The Center for Education and Research in Information Assurance and Security (CERIAS)


Opening Keynote: Todd Gebhart, Co-President McAfee Inc. (Summary)


Wednesday, April 3, 2013

Summary by Gaspar Modelo-Howard

The Changing Security Landscape

Why do we, as cybersecurity professionals, go to work each day? Mr. Gebhart opened his presentation by reflecting on this question and suggested a very clear and concise answer: it is to protect the many things and people that are so important to our lives. Security professionals need to protect families from threats such as cyber bullies and identity thieves, protect financial information, defend new business ideas and our critical infrastructure, and help protect those who protect us, such as law enforcement and first responders. This is why a multidisciplinary approach, such as the one CERIAS follows and which Mr. Gebhart pointed to, is required to come up with the ideas and solutions that achieve our goal as cybersecurity professionals.

In the early days of malware, it could have been considered a nuisance. After all, there were about 17,000 pieces of malware in 1997, and for some people antivirus software could be updated every few months. But malware has been growing at a rapid pace. McAfee stores more than 120M malware samples in its database, up from 80M in 2011. The growth is also fast in the mobile landscape. There were 2K unique pieces of mobile malware in 2011, while last year the number grew to 36K. And as the mobile market becomes more popular and we move from multiple operating systems to just two today, Google’s Android and Apple’s iOS, there will still be room for malware to grow. McAfee’s statistics show that (1) Android is the most targeted operating system for malware, (2) many application stores for phones host malware, and (3) half of all iOS phones are jailbroken.

Other trends explain the ever-changing landscape of information technology and therefore of security. One example is the growth in the number of devices connected to the Internet and their changing profiles. There are approximately 1B devices today, and that number should reach 50B by 2020. People think about computers and phones when asked which electronic devices are connected to the Internet. But many others, such as automobiles, televisions, dishwashers, and refrigerators, are being connected every day, helping to put the control of our lives at our fingertips: how much energy we consume, what we eat, or how we communicate and with whom.

So today’s risks are more about the devices and the data they store than just malware, and everybody is at risk. At the personal level, there are always reports of attacks aimed at individuals. Mr. Gebhart recounted Operation High Roller, which targeted corporate bank accounts and wealthy people using a variant of the Zeus Trojan horse. At the business level, he talked about the incident known as Operation Aurora, discovered by McAfee Labs, where attackers were after intellectual property from 150 companies. It is also common nowadays to hear about state-sponsored cyberattacks on businesses. For example, McAfee believes it is one of the most attacked companies in the world (given its position as both a security services provider and a consumer), as it sees many frequent attacks around the world run by well-funded, professional organizations.

One of the most concerning areas at risk is critical infrastructure, and governments around the world show growing concern about malware. The Stuxnet malware seemed to come out of a spy movie, as it was created as a stealthy, offensive tool to cause harm. The Citadel trojan is another example of how incisive and targeted malware can be, attacking individual organizations while also harvesting credentials and passwords from users. So the malware found in the wild nowadays is more targeted and automated, which explains the growing concern about highly important systems such as critical infrastructure. Additionally, the commercialization of malware keeps increasing. Hackers as a Service (HAAS) and off-the-shelf malware are all too common now, so both malicious code and people’s services are openly being sold.

Mr. Gebhart suggested that new partnerships are required to deal with malware; it is no longer only a technical issue. This pointed back to his earlier comment about dealing with cybersecurity through a multidisciplinary approach. An organization’s board should be involved and new strategies need to be created. Whereas years ago malware was a topic that would involve only a mid-level business manager, it is now a high-level management discussion topic everywhere you go. It is on everybody’s mind, with people not limiting the conversation to the technical aspects of an attack but also talking about the impact on the business. Today, those who make the decisions for the business must be included in order to defend against malware in a timely manner and to plan for security.

Innovation is also paramount in order to successfully protect systems, and Mr. Gebhart mentioned several current initiatives. For example, companies are increasingly using cloud-based threat intelligence systems to deal with real-time and historical data, in ever increasing quantities. McAfee’s monitoring systems receive about 56B events a month from 120M devices. Many of the events are hashed and sent to their systems in the cloud to determine whether they are malicious, allowing McAfee to block (if necessary) similar traffic. Response capabilities have also improved, as algorithms now exist to classify the events, determine which ones to handle, and respond fast.

The DeepSAFE technology is another example of innovation, coming from the partnership between McAfee and Intel. The jointly developed technology serves as a foundation for new hardware-assisted security products. Today’s malware detection software sits above the operating system, whereas DeepSAFE operates without that restriction and closer to the hardware, offering a different vantage point from which to detect, block, and remediate hidden attacks such as Stuxnet and SpyEye.

To close his presentation, Mr. Gebhart urged the audience not to forget whom we are working for, and to protect global access to information and the identities of our users. It is an exciting time to be involved in cybersecurity, with the changing landscapes of information technology and security. Computing has come a long way in the last few decades, but we still have to build trust around it so that people can confidently rely on it.


Keynote: Christopher Painter, Coordinator for Cyber Issues, U.S. Department of State (Summary)

Thursday, April 4th, 2013
Summary by Kelley Misata

As Christopher Painter, Coordinator for Cyber Issues within the US Department of State, began his keynote address to the CERIAS Symposium audience, he humorously admitted, "Today I’m flying without a net", a PowerPoint presentation net, that is. This set the tone for an informal and informative discussion about the changing threat landscape in cyberspace.

In the early 1990s Christopher Painter began his federal career as an Assistant U.S. Attorney in Los Angeles, at a time when most people were not that interested in cyber crime and the issues we are facing today were unimaginable. These issues weren’t at the forefront of most people’s minds, which gave Mr. Painter an opportunity to dive in and get involved at all levels of the cyber investigations happening at the time. Mr. Painter led some of the earliest and most infamous cyber crime cases, including the prosecution of Kevin Mitnick, one of the most wanted cyber criminals in the United States.

Through his work leading case and policy discussions in the Computer Crime and Intellectual Property Section of the US Department of Justice, Mr. Painter has become a leading expert in international cyber issues. However, of the impressive journey he shared with the CERIAS audience, one of the most marked times in his career was his work with President Obama in 2009. Reminding the audience of the campaign hacking incident that raised awareness of cyber threats within the office of the President, Mr. Painter discussed how the shift in focus on cyber issues was starting to occur. Charged with identifying the gaps in national cyber policies, Mr. Painter led a research initiative that resulted in over 60 interviews engaging individuals from government, private industry, academia and civil society; the results of this study became the premise for President Obama’s landmark speech on cyber security in May 2009.

Over the past 5 years the conversations in cyber security have evolved dramatically. Initially these conversations were so highly technical in nature that government officials handed them to the technical community to find the solutions. Today, with cyber issues expanding beyond domestic boundaries, it was quickly realized that for solutions to be sustainable they needed the "push" of senior policy makers and CEOs from the private sector. As Mr. Painter stated, "We have come a long way even though the challenges continue to mount, we need to remember we still have a long way to go."

Today, the cyber security threat landscape has changed from the days of the "lone gunman hackers" to today’s organized, transnational groups. Cyber security professionals are facing mounting challenges in international law, forensic processes and the introduction of new actors in the arena of bad guys. Reflecting back again on President Obama’s 2009 speech on cyber security, Mr. Painter recalled the President’s reference to the “economic threat of cyber crime”, an important distinction from merely addressing cyber crime as a security threat to identifying cyber crime as an economic threat to the country.

Public awareness is changing, and so are the conversations within the U.S. government. Remembering President Obama’s 2013 State of the Union address, Mr. Painter remarked, “this was to a national audience who are not cyber folks - it is another great example of how the cyber issues have transitioned to be government issues.” This landmark speech resulted in a new surge of collaboration and coordination among government agencies: "This is a big shift in how these groups are running interagency meetings as there is a new commonality and purpose to these issues."

Looking toward the future, the world will continue to grapple with the constantly changing cyber threat landscape and with the equivalents of these issues in the physical world. These are global challenges. As a result, in partnership with the Department of Homeland Security, Mr. Painter and his team are bringing technical information and training to over 100 countries, working to help technologically advancing countries mitigate the increasing and complex cyber threats around the world. Concurrently, they are evaluating key policy issues, including:

  1. International security: the US has taken the lead in establishing international law through systems that build confidence and transparency;
  2. Cyber security due diligence: challenging the international community to continue to develop national policies, build institutions and foster the due diligence process;
  3. Identification of cyber crimes;
  4. Internet governance: through existing technical organizations and a multi-stakeholder approach;
  5. Internet freedom: principles around openness and transparency online.

As the audience started to process this incredible professional journey along with the changing landscape in cyberspace, Mr. Painter closed his keynote address by illustrating the efforts of him and his team in working closely with agencies within the US government, the private sector and academia around the world. They are also actively conducting important dialogues and advancing key cyber issues with governments in Brazil, South Africa, Korea, Japan and Germany, to name a few, bringing the issues of cyber security strategies, the changing landscape and key policy issues to these emerging countries.

Tech Talk #3: Stephen Elliott (Summary)

Thursday, April 4th, 2013
Associate Professor Stephen Elliott, Industrial Technology, Purdue University
Director, Biometric Standards, Performance and Assurance Laboratory
Summary by Kelley Misata
Title: Advances in Biometric Testing

Starting the conversation, Stephen reminded the audience that what makes biometrics such an interesting field is the unpredictability of the humans in the testing and evaluation processes. In traditional biometric testing environments, researchers work with algorithms and established metrics and methodologies. However, as biometric testing moves to operational environments there are more uncertainties to contend with, which makes testing harder. Considering these two important testing environments, what biometric researchers are now trying to do is to understand further how a biometric system performs in any environment and to identify what (or who) could be the possible cause of errors.

As Stephen pointed out, there have been several papers addressing how individual error impacts biometric performance and the potential causes of these errors. Some of these errors are now being traced to gaps in biometric testing, including training (e.g. "How do you train someone who is difficult to train or doesn’t want to be trained?"), accessibility (e.g. "Are the performance results different in an operational environment than those collected in a lab?"), usability (e.g. "Can the system be used efficiently, effectively and consistently by a large population?") and the complexities of human factors in biometric testing performance. This raises the question: is the error always subject-centric?

In order to fill in some of these gaps, Stephen and his graduate students are looking at the traditional biometric modes and metrics to determine whether they are suitable in today’s testing and evaluation environments. During the CERIAS tech talk Stephen spotlighted the research of three of his graduate students:

  1. The Concept of Stability, a thesis by Kevin O’Connor: the examination of fingerprint stability across force levels;
  2. The Case of Habituation, by Jacob Hasselgren: quantitatively measuring habituation in biometric testing environments;
  3. Human Biometric Sensor Interaction, highlighting Michael Brokly’s research on test administrator errors in biometrics, including the effects of operator training, the workloads of both test administrators and test operators, fatigue and stress.

The biometrics community continues to investigate these questions in order to understand how the vast array of players in an operational data collection environment impact performance. In his closing statements, Stephen reiterated the complexities and challenges in biometric testing and how researchers are looking deeper into the factors affecting performance beyond a simple ROC/DET curve.

Featured Commentary: The Honorable Mark Weatherford, DHS Deputy Under Secretary for Cybersecurity

Thursday April 4, 2013
Summary by Marquita A. Moreland

During the introduction, Professor Spafford discussed Mark Weatherford's experience prior to becoming Deputy Under Secretary for Cybersecurity at DHS. He mentioned that Mr. Weatherford was CIO of the states of Colorado and California and director of security for the electric power industry. He noted that Mr. Weatherford has won a number of awards and spent a lot of time in cybersecurity in the Navy.

He also mentioned that under sequestration rules Mr. Weatherford was not allowed to travel. Mr. Weatherford wanted to be present but could not attend, so he decided to record a video.

Mark Weatherford began his commentary with the For Want of a Nail rhyme because he believes it illustrates a good way to approach the business of security. Mr. Weatherford expressed his appreciation for Professor Spafford, thanking him for how much he has helped advance the topic of cybersecurity and the development of some of the nation’s security leaders.

Mr. Weatherford proceeded to state that "we're in business where ninety nine percent secure, means you’re still one hundred percent vulnerable." An example he used was from 2008, when a large mortgage company that is no longer in business was concerned about the loss of its clients’ information. They decided to disable the USB ports on thousands of machines to prevent employees from copying data. They missed one machine, which was used by an analyst to load and sell customers’ data over a two-year period.

The cybersecurity threat, DHS’s role in cybersecurity, the President’s Executive Order on cybersecurity, and the lack of cyber talent across the nation are the four topics that Mr. Weatherford briefly explained.

Cybersecurity Threat:

  • The danger of a cyber attack is the number one threat facing the United States, bigger than the threat of Al Qaeda.
  • There is a lack of security practices, and water, electricity and gas are dangerously vulnerable to cyber attacks.
  • The banking and finance industry has been under a series of DDoS attacks since last summer. Almost every week there is a new set of banks under siege, alongside attacks such as the Shamoon attack on Saudi Aramco and the attack on Qatari RasGas.
  • In February of this year the emergency broadcast system in four states was attacked, with a message that said the nation was being attacked by zombies. The fact that someone can get into these systems raises safety and security concerns.
  • The Office of Cybersecurity and Communications (CS&C) has the largest cybersecurity role in DHS.
    • They help secure the federal civilian agency networks in the executive branch, primarily the .gov domain.
    • They also provide help to the private sector in the .com domain, with a focus on critical infrastructure.
    • They lead and coordinate the response to cyber events.
    • They work on national and international cybersecurity policies.
  • There are five divisions: Network Security Deployment, Federal Network Resilience, Stakeholder Engagement and Cyber Infrastructure Resilience, the Office of Emergency Communications, and the National Cybersecurity and Communications Integration Center.
  • Last year US-CERT resolved over 200,000 incidents involving different sectors, and ICS-CERT responded onsite to 177 incidents.

President’s Cybersecurity Executive Order (EO):

  • The EO was announced during the State of the Union speech.
  • There were two paragraphs regarding cybersecurity in the President’s State of the Union speech. Mr. Weatherford mentioned that when he was CIO, he worked every year to try to get at least a single sentence into the Governor’s State of the State speech, but was unsuccessful.
  • The EO’s significance is that it will help achieve:
    • Establishment of an up-to-date cybersecurity framework.
    • Enhancement of information sharing amongst stakeholders by:
      • Expanding the voluntary DHS Enhanced Cybersecurity Services (ECS) program.
      • Expediting classified and unclassified threat reporting information for the private sector.
      • Expediting the issuance of security clearances to critical infrastructure members in the private sector.

Cyber Challenges:

  • Mr. Weatherford stated that "the common denominator to all the work we do is the requirement for well trained and experienced cyber professionals."
  • DHS sponsors Scholarship for Service (SFS) with the National Science Foundation.
  • DHS co-sponsored the National Centers of Academic Excellence (CAE). Purdue was one of the first seven universities in the nation designated as a CAE, in 1999.
  • The lack of qualified people is one of the biggest problems, and Mr. Weatherford’s suggestions are:
    • Make people want to choose cyber security.
    • Government, academia and industry need to work together to change the public perception and to figure out how to make cybersecurity "cool".

Mr. Weatherford closed his commentary by stating "DHS wants to be your partner in cybersecurity whether you’re in the government, academia or the private sector. No one can go it alone in this business and be successful, so think of us as partners and colleagues, we really can help."

Panel 3: Security Education and Training (Panel Summary)


Thursday, April 4th, 2013

Panel Members:

  • Diana Burley, Associate Professor of Human and Organizational Learning, George Washington University
  • Melissa Dark, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University
  • Allan Gray, Professor and Director, Center for Food and Agricultural Business and Land O’Lakes Chair in Food and Agribusiness, Purdue University
  • Marcus K. Rogers, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University
  • Ray Davidson, Professor of Practice and Dean of Academic Affairs, SANS Technology Institute

Moderator: Professor Eugene Spafford, Executive Director, CERIAS

Summary by Rohit Ranchal

Current technological advances and the shortage of cyber security professionals require us to focus on cyber security education. The main challenge is how to fit the identified needs into a practical education or training program. Given the modern trend and popularity of MOOCs (Massive Open Online Courses), it is very important to consider online and distance education for cyber security. One important requirement is to have a business model in place to structure the MOOCs, because right now they only disseminate information. We need a structured curriculum that can take advantage of the freely available MOOCs.

The current trend in security problems suggests that we are moving away from traditional problems such as protocol vulnerabilities and reviewing RFCs to fix them. Most problems, such as policy-based vulnerabilities and social engineering, occur at the application level and the end-user level. So it is important to have exposure to the changing problems and to understand the associated legal and regulatory environment. Professionals need to be trained in organizational dynamics such as budgeting and investments, which are important to the business. Awareness of the bigger issues is also important, along with technical expertise.

One important thing to consider in information security education is the target population. When we consider educating everyone in the security awareness space, we focus on campaigns, reaching into K-12, educating elderly people, talking about cyber security war, etc. But the instructional language is not particularly persuasive. It is very important to think about the instructional language when the target audience is the masses.

Our current education system focuses on professionalization. Professionalization is a social phenomenon. A cyber security professional is someone who has to deal with high levels of uncertainty and high levels of complexity. A professional can have a specific technical background or expertise, or can have skills in the interdisciplinary space. The framework proposed by the National Initiative for Cyber Security Education lists seven high-level job roles, including some non-technical job roles as well. Cyber security professionals are not confined to the cyber security profession alone; many are in hybrid roles in the interdisciplinary space. Thus professionals should be educated and trained in such a way that they can carry out multiple tasks in their hybrid roles. Professionalization could also mean credentialing, education/degree, codes of ethics, certification, training, apprenticeship, etc. Professionalization can be debated in terms of various aspects such as applied vs. theoretical knowledge, concepts vs. technologies, vocational training vs. degree education, immediate needs vs. future needs, generalists vs. specialists, etc. We need to consider all these aspects. The underlying point is that professionalization induces a change in behavior. An important way to achieve that is through apprenticeship and mentoring. Some other professions strictly require apprenticeship and mentoring after completion of a degree in order to acquire practical training; on successful completion, the person is considered a professional. We need to bring apprenticeship and mentoring back into the security education curriculum. But things in the security space are changing so rapidly that no matter how much education is given, professionals will have to deal with a high level of uncertainty and complexity. One way to cope with this is to have people who are excited about the profession, are willing to constantly learn, and enjoy it. Professionalization should not be considered an end-point at which one arrives. The obvious question is how to find such people.

Some institutions, such as the SANS Technology Institute and (ISC)2, address this problem through certification. But how can we measure whether the certifications have any real value? It depends upon the training, knowledge and experience that goes into the certification. There are many different types of certifications, from weekend certifications to highly specialized certifications. Another thing to consider is that a certification implies that a professional has some valuable knowledge today, but says nothing about tomorrow, when the threats, situations and environment change. There is a shortfall of individuals at present, but how can we ensure that our education system balances that need for today with the need for professionals who are able to learn, analyze and synthesize the challenges of tomorrow that are not yet known?

If we look at other professions, many of them require licensing. Professionals in such professions have to renew their licenses to stay current with technologies and skills. Another difference is that cyber security professionals don’t carry the same liability if something goes wrong (e.g. a system gets hacked) as some other professions do; if a bridge falls down, you can talk to the civil engineer. Consider what would happen if all security jobs required a certification, and an organization hired a professional without certification to build a system that later gets broken: there could be terrible consequences such as lawsuits. Also consider that building a system requires system designers, developers and users. It is not easy to declare someone liable. The liability model is not appropriate at present, but we should move in that direction.

An important concern while educating and training security professionals is how to prevent them from turning bad, such as ethical hackers becoming unethical hackers. The argument is that the risk is high when only information is disseminated, but with education that risk is lowered. The goal of education is not just to impart knowledge but to provide the context, the morality and the ethics, and to teach that there are consequences to actions. Education is a socialization and acculturation process that induces the change in behavior. Education curricula should be designed in such a way that the mentor can effectively measure that change in behavior.

While addressing the education problem, it is important to understand that governments tend to be reactive and focus on present problems rather than being visionary, so it is very important for universities and industry to be visionary and to drive the education and training that focuses on the future and not the past.