The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Reports and Papers Archive


Browse All Papers »       Submit A Paper »

Adaptive Detection and Policy Transformation for Insider Threats

CERIAS TR 2023-7
Nicholas B. Harrell, Alexander Master, J. Eric Dietz
Download: PDF

Insider threats are among the most costly and prevalent cybersecurity incidents. Modern organizations lack an effective way to detect and deter insider threat events; traditional mitigation approaches that focus on recruitment processes and workplace behavior have proven insufficient. Current analytic detection tools do not map technical indicators to organizational policies. This limitation results in poor risk calculations, rendering inaccurate risk mitigation decisions regarding insider threats. This paper proposes a pragmatic, data-driven approach that uses policy-mapped technical indicators to assess insider threat risk. Our approach provides a quantitative insider threat risk score to facilitate informed decision-making by policymakers. Using computer simulation modeling and synthetic data to iterate common threat scenarios, we increase the probability of detecting an insider threat event. This novel approach provides quantitative analysis with distinct advantages over qualitative risk matrices commonly used in industry to forecast and assess organizational risk.

Added 2024-03-15

Grand Challenges in Trustworthy Computing at 20: A Retrospective Look at the Second CRA Grand Challenges Conference

CERIAS TR 2024-01
Richard DeMillo and Eugene H. Spafford
Download: PDF

A retrospective on the Grand Challenges Worshop sponsored by the Computing Research Association

Added 2024-01-21

Forensic Insights: Analysis and Visualization of Fitbit Cloud Data

CERIAS TR 2023-6
Poorvi Hegde
Download: PDF

Wearable devices are ubiquitous. There are over 1.1 billion wearable devices in the market today. The market is projected to grow at a rate of 14.6% annually till 2030. These devices collect and store a large amount of data. A major amount of this collected data is stored in the cloud. For many years now, law enforcement organizations have been continuously encountering cases that involve a wearable device in some capacity. There have also been examples of how these wearable devices have helped in crime investigations and insurance fraud investigations . The article performs an analysis of 5 case studies and 57 news articles and shows how the framing of wearables in the context of the crimes helped those cases. However, there still isn’t enough awareness and understanding among law enforcement agencies on leveraging the data collected by these devices to solve crimes. Many of the fitness trackers and smartwatches in the market today have more or less similar functionalities of tracking data on an individual’s fitness-related activities, heart rate, sleep, temperature, and stress. One of the major players in the smartwatch space is Fitbit. Fitbit synchronizes the data that it collects, directly to Fitbit Cloud. It provides an Android app and a web application for users to access some of these data, but not all. Application developers on the other hand can make use of Fitbit APIs to use user’s data. These APIs can also be leveraged by law enforcement agencies to aid in digital forensic investigations. There have been previous studies where they have developed tools that make use of Fitbit Web APIs but for various other purposes, not for forensic research. There are a few studies on the topic of using fitness tracker data for forensic investigations . But very few have used the Fitbit developer APIs. Thus this study aims to propose a proof-of-concept platform that can be leveraged by law enforcement agencies to access and view the data stored on the Fitbit cloud on a person of interest. The results display data on 12 categories - activity, body, sleep, breathing, devices, friends, nutrition, heart rate variability, ECG, temperature, oxygen level, and cardio data, in a tabular format that is easily viewable and searchable. This data can be further utilized for various analyses. The tool developed is Open Source and well documented, thus anyone can reproduce the process.

Added 2023-12-15

Closing the Gap: Leveraging AES-NI to Balance Adversarial Advantage and Honest User Performance in Argon2i

CERIAS TR 2023-5
Nicholas Harrell and Nathaniel Krakauer
Download: PDF

The challenge of providing data privacy and integrity while maintaining efficient performance for honest users is a persistent concern in cryptography. Attackers exploit advances in parallel hardware and custom circuit hardware to gain an advantage over regular users. One such method is the use of Application-Specific Integrated Circuits (ASICs) to optimize key derivation function (KDF) algorithms, giving adversaries a significant advantage in password guessing and recovery attacks. Other examples include using graphical processing units (GPUs) and field programmable gate arrays (FPGAs).

We propose a focused approach to close the gap between adversarial advantage and honest user performance by leveraging the hardware optimization AES-NI (Advanced Encryption Standard New Instructions). AES-NI is widely available in modern x86 architecture microprocessors. Honest users can negate the adversary advantage by diminishing the utility of their computational power. We explore the impact of AES-NI on the Argon2i KDF algorithm, a widely-used and recommended password hashing function.

Through our analysis, we demonstrate the effectiveness of incorporating AES-NI in reducing the advantage gained by attackers using ASICs. We also discuss the security and performance trade-offs to provide guidelines for practical implementation in deployed cryptosystems.

Added 2023-11-27

Proactive Vulnerability Identification and Defense Construction -- the Case for CAN

CERIAS TR 2023-4
Khaled Serag Alsharif
Download: PDF

The progressive integration of microcontrollers into various domains has transformed traditional mechanical systems into modern cyber-physical systems. However, the beginning of this transformation predated the era of hyper-interconnectedness that characterizes our contemporary world. As such, the principles and visions guiding the design choices of this transformation had not accounted for many of today’s security challenges. Many designers had envisioned their systems to operate in an air-gapped-like fashion where few security threats loom. However, with the hyper-connectivity of today’s world, many CPS find themselves in uncharted territory for which they are unprepared.

An example of this evolution is the Controller Area Network (CAN). CAN emerged during the transformation of many mechanical systems into cyber-physical systems as a pivotal communication standard, reducing vehicle wiring and enabling efficient data exchange. CAN’s features, including noise resistance, decentralization, error handling, and fault confinement mechanisms, made it a widely adopted communication medium not only in transportation but also in diverse applications such as factories, elevators, medical equipment, avionic systems, and naval applications.

The increasing connectivity of modern vehicles through CD players, USB sticks, Bluetooth, and WiFi access has exposed CAN systems to unprecedented security challenges and highlighted the need to bolster their security posture. This dissertation addresses the urgent need to enhance the security of modern cyber-physical systems in the face of emerging threats by proposing a proactive vulnerability identification and defense construction approach and applying it to CAN as a lucid case study. By adopting this proactive approach, vulnerabilities can be systematically identified, and robust defense mechanisms can be constructed to safeguard the resilience of CAN systems.

We focus on developing vulnerability scanning techniques and innovative defense system designs tailored for CAN systems. By systematically identifying vulnerabilities before they are discovered and exploited by external actors, we minimize the risks associated with cyber-attacks, ensuring the longevity and reliability of CAN systems. Furthermore, the defense mechanisms proposed in this research overcome the limitations of existing solutions, providing holistic protection against CAN threats while considering its performance requirements and operational conditions.

It is important to emphasize that while this dissertation focuses on CAN, the techniques and rationale used here could be replicated to secure other cyber-physical systems. Specifically, due to CAN’s presence in many cyber-physical systems, it shares many performance and security challenges with those systems, which makes most of the techniques and approaches used here easily transferrable to them. By accentuating the importance of proactive security, this research endeavors to establish a foundational approach to cyber-physical systems security and resiliency. It recognizes the evolving nature of cyber-physical systems and the specific security challenges facing each system in today’s hyper-connected world and hence focuses on a single case study.

Added 2023-10-03

Personality Traits and Resistance to Online Trust Exploitation

2023-3
Vaishnavi Mahindra

Social engineering attacks, especially trust exploitation, have become a focus of attention for cybercriminals attempting to manipulate or deceive users to take actions that further expose their vulnerabilities. This has also become a budding field for researchers as these interactions are based on complex social equations that are constantly taken advantage of. Identifying the “weakest link” is a popular method of identifying how these exploits take place, generally by observing when individuals fall for a social engineering attack. However, valuable insights may be used to harden security by observing patterns in users resistant or vigilant to these attacks. Primarily, this trend may be discovered in resistant users’ personality traits. This has been found to be a more accurate indicator of behavior than self-reported intentions. Survey responses (n=120) indicate correlations between high test scores in trust exploitation exercises and Conscientiousness in the Big 5 Personality Model (p<0.001). No significant correlation was seen between self-reported cybersecurity habits and actual security behavior.

Added 2023-07-29

Modeling and Characterization of Internet Censorship Technologies

CERIAS TR 2023-2
Alexander Master
Download: PDF

The proliferation of Internet access has enabled the rapid and widespread exchange of information globally. The world wide web has become the primary communications platform for many people and has surpassed other traditional media outlets in terms of reach and influence. However, many nation-states impose various levels of censorship on their citizens’ Internet communications. There is little consensus about what constitutes “objectionable” online content deserving of censorship. Some people consider the censor activities occurring in many nations to be violations of international human rights (e.g., the rights to freedom of expression and assembly). This multi-study dissertation explores Internet censorship methods and systems. By using combinations of quantitative, qualitative, and systematic literature review methods, this thesis provides an interdisciplinary view of the domain of Internet censorship. The author presents a reference model for Internet censorship technologies: an abstraction to facilitate a conceptual understanding of the ways in which Internet censorship occurs from a system design perspective. The author then characterizes the technical threats to Internet communications, producing a comprehensive taxonomy of Internet censorship methods as a result. Finally, this work provides a novel research framework for revealing how nation-state censors operate based on a globally representative sample. Of the 70 nations analyzed, 62 used at least one Internet censorship method against their citizens. The results reveal worldwide trends in Internet censorship based on historical evidence and Internet measurement data.

Added 2023-07-19

A WireGuard Exploration

CERIAS TR 2021-3
Alexander Master, Christina Garman
Download: PDF

Internet users require secure means of communication. Virtual Private Networks (VPNs) often serve this purpose, for consumers and businesses. The research aims of this paper were an analysis and implementation of the new VPN protocol WireGuard. The authors explain the cryptographic primitives used, build server and client code implementations of WireGuard peers, and present the benefits and drawbacks of this new technology. The outcome was a functional WireGuard client and server implementation, capable of tunneling all Internet traffic through a cloud-based virtual private server (VPS), with minimal manual configuration necessary from the end user. The code is publicly available.

Added 2023-03-01

Ranking Social Engineering Attack Vectors in The Healthcare and Public Health Sector

CERIAS TR 2023-1
Gaurav Sachdev
Download: PDF

The National Institute of Standards and Technology defines social engineering as an attack vector that deceives an individual into divulging confidential information or performing unwanted actions. Different methods of social engineering include phishing, pretexting, tailgating, baiting, vishing, SMSishing, and quid pro quo. These attacks can have devastating effects, especially in the healthcare sector, where there are budgetary and time constraints. To address these issues, this study aimed to use cybersecurity experts to identify the most important social engineering attacks to the healthcare sector and rank the underlying factors in terms of cost, success rate, and data breach. By creating a ranking that can be updated constantly, organizations can provide more effective training to users and reduce the overall risk of a successful attack. This study identified phishing attacks via email, voice and SMS to be the most important to defend against primarily due to the number of attacks. Baiting and quid pro quo consistently ranked as lower in priority and ranking.

Added 2023-02-04

Comparing Social Engineering Training in the Context of Healthcare

Giovanni Ordonez

Social Engineering attacks have been a rising issue in recent years, affecting a multitude of industries. One industry that has been of great interest to hackers is the Healthcare industry due to the high value of patient information. Social Engineering attacks are mainly common because of the ease of execution and the high probability of victimization. A popular way of combatting Social Engineering attacks is by increasing the user’s ability to detect indicators of attack, which requires a level of cybersecurity education. While the number of cybersecurity training programs is increasing, Social Engineering attacks are still very successful. Therefore, education programs need to be improved to effectively increase the ability of users to notice indicators of attack. This research aimed to answer the question - what teaching method results in the greatest learning gains for understanding Social Engineering concepts? This was done by investigating text-based,  gamification, and adversarial thinking teaching methods. These three teaching methods were used to deliver lessons on an online platform to a sample of Purdue students. After conducting analysis,  both text-based and adversarial thinking showed significant improvement in the understanding of Social Engineering concepts within the student sample. After conducting a follow-up test, a single teaching method was not found to be better among the three teaching methods. However, this study did find two teaching methods that can be used to develop training programs to help decrease the total number of successful Social Engineering attacks across industries.

Added 2022-05-03

Investigating Cyber Performance: An Individual Differences Study

CERIAS TR 2021-2
Kelly A. Cole
Download: PDF
Added 2021-09-15

Curriculum Guidance Document Industrial Control Systems

CERIAS TR 2021-01
Subia Ansari, Marlo Basil-Camino, Douglas C. Rapp, Isslam Alhasan, Ida Ngambeki, Eugene H. Spafford
Download: PDF
Added 2021-09-03

The Most Common Control Deficiencies in CMMC non-compliant DoD contractors

Vijay Sundararajan, Arman Ghodousi

This article presents the most commonly identified Security Control Deficiencies (SCD) faced, the attacks mitigated by addressing these SCD, and remediations suggested to 127 DoD contractors in order to bring them into compliance with the newly formed CMMC guidelines, the requirements and significance of cybersecurity compliance for small-midsized businesses.

Added 2021-03-02

Comparing Learning Gains in Cryptography Concepts Taught Using Different Instructional Conditions and Measuring Cognitive Processing Activity of Cryptography Concepts

CERIAS TR 2019-5
Joseph W. Beckman
Download: PDF

Information security practitioners and researchers who possess sufficient depth of conceptual understanding to reconstitute systems after attacks or adapt information security concepts to novel situations are in short supply. Education of new information security professionals with sufficient conceptual depth is one method by which this shortage can be reduced. This study reports research that instructed two groups of ten undergraduate, pre-cryptography students majoring in Computer Science in cryptography concepts using representational understanding first and representational fluency first instructional treatment methods. This study compared learning results between the treatment groups using traditional paper-based measures of cognitions and fMRI scans of brain activity during cryptography problem solving. Analysis found no statistical difference in measures of cognitions or in cognitive processing, but did build a statistical model describing the relationships between explanatory variables and cryptography learning, and found common areas of cognitive processing of cryptography among the study’s twenty subjects.

Added 2020-01-06

Cybersecurity for Android Applications

Scott R. Moore

This research contributes to effective risk communication for mobile devices. Mobile devices are becoming near-universal in presence, and the use of these devices comes with some risk. However, the average user does not understand these risks. Users who do not comprehend these dangers have a greater likelihood of suffering negative consequences than those who do understand the dangers. A means of alerting users to possible risks associated with an app is the permissions screen displayed with an app. In this study, I examined how this risk information is presented, and I compared two methods of Android interfaces. A survey was conducted with 756 participants recruited through Amazon Mechanical Turk. Each survey contained a simulation of the Google Play Store and instructed participants to role-play the task of downloading an app. Afterwards, each participant was questioned about which permissions were seen and what the function of each of those permissions are. The survey compared performance of users with the interfaces of Android 5.0 and Android 6.0 and found that, while each version has its own strengths, neither version was superior to the other across all domains. Android 5.0 showed better performance with informing users which permissions access their device, whereas Android 6.0 did better with presenting the functions of the permissions. The specific permissions associated with an app were a significant factor in determining whether a user could recall the permission name or definition, as some permissions are understood more easily recalled than others. In addition, Android 6.0 is shown to be more intuitive to use than Android 5.0. Although a pilot study showed users favored Android 6 over Android 5, the present study shows no clear evidence that Android 6 has a more effective permissions interface than Android 5.

Added 2019-08-30