CERIAS Weekly Security Seminar - Purdue University

Good research has scientific principles driving it. Analysts begin research with a goal in mind and at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles. About the speaker: Leigh Metcalf has 30 years of experience in STEM where she is an expert in not just one, but two completely different fields, Mathematics and Cybersecurity. In Mathematics, she has a PhD specializing in Algebraic Topology. She also spent many years working at technology companies, including startups, at established businesses, and now, she uses all that she learned at those companies to work for a Federally Funded Research and Development Center located at Carnegie Mellon University as a researcher in Cybersecurity. She the primary author of a book (Cybersecurity and Applied Mathematics, Elsevier), the co-author on a second book in preparation on Science and Cybersecurity. Leigh is also the co-Editor-in-Chief of a new academic journal (ACM Digital Threats: Research and Practice, https://dtrap.acm.org).

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however.  ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level.  Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general.  A list of the top five (of 78 known) ML security risks will be presented.

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however.  ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level.  Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general.  A list of the top five (of 78 known) ML security risks will be presented. About the speaker: Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series.  Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Code DX, Maxmyinterest, Runsafe Security, and Secure Code Warrior.  He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the Luddy School of Informatics, Computing, and Engineering.

There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance.  Everybody wants it. But do they really know what they want?  What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so?  This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our reference point.  The discussion then proceeds to examine how this has knock-on impacts in terms of the qualifications and certifications that may be held by our current and future workforce.  All are labelled as ‘cybersecurity’, but to what extent are they covering it, and how can those that need support tell the difference?

There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance.  Everybody wants it. But do they really know what they want?  What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so?  This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our reference point.  The discussion then proceeds to examine how this has knock-on impacts in terms of the qualifications and certifications that may be held by our current and future workforce.  All are labelled as ‘cybersecurity', but to what extent are they covering it, and how can those that need support tell the difference? About the speaker: Steven Furnell is a professor of cyber security at the University of Nottingham in the United Kingdom.  He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa.  His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection.  He has authored over 330 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System.  Prof.  Furnell is the current Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education, and human aspects of security.  He is the editor-in-chief of Information and Computer Security, as well as an associate editor for various other journals including Computers & Security and The Computer Journal.  His activities also include extensive contributions to international conferences in the security field, including keynote talks, event chairing, and programme committee memberships.  In terms of professional affiliations, Prof. Furnell is a senior member of the IEEE and the ACM, and a fellow of BCS, the Chartered Institute for IT.   He is also a Fellow and board member of the Chartered Institute of Information Security and chairs the academic partnership committee.

While users are responsible for initiating 90%+ of losses, it is not their fault. The entire system is what enables the losses, and the entire system must be designed to prevent them. Drawing lessons from safety science, counterterrorism, and accounting, this presentation details how to expect and stop user initiated loss.

While users are responsible for initiating 90%+ of losses, it is not their fault. The entire system is what enables the losses, and the entire system must be designed to prevent them. Drawing lessons from safety science, counterterrorism, and accounting, this presentation details how to expect and stop user initiated loss. About the speaker: Ira Winkler, CISSP, is the President of Secure Mentem and Author of the forthcoming books You Can Stop Stupid and Security Awareness for Dummies. He is considered one of the world's most influential security professionals and was named "The Awareness Crusader" by CSO magazine in receiving their CSO COMPASS Award.

In this talk, we explore security and privacy related to meta-learning, a learning paradigm aiming to learn 'cross-task' knowledge instead of 'single-task' knowledge. For privacy perspective, we conjecture that meta-learning plays an important role in future federated learning and look into federated meta-learning systems with differential privacy design for task privacy protection. For security perspective, we explore anomaly detection for machine learning models. Particularly, we explore poisoning attacks on machine learning models in which poisoning training samples are the anomaly. Inspired from that poisoning samples degrade trained models through overfitting, we exploit meta-training to counteract overfitting, thus enhancing model robustness.

In this talk, we explore security and privacy related to meta-learning, a learning paradigm aiming to learn 'cross-task' knowledge instead of 'single-task' knowledge. For privacy perspective, we conjecture that meta-learning plays an important role in future federated learning and look into federated meta-learning systems with differential privacy design for task privacy protection. For security perspective, we explore anomaly detection for machine learning models. Particularly, we explore poisoning attacks on machine learning models in which poisoning training samples are the anomaly. Inspired from that poisoning samples degrade trained models through overfitting, we exploit meta-training to counteract overfitting, thus enhancing model robustness. About the speaker: Yimin Chen is now a postdoctoral researcher in Computer Science department in Virginia Tech. Currently his research mainly focuses on differential privacy, anomaly detection, adversarial example, and private learning. Before he worked on security and privacy of mobile computing systems for his PhD study. He obtained a PhD degree from Arizona State University in 2018, a MPhil degree from Chinese University of Hong Kong in 2013, and a BS degree from Peking University in 2010.

Data brokers are the major players in the market of collecting, selling, and sharing online user information. Although their practices have raised tremendous privacy concerns, their data collection and sharing activities are still under the veil. The growth of adverse cybersecurity incidents toward the data brokers has led the regulators, including California and Vermont, to require the data brokers to register and disclose their activities. This paper analyzes the leaked information on the dark web to analyze the data sharing and collection activities among the data brokers. In specific, we cluster the data brokers based on their data collection activities given by their product description to quantify the activity proximity. Next, we empirically examine how activity proximity leads to co-occurrence on the leaked information in the dark web. We further discuss the deterrence effect of the data broker registration on information leakage. Our study contributes to cybersecurity assurance and risk assessment literature by unveiling the shadowy data-collecting and data-sharing market.

Data brokers are the major players in the market of collecting, selling, and sharing online user information. Although their practices have raised tremendous privacy concerns, their data collection and sharing activities are still under the veil. The growth of adverse cybersecurity incidents toward the data brokers has led the regulators, including California and Vermont, to require the data brokers to register and disclose their activities. This paper analyzes the leaked information on the dark web to analyze the data sharing and collection activities among the data brokers. In specific, we cluster the data brokers based on their data collection activities given by their product description to quantify the activity proximity. Next, we empirically examine how activity proximity leads to co-occurrence on the leaked information in the dark web. We further discuss the deterrence effect of the data broker registration on information leakage. Our study contributes to cybersecurity assurance and risk assessment literature by unveiling the shadowy data-collecting and data-sharing market. About the speaker: Tawei (David) Wang is currently an Associate Professor and Driehaus Fellow at DePaul University. He received his Ph.D. from Krannert Graduate School of Management, Purdue University in 2009. His research interests are information security management and IT management. His papers have appeared in several leading journals, including Information Systems Research, Decision Support Systems, European Journal of Information Systems, Information and Management, Information Systems Journal, Journal of Accounting and Public Policy, Journal of Banking and Finance, Journal of Information Systems, among others. His articles have been downloaded more than 40,000 times through Science Direct. He was a speaker at events hosted by the  Institute of Internal Auditors and Institute of Management Accountants, and a panelist in a cyber risk workshop hosted by the Federal Reserve Bank Charlotte. He was selected to be the KPMG James Marwick Professor in Residence in 2018.

Modern cybercrimes are responsible for $400B dollars of losses on an annual basis. Headlines appear regularly announcing major breaches. Yet few people and businesses understand what happened in such incidents and how to avoid being a victim themselves. The security industry does provide analyses of breach statistics, but effective preventative measures can be lost in the numbers. Virtually all breaches result from technology failure combined with people failure. This presentation will look at actual recent cybercrimes in order to document what happened and what could have prevented that incident. Who carried out the breach? What did they do? What was taken? How could it have been stopped? What was the story behind the breach? Attack types include ransomware, business email compromise, intellectual property theft and breach of Personally Identifiable Information. By being more familiar with current successful threats and breaches you will: · Be able to avoid high risk activities, if possible · Be able to be better prepared to stop such an attack against you or your organization · Be able to optimize security spending and resources for actual attack patterns This presentation is designed for both security professionals and business professionals who want to better secure their assets and processes against the increasing number of cyber criminals.

Modern cybercrimes are responsible for $400B dollars of losses on an annual basis. Headlines appear regularly announcing major breaches. Yet few people and businesses understand what happened in such incidents and how to avoid being a victim themselves. The security industry does provide analyses of breach statistics, but effective preventative measures can be lost in the numbers. Virtually all breaches result from technology failure combined with people failure.This presentation will look at actual recent cybercrimes in order to document what happened and what could have prevented that incident. Who carried out the breach? What did they do? What was taken? How could it have been stopped? What was the story behind the breach? Attack types include ransomware, business email compromise, intellectual property theft and breach of Personally Identifiable Information. By being more familiar with current successful threats and breaches you will:· Be able to avoid high risk activities, if possible· Be able to be better prepared to stop such an attack against you or your organization· Be able to optimize security spending and resources for actual attack patternsThis presentation is designed for both security professionals and business professionals who want to better secure their assets and processes against the increasing number of cyber criminals. About the speaker: Frederick W.Scholl is an accomplished global information security risk manager with a unique record of accomplishment in business and technology.  He is one of the few people in the cybersecurity industry with business experience from start-up to board member, and security experience from practitioner to manager.  He is now Cybersecurity Program Manager and Associate Teaching Professor at Quinnipiac University.  He started the online Cybersecurity Master's degree program there in 2018.  Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University.  He completed an Internet Law Program from Harvard and holds CISM, CISSP, ITIL and CHP security certifications. He is listed in 2020 "Who's Who in America".

The nature of cybersecurity and modern life is such that we feel pressured to run just to keep up, this leaves us no time to look back and reflect on how we got where we are as an industry and field of study, nor to learn about the people who led the way. In this presentation we will dig into the stories of some of the people who were foundational in the field we know call cybersecurity, some well-known, others obscure.

The nature of cybersecurity and modern life is such that we feel pressured to run just to keep up, this leaves us no time to look back and reflect on how we got where we are as an industry and field of study, nor to learn about the people who led the way.In this presentation we will dig into the stories of some of the people who were foundational in the field we know call cybersecurity, some well-known, others obscure. About the speaker: Jack Daniel is the Community Advocate for Tenable, is a co-founder of Security BSides, a community builder, storyteller, technologist, historian, mentor, and security professional. He has over 20 years' experience in network and system administration and security, and has worked in a variety of practitioner and management positions. Jack is a technology community activist, a podcaster, and a frequent speaker at technology and security events.