CERIAS Weekly Security Seminar - Purdue University show


Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discoveries, case studies or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's-who in cybersecurity.


Podcasts:

 Santiago Torres-Arias, "Practical software Supply Chain Security and Transparency" | File Type: video/mp4 | Duration: Unknown

The software development process, or software supply chain, is quite complex and involves a number of independent actors. This ever-growing complexity has led to various software supply chain compromises: from XCodeGhost injecting malware into millions of apps, to the highly publicized SolarWinds compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both Open Source and Industry --- such as SigStore, CoSign and in-toto --- to protect millions of users across the globe.

 Santiago Torres-Arias, Practical software Supply Chain Security and Transparency | File Type: video/mp4 | Duration: 2425

The software development process, or software supply chain, is quite complex and involves a number of independent actors. This ever-growing complexity has led to various software supply chain compromises: from XCodeGhost injecting malware into millions of apps, to the highly publicized SolarWinds compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both Open Source and Industry --- such as SigStore, CoSign and in-toto --- to protect millions of users across the globe. About the speaker: Dr. Torres-Arias' current research focuses on securing the software development life-cycle. Previously, his research focused on secure password storage mechanisms and update systems. He is the team lead of in-toto, a framework to secure the software development life-cycle, as well as PolyPasswordHasher, a password storage mechanism that is highly resilient to offline password cracking. He also contributes to The Update Framework (TUF), the software update system being integrated into a variety of projects such as Docker, CPAN, and others.

 Greg Akers, SDN/NFV in the ICS, SCADA and Manufacturing World as a Cyber Security Tool | File Type: video/mp4 | Duration: 2632

A discussion about where we are in the commercial SDN/NFV world today and where we are headed. What are the next generation threats beyond where we are today, and how software definability may be an asset in the defender's toolkit. Also looking at the intersection point between SDN/NFV and AI/ML: how this changes the defense calculus and alters the attack surface, and what capabilities we need to develop in the practitioner, consumer and defender worlds. About the speaker: Greg Akers was the Senior Vice President & CTO of Advanced Security Research & Government and Chief Technology Officer within the Security & Trust Organization (STO) group at Cisco. With more than two decades of executive experience, Akers brought a wide range of technical and security knowledge to this role. A major focus of his group was to expand security awareness and launch product resiliency initiatives throughout Cisco's development organization to deliver high-quality and secure products to customers. He also served as executive sponsor of the Cisco Disability Awareness Network. Akers joined Cisco in 1993. He held a variety of technical, managerial and executive roles at Cisco, including networking engineer, Vice President for the Worldwide Technical Assistance Center, Senior Vice President-CTO Services and Senior Vice President-Global Governments Solutions Group. He also holds the CCIE certification. In addition, Akers is an Internet security and critical infrastructure protection advisor to Cisco customers and to the U.S. government. He regularly advises and directs activities relative to technology and security matters of domestic and international importance. Akers has also advised the U.S. Department of Defense and the federal intelligence community for more than fifteen years. Before joining Cisco, Akers' career included more than 15 years of designing, building, and running large networks for Fortune 100 companies. He has held senior technical and leadership roles at Fechheimer Brothers, a holding of Berkshire Hathaway, and Procter and Gamble. Akers holds a bachelor of science degree in chemical engineering from the University of Akron.

 Greg Akers, "SDN/NFV in the ICS, SCADA and Manufacturing World as a Cyber Security Tool" | File Type: video/mp4 | Duration: Unknown

A discussion about where we are in the commercial SDN/NFV world today and where we are headed. What are the next generation threats beyond where we are today, and how software definability may be an asset in the defender's toolkit. Also looking at the intersection point between SDN/NFV and AI/ML: how this changes the defense calculus and alters the attack surface, and what capabilities we need to develop in the practitioner, consumer and defender worlds.

 Randall Brooks, "Cyber Supply Chain Risk Management (SCRM) and its impact on information and Operational Technology (IT/OT)" | File Type: video/mp4 | Duration: Unknown

In a growing, interdependent marketplace, it is nearly impossible to develop every part or component in house. Electronics are almost entirely manufactured offshore. Concerns have risen about the trustworthiness of electronics that may contain extra or potentially malicious functionality. Traditional supply chain risk management only deals with the supplier's ability to deliver a product on time and within budget. Cyber aspects focus on the trustworthiness of the product that was delivered. Vendors that are themselves procuring products, such as test systems or subtractive or additive manufacturing equipment, are now concerned that the products they produce are affected by Cyber Supply Chain Risk Management (C-SCRM).

 Randall Brooks, Cyber Supply Chain Risk Management (SCRM) and its impact on information and Operational Technology (IT/OT) | File Type: video/mp4 | Duration: 3416

In a growing, interdependent marketplace, it is nearly impossible to develop every part or component in house. Electronics are almost entirely manufactured offshore. Concerns have risen about the trustworthiness of electronics that may contain extra or potentially malicious functionality. Traditional supply chain risk management only deals with the supplier's ability to deliver a product on time and within budget. Cyber aspects focus on the trustworthiness of the product that was delivered. Vendors that are themselves procuring products, such as test systems or subtractive or additive manufacturing equipment, are now concerned that the products they produce are affected by Cyber Supply Chain Risk Management (C-SCRM). About the speaker: Mr. Randall Brooks is a Principal Engineering Fellow for Raytheon Technologies (NYSE: RTX). He is the Director of the Raytheon Cyber Center of Excellence. Brooks represents the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance (CSA). He has more than 20 years of experience in cybersecurity with a recognized expertise in software assurance (SwA) and secure development life cycles (SDLCs). In addition to holding eight patents, Mr. Brooks is a CISSP, CSSLP, ISSEP, ISSAP, ISSMP, and CCSK. He graduated from Purdue University with a Bachelor of Science from the School of Computer Science.

 Caroline Wong, Security Industry Context | File Type: video/mp4 | Duration: 2806

Join Caroline Wong, Cobalt.io's head of Security and People, for a unique perspective on the role of humans in cybersecurity. About the speaker: Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager and day-to-day leadership roles at eBay and Zynga. She teaches cybersecurity courses on LinkedIn Learning and is a member of the Forbes Technology Council. Wong was named 2019 Cyber Educator of the Year in the 6th Annual Cyberjutsu Awards. She authored the popular textbook Security Metrics: A Beginner's Guide, published by McGraw-Hill. Wong graduated from U.C. Berkeley with a BS in electrical engineering and computer sciences and holds a certificate in finance and accounting from Stanford University Graduate School of Business.

 Caroline Wong, "Security Industry Context" | File Type: video/mp4 | Duration: Unknown

Join Caroline Wong, Cobalt.io's head of Security and People, for a unique perspective on the role of humans in cybersecurity.

 Cory Doctorow, Technology, Self-Determination, and the Future of the Future | File Type: video/mp4 | Duration: 3793

Self-determination is the key to human thriving; it's also the enemy of both dictatorships and monopolies. It's no coincidence that the commercial imperatives of tech monopolies create the infrastructure for political oppression. The public-private partnership from hell looks like this: companies install surveillance and other systems of control to extract higher rents from their customers and ward off competitors. Then states seize that surveillance and control apparatus to gain and consolidate power. That's the bad news. The good news is that it means that those of us fighting dictatorships have natural allegiances with those fighting monopolies -- and vice versa. About the speaker: Cory Doctorow (craphound.com) is a science fiction author, activist, and journalist. He is the author of RADICALIZED and WALKAWAY, science fiction for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER. His latest book is POESY THE MONSTER SLAYER, a picture book for young readers. His next book is ATTACK SURFACE, an adult sequel to LITTLE BROTHER. He maintains a daily blog at Pluralistic.net. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina's School of Library and Information Science and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles. Photo source: https://en.wikipedia.org/wiki/Cory_Doctorow#/media/File:Cory_Doctorow_portrait_by_Jonathan_Worth_2.jpg by Jonathan Worth

 Cory Doctorow, "Technology, Self-Determination, and the Future of the Future" | File Type: video/mp4 | Duration: Unknown

Self-determination is the key to human thriving; it's also the enemy of both dictatorships and monopolies. It's no coincidence that the commercial imperatives of tech monopolies create the infrastructure for political oppression. The public-private partnership from hell looks like this: companies install surveillance and other systems of control to extract higher rents from their customers and ward off competitors. Then states seize that surveillance and control apparatus to gain and consolidate power. That's the bad news. The good news is that it means that those of us fighting dictatorships have natural allegiances with those fighting monopolies -- and vice versa.

 Levi Lloyd, Securing the Software Supply Chain | File Type: video/mp4 | Duration: 3076

In December 2020, FireEye discovered a supply chain attack against the SolarWinds Orion network management system.  The impact of this event has caused the cybersecurity community to reevaluate how we think about threats coming from the software supply chain.  At Lawrence Livermore National Laboratory we have been developing software assurance tools for many years to automate the analysis of software to enable asset owners and operators to make sound decisions about the software in their environments.  In this presentation, I will describe this effort, talk about some of our tools, and discuss ways to mitigate future supply chain attacks. About the speaker: Levi Lloyd is a cybersecurity researcher at Lawrence Livermore National Laboratory where he works in the Cyber and Infrastructure Resilience program.  His interests include software assurance, binary analysis and reverse engineering, malware analysis, and network traffic analysis and defense.  He has been involved in the creation of several frameworks aimed at doing cybersecurity analyses at scale.

 Levi Lloyd, "Securing the Software Supply Chain" | File Type: video/mp4 | Duration: Unknown

In December 2020, FireEye discovered a supply chain attack against the SolarWinds Orion network management system.  The impact of this event has caused the cybersecurity community to reevaluate how we think about threats coming from the software supply chain.  At Lawrence Livermore National Laboratory we have been developing software assurance tools for many years to automate the analysis of software to enable asset owners and operators to make sound decisions about the software in their environments.  In this presentation, I will describe this effort, talk about some of our tools, and discuss ways to mitigate future supply chain attacks.

 Steve Lipner, Lessons Learned – Fifty Years of Mistakes in Cybersecurity | File Type: video/mp4 | Duration: 3067

Over fifty years, I've led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads, including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off. About the speaker: Steve Lipner is the executive director of SAFECode, a nonprofit focused on software assurance. He was the creator of the Windows Security Push and the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). Steve has more than a half century of experience in computer and network security as a researcher, engineer, and development manager. He is chair of the United States Government's Information Security and Privacy Advisory Board, and a member of the National Academy of Engineering and the National Cybersecurity Hall of Fame.

 Steve Lipner, "Lessons Learned – Fifty Years of Mistakes in Cybersecurity" | File Type: video/mp4 | Duration: Unknown

Over fifty years, I've led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads, including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off.

 Scott Shackelford, "The Internet of Things: What Everyone Needs to Know" | File Type: video/mp4 | Duration: Unknown

The Internet of Things (IoT) is the notion that nearly everything we use, from gym shorts to streetlights, will soon be connected to the Internet. Industry and financial analysts have predicted that the number of Internet-enabled devices will increase from 11 billion to upwards of 25 billion in coming years. Regardless of the number, the end result looks to be a mind-boggling explosion in Internet-connected stuff. Yet relatively little attention has been paid to how we should go about regulating smart devices, and still less to how cybersecurity should be enhanced. Similarly, now that everything from refrigerators to stock exchanges can be connected to a ubiquitous Internet, how can we better safeguard privacy across networks and borders? This talk will explore these issues by drawing on the recently published book 'The Internet of Things: What Everyone Needs to Know.' Our discussion will also be framed by the findings of a recent report for the Indiana Executive Council on Cybersecurity entitled 'State of Hoosier Cybersecurity 2020.'
