Security Center, Army Defense Industrial Base, Asymmetric Warfare Office – Electronic Warfare, National Guard Bureau, and Co-Chaired the Smart Grid Interoperability Panel, while supporting the Tri-County Electric Cooperative. He holds numerous advanced degrees including a PhD in Information Technology from George Mason University specializing in Hybrid Security Risk Assessment Models. Additionally, he holds the following certifications: CISSP, PSDGP, ITILv3, AWS-CCP, AZURE-AI.
- Jennifer Bayuk, “The History of Cybersecurity Metrics”by CERIAS on September 29, 2021 at 8:30 pm
This talk covers the state of the Art and Practice in Cybersecurity Metrics. The history ranges from the 1970s through the present. Topics include, but are not limited to: Control Objectives, the Orange Book, the Common Criteria, Systems Security Engineering Capability Maturity Model, Common Vulnerability Enumeration, National Vulnerability Database, NIST Pubs such as the Performance Measurement Guide for Information Security, Threat Intelligence Protocols, Exemplar studies such as the Verizon Data Breach Incident Report, Industry Best Practice and Regulatory Assessments, Security Incident and Event Management, Security Analytics, Security Scorecards.
- Paula deWitte, “The Need for Legal Education within a Cybersecurity Curriculum”by CERIAS on September 22, 2021 at 8:30 pm
Anecdotally, most cybersecurity curricula is based on the technical aspects of protecting, defending, and responding to cyber attacks. While these courses establish a solid foundation in the technical aspects of cybersecurity, what is often missing is establishing a foundation in cybersecurity law. Every individual who puts their hands on a keyboard operates within an uncertain ethical and legal framework. What we do not need is the type of education to produce more lawyers, but rather the type of education to produce more legal-savvy technical workers. Today’s tech workers are exposed to more personal information as well as intellectual property – both targets in cyber attacks. They are expected to protect critical infrastructure and design with security “built in.” Yet, we do a poor job teaching the legal requirements as well as limitations imposed by law on building in privacy protections. For the past four years, the speaker has taught Cybersecurity Law & Policy to several hundred computer science and engineering students as well as those from business, architecture, technology management, and government policy. I began this course by conducting a data analytics exercise on the NIST NICE Framework to determine what work roles require legal training. The results were quite surprising as even very technical roles such as Threat Analysis and System Architecture require knowledge of laws, policies,and ethics as they relate to cybersecurity and privacy as well as knowledge of investigations. The feedback from graduating students who take on cybersecurity roles is that they are uniquely qualified to understand the necessity of compliance within their respective roles. This presentation will discuss the basis for legal education as well as a roadmap for how to incorporate such legal education within a cybersecurity curriculum to build the workforce necessary for the current cybersecurity environment.
- Aaron Shafer, “Securing SaaS, a Practitioner’s Guide”by CERIAS on September 15, 2021 at 8:30 pm
In this session we will talk about applying appropriate security controls to Software as a Service (SaaS) offerings. While it may seem like the SaaS vendors have most of the responsibility for securing these platforms, there are still a number of threats that customers need to worry about themselves. During the session we will walk through various types of SaaS solutions, including a few new surprising categories, and will then talk about the nuances of the Shared Responsibility Model (SRM). We will dive into how to assess the threats to our data, users, and connected systems related to the deployment of SaaS solutions by taking a Threat Modeling approach to the problem. Once we’ve compiled our list of risks we will then talk through practical counter measures that can be implemented to mitigate or reduce risk. The session will then wrap up with a discussion of some existing security tooling that can be considered to further strengthen the defenses around these SaaS solutions today.
- Gideon Rasmussen, “Adaptive Cybersecurity Risk Assessments”by CERIAS on September 1, 2021 at 8:30 pm
This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation. The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud. This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures. Rather than repeating the same assessment year-over-year, the scoping methodology is risk opportunistic. There is focus on areas that have not been evaluated recently and areas that may require enhanced controls due to presence of valuable data. Albert Einstein’s quote applies here “the definition of insanity is doing something over and over again and expecting different results”. The session will briefly walk through the assessment report framework, providing tips along the way. The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.
- Jeremy Rasmussen, “The Changing Cybersecurity Threatscape”by CERIAS on August 25, 2021 at 8:30 pm
During the height of the pandemic, it’s estimated that digital transformation advanced by as much as seven years, opening the door for hybrid and remote working solutions to thrive. But, the increase in remote work also revealed new threats to devices and applications. In this session, we will discuss: • The post-COVID world and “Zero Trust” • Trusted software becoming less trustworthy • The surprising ways ransomware launches • Identifying Web/SSL VPN vulnerabilities in firewalls • Application of AI and ML in cybersecurity • Countermeasures used to combat these issues
- Nasir Memon, “AI, Computational Imaging and the Battle for Media Integrity”by CERIAS on July 28, 2021 at 5:30 pm
Rapid progress in machine learning, computer vision and graphics leads to successive democratization of media manipulation capabilities. While convincing photo and video manipulation used to require substantial time and skill, modern editors bring (semi-) automated tools that can be used by everyone. Some of the most recent examples include manipulation of human faces, e.g., by their replacement or semantic manipulation (expression, age, etc.). At the same time, dissemination of fake news and misinformation campaigns are picking up speed which challenges trust in the society. Our media distribution platforms lack content integrity features as they were designed and optimized for the quality of (human) experience with strict bandwidth / storage constraints. Such an approach fails to recognize an increasing role of automated analysis by machine learning models, e.g, strong lossy compression applied to media assets removes imperceptible statistical traces indicative of content manipulation and is often referred to as media “laundering” process. In this talk, we explore end-to-end optimization of photo acquisition and distribution pipelines for media authentication. We show that feedback from forensic analysis can be used to optimize upstream components like the camera ISP or lossy compression codecs to support media authentication on the receiving end. Modern machine learning tools allow us to discover new approaches to the problem with surprising connections to other fields like information hiding, computational photography, lossy compression and machine learning security. To enable this line of work, we are currently developing a Tensorflow-based open source toolbox for modeling and optimization of various imaging applications (https://github.com/pkorus/neural-imaging).
- David Dill, “A Formal Verifier for the Diem Blockchain Move Language”by CERIAS on July 21, 2021 at 5:30 pm
The Diem blockchain, which was initiated in 2018 by Facebook, includes a novel programming language called Move for implementingsmart contracts. The correctness of Move programs is especially important because the blockchain will host large amounts of assets, those assets are managed by smart contracts, and because there is a history of large losses on other blockchains because of bugs in smart contracts. The Move language is designed to be as safe as we can make it, and it is accompanied by a formal specification and automatic verification tool, called the Move Prover. A project to specify and formally verify as many important properties of the Move standard library is now well underway. This talk will be about the goals of the project and the most interesting insights we’ve had as of the time of the presentation. The entire blockchain implementation, including the Move language, virtual machine, the Move Prover, and near-final various Move modules are available on http://github.com/libra
- Dave Henthorn, “Educating the Next Generation on the Challenges of Securing Critical Infrastructure”by CERIAS on July 14, 2021 at 5:30 pm
Cyberattacks on critical infrastructure such as power plants, dams, and chemical facilities are increasing in both intensity and sophistication, with attackers actively exploiting the cultural divide between the engineers who design and run these facilities and the cybersecurity people who protect them. At Rose-Hulman, we are building a multidisciplinary Critical Infrastructure Laboratory to bring these groups together with the goal of educating the next generation on the difficulties of designing and securing facilities vital to our national and economic security.
- Winn Schwartau, “Security is Probabilistic, Not Deterministic: Get Over It”by CERIAS on July 7, 2021 at 5:30 pm
Since the inception of computer/data/cyber/network securitysome fifty years ago, one recurring question has beset our industry: “How do wesecure it?” By its very nature, that question has propagated as a harmful meme,by implying that a binary deterministic answer is available, or even possible. This talk examines security through a non-deterministiclens, applying probabilistic and analogue functions to discover new approachesto defending anthro-cyber-kinetic systems.
- Neil Daswani, “Big Breaches: Cybersecurity Lessons For Everyone”by CERIAS on June 30, 2021 at 5:30 pm
This talk covers the key lessons learned and root causes from the biggest mega-breaches and the 9,000+ reported breaches over the past 15 years. By analyzing the histories, stories, and deep dives of breaches such as those at Target, JPMorganChase, OPM, Yahoo, Equifax, Facebook, Marriott, Capital One, and the SolarWinds hack, I will also lay the groundwork for a roadmap to recovery based on the root causes.
- Laura Thomas, “National Security Implications of Quantum Technology”by CERIAS on June 23, 2021 at 5:30 pm
Quantum technology will be transformational. When applied, quantum has the power to dramatically improve our society, as well as cause major disruptions on the national security and economic security fronts. This presentation will provide an overview of the fundamentals of quantum technology, to include the three major branches of quantum technology development: quantum computing, quantum sensing, and quantum networking. We will discuss use cases for each and explore where the technology stands today, its commercialization and hardware engineering challenges, and potential pathways for a quantum future.
- Ida Ngambeki, “Understanding the Human Hacker”by CERIAS on June 16, 2021 at 5:30 pm
Social Engineering is employed in 97% of cybersecurity attacks. This makes social engineering penetration testing an important aspect of cybersecurity. Social engineering penetration testing is a specialized area requiring skills and abilities substantially different from other types of penetration testing. Training for social engineering penetration testing as well as understanding what skills, abilities, and personalities make for good social engineers is not well developed. This mixed methods study uses surveys and interviews conducted with social engineering pen testers to examine their pathways into the field, what personality traits contribute to success, what skills and abilities are necessary and what challenges these professionals commonly face. The results are used to make recommendations for training.
- Neil Gong, “Secure Federated Learning”by CERIAS on June 9, 2021 at 5:30 pm
Federated learning is an emerging machine learning paradigm to enable many clients (e.g., smartphones, IoT devices, and edge devices) to collaboratively learn a model, with help of a server, without sharing their raw local data. Due to its communication efficiency and potential promise of protecting private or proprietary user data, and in light of emerging privacy regulations such as GDPR, federated learning has become a central playground for innovation. However, due to its distributed nature, federated learning is vulnerable to malicious clients. In this talk, we will discuss local model poisoning attacks to federated learning, in which malicious clients send carefully crafted local models or their updates to the server to corrupt the global model. Moreover, we will discuss our work on building federated learning methods that are secure against a bounded number of malicious clients.
- Leigh Metcalf, “The Gauntlet of Cybersecurity Research”by CERIAS on June 2, 2021 at 5:30 pm
Good research has scientific principles driving it. Analysts begin research with a goal in mind and at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles.
- Gary McGraw, “Security Engineering for Machine Learning”by CERIAS on May 26, 2021 at 5:30 pm
Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however. ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level. Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general. A list of the top five (of 78 known) ML security risks will be presented.
- Steven Furnell, “Cybersecurity Skills – Easy to say, harder to recognise?”by CERIAS on April 28, 2021 at 8:30 pm
There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance. Everybody wants it. But do they really know what they want? What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so? This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our reference point. The discussion then proceeds to examine how this has knock-on impacts in terms of the qualifications and certifications that may be held by our current and future workforce. All are labelled as ‘cybersecurity’, but to what extent are they covering it, and how can those that need support tell the difference?
- Ira Winkler, “You Can Stop Stupid: Human Security Engineering”by CERIAS on April 21, 2021 at 8:30 pm
While users are responsible for initiating 90%+ of losses, it is not their fault. The entire system is what enables the losses, and the entire system must be designed to prevent them. Drawing lessons from safety science, counterterrorism, and accounting, this presentation details how to expect and stop user initiated loss.
- Yimin Chen, “Delving into differential privacy and anomaly detection: a meta-learning perspective”by CERIAS on April 14, 2021 at 8:30 pm
In this talk, we explore security and privacy related to meta-learning, a learning paradigm aiming to learn ‘cross-task’ knowledge instead of ‘single-task’ knowledge. For privacy perspective, we conjecture that meta-learning plays an important role in future federated learning and look into federated meta-learning systems with differential privacy design for task privacy protection. For security perspective, we explore anomaly detection for machine learning models. Particularly, we explore poisoning attacks on machine learning models in which poisoning training samples are the anomaly. Inspired from that poisoning samples degrade trained models through overfitting, we exploit meta-training to counteract overfitting, thus enhancing model robustness.
- Tawei (David) Wang, “The Invisible Risks: An Empirical Analysis on Data Sharing Activities and Systemic Risk among the Data Brokers”by CERIAS on April 7, 2021 at 8:30 pm
Data brokers are the major players in the market of collecting, selling, and sharing online user information. Although their practices have raised tremendous privacy concerns, their data collection and sharing activities are still under the veil. The growth of adverse cybersecurity incidents toward the data brokers has led the regulators, including California and Vermont, to require the data brokers to register and disclose their activities. This paper analyzes the leaked information on the dark web to analyze the data sharing and collection activities among the data brokers. In specific, we cluster the data brokers based on their data collection activities given by their product description to quantify the activity proximity. Next, we empirically examine how activity proximity leads to co-occurrence on the leaked information in the dark web. We further discuss the deterrence effect of the data broker registration on information leakage. Our study contributes to cybersecurity assurance and risk assessment literature by unveiling the shadowy data-collecting and data-sharing market.
- Frederick Scholl, “Cybercrime: A Proposed Solution”by CERIAS on March 31, 2021 at 8:30 pm
Modern cybercrimes are responsible for $400B dollars of losses on an annual basis. Headlines appear regularly announcing major breaches. Yet few people and businesses understand what happened in such incidents and how to avoid being a victim themselves. The security industry does provide analyses of breach statistics, but effective preventative measures can be lost in the numbers. Virtually all breaches result from technology failure combined with people failure. This presentation will look at actual recent cybercrimes in order to document what happened and what could have prevented that incident. Who carried out the breach? What did they do? What was taken? How could it have been stopped? What was the story behind the breach? Attack types include ransomware, business email compromise, intellectual property theft and breach of Personally Identifiable Information. By being more familiar with current successful threats and breaches you will: · Be able to avoid high risk activities, if possible · Be able to be better prepared to stop such an attack against you or your organization · Be able to optimize security spending and resources for actual attack patterns This presentation is designed for both security professionals and business professionals who want to better secure their assets and processes against the increasing number of cyber criminals.
- Jack Daniel, “The Shoulders of InfoSec”by CERIAS on March 24, 2021 at 8:30 pm
The nature of cybersecurity and modern life is such that we feel pressured to run just to keep up, this leaves us no time to look back and reflect on how we got where we are as an industry and field of study, nor to learn about the people who led the way. In this presentation we will dig into the stories of some of the people who were foundational in the field we know call cybersecurity, some well-known, others obscure.