Wednesday, April 6, 2011
Panel Members:
Panel Summary by Preeti Rao
The panel was moderated by Keith Watson, Research Engineer, CERIAS, Purdue University
Keith kick-started the panel with an interesting introduction to the term Web 2.0. He talked about how he framed its definition, gathering facts from Wikipedia, Google searches, comments and likes from Facebook, tweets from Twitter while playing Farmville, Poker on the Android phone!
All the panelists gave short presentations on Web 2.0 security challenges and solutions. These presentations introduced the panel topic from different perspectives - marketing, customer demands, industry/market analysis, technological solutions, academic research and user education.
Mihaela Vorvoreanu from Purdue University, who gave the first presentation, chose to use Andrew McAfee’s definition of Enterprise 2.0: a set of emerging social software collaborative platforms. She noted that the emphasis is on the word “platform” as opposed to “communication channels” because platforms are public and they support one-to-one communication which is public to all others, thus making it many-to-many communication.
She talked about the global study on Web 2.0 use in organizations which was commissioned by McAfee Inc. and reported by faculty at Purdue University. This study defined Web 2.0 to include consumer social media tools like Facebook, Twitter and YouTube as well as Enterprise 2.0 platforms. The study was based on a survey of over 1000 CIOs and CEOs in 17 countries, with the sample balanced by country, organization size and industry sector. The survey results were complemented with in-depth interviews with industry experts, analysts and academics to get a comprehensive view of Web 2.0 adoption in organizations globally, its benefits and its security concerns. While organizations overall reported great benefits from, and importance of, using Web 2.0 in several business operations, the major concern was security, reported by almost 50% of the respondents. In terms of security vulnerabilities, social networking tools were reported to be the top threat, followed by webmail, content sharing sites, streaming media sites and collaborative platforms. Specific threats that organizations perceived from employee use of Web 2.0 included malware, viruses, information over-exposure, spyware and data leaks. 70% of the respondents had security incidents in the past year, and about 2 million USD were lost due to security incidents. The security measures reported by organizations included firewall protection, web filtering, gateway filtering, authentication and social media policies.
She presented a broad, global view of organizational uses, benefits and security concerns of Web 2.0.
Lorraine Kisselburgh from Purdue University continued to present the results from McAfee’s report. She discussed an interesting paradox that the study found.
Overall, there is a positive trend, with a significant adoption rate (75%) of Web 2.0 tools world-wide. There are also significant concerns among those who haven't adopted the technology: 50% of non-adopters report security concerns, followed by productivity, brand and reputation concerns. Not all tools have the same perceived value, or even the same perceived concerns, risks and threats. Social networking tools and streaming media sites are considered most risky. Nearly half of the organizations banned Facebook; 42% banned IM and 38% banned YouTube. Collaborative platforms and content sharing tools are considered less risky, and their perceived value and usefulness is high compared to social tools. But surveys of the organizations that have adopted social tools report their real value to be quite high: helpful in increasing communication, improving brand marketing and so on. In fact, social tools realized greater value than webmail and similar tools.
So, the paradox is: social tools (social networking and streaming media sites) are mostly considered highly risky from a security standpoint, perceived least valuable to organizations, but yet they realize great value among adopters.
This reflects the continuing tension between how the value of social media tools is perceived by organizations and how it is actually realized. This is also in line with historical trends in adopting new, unknown or emerging technologies; email is one example. The tension also arises from where the technology is located and where risk is to be addressed: internal tools vs. external tools in the cloud. It also has to do with recognizing organizational tools vs. people tools.
Tim Roddy from McAfee addressed Web 2.0 security from the standpoint of a buying organization, giving it a product marketing perspective on selling web security solutions. He commented that initially people were concerned about malware coming into organizations through email. Now the model and dynamics have changed, and this influences how the products are investigated and how customers use security solutions from a business standpoint. His comments focused on two areas: 1) stopping malicious software from coming in, and 2) having customizable controls for people using social media tools.
He pointed out that about 3 years ago, his customers were using their products to block access to sites like Twitter and Facebook because they saw no value in using them in business. But periodic McAfee surveys show a dramatic change in this trend. Organizations are allowing access to these tools; this trend is also driven by the younger generation of employees in the organizations demanding access. While 3 years ago a URL filtering solution was used simply to block, for example, the social networking sites category, that has changed now that organizations allow access to those websites.
So, how do we allow safe productive access?
There is a dramatic increase and acceleration in malware; it is automated, targeted and smarter now. Therefore web security efforts need to be proactive. Proactive security means not only stopping malware with signature analysis but also including effective behavioral analysis to break the chains and patterns of attacks. McAfee's Gateway Anti-Malware strategies focus on these.
Secondly, organizations allow access to social media tools now, but no one filters the apps within those tools to make sure they are legitimate. For example: are the game apps on Facebook legitimate and secure? Such apps are one of the most common vectors of attack. The solution is to customize controls. Industries, especially finance and healthcare, are worried about leakage of data. Say an employee sends his SSN through a LinkedIn message: can it be blocked or filtered? Security solution efforts are now bi-directional, proactively monitoring and filtering both what is coming in as malware and what is going out as data leakage.
Lastly, the security concerns around the use of mobile and handheld devices are growing. There is a great need to secure these devices, especially if they are corporately owned. They need to have the same level of regulation and be compliant with corporate network standards.
Gerhard Eschelbeck from Webroot talked about why securing Web 2.0 is a big deal and how we got there.
The first generation of web apps was designed for static content to be displayed by the browser. All execution and processing was on the server side, and the content was mostly trusted. There were no issues with client-side (browser) execution, so the number of attacks was significantly smaller. The only worry then was to protect the servers. Now, the security concerns arise mainly from the interactive content in Web 2.0. Fundamentally, the model changes from one-way data flow from server to client to a two-way interactive model. The browser has become part of the execution environment, and the billions of users' browsers that form part of this big ecosystem are exposed to attacks.
There is a major shift from code execution purely on the server side to a distributed model of code execution using Ajax and interactive, dynamic client-side web page execution. While useful in many ways, it introduces new vulnerabilities, and this is the root cause of Web 2.0 security concerns.
He highlighted four areas of concern:
All these have led to increased security exposure points in turn leading to vulnerabilities.
Ryan Olson from Verisign talked about malware issues with Web 2.0. People are sharing a lot of their personal information online, which they weren't doing earlier. Access to people's personal information has become easy now, and it is available to friends on social networks, or even to anyone who has access to a friend's account. A lot of organizations have started using a security question and answer as a form of authentication in addition to login and password. Answers to questions like the user's mother's maiden name or high school name can easily be found on social networking sites. Most such questions can be answered by looking at the user's personal data that is available online, often without much authentication. In this way Web 2.0 offers more vectors for malware. It offers many ways of communicating with people, opening up a lot of new entry points that now need to be monitored. Earlier it was mostly email and IM, but now each of these social networks allows an attacker to send messages, befriend users and build trust. These tools provide additional avenues for social-engineering users into revealing information about themselves, by exploiting the trust between a user and his friends. A lot of malware is successful purely through social engineering attacks: befriending or enticing users and then extracting information. The primary solution to this problem is to educate people about the consequences of revealing personal information and about the value of trust.
Questions from audience and discussions with the panel:
Keith Watson: How much responsibility should be held with the Web 2.0 providers (organizations like Facebook, Twitter) in providing secure applications? How much responsibility should be held with the users and educating them about safe usage? Is there a balance between user education and application provider responsibility?
Discussions:
TR: Just like any application provider, the companies do have a lot of responsibility; but educating the users is also equally important. Users are putting so much information out on the Web (for example: "Oh, I am in the airport"). People should be made to realize how much and what to share.
RO: It should be a shared responsibility. It is the market that drives Web 2.0 to become more secure. For example, the competition between social network providers to provide a malware-free, secure application drives everything. If one social network is not as secure, then users will just migrate to the next one. This way the market will help and continue to put pressure on people, and in turn on the providers, to make secure applications.
LK: While it has to be a shared responsibility, it also has to do with recognizing the value of social media tools and encouraging its participation in businesses. Regarding user education, what we have found in some privacy research is that understanding the audience of these tools - who has access, what are they accessing, to whom are you disclosing, and being able to visualize who is listening helps the users in deciding what and how much information to disclose. Framing this through technology, system design would be helpful from an educational standpoint.
MV noted that there could be unintended, secondary audience always listening. She took a cultural approach to explain/understand social media tools. Each tool may be viewed as a different country – Facebook is a country, Twitter is another country. Just like how people from one country aren’t familiar with another country’s culture, and they may use travel guidebooks, travel information for help, users of social media tools need to be educated about the different social media tools and their inherent cultures.
GE: While the tourism and travel industry comparison is good, it doesn't always work in the cyberworld because it is different. There is no differentiation anymore between dark and bright corners; even a site which "looks" safe might be the target of an awful attack. The educational element is important, but the technological safety belt is much needed. Securing is also hard because the server-side component is usually with the provider, but the client side (the browser) is with the people. It is important how we provide browser protection to users and reduce Web 2.0 attacks.
Brent Roth: What are your thoughts on organizations adopting mechanisms/models like the NoScript add-on in Firefox?
Discussions:
RO: This model would work really well for people who have some security knowledge or background, but it doesn't work for the common man. We need to look at smarter models for the general public that make decisions about good and bad by putting the user in the safety belt.
TR: Websites get feeds and ads. While some may be malicious, they also drive the revenue. McAfee’s solutions block parts of the sites/pages which could be malicious. Behavioral analysis techniques help. It has to be a granular design solution.
RO: If all scripts are blocked then what about the advertisers? If we block all advertisers, the Internet falls because they drive the revenue. Yes, a lot of malware comes from ads and scripts but you cannot just completely block everything.
Malicious script analytics and risk profiling need to be done. The last line of defense is always at the browser end. User education is as important as having a technological safety belt to secure Web 2.0.
Tuesday, April 5, 2011
Panel Members:
Panel Summary by Christine Task
In Panel #3: “Fighting Through: Mission Continuity Under Attack”, each of the six panelists began by describing their own perspective on the problem of organizing real-time responses and maintaining mission continuity during an attack. They then addressed three questions from the audience.
Paul Ratazzi offered his unique insight as the technical advisor for the Cyber Defense and Cyber Science Branches at the Air Force Research Laboratory in Rome, NY. He noted that military organizations are necessarily already experienced at “guaranteeing mission essential functions in contested environments” and suggested that the cyber-security world could learn from their general approach. He divided this approach into four stages: Avoid threats (including hardening systems, working on information assurance, and minimizing vulnerabilities in critical systems), survive attacks (develop new, adaptive, real-time responses to active attacks), understand attacks (forensics), and recover from attacks (build immunity against similar future attacks). Necessary developments to meet these guidelines are improved understanding of requirements for critical functions (systems engineering) and real-time responses that go beyond our current monitor/detect/respond pattern. As a motivation for the latter, he gave the example of a fifth generation fighter, nicknamed a ‘flying network’. When its technological systems are under attack, looking through the log file afterwards is “too little, too late”.
Dr. Saurabh Bagchi of CERIAS and the Purdue School of Electrical and Computer Engineering described an innovative NSF-funded research project which offered real-time responses to attacks on large-scale, heterogeneous distributed systems. These systems involve a diverse array of third-party software and often offer a wide variety of vulnerabilities to an attacker. Additionally, attacks across these systems can spread incredibly quickly using trust relationships and privilege escalation, eventually compromising important internal resources. Any practical reaction must occur in machine time. Dr. Bagchi's research chose the following strategies: use Bayesian inference to guess which components are compromised at a given time, and from that information estimate which are most likely to be attacked next; focus monitoring efforts on those components perceived to be at risk; use knowledge of the distributed system to estimate the severity of the attack in progress, and respond appropriately with real-time containment steps such as randomizing configurations or restricting access to resources. Finally, he emphasized the importance of learning from each attack. Long-term responses should abstract the main characteristics of the attack and prepare defenses suited to any similar attacks in the future.
Dr. Sanjai Narain, a Senior Research Scientist in Information Assurance and Security at Telcordia Research, described his own work on distributed systems defense: a novel, concrete solution for the type of immediate containment suggested by Dr. Bagchi. Although the high-level abstraction of a network as a graph is relatively straightforward, the actual configuration space can be incredibly complex, with very many variables to set at each node. ConfigAssure is an application which eliminates configuration errors by using SAT constraint solvers to find configurations which satisfy network specifications. For any given specification, there are likely many correct configurations. In order to successfully attack a network, an attacker must gain some knowledge of its layout (such as the location of gateway routers). By randomizing the network configuration between different correct solutions to the specification, an attacker can be prevented from learning anything useful about the network, while the users themselves remain unaware of any changes.
Dr. Cristina Nita-Rotaru, an Assistant Director of CERIAS and an Associate Professor in the Department of Computer Science at Purdue, introduced an additional concern with maintaining mission continuity: maintaining continuity of communication. She offered the recent personal example of having her credit cards compromised while traveling. She was very quickly informed of this problem by her credit card companies and was thus able to make a risk assessment of the situation and form a reasonable response (disabling one card while continuing to use the less vulnerable one until she could return home). When an attack compromises channels of communication, for example by taking out the network which would be used to communicate (as in jamming wireless networks), the information necessary to make a risk assessment and form containment strategies is not available. Thus, when considering real-time reactions to attacks, it is important to make sure the communication network is redundant and resilient.
Dr. Hal Aldridge, the Director of Engineering at Sypris Electronics and a previous developer of unmanned systems for space and security applications at Northrop Grumman and NASA, discussed the utility of improving key-management systems to respond to real-time attacks. Key management systems which are agile and dynamic can help large organizations react immediately to threats. In a classic system with one or few secrets which are statically set, the loss of a key can be catastrophic. However, a much more robust solution is a centralized cryptographic key management system which uses a large, accurate model of the system to enable quickly changing potentially compromised keys, or using key changes to isolate potentially compromised resources. He briefly described his work on such a system.
Dr. Vipin Swarup, Chief Scientist for Mission Assurance Research in MITRE’s Information Security Division, emphasized one final very important point about real-time system defense: high-end threats are likely to exist inside the perimeter of the system. Our ability to prevent predictable low-end threats from entering the perimeter of our systems is reasonably good. However, we must also be able to defend against strategic, targeted, adaptive attacks which are able to launch from inside our security system. In this case, as the panel has discussed, the key problem is resiliency; we must be able to launch our real-time response from within a compromised network. Dr. Swarup summarized three main guidelines for approaching this problem: reduce threats (by deterring and disrupting attackers), reduce vulnerabilities (as Ratazzi described, understand system needs and protect critical resources), and reduce consequences (have a reliable response). Any real-time response strategy must take into account that the attacker will also be monitoring and responding to the defender, must be able to build working functionality on top of untrusted components, and must have a more agile response-set than simply removing compromised components.
After these introductions, there was time to address three questions to the panel [responses paraphrased].
“What time-scale should we consider when reconfiguring and reacting to an attack?”
Swarup: Currently we're looking at attacks that flood a network in a day and require a month to clean up [improvement is needed]. However, some attacks are multi-stage and take considerable time to execute [Stuxnet]; these can be responded to on a human time scale.
Aldridge: It can take a lot of time to access all of the components in the network which need reconfiguring after an attack [some will be located in the ‘boonies’ of the network].
Bagchi: It can take seconds for a sensor to reset, while milliseconds are what's needed.
“What are some specific attacks which require real-time responses?”
Aldridge: If you lose control of a key in the field, the system needs to eliminate the key easily and immediately.
Nita-Rotaru: When you are sending data on an overlay network, you need to be able to reroute automatically if a node becomes non-functional.
Narain: If you detect a sniffing attack, you can reroute or change the network-architecture to defend against it.
Ratazzi: Genetic algorithms can be used to identify problems at runtime and identify a working solution.
“What design principles might you add to the classic 8 to account for real-time responses/resiliency?”
Swarup & Nita-Rotaru: Assume all off-the-shelf mobile devices are compromised; focus on using them while protecting the rest of the system using partitioning and trust relationships, and by attempting to get trusted performance of small tasks over small periods of time in a potentially compromised environment. Complete isolation [from/of compromised components] is probably impossible.
Ratazzi & Bagchi: Minimize non-essential functionality of critical systems, focus on composing small systems to form larger ones, and use segmentation (separate tools and accesses for separate functions) where possible to reduce the impact of an attack.
Tuesday, April 5, 2011
Panel Members:
Panel Summary by Pratik Savla
Edward Talbot initiated the discussion by presenting his viewpoint on cyber security. He described himself as a seasoned practitioner in the field and highlighted his concerns for it. Systems have become too complicated to provide any assurance of having no vulnerabilities. It is an asymmetrical problem: for an intruder, it may take just one door to penetrate the system, but the person managing the system would need to manage a large number of different doors. Any digital system can be hacked, and any digital system that can be hacked will be hacked if there is sufficient value in doing so. He used a fire-fighting analogy going back two centuries, when on average a U.S. city would be completely gutted and destroyed every five years. If the firefighters were asked about their immediate need, they would say more buckets were required. But if they were asked what to do to prevent this from happening again, they had no answer. Talbot placed this concern into three time frames: near-term, mid-term and long-term. The first time frame involves the issue of what to do today to prevent this situation. The second time frame emphasizes that it is important to be ahead of the game. The third time frame involves the role of science; in this context, he cited the development of a fire science program in academia. To summarize, he pointed out that the thinking that gets one into a problem is insufficient to get one out of the problem.
Talbot quoted a finding from the JASON report on the science of cyber security, which stated that the highest priority should be assigned to the establishment of research protocols to enable reproducible experiments. Here, he stated that there is a science of cyber security. He concluded by comparing the scenario to being in the first step of a 12-step program (borrowing from Alcoholics Anonymous): it means to stop managing an unmanageable situation and instead develop a basis to rethink what one does.
Rogers focused on the question: do we have scientifically based foundations that can help answer some of these questions in the form of research? Are we going in the right direction? This led to a fundamental question: how do we define a scientific foundation? What defines science? He highlighted some common axioms or principles found across different disciplines, such as a body of knowledge, testable hypotheses, rigorous design and testing protocols and procedures, metrics and measurements, unbiased results and their interpretation, informed conclusions, repeatability, and feedback into theory. The problems that one comes across are the non-existence of natural laws, man-made technologies in constant flux, different paradigms of research (observational, experimental and philosophical), the lack of a common language, the limited reliability and reproducibility of metrics, differences in approach (applied versus basic), and studying symptoms as opposed to causes. Cyber security is informed by a lot of disciplines, such as physics, epidemiology, computer science, engineering, immunology, anthropology, economics and the behavioral sciences.
The JASON report on the science of cyber security proposed strategies in areas such as modeling and simulation, involving biological, decisional, inferential, medical and behavioral models that could be considered when viewing the field on a scientific foundation. He emphasized that cyber security problems lend themselves to a science-based approach. He stressed that there will be a scientific foundation for cyber security only if it is done correctly and only when one is conscious of what constitutes a scientific foundation. Even solutions such as just-in-time, near-term and long-term ones can be based on a scientific foundation.
He pointed out that currently the biggest focus was on behavioral directive. In other words, how do we predict what will happen 20 years from now if employee ‘X’ is hired?
Shannon addressed the question: how do we apply the scientific method? Here, he presented the software engineering process. He discussed its various components by describing the different issues each one addresses. Firstly, what data do we have? What do we know? What can we rely on? What is something reasonably solid that we can stand on? Secondly, why do we have data that is prone to exploitation? He highlighted reasons such as the lack of technology as well as of mature technology, the lack of education and the lack of capacity. Here, he concluded that these hypotheses do not seem to stand the test of data, as the data indicated that we have always had problems. He then stated some alternative hypotheses, such as market forces, people and networks, that can be considered. He stressed the point that solutions are needed based on what people and systems do, not what we wish they would do. The stumbling block in such a case is the orthodoxy of cyber security, which is the illusion that just telling people to do the right thing and use the right technology would lead to a solution to the problem. It is analogous to an alchemist who would state that just by telling lead to turn into gold, it would become gold. He stressed that we need to understand what is going on and what is really possible. The key message was that if there is a science that is built on data, it would involve much more than just theory.
Raskin took a more general view of cyber science by offering some of his thoughts on the subject. He said that he did not agree with the "American" definition of science, which defines it as a small sub-list of disciplines where experiments can be run and immediate verification is possible, as he considered it too narrow. He subscribed to the notion that any well-defined academic discipline is a science. He presented a schematic of the theory-building process. It involved components such as phenomena (which correspond to the purview of the theory), theory, methodology and description, which is a general philosophical term for results. The theory is connected to the methodology, and a good theory would indicate why it can help guide the methodology. He asked why we were not questioning what we were doing. The first thought was related to the issue of data provenance, i.e. why are you doing what you are doing? The second thought focused on the question of how we deal with the different sciences that are all part of cyber science. A mechanism that can help address that is rigorous application. He disagreed with the notion that combining two things without any import/export of sub-components leads to some worthy result. He stated that from the source field, components such as data, theory and methods should be imported to the target field; only the problems of the source field should be excluded from being imported. The second thought emphasized forming a linkage between the two fields, source and target, by a common application. He concluded that without a theory, one does not know what one is doing, and one does not know why one is doing it. This does not imply that no theory exists. On the contrary, anything that is performed has an underlying theory, and one may simply not have any clue about that theory.
A question about complexity theory brought up an example of a bad scientific approach, wherein the researcher adds more layers of complexity or keeps changing the research question but never questions the underlying theory, which may be flawed.
Tuesday, April 5, 2011
Panel Members:
Panel Summary by Nikhita Dulluri
In the first session of the CERIAS symposium, the theme of ‘Traitor Tracing and Data Provenance’ was discussed. The panelists spoke extensively about the various aspects relating to tracing the source of a given piece of data and the management of provenance data. The following offers a summary of the discussion in this panel.
With increasing amounts of data being shared among organizations such as health care centers, academic institutions, financial organizations and government organizations, there is a need to ensure the integrity of data so that the decisions based on it are effective. Providing security for the data at hand does not suffice; it is also necessary to evaluate the source of the data for its trustworthiness. Issues such as which protection method was used, how the data was protected, and whether it was vulnerable to any type of attack during transit might influence how the user uses the data. It is also necessary to keep track of different types of data, which may be spread across various domains. Identification of the context of data usage, i.e. why a user might want to access a particular piece of data, or the intent of data access, is also an important piece of information to keep track of.
Finding the provenance of data is important for evaluating its trustworthiness, but this may in turn pose a risk to privacy. In some systems, it may be important to hide the source of information in order to protect its privacy. Also, data or information transfer does not necessarily happen on a file-to-file exchange basis; there is also the possibility that the data has been paraphrased. Data which has a particular meaning in a given domain may mean something totally different in another domain. Data might also be given away by people unintentionally. The question then is how to trace back to the original source of information. A possible solution suggested was to pay attention to the actual communication, to move beyond the regions where we are comfortable, and to put a human perspective on them, for that is how we communicate.
Scale is one of the major issues in designing systems for data provenance. This problem can be solved effectively for a single system, but the more one tries to scale it to a higher level, the less effective the system becomes. Also, deciding how much provenance is required is not an easy question to answer, as one cannot assume that one would know how much data the user would require. If the same amount of information as the previous transaction was provided, then one might end up providing excess (or insufficient) data than what is required.
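The integrity and source-evaluation concerns raised above can be made concrete with a tamper-evident provenance chain. The following is an added example written for this summary, not code shown by the panelists: each step records who acted, what was done, how the data was protected in transit, and hashes of the input and output, links itself to the previous record, and is authenticated with the acting organization's key. The actor names, keys and sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed keys for two hypothetical actors; a real deployment would take
# them from a key-management system rather than from literals.
KEYS = {
    "hospital-A": b"hospital-A-secret",
    "research-lab": b"research-lab-secret",
}
GENESIS = "0" * 64


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, actor, action, input_data, output_data, transport):
    """Append one provenance step, hash-linked to the previous step and
    authenticated (HMAC) by the acting organisation's key."""
    record = {
        "actor": actor,
        "action": action,
        "transport": transport,  # how the data was protected in transit
        "input_hash": _digest(input_data),
        "output_hash": _digest(output_data),
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
    }
    record["record_hash"] = _digest(_canonical(record))
    record["mac"] = hmac.new(KEYS[actor], record["record_hash"].encode(), "sha256").hexdigest()
    chain.append(record)
    return record


def verify_chain(chain, final_data):
    """Return (ok, reason). Checks each record's hash and MAC, the link to the
    previous record, input/output continuity, and the final payload."""
    prev_hash, prev_output = GENESIS, None
    for i, rec in enumerate(chain):
        unsigned = {k: v for k, v in rec.items() if k not in ("record_hash", "mac")}
        if _digest(_canonical(unsigned)) != rec["record_hash"]:
            return False, f"record {i}: content does not match its hash"
        key = KEYS.get(rec["actor"])
        if key is None:
            return False, f"record {i}: unknown actor {rec['actor']}"
        expected = hmac.new(key, rec["record_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"record {i}: bad MAC for actor {rec['actor']}"
        if rec["prev_hash"] != prev_hash:
            return False, f"record {i}: broken link to previous record"
        if prev_output is not None and rec["input_hash"] != prev_output:
            return False, f"record {i}: input is not the previous step's output"
        prev_hash, prev_output = rec["record_hash"], rec["output_hash"]
    if chain and _digest(final_data) != chain[-1]["output_hash"]:
        return False, "final data does not match last recorded output"
    return True, "ok"


# Constructed sample data: a raw record and its anonymised form.
RAW = b"patient_id,bp\n42,130/85\n"
ANON = b"bp\n130/85\n"


def build_chain():
    chain = []
    append_record(chain, "hospital-A", "collect", RAW, RAW, "TLS 1.2")
    append_record(chain, "research-lab", "anonymise", RAW, ANON, "SFTP")
    return chain


def demo():
    """A valid chain verifies; an undocumented downstream edit of the data and
    an after-the-fact change to a record are both detected."""
    chain = build_chain()
    ok_valid, _ = verify_chain(chain, ANON)
    ok_edited, why_edited = verify_chain(chain, b"bp\n120/80\n")
    chain[1]["transport"] = "plain HTTP"  # record altered after signing
    ok_tampered, why_tampered = verify_chain(chain, ANON)
    return ok_valid, (ok_edited, why_edited), (ok_tampered, why_tampered)


if __name__ == "__main__":
    print(demo())
```

The chain detects data that was altered or paraphrased without a recorded step, and records that were changed after the fact, but it cannot tell whether a recorded transformation was performed honestly; that judgement still rests on how much the consumer trusts each actor, which is the trust question the panel raised.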
On the question of how to set and regulate policies for data access, the panel suggested that it is often more practical to monitor access than to control it. Policies imposed at a high level work if there is a reasonable expectation that people will act in accordance with them. It is also important not to be completely open about what information is tracked or monitored, since a determined attacker could use that knowledge to find a way around the monitoring.
Data provenance, and systems for managing it, matter in several fields. In domains where conclusions are drawn from a set of data and any alteration of the data would change the decisions made, provenance is of critical importance. The DoD, health care institutions, finance, control systems and the military are some examples.
To conclude, the problem of data provenance and building systems to manage data provenance is not specific to a domain or a type of data. If this problem can be solved effectively in one domain, then it can be extended and modified to provide the solution to other domains as well.
Tuesday, April 5, 2011
Keynote Summary by Mark Lohrum
Neal Ziring, the current technical director for the Information Assurance Directorate at the NSA, was given the honor of delivering the opening keynote for the 2011 CERIAS Symposium on April 5th at Purdue University. He discussed the trends in cyber threats from the 1980s to today and shifts of defenses in response to those threats. He noted that, as a society, we have built a great information network, but unless we can trust it and be defended against possible threats, we will not see the full potential of a vast network. Ziring’s focus, as an NSA representative, was primarily from a perspective of preserving national interests regarding information security.
Ziring discussed trends in threats to information security. In the 1980s, the scope of cyber threats was rather simple. Opposing nations wished to obtain information from servers belonging to the U.S., and the NSA wished to stop them. This was fairly straightforward. Since the 1980s, threats have become far more complex. The opponents may not simply be opposing countries; they may be organized criminals, rogue hackers, hacktivists, or others. In years past, much expertise was required to carry out attacks. Now far less expertise is required, which results in more threat actors. In the past, attacks were not very focused: someone would write a virus and see how many computers in a network it could affect, almost as if it were a competition. Now attacks are far more focused on achieving a specific goal against a specific target. Ziring cited a statistic that around 75% of viruses are targeted at fewer than 50 individual computers. Experts in information security must understand the specific goals of a threat actor so that attacks can be predicted.
Ziring also discussed shifts in information security. The philosophy used to be to simply protect assets, but now the philosophy includes defending against known malicious code and hunting for not yet known threats. Another shift is that the NSA has become increasingly dependent upon commercial products. In the past, defenses were entirely built internally, but that just does not work against the ever-changing threats of today. Commercial software advances at a rate far faster than internal products can be developed. The NSA utilizes a multi-tiered security approach because all commercial products contain certain shortcomings. Where one commercial product fails to protect against a threat, another product should be able to counter that threat; this concept is used to layer security software to fully protect assets.
A current concern in information security is the demand for mobility. Cell phones have become part of everyday life, and as a society we carry them everywhere. As these are mobile networked computers, the potential shortcomings of security on these devices are a concern. If they are integrated with critical assets, a security hole is exposed. Similarly, cloud computing creates a concern: the integrity of information on servers that the NSA does not own must be ensured.
Ziring brought up a couple of general points to consider. First, information security requires situational awareness. Knowing the current status of critical information is necessary for defending it properly, and the status of the security system itself must be known consistently. Currently, many security systems are audited every several years, but it may be better to check the status of the security system continuously. Second, operations must be able to continue on a compromised network. The old philosophy was to recover from a network compromise and then resume activity. The new philosophy, because networks are so massive, is to be able to run operations while the network is in a compromised state.
Ziring concluded by discussing the need to create academic partnerships. Academic partnerships can help the NSA have access to the best researchers, newer standards, and newer technologies. Many of the current top secure systems would not have been possible without academic partnerships. It is impossible for the NSA to employ more people than the adversaries, but it is possible to outthink and out-innovate them.
Wednesday, March 31, 2010
Panel Members:
Summary by Utsav Mittal
The panel was started by Petros Mouchtaris. He said that applying for funding is not that bad: although the researcher gets a lot of rejections, once the funding comes through it gives the researcher a lot of control over the areas he wants to work in. He said that in the last 10 years most of their funding came from DARPA, and that initially the funding was for long-term, small projects. A smaller, long-term project gives more time to foster basic research on abstract ideas.
Joe Pekny, who has worked in Discovery Park for about 10 years, said that the fundamental principle of generating funding is that “Research follows impact.” He said the difference between getting and not getting funding lies in the researcher's ability to relate his potential and ability to the impact he can provide. He also talked about research opportunities in electronic medical records and about privacy issues in the video surveillance that is now widely used.
He mentioned some tactics that help in order to monetize the research impact:
Leverage: He mentioned that everyone wants a big grant which runs long, but that is not always possible, so the researcher should leverage whatever opportunities that he has to have the biggest advantage.
Interdisciplinary: He said that this is important, as many problems that we face today are of a complex nature and no single idea can crack the problem, so different smart minds from different areas should work on it.
Minimalistic: Joe said that a minimalistic team should be assembled in order to crack the problem, there should not be too many people working on the project.
Relationships: Joe stressed the importance of fostering long standing relationships for generating funding.
Entrepreneurship: Joe mentioned that money never comes in the form that a person wants it to, so a researcher should have the spirit of entrepreneurship.
Operations v. Philanthropy: He meant that if an organization believes the researcher has the potential to solve an operations problem, it will shell out billions to fund it. If it does not believe in that potential, it may give money as philanthropy instead.
Vision: Joe said that an enduring, fundamental, overarching vision is needed for a researcher to be successful. A researcher should show creativity and innovation in every situation.
Kenneth Brancik shared his experiences with research funding over the last 30 years. He related his life experience and how it helped increase his “situational awareness.” He said that technology is an enabler for business. He said we should think outside the box and be aware of the “situational awareness” related to cyber security. He said that a researcher, in order to understand the complex cyber security problems, should:
David Bell started his talk by quoting Mark Twain and remarking on people being lost in the “PowerPoint Age,” which cracked the audience up. David shared his experiences working with ARPA and other federal agencies. He also mentioned various projects such as “Blacker.” He noted that earlier research was “tethered research”: people were not very sure what they were working on; all they knew was that they were working on some advanced technology. His current take on federal funding was that it has dropped from 1.3% to 1%, and that a lot needs to be done in the area of cyber security.
Wednesday, March 31, 2010
Summary by Robert Winkworth
“Everything I Needed to Know About Security I Learned in 1974”
Security luminary David Bell concluded this year’s Information Security Symposium with a lecture in which he argued that while the speed and size of computers have changed greatly across the decades, the principles underlying security have been remarkably constant.
With the exception of one noted MULTICS covert channel hack, the speaker asserted that no fundamentally new innovation in computer security appeared from 1974 until 2005 (when he retired). Dr. Bell had done a great deal of conceptual modeling, particularly near the beginning of his career, and this, he explained, influenced his later work in security. In 1971, Bell, having read many classic MULTICS papers, felt even then that “all the good stuff” had already been done and made public. He recalled, with some amusement, that government facilities did not always share his awareness of this. Material freely available in research libraries, when cited in military security reports, often became classified, as though it could somehow be made secret anew.
Commenting on the 1972 Anderson Report, Dr. Bell noted that a core collection of only about a dozen critical infiltration tactics proved successful in almost every documented penetration test. Clearly by better abstracting these procedures into general categories of attack we could better understand and predict them. So, Bell was called to produce a mathematical model of computer security, but no other details of his assignment were specified. This, he explained, turns the technical process of testing and setting conditions in the machine into a cultural process of negotiating policies. “Security” is not meaningful until defined. Likewise, threats to security must be discussed before we can discuss their remedies. General principles of a security model are not useful until somehow applied, and Bell prefers to see these concrete examples before signing off on a policy, however academically sound it may seem.
Along with Len La Padula, David Bell is probably most widely recognized for his contribution to the Bell-La Padula Model of secure systems. This widely influential set of conceptual tools appears frequently in the fundamentals of IA curricula at Purdue and probably throughout the world.
Our host was critical of those who see security as a personnel problem, noting that this approach fails to recognize the technical weaknesses that remain regardless of the people involved. And getting the technology right is possible: Bell showed us computer systems that have never suffered a documented breach and never required a security patch. Unfortunately, replacing an existing infrastructure is difficult, particularly for an entrenched bureaucracy, so the challenge facing many security modelers is producing a plan that outlines not only the destination but all the intermediate steps necessary to transform an existing system into one that approaches the desired level of security.
Many evaluators are assigned to networks whose technology they cannot explain. Since they cannot articulate an effective policy for interactions between such a network and its trusted neighbors, a common reaction is simply to isolate them. As internetworking becomes pervasive, however, this cannot remain a practical strategy. Networks must be connected, but such connections introduce weaknesses if they are not thoroughly documented and regulated. How we can possibly manage the explosive complexity of internetworks remains a daunting question.
“We are not safe and secure today,” concludes our eminent guest. Those that claim otherwise are “either misinformed or lying.” Bell called upon us to implement more of the sound ideas in information assurance that hitherto have existed only as concept, and to fully acknowledge the extent to which models such as BLP have not been fully embodied.
Gene Spafford was on hand for today’s session, and asked for Dr. Bell’s comments on the software solutions of Rogers and Green Hills (two of the best-rated security platforms.) Bell found both quite sound. He was concerned, however, that neither had achieved the market “traction” that he would like to see. He provided some examples of how each could be more effectively introduced to companies that might use them in live networks.
As of March 31, 2010, the media presented in this lecture is available.
Wednesday, March 31, 2010
Summary by Gaspar Modelo-Howard
Day two opened with a keynote from Under Secretary Beers, who has had a long and interesting career of over 34 years, including military service and work as a staff member of the National Security Council under four U.S. Presidents. During his talk, he provided an introduction to the National Protection and Programs Directorate (NPPD) and DHS, discussed the importance and role of cyber security in protecting the overall security of the United States, described how DHS is continually evolving to meet the changing landscape and its mission, and outlined current challenges and problems faced by NPPD.
Under Secretary Beers began with a discussion of the responsibilities of DHS and of NPPD in particular. DHS has five goals or missions, listed here in no particular order: (1) counterterrorism, (2) securing U.S. borders, (3) immigration, (4) response to disasters, and (5) cyber security. This last goal refers to protecting cyberspace for the civilian side of government and working with the private sector to achieve physical Critical Information Infrastructure Protection (CIIP).
DHS is a fairly new department, formed in late 2002, so it is currently embarking on the transformation of its workforce. The main reason is that a number of professional disciplines were brought together to start the Department, but at the time there were very few professionals available to staff it, so it is an evolving organization. Currently, NPPD has an equal number of private contractors and federal employees working in the Directorate, but there are several initiatives to fill more permanent positions. In terms of cyber security, the Department is looking to hire 1,000 people in cyber security over the next 3 years. It also expects to increase the NPPD cyber security workforce to 260 by the end of FY 2010.
Under Secretary Beers mentioned that the difficulty in hiring cyber security specialists is that academic institutions do not currently produce enough graduates to meet federal demand. This statement takes into account that not all of the needs are for purely technical positions. Much to the surprise and amusement of the audience, the Under Secretary mentioned that there are not enough lawyers in DHS. It takes a long time for DHS leaders to get legal advice on some topics because there are more questions than the lawyers can answer. Some of this would also be rectified by having better laws relating to cyber security.
Generally speaking, DHS, and NPPD in particular, are looking to draw knowledge and experience from the math, science and cyber security communities to build a strong federal department. The DHS objective is to forge stronger links with educational institutions such as Purdue University in order to be better prepared to deal with cyber security matters.
During his presentation, Under Secretary Beers made an important point that helps define the national cyber security strategy: 85% of cyberspace in the U.S. exists outside the government. That is why the Directorate works closely with the private sector. For example, the Office of Infrastructure Protection (IP) takes 18 critical sectors of the American economy (water, power, finance, etc.) and works with them to develop security plans (standards, strategies, best practices) and improve preparedness to respond to emergencies. Mr. Beers also stressed the role cyber security plays within DHS, as it is a part of every other mission area. Cyber security works as a cross-cutting sector, for example between the communications and information sectors.
The Under Secretary noted that cyber threats are increasing on a daily basis, and that they also include physical attacks because of the potential impact these can have on cyberspace. He shared two examples: (1) a bond trading company that had to evacuate during the first World Trade Center attack in 1993, and (2) the train derailment and fire in Baltimore in 2001. In the first story, the investment company had to evacuate the World Trade Center but had no off-site backup systems. It took a presidential order to allow them to re-enter the building, since the fire marshal had prohibited anyone from doing so. In the train story, the fire disrupted communication links running through the same tunnel where the disaster occurred. Those cables carried major Internet links, and the disruption slowed service around the US.
NPPD cyber security daily operations include monitoring of attacks, protecting the .gov domain and monitoring Internet connections from and to government networks. US-CERT, the cyber security operational arm within NPPD, uses the Einstein intrusion detection program to carry out these responsibilities. (I think it was cool that he mentioned Einstein, as high-ranking U.S. Government officials usually avoid such topics.) Mr. Beers also noted that under President Obama’s 60-day cyber security review, DHS had to create a Computer Emergency Response Team (CERT) plan to deal with cyber security threats and crises. This has been done, and it involved government at different levels (federal, state, local) and the private sector. Also, last October DHS opened the National Cybersecurity and Communications Integration Center to improve national efforts to address threats and incidents affecting U.S. critical cyber infrastructure.
To finish his presentation, the Under Secretary talked about several of the current and future cyber security challenges faced by DHS. First, they are currently working on developing systems that make it possible for different cyber security players to share information. This is a common problem when requesting or managing information from different sources, for example the private sector, because such information is highly sensitive to its owner. Second, DHS is also increasingly responsible for cyber security awareness and outreach initiatives. They are working with academic institutions to foster and identify potential government employees. Third, in terms of global involvement, US-CERT is partnering with similar institutions in other countries to work on international incidents and to create stronger ties. DHS is fully aware of the interconnectivity of networks, regardless of physical location. It actively participates in the annual Meridian Conference for international CIIP collaboration and invites representatives of foreign countries to their biennial Cyber Storm exercises.
In the Q&A session, a member of the audience asked Mr. Beers if he could prioritize DHS cyber security needs in terms of human capital. This is important, as cyber security is an interdisciplinary field and there is a need for professionals with both technical and non-technical backgrounds. Mr. Beers listed three needs: (1) people with a computer science background to operate the cyber security centers; (2) people with system design and administration skills; and (3) people with a business background to deal with contracting issues and the proficiency to understand technical requirements. This last group is important, as the government has a responsibility to define requirements and objectives as clearly and specifically as possible so that other sectors can determine how to comply. He then mentioned that the government might have to start training centers, as there are not enough graduates coming out of college.
As a follow-up to his comment on cyber-security-savvy lawyers, he was asked whether the real problem is that the U.S. does not have the appropriate laws to protect its cyber infrastructure, and whether DHS is advocating for new legal frameworks. Mr. Beers agreed that a better legal framework is required and that DHS is indeed advocating for it. In a later question, he also pointed out that the legal and cyber security communities need to discuss further the issues affecting both sides, and that such exchanges should also happen outside the government (because of restrictions a federal employee might be under by law).
The next two questions were about international efforts taken by DHS, citing the United Nations' work on developing cyber security laws and best practices. The Under Secretary mentioned that DHS cannot work at the international level and that the time has come for the State Department to step up.
A question was then asked regarding the difficulties that arise when the physical and cyber security communities interact. Mr. Beers noted that it is a recurring but expected problem when working with entities from the public and private sectors. Sometimes they find cases where both exist under one directorate, but in general this is not the case, and it is part of the evolution of security.
A member of the audience asked for a briefing on current and future strategies with U.S. Cyber Command and the NSA. The Under Secretary mentioned that major elements of the collaboration are still under development. There are discussions about having DHS deputies and employees at Cyber Command and the NSA, and vice versa.
A final question compared the cost of training employees in cyber security with the cost of scholarships, suggesting that the second option might be cheaper and that there might therefore be an incentive to increase the number of scholarships. Mr. Beers agreed with the suggestion and said DHS is looking into additional opportunities to fund students and institutions, but was also quick to point out that not every cyber security professional has to come from an academic setting.
Overall, it was an interesting talk by the Honorable Beers, providing an overview of the structure, mission and challenges faced by NPPD and DHS. He stressed the importance of cyber security as part of the primary mission of the Department and the relevance of working with different partners to successfully achieve that mission.
Tuesday, March 30, 2010
Panel Members:
Summary by Derril Lucci
The fireside chat saw Admiral John McConnell, the Honorable Rand Beers, and Professor Eugene Spafford discuss some of the issues in security today. One of the first topics covered was how technology will change business and society. Admiral McConnell made a point of mentioning that once every 50 years, a new technology comes along that revolutionizes the way things are done; the examples included the gin mill and the textile industry. Another topic discussed was the need for a new internet, meaning an internet in which traffic can go through a trusted third party. This new idea, they believe, would make for a safer internet. This led to a debate about the innovation of cyberspace versus security: security can be viewed as a restriction on the innovation of cyberspace because it involves a tradeoff between standards and regulation.
Admiral McConnell also discussed a potential threat to our banks. He said that every day, $7 trillion is moved by two banks in New York City. If these transmissions were ever interrupted, coupled with a well-timed terrorist attack, it could topple both the U.S. banking industry and the global banking industry. This is why both Admiral McConnell and Secretary Beers have lobbied for government action to set up a plan to prevent this. However, they both stressed that the U.S. government has a history of dragging its feet on this matter, and they feel that the U.S. will not do anything until the event has already occurred.
Furthermore, Secretary Beers called for academic institutions to come together and decide where we want to go as a network and cyber security community. Admiral McConnell said that it is up to future generations to devise schemes to lower the risk of attacks by those who wish to change the world order.
Tuesday, March 30, 2010
Panel Members:
Summary by Preeti Rao
Tuesday afternoon’s panel discussion at the Eleventh Annual CERIAS Symposium, on March 30, 2010, was on Information Security Ethics. The panel consisted of four pioneers from academia and industry: Nicolas Christin from Carnegie Mellon University, Cassio Goldschmidt from Symantec Corporation, Aaron Massey from North Carolina State University and Melissa Dark from Purdue University.
Melissa Dark introduced the panel and put forth the thought that Information Security Ethics is a really messy topic because it involves a variety of stakeholders. Identifying all the stakeholders, their competing interests and balancing the competing interests is not an easy trade-off. There are a number of incentives and disincentives to be considered. Information security ethics is interesting when discussed with respect to certain scenarios and the panel chose to do that.
The first presentation was from Nicolas Christin and he presented on Peer-to-Peer Networks, Incentives and Ethics.
He started off by talking about peer-to-peer (P2P) networks in general, their interdisciplinary nature, and their benefits and costs. He noted that P2P traffic is a very sizable load, accounting for 30 to 70% of Internet traffic. P2P networks carry a bad reputation because of the dissemination of copyrighted material, but they have numerous benefits too: software distributors save on infrastructure by distributing free and proprietary software to legitimate users through P2P networks, and they offer resilience to censorship.
Christin identified five stakeholders in P2P networks and discussed their ethical dilemmas and competing interests: end users, content providers or copyright holders, electronics manufacturers, software developers and Internet service providers (ISPs). While end users tend to download content for free, content providers and copyright holders are worried about unauthorized replication of their content. Electronics manufacturers benefit from the portability of digital media on P2P networks; devices like iPods would not have been this successful if people did not get music for free or at very low cost. Software developers potentially benefit from increased P2P use. ISPs face interesting ethical dilemmas. While ISPs benefit from increased bandwidth usage by users downloading content, a number of those users are engaged in copyright infringement, downloading content for free through P2P networks over the bandwidth these ISPs provide. Sometimes ISPs assist content-provider companies. He gave Comcast as a telling example: is it ethical to download TV shows using Comcast’s Internet service, or to watch the same shows using Comcast’s cable TV service?
He summarized the competing interests and ethical dilemmas of the stakeholders in P2P networks as follows: end users producing and downloading infringing content; the content industry poisoning P2P networks; the content industry launching denial-of-service attacks on P2P hosts; ISPs advertising access to movies, promising users that they will get access to the movies, and then filtering out BitTorrent traffic; and electronics manufacturers advertising the ripping and copying capabilities of their devices.
He left the audience with a set of intriguing questions. Is downloading content ethical or unethical? How do we decide what is ethical and unethical in Information Security? What are the criteria to be applied to make this decision? Are the decisions ever ethically justified? The bottom line is the unclear set of incentives.
The second presentation was on Responsibility for the Harm and Risk of Software Security Flaws by Cassio Goldschmidt.
He identified five stakeholders in analyzing the situation of software security flaws. The stakeholders were Independent Software Vendors (ISVs), Users, Government, Software Vulnerabilities and Security Researchers.
He cited Microsoft as an example of an ISV and noted how users always blame ISVs for faulty software. For the software industry, the weakest links are software developers and software testers. ISVs are doing a lot to build secure software; they have started training classes to teach how to write secure code and how to secure every stage of the SDLC and test life cycle. But software by nature is vulnerable, no matter what. Users buy software for its features; when a user is ready to buy software there is no way for him to tell whether that software is secure. Goldschmidt argued that managing software security is very difficult when one cannot compare which of two pieces of software is more secure; hence we cannot expect users to buy and use “secure software.” There are many non-technical users who do not know the importance of software or system security. Users definitely have something to do with software vulnerabilities.
He talked about security researchers and vulnerability disclosure. There are conflicting interests and possible risks in security researchers disclosing software vulnerabilities. Before one does a full disclosure of a vulnerability, one needs to think about how people and the media would take advantage of it. He cited the example of Microsoft’s “Patch Tuesday” and the “Exploit Wednesday” that follows it. Sometimes companies buy products because of strategic partnerships, long-term relationships, money, etc.; the decision is not always based on security.
Government has a role to play in promoting software security. But if the government enacts laws to enforce software security, there will be serious financial issues for the ISVs. For example, software development process would become very expensive for start-ups. He concluded that enacting laws for software security can be hard.
He summarized — software is dynamic. People have yet to understand the meaning of software. Some call it a product. Some call it a service. Some even call it free speech because it has a language and associated grammar. The problem of software security is very complex. It needs attention and awareness.
The third presentation was from Aaron Massey on Behavioral Advertising Ethics.
Behavioral advertising which targets custom-made advertisements to users based on their behavior profiles uses technologies like cookies, web bugs and deep packet inspection. Massey opined that Behavioral Advertising Ethics is interesting and overlaps with Advertising, Privacy and Technology domains. He quoted examples of some ethical dilemmas associated with these domains:
Advertising: Is it ethical to target ads based on a user’s profile or history? For example, a door-to-door salesman asking customers questions to learn their preferences and then suggesting products based on the gathered information.
Privacy: For example, a Facebook program that tracked user A’s online shopping history and displayed ads on the homepage of user B (a friend of user A) suggesting the product bought by user A. Is this a probable privacy breach for user A?
Technology: Where does the ethical value lie? Is it in the technology itself? Is it in the use of the technology, or is it in the design? As an example, take a hammer. It can be used in a constructive or a destructive way, and the design does not restrict the purpose of usage.
Considering these questions when building a behavioral advertising technology, is there a way we can make it secure without compromising the utility of the technology?
Melissa Dark summed up the panel presentations considering the three keys for information security ethics: the stakeholders, their competing interests and tradeoffs, and the incentives and disincentives. She mentioned that incentives and disincentives have been long-standing norms and expectations. We need to think about how these norms and expectations affect ethics, and how our mindsets affect the larger ethical debate. She opened the floor for questions.
Question 1: Often with online shopping and ethics, users usually do not have many options. Either you buy the product or leave it. For example, the Facebook scenario discussed earlier. In such situations, if you disagree with the ethics, then how can you effect change? Usually most companies just have ethics externally imposed on them.
Aaron Massey: There are privacy policies that are in place, and the FTC enforces these privacy policies. If a company violates its privacy policy, though as an individual you cannot sue the company, you can file a complaint with the FTC. The FTC would review the company's business practices and take necessary actions. Companies like Facebook and Google work with the FTC right from the beginning to get everything right.
Melissa Dark: The masses can make use of consumerism and market forces. She mentioned that there are 45 state data breach disclosure laws, but no single federal law in the US for handling data breach disclosures. Using the right language to talk about information security is very important.
Victor Raskin: Supported Melissa on that and said the language, the framework used to talk about information security is very important.
Eugene Spafford: Awareness is equally important for software security. Our current mission should be to make security visible.
Audience: Informal collective action (for example, the blogosphere) is very powerful and can be used as a weapon against unethical actions.
Aaron Massey: Danger and the slippery slope is the connotation in ethics.
Question 2: What are the roles of users and government in realizing information security? In Australia, ISPs are now restricting end users' access to certain resources because a recent law put liability on the ISPs to take corrective action; the end users are just notified.
Nicolas Christin: There are similar laws on P2P networks. But again, managing the tradeoff between ISPs and users is critical. Users can easily conceal their actions, and ISPs have to make a decision on restricting their users. Ethical and legal dilemmas are happening because the legal scholars who usually write the laws have no technology background.
Eugene Spafford: It is hard to strike the right balance and create good laws.
Question 3: Educational institutions are not doing a good job teaching how to write secure software. What should an institution do to give good security education?
Melissa Dark: Public institutions have a lot of masters to serve. They take taxpayer money and are under many obligations. Yet the security education curriculum is being modified and improved constantly. There has been tremendous growth in the past decade. There is still a lot more to be done for security education.
Audience: College education is just once, but industry education and training needs to be constantly revised.
Nicolas Christin: Security education: should it be industry driven or college education driven? In college education, the main goal is to train students to get good jobs. Universities respond to market demands. Selling security and security education is hard. Knowing how to write secure code needs a lot of training and experience. For a new graduate the most important thing is to secure a job, not necessarily a secure software coding job.
Aaron Massey: Even before security education: what is security? How do you measure security? Should you concentrate on secure programming, testing or design?
Eugene Spafford: Purdue CERIAS is doing a great job in giving security education. But still, a lot of awareness is needed.
Question 4: What is ethical software or ethical coding? Does society have a role to play in making society ethical?
Aaron Massey: Society is addressing ethical questions. For example, the FTC is holding workshops on how to treat privacy online. There is no single solution yet.
Question 5: What are the best practices from other disciplines that can be adopted into infosec ethics? Do other disciplines have a generic framework?
Aaron Massey: Healthcare legislation such as HIPAA is evolving. Generic frameworks are a good domain to look at. Investigations are ongoing in this regard. A professional code of ethics is as applied to a profession. But the information security profession, its demands and roles, are not yet clearly defined.
Question 6: How does ethics depend on the perception of truth? How can advertising be a win-win situation, if advertising is just informational and not manipulative? Does anyone read the privacy policies, where the information is there but not consumable?
Aaron Massey: Research is being done, and people are coming up with nutrition labels for privacy policies: an alternative way of understanding privacy policies instead of reading a lot of privacy policy text.
Audience: An idea based on the agricultural domain: suppose companies identify themselves as data-collection-free companies and certify themselves as ones who do not collect information about people; would that help?
Nicolas Christin: There are companies that publish their privacy practices in machine-readable form so that you do not have to read the whole document. Companies are trying different methods for privacy policy reading.