The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)


Page Content

Panel 2: NSTIC, Trusted Identities and the Internet (Panel Summary)

Wednesday, April 3rd, 2013
Panel Members:
  • Cathy Tilton, VP Standards and Technology, Daon Solutions
  • Elisa Bertino, Professor, Computer Science and CERIAS Fellow, Purdue University
  • Stephen Elliot, Associate Professor, Technology Leadership & Innovation and CERIAS Fellow, Purdue University
  • Stuart S. Shapiro, Principal Information Privacy and Security Engineer, The MITRE Corporation
Moderator: Keith Watson, Information Assurance Research Engineer, CERIAS
Summary by Ruchith Fernando

Cathy Tilton was the first to present her views and she opened with an introduction to NSTIC. She mentioned that NSTIC strategy document came out in April 2011 is an outcome the President’s cyber security review.

Daon’s objective is “Enhancing commercial participation cross sector in the identity ecosystem” in collaboration with AARP, PayPal, Purdue University IT Department, American Association of Airport Executives and a major bank.

Daon pilot study consists of 4 components:
  • Technology component: This is based on a risk based multi factor authentication capability solution that leverages mobile devices called IdentityX. Based on the risk level of the transaction, the relying party would dynamically invoke some combination of authentication methods.
  • Research component: Deon teamed with the Purdue Biometric Lab in analyzing data coming from operational pilots to evaluate usability, accessibility, privacy, security, user acceptance and performance of the solution in various environments.
  • Trust frameworks: A research effort attempting to identify what gaps exists in trying to fit IdentityX solution to existing trust frameworks.
  • Operational Pilot: There are 5 relying parties from different sectors. Some with large and smaller subscriber bases implementing different use cases.

Professor Stephen Elliot presented his work at the Purdue Biometrics Laboratory where they have been working with a focus on testing and evaluation various biometrics since 2001. There is a multi faceted approach to the testing philosophy in this project which involves “in lab” testing, surveys and “in the wild” testing.

In lab testing is where there is a controlled environment where users carry out controlled transactions. These tests are carried out on three different operating systems, and evaluate interoperability by assessing whether users remember how to use the device and whether they can transfer that knowledge into another operating system. These sessions are recorded and are conducted over 4 to 6 weeks.

In the wild testing attempts to mimic various real life scenarios where the test subjects are given a mobile device for a month. The focus groups involved in testing include elderly, disabled and able-bodied individuals where there are about 10 to 15 participants in each group.

Professor Elisa Bertino was the next to present her views. She defined digital identity and introduced the concepts of strong identifiers and weak identifiers. Strong identifiers identify an individual uniquely. Weak identifiers are those that do not identify a person uniquely. Depending on the context an identifier may be a strong or a weak identifier.

Security and interoperability are concerns: In most identity management systems, the user is redirected to an identity provider when authenticating with a relying party. But this leads to privacy issues where the identity provider learns information about the user’s transactions. Protocols developed in VeryIDX project uses an identity token given to the user by the identity provider, which can be used without further interactions with the identity provider. Those protocols are very different with different information and different interaction models. Therefore achieving interoperability with other protocols is a challenge.

Linkability: When a user carries out two transactions with two different relying parties, the two relying parties may be able to use information they collect to identify that they are interacting with the same user. This further applies to the user carrying out two transactions with the same relying party.

Stuart S. Shapiro expressed his views on two main issues.

NSTIC This promotes selective attribute disclosure. In the case where individual subscribes to an online newspaper, from the subscriber’s privacy perspective, as long as the service provider can verify that he/she is a valid subscriber there is no need for any other identity information. But based on the business model, the service provider may need to know certain demographic data about the individual to be able to target advertisements and to be able to charge for advertisements. This is the issue of “Functional Minimums vs. Business Model Minimums”. Business models may require much more information than what is covered in functional requirements. NSTIC does not clearly address this issue.

Service providers are “not interested in individuals but are interested in categories”: This categorization may be either benign or harmful to individuals. Therefore even with privacy preservation techniques, if an individual can be categorized, this might lead to the leak of critical identity information.

This was the conclusion of the presentations by the panelists and the audience raised several questions:

Q: FIPS 2001 seems to be very applicable to your study.

Cathy Tilton: With regard to FIPS 2001, we are not doing anything with regard to smart card credentials. We are however looking at the ICAM (Identity, Credential, and Access Management) certification related to trust framework providers and identity providers.

Q: I assume you are trying to certify the protection of data bearing processes. Please explain how you are doing it on inherently insecure mobile device without a trust anchor.

Cathy Tilton: We include a private key in the keychain of the phone. We consider the phone an untrusted device. We use the key to set up a mutually authenticated TLS session with the phone. When this secure channel is established one can use this channel to collect information on the phone and send it back to the server where verification is performed.

Q: What about jailbroken devices?

Cathy Tilton: The device is considered untrusted. When secure elements are commercially available on mobile devices we will make use of those. Our approach has been BYOD (bring your own device) model for usability and familiarity. Therefore we have to manage with the capabilities and security features of those devices.

Q: How does liability fit into NSTIC?

Cathy Tilton: In our situation we are really more of a credential provider. Therefore it is a shared responsibility. Most of our relying parties already have all their identity information about their subscriber base. They do not share that information with us and they do the identity proofing. What they are looking from us is a strong credential. What becomes critical is the binding of the credential to the identity.

Prof. Bertino: The problem of liability is a very debated question. In software engineering who is liable for software mistakes? Identity management is very much the same. It is software, which needs to be secured to be working properly.

Q: How does NSTIC accommodate potential issues such as forcing users under duress to authenticate sensitive transactions?

Cathy Tilton: In our solution we have provisions to a “duress pin” where the relying party handles it according to their policy.

Stuart S. Shapiro: In a certain context duress is the status quo right now. In some cases, users lie about the requested information to obtain the service and avoid providing real identity information. If the certified attributes are required then there will be no option to lie. In such cases duress can increase rather than decrease.

Q: How do you see we achieve tradeoff between the fact that we have to reveal certain information about ourselves while certain generalized categories already reveal so much information about us?

Prof. Bertino: Services should provide customers the choice of revealing information and provide alternatives such as paying for those services. Systems should be flexible to support such options. Sometimes categorization can be benign, but for example, if a user is in the wrong passenger profile then he/she might have trouble getting through airport security. Even if a user is a very private user but he/she simply possess a certain feature in a population he/she might be automatically classified. I think this is separate problem and I don’t think NSTIC has to solve this.

Cathy Tilton: NSTIC from the supports both pseudonymous and anonymous credentials since there are many transactions that do not require any more information.

Q: How is the biometric data stored on the server? Is there anything equivalent to secure password hashes for biometrics data?

Cathy Tilton: All biometrics protected using all mechanisms that are normally used to protect data at rest such as encryption and audited access behind a firewall. If the cryptographic mechanisms fail, certain biometrics can leak information. But biometrics are not stored alongside identity information. When acting as a credential provider we have no identifying information associated with biometrics.

Q: What are the methods available to verify aliveness of a subject.

Cathy Tilton: Our aliveness support includes using photographs of different angles of a face and a challenge response mechanism with random and longer phrases for voice authentication. We are working on using video as well.

Q: What are interesting open research problems?

Prof. Elliot: There are many research problems with a lot of challenges in areas such as mobile usability testing.

Prof. Bertino: There’s a lot of work to be done in the anonymity techniques for digital identity and linkability analysis.

Stuart S. Shapiro: More sophisticated privacy risk modeling techniques are required. Need techniques for integrating privacy in an engineering sense.

Panel 1: Security Analytics, Analysis, and Measurement (Panel Summary)


Wednesday, April 3rd, 2013

Panel Members:

  • Alok Chaturvedi, Professor, Management, Purdue University
  • Samuel Liles, Associate Professor, Computer and Information Technology, Purdue University
  • Andrew Hunt, Information Security Researcher, the MITRE Corporation
  • Mamani Older, Senior Vice President, Information Security, Citigroup
  • Vincent Urias,Principle Member of Technical Staff, Sandia National Laboratories

Moderator: Joel Rasmus, Director of Strategic Relations, CERIAS

Summary by Ben Cotton

With “Big Data” being a hot topic in the information technology industry at large, it should come as no surprise that it is being employed as a security tool. To discuss the collection and analysis of data, a panel was assembled from industry and academia. Alok Chaturvedi, Professor of Management, and Samuel Liles Associate Professor of Computer and Information Technology, both of Purdue University, represented academia. Industry representatives were Andrew Hunt, Information Security Research at the MITRE Corporation, Mamani Older, Citigroup’s Senior Vice President for Information Security, and Vincent Urias, a Principle Member of Technical Staff at Sandia National Laboratories. Joel Rasmus, the Director of Strategic Relations at CERIAS, moderated the panel.

Professor Chaturvedi made the first opening remarks. His research focus is on reputation risk: the potential damage to an organization’s reputation – particularly in the financial sector. Reputation damage arises from the failure to meet the reasonable expectations of stakeholders and has six major components: customer perception, cyber security, ethical practices, human capital, financial performance, and regulatory compliance. In order to model risk, “lots and lots of data” must be collected; reputation drivers are checked daily. An analysis of the data showed that malware incidents can be an early warning sign of increased reputation risk, allowing organizations an opportunity to mitigate reputation damage.

Mister Hunt gave brief introductory comments. The MITRE Corporation learned early that good data design is necessary from the very beginning in order to properly handle a large amount of often-unstructured data. They take what they learn from data analysis and re-incorporate it into their automated processes in order to reduce the effort required by security analysts.

Mister Urias presented a less optimistic picture. He opened his remarks with the assertion that Big Data has not fulfilled its promise. Many ingestion engines exist to collect data, but the analysis of the data remains difficult. This is due in part to the increasing importance of meta characteristics of data. The rate of data production is challenging as well. Making real-time assertions from data flow at line rates is a daunting problem.

Professor Liles focused on the wealth of metrics available and how most of them are not useful. “For every meaningless metric,” he said, “I’ve lost a hair follicle. My beard may be in trouble.” It is important to focus on the meaningful metrics.

The first question posed to the panel was “if you’re running an organization, do you focus on measuring and analyzing, or mitigating?” Older said that historically, Citigroup has focused on defending perimeters, not analysis. With the rise of mobile devices, they have recognized that mere mitigation is no longer sufficient. The issue was put rather succinctly by Chaturvedi: “you have to decide if you want to invest in security or invest in recovery.”

How do organizations know if they’re collecting the right data? Hunt suggested collecting everything, but that’s not always an option, especially in resource-starved organizations. Understanding the difference between trend data and incident data is important, according to Liles, and you have to understand how you want to use the data. Organizations with an international presence face unique challenges since legal restrictions and requirements can vary from jurisdiction-to-jurisdiction.

Along the same lines, the audience wondered how long data should be kept. Legal requirements sometimes dictate how long data should be kept (either at a minimum or maximum) and what kind of data may be stored. The MITRE Corporation uses an algorithmic system for the retention and storage medium for data. Liles noted that some organizations are under long-term attack and sometimes the hardware refresh cycle is shorter than the duration of the attack. Awareness of what local log data is lost when a machine is discarded is important.

Because much of the discussion had focused on ways that Big Data has failed, the audience wanted to know of successes in data analytics. Hunt pointed to the automation of certain analysis tasks, freeing analysts to pursue more things faster. Sandia National Labs has been able to correlate events across systems and quantify sensitivity effects.

One audience member noted that as much as companies profess a love for Big Data, they often make minimal use of it. Older replied that it is industry-dependent. Where analysis drives revenue (e.g. in retail), it has seen heavier use. An increasing awareness of analysis in security will help drive future use.

On Competitions and Competence


This is a follow-up to my last post here, about the "cybersecurity profession" and education. I was moderating one of the panels at the most recent CERIAS Symposium, and a related topic came up.

Let's start with some short mental exercises. Limber up your cerebellum. Stretch out and touch your cognitive centers a few times. Ready?

There's another barn on fire! Quick, get a bucket brigade going -- we need to put the fire out before everything burns. Again. It is getting so tiring watching all our stuff burn while we're trying to run a farm here. Too bad we can only afford the barns constructed of fatwood. But no time to think of that -- a barn's burning again! 3rd time this week!

Hey, you people over there tinkering with designs for sprinkler systems and concrete barns -- cut it out! We can't spare you to do that -- too many barns are burning! And you, stop babbling about investigating and arresting arsonists -- we don't have time or money for that: didn't you hear me? Another barn is burning!

Now, hurry up. We're going to have a contest to find who can pass this pail of water the quickest. Yes, it is a small, leaky pail, but we have a lot of them, so that is what we're going to use in the contest. The winners get to be closest to the flames and have a name tag that says "fire prevention specialist." No, we can't afford larger buckets. And no, you can't go get a hose -- we need you in the line. Damnit! The barn's burning!

Sounds really stupid, doesn't it? Whoever is in charge isn't doing anything to address the underlying problem of poor barn construction. It doesn't really match the notion of what a fire prevention specialist might really do. And it certainly doesn't provide deep career preparation for any of those contestants... it may even condemn them to a future of menial bucket passing because we're putting them on the line with no training or qualification beyond being able to pass a bucket.

Let's try another one.

Imagine that every car and automobile in the country has been poorly designed. They almost all leak coolant and burn oil. They're trivial to steal. They are mostly cheap junkers, all built on the same frame with the same engines, accessories, and tires -- even the ones sold to the police and military (actually, they're the same cars, but with different paint). The big automakers are rolling out new models every year that they advertise as being more efficient and reliable, but that is simply hype to get you to buy a new car because the new features also regularly break down. There are a few good models available, but they are quite a bit more expensive; those more expensive ones often (but not always) break down less, are more difficult to steal, and get far better mileage. Their vendors also don't have a yearly model update, and many consumers aren't interested in them because those cars don't take the common size of tire or fuzzy dice for the mirror.

The auto companies have been building this way for decades. They sell their products around the world, and they're a major economic force. Everyone needs a car, and they shell out money for new ones on a regular basis. People grumble about the poor quality and the breakdowns, but other than periodic service bulletins, there are few changes from year to year. Many older, more decrepit cars are on the road because too many people (and companies) cannot afford to buy new ones that they know aren't much better than the old ones. Many people argue -- vociferously -- against any attempt to put safety regulations on the car companies because it might hurt such an important market segment.

A huge commercial enterprise has sprung up around fixing cars and adding on replacement parts that are supposedly more reliable. People pour huge amounts of money into this market because they depend on the cars for work, play, safety, shopping, and many other things. However, there are so many cars, and so many update bulletins and add-ons, there simply aren't enough trained mechanics to keep up -- especially because many of the add-ons don't work, or require continual adjustment.

What to do? Aha! We'll encourage young people in high school and maybe college to become "automotive specialists." We'll publish all sorts of articles with doom and gloom as a result of the shortage of people going into auto repair. We especially need lots more military mechanics.

So...we'll have competitions! We'll offer prizes to the individuals (or teams) that are able to change the oil of last year's model the most quickly, or who can most efficiently hotwire a pickup truck, take it to the garage, change the tires, and return it. The government will support these competitions. They'll get lots of press. Some major professional organizations and even universities will promote these. Of course we'll hire lots of mechanics that way! (Women aren't interested in these kinds of competition? We won't worry about that now. People who are poor with wrenches won't compete? No problem -- we'll fill in with the rest.)

Meanwhile, the government and major companies aren't really doing anything to fix the actual engineering of the automobiles. There are a few comprehensive engineering programs at universities around the country, but minimal focus and resources are applied there, and little is said about applying their knowledge to really fixing transportation. The government, especially the military, simply wants more mechanics and cheaper cars -- overall safety and reliability aren't a major concern.

Pretty stupid, huh? But there does seem to be a trend to these exercises.

Let's try one more.

We have a large population that needs to be fed. They've grown accustomed to cheap, fast-food. Everyone eats at the drive-thru, where they get a burger or compressed chicken by-product or mystery-meat taco. It's filling, and it keeps them going for the day. It also leads to obesity, hypertension, cardiac problems, diabetes, and more. However, no one really blames the fast-food chains, because they are simply providing what people want.

It isn't exactly what people should have, and is it really what everyone wants? No, there are better restaurants with healthy food, but that food is more expensive and many people would go hungry if they had to eat at those places given the current economic model. Of course, if they didn't need to spend so much on medicine and hospital stays, a healthier diet is actually cheaper. Also, those better places aren't easy to find -- small (or no) advertising budgets, for instance.

The government has contracted with the chains for food, and even serves it at every government office and on every military base. The chains thus have a fair amount of political clout so that every time someone raises the issue about how unhealthy the food is, they get muffled by the arguments "But it would be too expensive to eat healthy" and "Most people don't like that other food and can't even find it!"

We have a crisis because the demand for the fast-food is so great that there aren't enough fry cooks. So, the heads of major military organizations and government agencies observe we are facing a crisis because, without enough fry cooks, our troops will be overwhelmed by better fed people from China. Government officials and industry people agree because they can't imagine any better diet (or are so enamored of fried potatoes that they don't want anything else).

How do they address the crisis? By mounting advertising campaigns to encourage young people to enter the exciting world of "cuisine awareness." We make it seem glamorous. Private organizations offer certifications in "soda making" and "ketchup bottle maintenance" that are awarded after 3-day seminars. DOD requires anyone working in food service to have one of these certificates -- and that's basically all. We see educational institutes and small colleges offering special programs in "salad bar maintenance." The generals and admirals keep showing up at meetings proclaiming how important it is that we get more burger-flippers in place before we have a "patty melt Pearl Harbor."

The government launches a program to certify schools as centers of "Cuisine Awareness Exellence" if they can prove they have at least 5 cookbooks in the library, a crockpot, and two faculty who have boiled water. Soon, there are hundreds of places designated with this CAE, from taco trucks and hot dog stands to cordon bleu centers -- but lots are only hot dog stands. None of them are given any recipes, cooks, or financial support, of course -- simply designating them is enough, right?

When all of that isn't seen to be enough, the powers-that-be offer up contests that encourage kids to show up and cook. Those who are able to most quickly defrost a compressed cake of Soylent Red, cook it, stick it in a bun, and serve it up in a bag with fries is declared the winner and given a job behind someone's grill. Actually, each registered contestant gets a jaunty paper cap and offer of an immediate job cooking for the military (assuming they are U.S. citizens; after all, we know what those furriners eat sure isn't food!) And gosh, how could they aspire to be anything BUT a fry cook for the next 40 years -- no need to worry about any real education before they take the jobs.

Meanwhile, those studying dietetics, preventative health care, sustainable agriculture, haute cuisine, or other related topics are largely ignored -- not to mention the practicing experts in these fields. The people and places of study for those domains are ignored by the officials, and many of the potential employers in those areas are actually going out of business because of lack of public interest and support. The advice of the experts on how to improve diet is ignored. Find that disconcerting? Here -- have a deep-fried cherry pie and a chocolate ersatz-dairy item drink to make you feel better.

Did you sense a set of common threads (assuming you didn't blow out your cortex in the exercise)?

First, in every case, a mix of short-sighted and ultimately stupid solutions are being undertaken. In each, there are large-scale efforts to address pressing problems that largely ignore fundamental, systemic weaknesses.

Second, there are a set of efforts putatively being made to increase the population of experts, but only with those who know how to address a current, limited problem set. Fancy titles, certificates, and seminars are used to promote these technicians. Meanwhile, longer-term expertise and solutions are being ignored because of the perceived urgency of the immediate problems and a lack of understanding of cost and risk.

Third, longer-term disaster is clearly coming in each case because of secondary problems and growth of the current threats.

Why did this come up with my post and panel on cybersecurity? I would hope that would be obvious, but if not, let me suggest you go back to read my prior post, then read the above examples, again. Then, consider:

  • Nationally, we are investing heavily in training and recruiting "cyber warriors" but pitifully little towards security engineers, forensic responders, and more. It is an investment in technicians, not in educated expertise.
  • We have a marketplace where we continue to buy poorly-constructed products then pay huge amounts for add-on security and managing response; meanwhile, we have knowledgeable users complaining that they can't afford the up-front cost required to replace shoddy infrastructure with more robust items
  • Rather than listen to experts, we let business and military interests drive the dialog
  • We have well-meaning people who somehow think that "contests" are useful in resolving part of the problem

One of the most egregious aspects is this last item -- the increasing use of competitions as a way of drawing people to the field. Competitions, by their very nature, stress learned behavior to react to current problems that are likely small deviations from past issues. They do not require extensive grounding in multiple fields. Competitions require rapid response instead of careful design and deep thought -- if anything, they discourage people who exhibit slow, considerate thinking -- discourage them from the contests, and possibly from considering the field itself. If what is being promoted are competitions for the fastest hack on a WIntel platform, how is that going to encourage deep thinkers interested in architecture, algorithms, operating systems, cryptology, or more?

Competitions encourage the mindset of hacking and patching, not of strong design. Competitions encourage the mindset of quick recovery over the gestalt of design-operate-observe-investigate-redesign. Because of the high-profile, high-pressure nature of competitions, they are likely to discourage the philosophical and the careful thinkers. Speed is emphasized over comprehensive and robust approaches. Competitions are also likely to disproportionately discourage women, the shy, and those with expertise in non-mainstream systems. In short, competitions select for a narrow set of skills and proclivities -- and may discourage many of the people we most need in the field to address the underlying problems.

So, the next time you hear some official talk about the need for "cyber warriors" or promoting some new "capture the flag" competition, ask yourself if you want to live in a world where the barns are always catching fire, the cars are always breaking down, nearly everyone eats fast food, and the major focus of "authorities" is attracting more young people to minimally skilled positions that perpetuate that situation...until everything falls apart. The next time you hear about some large government grant that happens to be within 100 miles of the granting agency's headquarters or corporate support for a program of which the CEO is an alumnus but there is no history of excellence in the field, ask yourself why their support is skewed towards building more hot dog stands.

Those of us here at CERIAS, and some of our colleagues with strategic views elsewhere, remind you that expertise is a pursuit and a process, not a competition or a 3-day class, and some of us take it seriously. We wish you would, too.

Your brain may now return to being a couch potato. grin