CERIAS Security Seminar Podcast CERIAS Security Seminar series video podcasts.
- Steven Furnell, “Cybersecurity Skills – Easy to say, harder to recognise?” by CERIAS on April 28, 2021 at 8:30 pm
There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance. Everybody wants it. But do they really know what they want? What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so? This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our reference point. The discussion then proceeds to examine how this has knock-on impacts in terms of the qualifications and certifications that may be held by our current and future workforce. All are labelled as ‘cybersecurity’, but to what extent are they covering it, and how can those that need support tell the difference?
- Ira Winkler, “You Can Stop Stupid: Human Security Engineering” by CERIAS on April 21, 2021 at 8:30 pm
While users are responsible for initiating 90%+ of losses, it is not their fault. The entire system is what enables the losses, and the entire system must be designed to prevent them. Drawing lessons from safety science, counterterrorism, and accounting, this presentation details how to expect and stop user initiated loss.
- Yimin Chen, “Delving into differential privacy and anomaly detection: a meta-learning perspective” by CERIAS on April 14, 2021 at 8:30 pm
In this talk, we explore security and privacy related to meta-learning, a learning paradigm aiming to learn ‘cross-task’ knowledge instead of ‘single-task’ knowledge. From the privacy perspective, we conjecture that meta-learning will play an important role in future federated learning and look into federated meta-learning systems with a differential privacy design for task privacy protection. From the security perspective, we explore anomaly detection for machine learning models. In particular, we explore poisoning attacks on machine learning models in which the poisoned training samples are the anomaly. Inspired by the observation that poisoning samples degrade trained models through overfitting, we exploit meta-training to counteract overfitting, thus enhancing model robustness.
- Tawei (David) Wang, “The Invisible Risks: An Empirical Analysis on Data Sharing Activities and Systemic Risk among the Data Brokers” by CERIAS on April 7, 2021 at 8:30 pm
Data brokers are the major players in the market for collecting, selling, and sharing online user information. Although their practices have raised tremendous privacy concerns, their data collection and sharing activities are still veiled. The growth of adverse cybersecurity incidents affecting data brokers has led regulators, including California and Vermont, to require data brokers to register and disclose their activities. This paper analyzes leaked information on the dark web to study the data sharing and collection activities of data brokers. Specifically, we cluster the data brokers based on their data collection activities, as given by their product descriptions, to quantify activity proximity. Next, we empirically examine how activity proximity leads to co-occurrence in the leaked information on the dark web. We further discuss the deterrence effect of data broker registration on information leakage. Our study contributes to the cybersecurity assurance and risk assessment literature by unveiling the shadowy data-collecting and data-sharing market.
- Frederick Scholl, “Cybercrime: A Proposed Solution” by CERIAS on March 31, 2021 at 8:30 pm
Modern cybercrime is responsible for $400B of losses annually. Headlines appear regularly announcing major breaches, yet few people and businesses understand what happened in such incidents and how to avoid becoming victims themselves. The security industry does provide analyses of breach statistics, but effective preventative measures can be lost in the numbers. Virtually all breaches result from technology failure combined with people failure. This presentation will look at actual recent cybercrimes in order to document what happened and what could have prevented each incident. Who carried out the breach? What did they do? What was taken? How could it have been stopped? What was the story behind the breach? Attack types include ransomware, business email compromise, intellectual property theft and breach of Personally Identifiable Information. By being more familiar with current successful threats and breaches you will:
  - be able to avoid high-risk activities, where possible
  - be better prepared to stop such an attack against you or your organization
  - be able to optimize security spending and resources for actual attack patterns
This presentation is designed for both security professionals and business professionals who want to better secure their assets and processes against the increasing number of cyber criminals.
- Jack Daniel, “The Shoulders of InfoSec” by CERIAS on March 24, 2021 at 8:30 pm
The nature of cybersecurity and modern life is such that we feel pressured to run just to keep up. This leaves us no time to look back and reflect on how we got where we are as an industry and field of study, nor to learn about the people who led the way. In this presentation we will dig into the stories of some of the people who were foundational in the field we now call cybersecurity, some well known, others obscure.
- Santiago Torres-Arias, “Practical software Supply Chain Security and Transparency” by CERIAS on March 17, 2021 at 8:30 pm
The software development process, or software supply chain, is quite complex and involves a number of independent actors. This ever-growing complexity has led to various software supply chain compromises: from XcodeGhost injecting malware into millions of apps, to the highly publicized SolarWinds compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both open source and industry, such as Sigstore, Cosign and in-toto, to protect millions of users across the globe.
- Greg Akers, “SDN/NFV in the ICS, SCADA and Manufacturing World as a Cyber Security Tool” by CERIAS on March 10, 2021 at 9:30 pm
A discussion about where we are in the commercial SDN/NFV world today and where we are headed: what the next-generation threats are beyond those we face today, and how software definability may be an asset in the defender’s toolkit. The talk also looks at the intersection between SDN/NFV and AI/ML, how this changes the defense calculus and alters the attack surface, and what capabilities we need to develop in the practitioner, consumer and defender worlds.
- Randall Brooks, “Cyber Supply Chain Risk Management (SCRM) and its impact on Information and Operational Technology (IT/OT)” by CERIAS on March 3, 2021 at 9:30 pm
In a growing interdependent marketplace, it is nearly impossible to develop every part or component in house. Electronics are almost entirely manufactured offshore. Concerns have risen about the trustworthiness of electronics that may contain extra or potentially malicious functionality. Traditional supply chain risk management only deals with the supplier’s ability to deliver a product on time and within budget; the cyber aspects focus on the trustworthiness of the product that was delivered. Vendors that are themselves procuring products, such as test systems or subtractive or additive manufacturing equipment, are now concerned that the products they produce are affected by Cyber Supply Chain Risk Management (C-SCRM).
- Caroline Wong, “Security Industry Context” by CERIAS on February 24, 2021 at 9:30 pm
Join Caroline Wong, Cobalt.io’s head of Security and People, for a unique perspective on the role of humans in cybersecurity.
- Cory Doctorow, “Technology, Self-Determination, and the Future of the Future” by CERIAS on February 17, 2021 at 9:30 pm
Self-determination is the key to human thriving; it’s also the enemy of both dictatorships and monopolies. It’s no coincidence that the commercial imperatives of tech monopolies create the infrastructure for political oppression. The public-private partnership from hell looks like this: companies install surveillance and other systems of control to extract higher rents from their customers and ward off competitors. Then states seize that surveillance and control apparatus to gain and consolidate power. That’s the bad news. The good news is that it means that those of us fighting dictatorships have natural allegiances with those fighting monopolies, and vice versa.
- Levi Lloyd, “Securing the Software Supply Chain” by CERIAS on February 10, 2021 at 9:30 pm
In December 2020, FireEye discovered a supply chain attack against the SolarWinds Orion network management system. The impact of this event has caused the cybersecurity community to reevaluate how we think about threats coming from the software supply chain. At Lawrence Livermore National Laboratory we have been developing software assurance tools for many years to automate the analysis of software to enable asset owners and operators to make sound decisions about the software in their environments. In this presentation, I will describe this effort, talk about some of our tools, and discuss ways to mitigate future supply chain attacks.
- Steve Lipner, “Lessons Learned – Fifty Years of Mistakes in Cybersecurity” by CERIAS on February 3, 2021 at 9:30 pm
Over fifty years, I’ve led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off.
- Scott Shackelford, “The Internet of Things: What Everyone Needs to Know” by CERIAS on January 27, 2021 at 9:30 pm
The Internet of Things (IoT) is the notion that nearly everything we use, from gym shorts to streetlights, will soon be connected to the Internet. Industry and financial analysts have predicted that the number of Internet-enabled devices will increase from 11 billion to upwards of 25 billion in coming years. Regardless of the number, the end result looks to be a mind-boggling explosion in Internet connected stuff. Yet, there has been relatively little attention paid to how we should go about regulating smart devices, and still less about how cybersecurity should be enhanced. Similarly, now that everything from refrigerators to stock exchanges can be connected to a ubiquitous Internet, how can we better safeguard privacy across networks and borders? This talk will explore these issues by pulling from the recently published book, ‘The Internet of Things: What Everyone Needs to Know.’ Our discussion will also be couched by the findings of a recent report for the Indiana Executive Council on Cybersecurity entitled, ‘State of Hoosier Cybersecurity 2020.’
- Adwait Nadkarni, “Building Practical Security Systems for the Post-App Smart Home” by CERIAS on January 20, 2021 at 9:30 pm
Modern end-user computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling expressive and popular functionality that is often manifested in applications, or apps. Thus, for the last decade, designing security systems to analyze apps for vulnerabilities or unwanted behavior has been a major focus within the security community. This approach has continued well into the smart home, with researchers developing systems inspired by lessons from Android security to inspect IoT apps developed for popular platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate that IoT apps may not represent automation in real homes, and may even be unavailable in the near future. That is, while API misuse by third-party developers is an important problem, the approach of analyzing/instrumenting IoT apps may not offer an effective or sustainable solution. In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate three alternate research directions. First, I will describe the need to develop an alternative artifact for security analysis that is representative of automation usage in the wild. To this end, I will introduce Helion, a system that uses statistical language modeling to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which can be used for security or safety analysis. Second, I will illustrate the need to improve the security of mobile companion apps, which often form the weakest link in smart home deployments, and the important position of security analysis/compliance tools in ensuring the development of secure companion apps.
To this end, I will present the mSE framework, which automatically and rigorously evaluates static program analysis-based security systems using mutation testing. Our work on mSE (and its successor, MASC) culminated in the discovery of critical security flaws in popular tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing our current efforts to build system-level defenses into IoT platforms that are agnostic to IoT apps, i.e., independent of their visibility or mutability, thereby potentially providing a lasting solution to API misuse by third-party developers.
- Lorrie Cranor, “Security and Privacy for Humans” by CERIAS on December 9, 2020 at 9:30 pm
Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, about 20 years ago that started to change when a seminal paper asked “Why Johnny Can’t Encrypt” and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the lessons learned from the past 20 years of usable privacy and security research, and explore where the field might be headed.
- Kimberly Ferguson-Walter, “Maximizing Cyber Deception to Improve Security: An Empirical Analysis” by CERIAS on December 2, 2020 at 9:30 pm
The threat of cyber attacks is a growing concern across the world, leading to an increasing need for sophisticated cyber defense techniques that leverage the defender’s “home field advantage”. We designed the Tularosa Study to understand how defensive deception, both cyber and psychological, affects cyber attackers. Over 130 professional red teamers participated in a network penetration test over two days in which both the presence of and explicit mention of deceptive defensive techniques were controlled. To our knowledge, this represents the largest study of its kind ever conducted on a skilled red team population. The design was conducted with a battery of questionnaires (e.g., experience, personality, etc.) and cognitive tasks (e.g., fluid intelligence, working memory, etc.), allowing for the characterization of a “typical” red teamer, as well as physiological measures (e.g., galvanic skin response, heart rate, etc.) to be correlated with the cyber events. Preliminary results support a new finding that the combination of the presence of deception and the true information that deception is present has the greatest effect on cyber attackers, when compared to a control condition in which no deception was used.
Special Panel: Immediately following Dr. Ferguson-Walter’s seminar, join CERIAS for a unique opportunity to hear six professionals from NSA, including two Purdue alumni, who will share their careers and experiences as cybersecurity researchers and practitioners. The panelists will describe opportunities for students and graduates, and answer questions from the audience about their work and life at NSA. [Note: Only US citizens are able to work at the NSA.]
Topic: What is it like to work at the National Security Agency (NSA), 5:30pm EDT. Register in advance for this webinar: https://purdue-edu.zoom.us/webinar/register/WN_mRCKeiU9TbqNJNxcogddsA After registering, you will receive a confirmation email containing information about joining the webinar.
Panelists:
Eric Bryant is currently serving as a Director of Cybersecurity Operations in the NSA/CSS Cybersecurity Operations Center (NCSOC). In this capacity, he is responsible for leading a diverse team working around the clock to prevent and eradicate cybersecurity threats to the nation. He also serves as NSA’s Academic Liaison to Purdue University, where he graduated with a degree in computer science and is an alumnus of CERIAS.
Dr. Josiah Dykstra is a Technical Fellow and Senior Executive in the Cybersecurity Collaboration Center of the National Security Agency. He holds a Ph.D. in computer science and previously served at NSA as a cyber operator and researcher. Dr. Dykstra is interested in cybersecurity science and how humans intersect with technology. He is the author of numerous peer-reviewed research papers and one book.
Dr. Kimberly Ferguson-Walter is a Senior Research Scientist with NSA’s Laboratory for Advanced Cybersecurity Research where her research focuses on the intersection of computer security, artificial intelligence, and human behavior. She has been focused on adaptive cybersecurity at the NSA for the past ten years and is the lead for the Research Directorate’s deception for cyber-defense effort. She has a Ph.D. in computer science and is currently on joint-duty assignment to the Naval Information Warfare Center Pacific to perform collaborative research and facilitate strategic alignment and technology transfers.
Natalie Janiszewski is a Higher Education Outreach Advocate with NSA’s office of Academic Engagement. Natalie brings over 25 years of educational experience to her role at NSA. She is responsible for maintaining strong relationships with academic institutions to influence curriculum and encourage activities in NSA’s mission-critical areas: science, technology, engineering, math, intelligence analysis, language and cybersecurity. Natalie taught classes in a graduate program for educational technology. Her passion lies in designing environments that facilitate durable, actionable learning for students.
Joel Klasa graduated from Purdue in May 2020 with a degree in computer science and participated in the NSA co-op program throughout his time at Purdue. Upon graduation, he was hired into a development program at the agency and has a current focus of machine learning and artificial intelligence in cybersecurity.
Dr. Celeste Lyn Paul is a senior researcher and technical leader at the National Security Agency. Her work has focused on a broad range of topics including emerging technologies, human factors in security, and more recently, securing cyberspace in outer space.
- Sivaram Ramanathan, “Improving the Accuracy of Blocklists by Aggregation and Address Reuse Detection” by CERIAS on November 18, 2020 at 9:30 pm
IP address blocklists are a useful source of information about repeat attackers. Such information can be used to prioritize which traffic to divert for deeper inspection (e.g., repeat offender traffic), or which traffic to serve first (e.g., traffic from sources that are not blocklisted). But blocklists also suffer from overspecialization — each list is geared towards a specific purpose — and they may be inaccurate due to misclassification or stale information. We propose BLAG, a system that evaluates and aggregates multiple blocklist feeds, producing a more useful, accurate and timely master blocklist, tailored to the specific customer network. BLAG uses a sample of the legitimate sources of the customer network’s inbound traffic to evaluate the accuracy of each blocklist over regions of address space. It then leverages recommendation systems to select the most accurate information to aggregate into its master blocklist. Finally, BLAG identifies portions of the master blocklist that can be expanded into larger address regions (e.g., /24 prefixes) to uncover more malicious addresses with minimum collateral damage. Our evaluation of blocklists of various attack types and three ground-truth datasets shows that BLAG achieves high specificity of up to 99%, improves recall by up to 114 times compared to competing approaches, and detects attacks up to 13.7 days faster, which makes it a promising approach for blocklist generation. Although the performance of blocklists can be improved, they need to be used carefully. Blocklists can potentially lead to unjust blocking of legitimate users due to IP address reuse, where more users could be blocked than intended. IP addresses can be reused either at the same time (Network Address Translation) or over time (dynamic addressing). We present two new techniques to identify reused addresses.
We built a crawler using the BitTorrent Distributed Hash Table to detect NATed addresses and use the RIPE Atlas measurement logs to detect dynamically allocated address spaces. We then analyze 151 publicly available IPv4 blocklists to show the implications of reused addresses and find that 53–60% of blocklists contain reused addresses, having about 30.6K–45.1K listings of reused addresses. We also find that reused addresses can potentially affect as many as 78 legitimate users for as many as 44 days.
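The aggregation and /24 expansion steps described in the abstract, as an added example that is not BLAG's code: each feed is scored per /24 region against a sample of the customer network's known-legitimate inbound sources, only listings from regions where the feed scores well enter the master list, and a /24 is expanded to the whole prefix only when it holds several listed addresses and no known-legitimate source. BLAG fills in unscored regions with a recommender system; this example falls back to the feed's overall accuracy instead, which is a simplification, and the feed contents and legitimate-source sample are constructed for the illustration.

```python
"""Simplified blocklist aggregation in the spirit of BLAG (illustrative example, not BLAG)."""
from collections import defaultdict
import ipaddress

# Constructed sample feeds (documentation-range addresses). "stale" lists only addresses
# that the customer network knows to be legitimate, i.e. it is out of date.
FEEDS = {
    "spam":  {"203.0.113.5", "203.0.113.9", "203.0.113.77", "198.51.100.4", "192.0.2.10"},
    "brute": {"203.0.113.5", "203.0.113.12", "198.51.100.4", "198.51.100.8"},
    "stale": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.200"},
}
# Constructed sample of known-legitimate inbound sources for this customer network.
LEGIT_SAMPLE = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.200"}


def region(ip: str) -> str:
    """The /24 prefix an address belongs to, e.g. '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def feed_accuracy_by_region(feeds, legit_sample):
    """Per (feed, /24): fraction of the feed's listings in that region that are NOT known
    legitimate. Regions a feed never lists get the feed's overall score (simplification:
    BLAG uses a recommender system to estimate these cells)."""
    scores = {}
    for name, ips in feeds.items():
        by_region = defaultdict(list)
        for ip in ips:
            by_region[region(ip)].append(ip)
        scores[name] = {"__overall__": 1 - len(ips & legit_sample) / len(ips)}
        for r, members in by_region.items():
            scores[name][r] = 1 - sum(m in legit_sample for m in members) / len(members)
    return scores


def aggregate(feeds, legit_sample, min_accuracy=0.5):
    """Build the master list from listings whose feed is accurate in that region."""
    scores = feed_accuracy_by_region(feeds, legit_sample)
    master = set()
    for name, ips in feeds.items():
        for ip in ips:
            acc = scores[name].get(region(ip), scores[name]["__overall__"])
            if acc >= min_accuracy and ip not in legit_sample:
                master.add(ip)
    return master


def expand(master, legit_sample, min_listed=3):
    """Expand a /24 to the whole prefix only when it has at least min_listed listed
    addresses and no known-legitimate source, limiting collateral damage."""
    by_region = defaultdict(set)
    for ip in master:
        by_region[region(ip)].add(ip)
    legit_regions = {region(ip) for ip in legit_sample}
    return {r for r, members in by_region.items()
            if len(members) >= min_listed and r not in legit_regions}


def is_blocked(ip, master, prefixes):
    """Lookup against the master list and the expanded prefixes."""
    addr = ipaddress.ip_address(ip)
    return ip in master or any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    master = aggregate(FEEDS, LEGIT_SAMPLE)
    prefixes = expand(master, LEGIT_SAMPLE)
    print("master:", sorted(master))
    print("expanded:", sorted(prefixes))
    for probe in ("203.0.113.200", "198.51.100.200", "192.0.2.10"):
        print(probe, "blocked" if is_blocked(probe, master, prefixes) else "allowed")
```

The stale feed contributes nothing because every region it lists is known legitimate, 203.0.113.0/24 is expanded because two independent feeds list four addresses there and no legitimate source lives in it, and 198.51.100.0/24 is not expanded because 198.51.100.200 is a legitimate source. The address-reuse caveat from the abstract still applies to the result: a single listed address behind a NAT or in a dynamically assigned pool may represent many users, so a production deployment would also consult reuse detection before blocking.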
- Abhilasha Bhargav-Spantzel, “Fearless Computing” by CERIAS on November 11, 2020 at 9:30 pm
“Wouldn’t it be great if we could download anything, explore anything and build anything without the annoying feeling that you are going to get hacked?” This was a question from my kids, who are currently in elementary school. Have you experienced similar questions from kids and adults alike? Computing is becoming such an integral part of our lives; wouldn’t it be great to use compute resources fully for all aspects of our lives, including work, education, healthcare and finance, and to be creative and innovate without the constant fear of backlash? This is what we mean by fearless computing: we investigate how the very design of compute can have security and privacy features built into the platform. We will also explore how, through education and awareness, we can help nurture the freedom of thought and innovation to not only protect ourselves but create a cyber talent pool that builds the next generation of systems and solutions. Join us for a discussion on the technology and solutions that help us work towards our vision for fearless computing.
- Kelley Misata, “Results from the Field: Cybersecurity in Nonprofits and Why it Matters” by CERIAS on November 4, 2020 at 9:30 pm
The last time you gave to a favorite charity, did you think about their cybersecurity? Do you sit on the board of a nonprofit? Are nonprofits using your cybersecurity solutions? The “wild” of the Internet and the continually evolving threat landscape force nonprofits to defend themselves against intrusion and cyber-attacks. Breaking down the myths and assumptions about nonprofits’ cybersecurity, this session spotlights approaches and exciting results from local nonprofit organizations of all sizes. Join us with your favorite nonprofit in mind and walk away with new information about this overlooked business sector and why it matters.
- Yoon Auh, “NUTS: eNcrypted Userdata Transit & Storage; Viewing Data as an Endpoint™ (DaaE) using Structured Cryptography” by CERIAS on October 28, 2020 at 8:30 pm
Can objects be truly secured independently without resorting to a massive central reference monitor? It’s a great question and we will discuss a solution to it called NUTS. During this talk, we’ll take data structures, message protocols and applied cryptography and toss them into the cauldron of reality, sprinkle in some DNA and data management to brew up some Security at the Data Perimeter towards crafting Data as the Endpoint. It sounds like a bad witch’s brew of epic proportions but once we cast the spell, you will see the integration of many CS/CISSP concepts you’ve learned over the years and new ways to use them. Our goal is to make sure that the private individual has the best applied cryptographic technologies at their disposal for free in an unobtrusive way. By the way, a nut is the only secure data structure we know of that can help mitigate insider threats in a purely cryptographic way independent of reference monitors. We’ll also show you how the NUTS Ecosystem can provide Alice with a ransomware-resistant ‘hot’ system at home using just two computers.
- Jeff Man, “Why Attack When You Can Defend” by CERIAS on October 21, 2020 at 8:30 pm
MITRE ATT&CK® seems to be the “next big thing”. Every time I hear about it I can’t help but wonder, “how do you prevent all these attacks in the first place? Shouldn’t that be the end game?” To that end, I set out to map all the recommended “Mitigations” for all the “Techniques” detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I’m still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results.
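The mapping exercise the abstract describes can be mechanized from the ATT&CK STIX bundle, where each technique is an "attack-pattern" object, each mitigation a "course-of-action" object, and each "relationship" of type "mitigates" links the two. The following is an added example, not the speaker's data or code: it parses a constructed miniature of the bundle (object shape follows the real bundle, ids are placeholders), joins it against an analyst-supplied table of mitigation IDs to PCI DSS v3.2.1 requirement numbers, and reports which techniques have every mitigation covered. The PCI table here is the author's own illustration of the kind of table the talk builds, not the speaker's results; M1021 is deliberately left unmapped to show how a gap surfaces.

```python
"""Added example: coverage of ATT&CK mitigations by a PCI DSS requirement mapping."""
from collections import defaultdict
import json

# Constructed miniature of the ATT&CK Enterprise STIX bundle. Real IDs (T1078, M1032, ...)
# and real mitigates-relationships, placeholder STIX object ids.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--t1078", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1110", "name": "Brute Force",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1566", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "course-of-action", "id": "course-of-action--m1032", "name": "Multi-factor Authentication",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
    {"type": "course-of-action", "id": "course-of-action--m1027", "name": "Password Policies",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1027"}]},
    {"type": "course-of-action", "id": "course-of-action--m1036", "name": "Account Use Policies",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1036"}]},
    {"type": "course-of-action", "id": "course-of-action--m1017", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "course-of-action", "id": "course-of-action--m1021", "name": "Restrict Web-Based Content",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1021"}]},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1032", "target_ref": "attack-pattern--t1078"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1027", "target_ref": "attack-pattern--t1078"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1032", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1027", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1036", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1017", "target_ref": "attack-pattern--t1566"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1021", "target_ref": "attack-pattern--t1566"},
]}

# Illustrative analyst mapping (assumption, not the speaker's findings): mitigation ID ->
# PCI DSS v3.2.1 requirement numbers. M1021 is intentionally absent.
PCI_MAP = {
    "M1032": ["8.3"],                      # MFA for non-console admin and remote access
    "M1027": ["8.2.3", "8.2.4", "8.2.5"],  # password strength, rotation, reuse
    "M1036": ["8.1.6", "8.1.7"],           # lockout after repeated attempts, lockout duration
    "M1017": ["12.6"],                     # security awareness program
}


def attack_id(obj):
    """The T####/M#### identifier from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def technique_mitigations(bundle):
    """technique ID -> set of mitigation IDs, skipping revoked/deprecated objects."""
    by_stix_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    result = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "mitigates":
            continue
        if o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        tech = attack_id(by_stix_id[o["target_ref"]])
        mit = attack_id(by_stix_id[o["source_ref"]])
        if tech and mit:
            result[tech].add(mit)
    return dict(result)


def pci_coverage(bundle, pci_map):
    """Per technique: which of its mitigations the PCI mapping covers, and which it does not."""
    report = {}
    for tech, mits in technique_mitigations(bundle).items():
        covered = {m for m in mits if m in pci_map}
        report[tech] = {
            "mitigations": sorted(mits),
            "covered": sorted(covered),
            "uncovered": sorted(mits - covered),
            "fully_covered": covered == mits,
            "pci_requirements": sorted({r for m in covered for r in pci_map[m]}),
        }
    return report


if __name__ == "__main__":
    # For the real data, replace BUNDLE with json.load(open("enterprise-attack.json"))
    # from the mitre-attack/attack-stix-data repository.
    print(json.dumps(pci_coverage(BUNDLE, PCI_MAP), indent=2))
```

Run against the full Enterprise bundle, the "uncovered" lists are exactly the mitigations that the hypothesis in the abstract predicts should be empty; whatever is left in them is the interesting part of the result.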
- Courtney Falk, “The Pod People Campaign: Driving User Traffic via Social Networks” by CERIAS on October 14, 2020 at 8:30 pm
Users of social networks are having their accounts subverted. Threat actors are gaining unauthorized access to large numbers of accounts and inserting links to suspicious websites. Shared command-and-control infrastructure is used across 70+ different social networks, suggesting a coordinated campaign to drive user traffic. The actors behind this campaign, and the end goal for driving user traffic, remains uncertain. The campaign remains active with changing indicators. The fact that this campaign spans so many different social networks makes determining the scope of the overall problem difficult. Using Goodreads as an example, we detail how the attack is constructed.
- Michael Clark, “From Machine Learning Threats to Machine Learning Protection Requirements” by CERIAS on October 7, 2020 at 8:30 pm
Researchers from academia and industry have identified interesting threat vectors against machine learning systems. These threats exploit intrinsic vulnerabilities in the system, or vulnerabilities that arise naturally from how the system works rather than being the result of a specific implementation flaw. In this talk, I present recent results in threats to machine learning systems from academia and industry, including some of our own research at Riverside Research. Knowing about these threats is only half the battle, however. We must determine how to transition both the understanding gained by developing attacks and specific defenses into practice to ensure the security of fielded systems. In this talk I leverage my experience working on standards committees to present an approach for leveraging machine learning protection requirements on systems that use machine learning.
- Osman Ismael, “TCB: From Assumption to Assurance” by CERIAS on September 23, 2020 at 8:30 pm
The TCB has been very precisely defined since 1979, but in practice its implementation and application in today’s modern software stack is very blurry. This talk describes a very common application and how to consider its associated TCB; after exposing the problems, it will propose an alternative to better release and execute software with unbreakable guarantees.
- Warda Zahid Khan, “Authentication: Behind The Scenes When You Click “Check Out”” by CERIAS on September 16, 2020 at 8:30 pm
The payments ecosystem is evolving fast, and making sure the cardholder’s digital payment experience is frictionless, smooth and secure has never been more important. With approval rates for digital payments at 82% compared to 97% for in-person payments, and global digital transaction fraud currently four times higher than in-store and expected to increase 68% by 2022, intelligence matters more than ever. As more transactions move to the digital world, particularly after COVID-19, on an ever-increasing array of devices, the need to keep up is vital. To help issuers’ real-time decisioning, increasing approval quality, improving the cardholder experience and reducing fraud, Mastercard leverages the power of proprietary data, sophisticated modelling and machine learning, combined with Mastercard’s global insights and analytics, to process thousands of data points and deliver an authentication assessment to the cardholder’s bank in real time during the payment to help the bank make an informed and robust decision.
- Rich Banta, “EMP Threat & Protection” by CERIAS on September 9, 2020 at 8:30 pm
Protection against HEMP (High-Altitude Electromagnetic Pulse) and GMD (Geomagnetic Disturbance in a CME/Coronal Mass Ejection context) is a nascent science. Until recently, these have only been the concern of Department of Defense insiders, over-the-top “preppers”, and physics aficionados. Due to current events and an increasing reliance of all facets of 1st world civilization upon ICT (Information & Communications Technology), the discussion of EMP and GMD protections is moving into the mainstream. Lifeline Data Centers, LLC is nearing completion of an 84,000 square foot fully EMP & GMD-protected data center & SCIF facility in Ft. Wayne, Indiana. Mr. Banta will discuss the basic physics of HEMP and GMD, the threats posed by both, and the extreme and expensive challenges of mitigating the effects of both in a data center setting. Mr. Banta presents from the perspective of designer/architect, primary financier, constructor, and owner/operator of such a facility.
- Roger Schell, “Dramatically Reducing Attack Surface Using Integrity MAC Security Kernel” by CERIAS on September 2, 2020 at 8:30 pm
We face an existential threat of permanent damage to critical physical components in our national infrastructure as a result of their poor resilience against cybersecurity attack. A Programmable Logic Controller (PLC) commonly provides the control system for such components, e.g., bulk power generators. Our proof-of-concept implementation dramatically mitigates threats to such cyber-physical systems (CPS) by specifically leveraging what NIST 800-160 calls “highly assured, kernel-based operating systems in Programmable Logic Controllers”. We dramatically reduce the attack surface visible to potential attackers to be ~1% of the total compared to competing approaches. Our demonstration refactors the common CPS architectural approach to data and cooperating processes into hierarchically ordered security domains using the widely available OpenPLC project code base. The GEMSOS security kernel verifiably enforces traditional integrity mandatory access control (MAC) policy on all cross-domain flows. GEMSOS is designed for wide-spread delivery as a Reusable Trusted Device, providing the reference monitor for secure single-board, multi-board, and System-on-a-Chip systems. Only a processing component in the highest integrity domain can directly send/receive control signals, enforcing “safe region” operating constraints to prevent physical damage. This very small attack surface protects the critical physical components, making the overall CPS resilient to skilled adversaries’ attacks, even though much larger lower integrity software running in other domains on the same Trusted Device hardware and network infrastructure may be thoroughly compromised. We make available our restructured OpenPLC source to encourage control system manufacturers to deliver verifiable PLC products to, as NIST puts it, “achieve a high degree of system integrity and availability” for control systems. UC Davis is using our demonstration on GEMSOS in their Computer Security Lab, today.
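The policy the abstract relies on is the traditional integrity mandatory access control of Biba: a subject may not read lower-integrity data (no read down) and may not write higher-integrity data (no write up), so a compromised low-integrity domain can never touch the objects that drive actuators. The following is an added illustration of that policy and of the "safe region" guard, written for this page; it is not GEMSOS or OpenPLC code, and the three domains, the object names and the RPM envelope are assumptions chosen to mirror a refactored PLC. The one deliberate relaxation of strict integrity, a trusted guard in the control domain that accepts a setpoint from the supervisory domain only after range-checking it, is also an assumed design, shown because strict Biba alone would let no setpoint reach the control loop.

```python
"""Added example: Biba strict-integrity reference monitor over PLC security domains."""
from enum import IntEnum


class Integrity(IntEnum):
    """Higher value = higher integrity. Ordering is the whole policy."""
    NETWORK = 0      # protocol stacks, HMI/web front ends: assumed compromisable
    SUPERVISORY = 1  # setpoint management, logging, configuration
    CONTROL = 2      # the only domain that may drive physical outputs


# Assumed domain assignment for a refactored PLC (illustrative, not OpenPLC's structure).
SUBJECTS = {
    "modbus_server": Integrity.NETWORK,
    "setpoint_mgr": Integrity.SUPERVISORY,
    "control_loop": Integrity.CONTROL,
}
OBJECTS = {
    "rx_buffer": Integrity.NETWORK,
    "setpoints": Integrity.SUPERVISORY,
    "coil_outputs": Integrity.CONTROL,
}

# Constructed "safe region" operating constraint enforced inside the control domain.
SAFE_RPM = (0, 3600)


def allowed(subject: str, op: str, obj: str) -> bool:
    """Reference-monitor decision for a cross-domain flow under Biba strict integrity."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if op == "read":
        return o >= s   # no read down: reading lower-integrity data would contaminate s
    if op == "write":
        return o <= s   # no write up: s may not modify higher-integrity objects
    raise ValueError(f"unknown operation {op!r}")


def accept_setpoint(value: float):
    """Trusted guard in the CONTROL domain: the only path for lower-integrity data
    to influence actuation. Returns the value if inside the safe region, else None."""
    lo, hi = SAFE_RPM
    return value if lo <= value <= hi else None


def attack_surface():
    """Subjects that can write any object in the highest-integrity domain. Everything
    else may be fully compromised without reaching the physical outputs."""
    top = max(Integrity)
    return [s for s in SUBJECTS
            if any(allowed(s, "write", o) for o, lvl in OBJECTS.items() if lvl == top)]


def simulate(subject: str, op: str, obj: str) -> str:
    verdict = "PERMIT" if allowed(subject, op, obj) else "DENY"
    return f"{verdict}: {subject} {op} {obj}"


if __name__ == "__main__":
    # A compromised network-facing process tries to drive the outputs directly.
    print(simulate("modbus_server", "write", "coil_outputs"))   # DENY (write up)
    print(simulate("modbus_server", "write", "rx_buffer"))      # PERMIT (same level)
    print(simulate("control_loop", "read", "rx_buffer"))        # DENY (read down)
    print(simulate("control_loop", "write", "coil_outputs"))    # PERMIT
    # A compromised supervisory domain pushes an unsafe setpoint through the guard.
    print("setpoint 1800 ->", accept_setpoint(1800))
    print("setpoint 9000 ->", accept_setpoint(9000))
    print("writers of the control domain:", attack_surface())
```

The last line is the point of the abstract in miniature: the set of subjects that can ever write the control domain is the attack surface that matters for physical damage, and the policy keeps it to the control loop itself regardless of what happens in the network or supervisory domains.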
- Jeremiah Sahlberg, “From Compliance in the Classroom to Compliance on the Street, Important Lessons That Every Cybersecurity Professional Must Know” by CERIAS on August 26, 2020 at 8:30 pm
From compliance in the classroom to compliance on the street, important lessons that every cybersecurity professional should know. We’ll cover proven approaches for compliance and risk assessment for a variety of industries, and present specific scenarios and strategies for addressing real challenges facing organizations with PCI, HITRUST, FedRAMP, CMMC and Privacy. Below are some of the examples that we will cover:
  - Scope creep (All)
  - Setting deadlines and addressing missing evidence (All)
  - Building out compensating controls (PCI)
  - Conflict of interest (FedRAMP)
  - Internal organizational politics (Risk Assessment)
  - Defensive interviewees (All)
  - Ethics and responsible reporting (All)