CyLab

Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities, such as security requirements engineering. In our CERT research, we speculated that malware analysis reports (found in databases such as Rapid7) could be used to identify misuse cases that pointed towards overlooked security requirements. If we could identify such requirements, we thought they could be incorporated into future systems similar to those that were successfully attacked. We defined a process, and then sponsored a CMU MSE Studio Project to develop a tool. We had hoped that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases. It turned out not to be so simple. This talk will describe our initial proposal, the MSE Studio project and tool, student projects at other universities, and the research remaining to be done in both the requirements and architecture areas.

Nancy R. Mead is a Fellow and Principal Researcher at the Software Engineering Institute (SEI).  Mead is an Adjunct Professor of Software Engineering at Carnegie Mellon University.  She is currently involved in the study of security requirements engineering and the development of software assurance curricula.  She also served as director of software engineering education for the SEI from 1991 to 1994. Her research interests are in the areas of software security, software requirements engineering, and software architectures.

Prior to joining the SEI, Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems.  She also worked in IBM's software engineering technology area and managed IBM Federal Systems' software engineering education department.  She has developed and taught numerous courses on software engineering topics, both at universities and in professional education courses.

Mead is a Fellow of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) and the IEEE Computer Society, and a Distinguished Member of the ACM. She received the 2015 Distinguished Education Award from the IEEE Computer Society Technical Council on Software Engineering. Mead has more than 150 publications and invited presentations, and presently serves on the Editorial Board for the International Journal on Secure Software Engineering. She has been a member of numerous editorial boards, advisory boards and committees. Dr. Mead earned her PhD in mathematics from the Polytechnic Institute of New York and a BA and MS in mathematics from New York University.

The strategic miscalculation of Iraq’s Weapons of Mass Destruction (WMD) threat in 2003 provides a staggering example of how even very experienced leaders can be blinded by the foundational psychological effects that give rise to bias.  This historical example further begs the question, ‘Could modern predictive analytics, such as machine learning, close the WMD information gap, if faced today?’

Army leaders want to understand the benefits and limitations of advancements in predictive analytics as well as in behavioral psychology in order to understand the implications for decision-making competence. U.S. commanders need both a structured approach for decision-making (ways) and the ability to leverage advanced analytical capability (means) in order to achieve operational understanding (ends). This talk offers a structured approach to decision-making that embeds a methodology for Red Teaming to address foundational behavioral psychology effects.

In addition, I will offer a strategy for deploying tailored technical teams to provide commanders with access to relevant data, resources and skills to perform advanced analytical methods, including machine learning.  It is in applying technological advances in big data to the crucible of ground combat that the Army can fulfill its role for the nation, and maintain competitive advantage.

Colonel Mary Lou Hall is a United States Army War College Fellow in the Institute for Politics and Strategy in the Dietrich College at Carnegie Mellon University.  Most recently, she served as a political-military analyst on the Joint Staff, J-8, in the Studies Analysis and Gaming Division. A native of Richmond, Virginia, Colonel Hall graduated from West Point in 1992 and has served in a variety of personnel, manpower and operations research assignments in several locations including Fort Lewis, WA, Camp Casey, Republic of South Korea, West Point, NY and Kabul, Afghanistan, as well as on the Army and Joint Staffs in Washington, D.C. She holds a BS in Mechanical Engineering from the United States Military Academy and Masters degrees in Engineering Management from Saint Martin’s University in Lacey, WA, and in Operations Analysis from the Naval Postgraduate School, Monterey, CA. Colonel Hall specializes in Operations Research because she is passionate about making better decisions. Colonel Hall has been married to Colonel Andrew Hall since 1992 and they have two children, Cadet Catherine Hall (USMA ‘19) and Oscar, who is a freshman at Georgetown Preparatory High School.

Over 300 years ago, an English carpenter realized that the key to safely navigating the ocean was being able to precisely measure time. He dedicated his life to building clocks that remained steady in rough water and across a wide range of temperatures. Since then, timing and localization technologies have continued to push the limits of technology, resulting in systems like GPS and instruments that are able to peer into the nature of gravitational waves. Unfortunately, existing localization technologies based on satellites and WiFi tend to perform poorly indoors or in urban environments. In the context of enclosed spaces, precise synchronization and localization have the potential to enable applications ranging from asset tracking, indoor navigation and augmented reality all the way to highly optimized beamforming for improved spatial capacity of wireless networks and enhanced network security.

In this talk, I will provide a brief overview of the state-of-the-art with respect to indoor location tracking and discuss two new systems that are able to precisely localize mobile phones as well as low-power tags. The first is a hybrid Bluetooth Low Energy and near-ultrasonic beaconing platform that is able to provide sub-meter accuracy to standard smartphones. The platform leverages the phone's IMU as well as constraints derived from building floor plans to not only localize itself, but also apply range-based SLAM techniques for bootstrapping its own infrastructure. The second platform leverages emerging Chip Scale Atomic Clocks (CSACs) and ultra-wideband (UWB) radios to create distributed networks that are able to coordinate at a level that used to be possible only with large, power-hungry and cost-prohibitive atomic clocks. With sub-nanosecond time synchronization accuracy and extremely low drift rates, it is possible to dramatically reduce communication guard bands and perform accurate speed-of-light Time-of-Arrival (TOA) measurements across distributed wireless networks.

Anthony Rowe is an Associate Professor in the Electrical and Computer Engineering Department at Carnegie Mellon University. His research interests are in networked real-time embedded systems with a focus on wireless communication. His most recent projects have related to large-scale sensing for critical infrastructure monitoring, indoor localization, building energy efficiency and technologies for microgrids. His past work has led to dozens of hardware and software systems, four best paper awards and several widely adopted open-source research platforms. He earned a Ph.D. in Electrical and Computer Engineering from CMU in 2010, received the Lutron Joel and Ruth Spira Excellence in Teaching Award in 2013, and received the CMU CIT Early Career Fellowship and the Steven Fenves Award for Systems Research in 2015.

Today’s consumer-facing online services are measured by the size and growth of their user account base, as users are both contributors of content as well as a channel for monetization.  Despite being their backbone, these user accounts are also their “Achilles heel” — well-organized crime rings leverage compromised or fraudulent accounts to hide amongst billions of benign users, waging a variety of large-scale attacks.

In this talk, I will present the anatomy of modern attacks and the sophisticated attack techniques that we have observed across a number of services, including social networking, gaming, financial, ecommerce and other vertical markets.  I will then discuss the new challenges we face to defend against these attacks in the billion user era.  Finally I’ll outline the directions pursued by DataVisor through unsupervised big data analytics to detect and mitigate large attack campaigns early, without prior knowledge of attack patterns.

Yinglian Xie is the CEO and co-founder of DataVisor, a leading big-data fraud detection provider that identifies large attack campaigns before they do any damage. She received her Ph.D. in Computer Science from CMU, and has been working in the area of Internet security and privacy for over 10 years. Prior to founding DataVisor, Yinglian was a researcher at Microsoft Research Silicon Valley, where she successfully developed a series of new technologies for Microsoft products. These include social graphing techniques for user authentication in Microsoft Hotmail and algorithms to detect fraudulent transactions for Xbox that saved the company millions of dollars per year. She holds over 20 patents for her work, has been widely published in top conferences and has served on the committees of many of them. Yinglian's work has helped improve the security of billions of online users.

Most computing systems still rely on user-chosen passwords to authenticate access to data and systems. But passwords are hard to use, easy to guess, and tricky to store securely. In practice one sees high failure rates of (legitimate) password login attempts, as well as a never-ending stream of damaging password database compromises. I will present a sequence of new results aimed at making password authentication systems better.

We will look at how to address concerns in three areas: (1) usability by way of easy-to-deploy typo-tolerant password authentication validated using experiments at Dropbox; (2) hardening password storage against cracking attacks via our new Pythia crypto service; and, time allowing, (3) building cracking-resistant password vaults via a new cryptographic primitive called honey encryption.

The talk will cover joint work with Anish Athalye, Devdatta Akhawe, Joseph Bonneau, Rahul Chatterjee, and Ari Juels.

Thomas Ristenpart is an Associate Professor at Cornell Tech and a member of the Computer Science department at Cornell University. Before joining Cornell Tech in May 2015, he spent four years as an Assistant Professor at the University of Wisconsin-Madison. His research spans a wide range of computer security topics, with a recent focus on cloud computing security, as well as topics in applied and theoretical cryptography.

His work has been featured in numerous publications including the New York Times, The MIT Technology Review, ABC News, and U.S. News and World Report. He completed his Ph.D. at UC San Diego in 2010. His awards include the UC San Diego Computer Science and Engineering Department Dissertation Award, an NSF CAREER Award, the Best Paper Award at USENIX Security 2014, and a Sloan Research Fellowship.

The growing frequency and severity of cybersecurity incidents has led government and private sector organizations to seek better ways to protect their systems and information. Many of these organizations have begun by adopting risk management frameworks as a way of structuring their approach to security. But risk management is only effective if it is informed by a deep understanding of attacks and the ways to defend against them. The history and structure of successful software security programs shows how technical understanding can be integrated into risk management decisions. This talk will summarize the history of a typical software security program and outline principles by which understanding of attacks and defenses, combined with continuous improvement, leads to effective risk management.

Steven B. Lipner is the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). The SDL was the first scalable and effective approach to achieving security assurance for large-scale software systems and has been applied by Microsoft and numerous other development organizations.

Early in his career, Mr. Lipner made contributions that helped set the direction of computer security research. He originated the approach of using a Virtual Machine Monitor to achieve multilevel security, and managed the team that developed the fundamental model for multilevel security and the first security kernel that implemented that model. He was a key industry contributor to the “Orange Book” that guided government evaluations of commercial operating system security. Mr. Lipner is a member of the National Cybersecurity Hall of Fame (Class of 2015).

Android's graphical authentication mechanism requires users to unlock their devices by "drawing" a pattern that connects a sequence of contact points arranged in a 3x3 grid. Prior studies have shown that human-generated patterns are far less complex than one would desire; large portions can be trivially guessed with sufficient training. Custom modifications to Android, such as CyanogenMod, offer ways to increase the grid size beyond 3x3, and in this paper we ask the question: Does increasing the grid size increase the security of human-generated patterns? To answer this question, we conducted two large studies, one in-lab and one online, and found that while there is some added security from increasing the grid size, guessing larger portions of 4x4 patterns requires only 2 bits more entropy than guessing the same ratio of 3x3 patterns, and the entropy is still on the order of cracking random 3-digit PINs. These results suggest that while there may be some benefit to expanding the grid size to 4x4, the majority of patterns will remain trivially guessable and insecure against broad guessing attacks. Additionally, as this study offered an opportunity to collect data using different methodologies, in-lab and online, and with a relatively diverse demographic group, we present results on differences in provided patterns for the two major groups as well as demographic differences, in particular between genders.

Adam J. Aviv is an Assistant Professor of Computer Science at the United States Naval Academy in Annapolis, MD. His primary research area is in usability on mobile devices with a particular focus on graphical passwords, and he has studied Android's graphical password system extensively over his career. He has also published broadly in the areas of computer security and privacy, network security, and applied cryptography. He received his Ph.D. from the University of Pennsylvania, studying with Matt Blaze and Jonathan M. Smith.

Distributed Denial of Service (DDoS) attacks continue to grow in size, frequency, and complexity, and can affect any resource on the Internet, from the largest to the smallest, at any time. Motivations for attacks vary widely, from the personal to online activism to political or economic espionage to organized crime. In spite of their pervasiveness, the commercial or political sensitivities of DDoS attack targets often mean that the precise nature and impact of these attacks are hidden from view. Likewise, network operators are frequently reluctant to share details of their defense strategies for fear of giving attackers an added advantage. While understandable, this results in a siloing of expertise, preventing effective collaboration between network operators and the security research community on better strategies to defeat these attacks. Arbor Networks has been working with network operators, both service providers and enterprises, for the last 15 years to develop effective protection strategies for these attacks. This talk will pull back the curtain on DDoS attack experience and practice, providing an overview of Arbor Networks' latest research into DDoS attack trends and discussing current operational best practices for how global network operators detect and mitigate DDoS attacks.

Scott Iekel-Johnson, PhD, is Sr. Product Manager for DDoS products at Arbor Networks. Arbor's DDoS products and cloud mitigation service are used in over 107 countries by all tier-1 and over 70% of tier-2 ISPs, as well as hundreds of the world's largest enterprises, to protect their critical infrastructure and their customers from DDoS attacks. This makes Arbor the most commonly used DDoS protection technology in the world. Arbor's large install base also provides it with visibility into over 60 Tbps of global Internet traffic from 300 providers around the world, giving Arbor unique insights into global Internet traffic and threat trends.

The past few years have seen a focus on cybersecurity risk management by executive leadership, who increasingly have a fiduciary requirement to establish a risk appetite and manage their cybersecurity risk profile. High-profile retail breaches like Target demonstrated the inherent risks of third-party connections. Destructive corporate breaches like those at Sony, Sands Casino, and Saudi Aramco demonstrated the initiative of nation-states to attack private corporations for political reasons. The root cause of every one of these breaches can be attributed not to technical failures, but to a failure in governance, a shortcoming in managing cybersecurity risks. Cybersecurity risk appetite is quickly becoming an integrated function of an organization's holistic enterprise risk management program. Organizations frequently have many of the right technical tools deployed to manage cybersecurity risk, but those tools are not instrumented and deployed in the most effective way. This talk will provide real-world insights into instrumenting cybersecurity risk appetite as a risk management tool.

Dr. Earl Crane is the Founder and Chief Executive Officer of Emergent Network Defense, Inc. (END). Dr. Crane has advised the President of the United States as the Director for Federal Cybersecurity Policy on the White House National Security Council, as well as Wall Street executives and multiple Fortune 100 corporations on their cyber defensive strategies. Dr. Crane led the implementation of the Department of Homeland Security's information security strategy, and has taught hundreds of cybersecurity master's students and executives through Carnegie Mellon's Heinz College and CISO Certificate program. He earned his Ph.D. from George Washington University, a Master of Information Systems Management at Carnegie Mellon University and a B.S. in mechanical engineering at Carnegie Mellon University. He helps organizations engage in cybersecurity discussions with impact on their real-world challenges and enables executives to reduce their corporate cybersecurity risk.
