CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

Nick Sturgeon, Cyber Risk Management 101 | File Type: video/mp4 | Duration: 4577

How does an organization know which security controls, applications, or programs to implement, when everything is a threat and every system is vulnerable? Looking at cybersecurity through a risk management lens is one way of reducing the noise of the threat environment. This presentation will discuss why having a Cyber Risk Management (CRM) program is a critical piece of an effective cybersecurity program. It discusses the various Cyber Risk Management frameworks, the building blocks of an effective CRM program, the regulatory and standards bodies driving cyber-risk management, metrics, the CRM life cycle, and finally how CRM fits into the overall Enterprise Risk Management program. At the end of the presentation the attendees will have the building blocks to start building a Cyber Risk Management program in their organizations. Additionally, this presentation will look at a few case studies through the cyber risk lens and at how a CRM program would have aided in identifying those issues and risks.

About the speaker: Nick Sturgeon currently serves as a Director of Information Security for IU Health and IU School of Medicine. His responsibilities include supporting the IU School of Medicine cyber risk management program and leading IU Health's Security Research & Red Team. Nick has worked in Information Technology for over 15 years, with 10 years in Cybersecurity, nine years in Law Enforcement, and 10 years in State Government. Nick earned his Bachelor of Science in Management Information Systems from Indiana State in 2003 and a Master of Science in Cyber Forensics from Purdue in 2015. Nick has extensive experience in incident response, digital investigations, criminal investigations, digital media recovery, criminal law, data governance, endpoint protection, network and log analysis, vulnerability management, security operations, incident management, project management, instruction, and service implementation of managed security services. Throughout his career he has supported multiple industries and sectors including academia, State/Local/Tribal/Territorial (SLTT) governments, healthcare, Information Technology and manufacturing. In addition to his current duties, Nick is a host on two podcasts, a part-time Information Security Instructor at UTSA and an Adjunct Professor at the University of Southern Indiana. He also serves as a board member for the Cyber Resilience Institute, the Ohio River Valley Chapter of the Cloud Security Alliance, and the National Council of Registered ISAOs.

Vireshwar Kumar, Security and Privacy of Connected Autonomous Vehicles | File Type: video/mp4 | Duration: 3421

The upcoming smart transportation systems, which consist of connected autonomous vehicles, are poised to transform our everyday life. The sustainability and growth of these systems to their full potential will significantly depend on the robustness of these systems against security and privacy threats. Unfortunately, the communication protocols employed in these systems lack mainstream network security capabilities due to energy constraints of the deployed platforms and bandwidth constraints of the communication medium. In this talk, I will present the results of my efforts in anatomizing the two vital communication protocols employed in smart transportation: (1) the vehicle-to-everything (V2X) communication protocol, which is utilized to facilitate wireless communication among connected vehicles, and (2) the controller area network (CAN) protocol, which is utilized within an autonomous vehicle to enable real-time control of critical automotive components including brakes. For each of these two protocols, I will first describe the inquisitive approach which led to the discovery of the new security vulnerabilities. Then, through experiments on real-world systems, I will demonstrate how these vulnerabilities can be exploited to launch malicious attacks which evade the state-of-the-art defense mechanisms employed in these systems. I will conclude the talk by discussing novel countermeasures which are required to mitigate these fundamental vulnerabilities and prevent their exploitation.

About the speaker: Dr. Vireshwar Kumar is a Postdoctoral Research Associate in the Department of Computer Science at Purdue University. Vireshwar earned his B.Tech. in Electrical Engineering at Indian Institute of Technology Delhi in 2009, and his Ph.D. in Computer Engineering at Virginia Tech in 2016. He was the recipient of the outstanding Ph.D. student award by the Center for Embedded Systems for Critical Applications at Virginia Tech. He also had a short stint as a Project Assistant in the Department of Electrical Communication Engineering at Indian Institute of Science in 2010. His research interests include discovering and mitigating security vulnerabilities in the communication protocols employed in cyber-physical systems, e.g., smart home, smart transportation and smart city. Vireshwar's research work has featured in top-tier security venues including the ACM Conference on Computer and Communications Security (CCS) and IEEE Transactions on Information Forensics and Security (TIFS). He has also served on the TPC of flagship conferences including the IEEE Conference on Communications and Network Security (CNS) and the IEEE International Symposium on Dynamic Spectrum Access Networks (DySPAN).

Matt Mickelson, Physics-Based Approaches for creating Cyber Resilient Systems | File Type: video/mp4 | Duration: 3145

Our reliance on Cyber-Physical Systems (CPS) is growing. As CPS infrastructure becomes exposed to the contested world through networks, CPS security becomes much more important. In a CPS, the cyber components manage the physical components. We propose that the overall goal for CPS resiliency is to have the physical systems behave properly regardless of fault and disruption. Our approach to CPS resiliency focuses on the physical components. Specifically, the inertia of the physical components provides a natural but limited resilience, and is capable of tolerating short-term disruption without affecting the health and safety of the CPS. This, and the fact that CPS have a large difference between physical and cyber time scales, enables a unique approach to CPS resiliency. This talk will present our approach of engineering the cyber components to be brittle against attack, which consequently forces cyber attacks and related disruptions to be short-lived and within the tolerance of the physical system's inertia.

About the speaker: Mr. Mickelson is a Principal in MITRE's Naval Program Division. Matt has spent twenty years integrating emerging technologies, including cyber, AI, and autonomy, to improve some of the world's largest organizations. He has given invited talks in academia and industry. He was a keynote speaker at last year's IEEE ICTAI conference and recently an invited speaker for the National Cyber Security Alliance at the NASDAQ. As a child, he convinced his parents they needed a color TV, and ever since, he has had a passion for identifying and developing disruptive technology. Now, he actively coordinates advanced research programs in cybersecurity at the Office of Naval Research (ONR).

Yuhong Nan, Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps | File Type: video/mp4 | Duration: 2039

A long-standing challenge in analyzing information leaks within mobile apps is to automatically identify the code operating on sensitive data. With all existing solutions relying on system APIs (e.g., IMEI, GPS location) or features of user interfaces (UI), the content from app servers, such as a user's Facebook profile or payment history, falls through the cracks. In this talk, I will introduce ClueFinder, a novel semantics-driven solution for automatic discovery of sensitive user data, including data from the server side. ClueFinder utilizes natural language processing (NLP) to automatically locate the program elements (variables, methods, etc.) of interest, and then performs a learning-based program structure analysis to accurately identify those that indeed carry sensitive content. Using this new technique, we analyzed over 400k popular apps, an unprecedented scale for this type of research. Our findings bring to light the pervasiveness of information leaks, and the channels through which the leaks happen, including unintentional over-sharing across libraries and aggressive data acquisition behaviors.

About the speaker: Dr. Yuhong Nan is a Post-Doctoral Research Associate at Purdue University. He earned his Ph.D. in the School of Computer Science at Fudan University, China, with the honor of the 2018 ACM SIGSAC China Doctoral Dissertation Award. His research interests span privacy leakage detection in mobile and IoT platforms, security enhancement for IoT systems, and cyber-attack investigation with audit logs.

Doug Rapp, Security, Ethics and the End of the World as We Know It | File Type: video/mp4 | Duration: 3765

Imagine a world where data is currency. A world where the majority of the data is owned and traded by 6 international data barons who are constantly at war with each other. In this world, rogue AI persecutes whole segments of the population while nations become Petri dishes for mind control. Most people move about daily life oblivious to the knowledge that someone is controlling them, telling them where to go, what to buy, and even how to vote. If you object, millions of cameras track you and pick you out of a crowd, where you are intercepted by the authorities and taken off to be reprogrammed. Sound like Minority Report? The Matrix? Black Mirror? Welcome to 2020. The data revolution and convergence are making the industrial revolution look like a blip on the radar when it comes to change. Join me as we discuss complex issues surrounding ethics in a new world. Who gets to collect and control data? How is AI influenced by data reflecting undesirable human behavior? Should we influence that data to reflect the values we aspire to? If so, who gets to decide the value system? What is the line between advertising and social engineering, and is it eroding the concepts of free will and democracy? Is anyone even thinking about this? These are the ethical questions that are being decided (or not decided) today that will shape your tomorrow.

About the speaker: Douglas Rapp, CISM, is a cybersecurity catalyst. Throughout his career, you will find him squarely at the center of countless firsts. These include writing the first State-level cyber incident response plan, leading the Crit-Ex National Exercise, establishing the Region 5 Cyber Protection Team, and establishing Indiana's first Cyber Working Group, which later evolved into both the Indiana Cybersecurity Executive Council and the Cyber Leadership Alliance. Doug has served as the Advisor to the State of Indiana for Cybersecurity and authored Indiana's Cybersecurity Economic Development Plan. He has started, scaled, and pivoted cybersecurity businesses and serves as a consultant and Entrepreneur in Residence for Purdue University. His most recent accomplishment was creating a statewide immersion cybersecurity workforce development program and raising $3M USD in commitments to student financial assistance. Doug is a published author and international speaker, and has testified before Congress on cybersecurity workforce development. A decorated combat veteran, his greatest accomplishment is having raised two amazing children and having been trusted with America's sons and daughters.

Char Sample, The Role of Culture in Cybersecurity | File Type: video/mp4 | Duration: 3296

Distinguished social psychologist Geert Hofstede observed that the "dominance of technology over culture is an illusion. The software of the machines may be globalized, but the software of the minds that use them is not." The role of culture in the thought process is so prevalent, yet unstated, that many cultural beliefs and biases are accepted as truths. These cultural beliefs and biases are commonly infused into behavioral norms identifying behaviors that can be observed. While historically these observations have taken place in the physical realm, this talk discusses the findings of cultural markers in the cyber realm. Dr. Sample presents and discusses recent interdisciplinary, evidence-based research using culture-based models of various cyber actors (attackers, defenders and victims) to explain observations in cybersecurity behaviors. These studies were performed over the past several years using public data found in the Zone-H archives. The mining of the Zone-H archives, with over 10 million records of raw data, allowed for research into behaviors, choices and reasons. By using Hofstede's cultural framework to define culture, along with some basic inferential statistics, specific digital identifiers were associated with cultural dimensions, allowing for more accurate modeling of cyber actors based on cultural values. The results supported Nisbett's observation that people "think the way they do because of the nature of the societies they live in". The discussion centers on the six dimensions of culture, the values associated with each dimension and examples of those values in cyber space. The six cultural dimensions measure views on values of self-determination, collectivism, aggression, nurturing, uncertain outcomes, holism, instant gratification, and levels of societal openness. The behavioral traits that associate with the cultural values are behavioral traits that are consistent with cyber behaviors.

About the speaker: Dr. Char Sample is the Chief Cybersecurity Research Scientist for the Cybercore division at Idaho National Laboratory. Dr. Sample is a visiting academic at the University of Warwick, Coventry, UK and a guest lecturer at Bournemouth University, Rensselaer Polytechnic University and Royal Holloway University. Dr. Sample has over 20 years' experience in the information security industry. Dr. Sample's research focuses on deception and the role of cultural values in cybersecurity events. More recently she has begun researching the relationship between human cognition and machines. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are data resilience, cyber-physical systems and industrial control systems.

Syed Rafiul Hussain, Automated Reasoning of Security and Privacy of Cellular Networks | File Type: video/mp4 | Duration: 3250

Cellular technologies enable a wide array of critical services, from personal communication, autonomous vehicles and telemedicine to critical infrastructures such as smart grid electricity distribution. Unfortunately, security and user privacy for such complex networks are often considered as afterthoughts. This leads to inadequate security evaluation early in the development cycle that fails to identify missing security and privacy guarantees in protocol designs. To make matters worse, unsafe practices and operational oversights stemming from poor input sanitization and unvetted simplification of complex protocol interactions further contribute to the deviation of deployments from designs. In this talk, I will highlight how my research addresses these problems by developing principled techniques for analyzing design specifications and deployments of complex cellular network protocols. I will first present a new adversarial reasoning technique combining the capabilities of a symbolic model checker and a cryptographic protocol verifier that enabled us to identify 20+ new vulnerabilities in 4G and 5G cellular network design specifications. I will then discuss three new side-channel attacks in 4G and 5G networks uncovered with our dedicated probabilistic reasoning technique. Next, I will talk about a fuzzing technique which is more effective than the state of the art in reasoning about the syntactic and semantic correctness of an implementation when binary instrumentation is not realizable and direct feedback on code coverage information is missing. Finally, I will conclude with a discussion of the challenges in adapting and scaling our current approaches for a holistic analysis of 5G and next-generation cellular networks, and IoT systems.

About the speaker: Syed Rafiul Hussain is a Postdoctoral Researcher in the Department of Computer Science at Purdue University, where he also received his Ph.D. in December 2018. His research interests broadly lie in network and system security, with a focus on the fundamental improvement of security and privacy analysis of emerging networks and cyber-physical systems, including cellular networks and the Internet-of-Things. His papers have received awards and nominations, including the ACSAC'19 distinguished paper award, the NDSS'19 distinguished paper award honorable mention, and the ACM SIGBED EWSN'17 best paper award nomination. He has been inducted twice into the GSMA Mobile Security Research Hall of Fame for his contribution to identifying 20+ new protocol flaws in 4G and 5G cellular networks. His findings led to several changes in the 4G and 5G cellular protocol designs and in operational networks. His work has been featured by mass media outlets worldwide, including the New York Times, Washington Post, Forbes, MIT Technology Review, and The Register.

Abe Baggili, Immersive Virtual Insanity: Exploring Immersive Virtual Reality Security and Forensics | File Type: video/mp4 | Duration: 3573

The Virtual Reality (VR) market could surpass $40 billion by 2020. The U.S. Military recently closed a deal worth $480 million for the Microsoft HoloLens Mixed Reality (MR) device. Oculus has already released the first immersive VR system that is mobile, with no wires and no need for a high-end gaming PC, for $399. While these are exciting times, an important question needs to be investigated: Are we ensuring the security and privacy of these systems? In this talk I will present various experiments and findings we conducted in our lab related to the security and forensics of consumer-grade immersive VR systems. I will show you how we are able to move people in physical spaces without their knowledge or consent, as well as other attacks that we coined and implemented related to immersive VR. Furthermore, we will also explore the forensic artifacts these systems produce.

About the speaker: Dr. Ibrahim (Abe) Baggili is the Elder Family Endowed Chair of Computer Science & Cybersecurity at the Tagliatela College of Engineering, Department of Computer & Electrical Engineering and Computer Science at the University of New Haven, CT, specializing in Cybersecurity & Forensics. He is also a European Alliance for Innovation Fellow, and a CT 40 Under 40. He serves as the Assistant Dean and is the founder of the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG). Abe is also the former editor-in-chief of the Journal of Digital Forensics, Security and Law (JDFSL). He received his BSc, MSc and PhD all from Purdue University, where he worked as a researcher in CERIAS. He is the program lead on the Center of Academic Excellence in Cyber Operations, designated by the National Security Agency (one of only 21 programs nationally with that prestigious designation), and is also the Principal Investigator for the CyberCorps Scholarship for Service program at the university. Abe is also the co-founder of the X Reality Safety Initiative (XRSI.ORG). Abe co-authored over 70 publications including books, peer-reviewed articles, and conference papers and has received millions of dollars in funding for his work from a variety of sources including the NSF, NSA, DHS and MITRE. Most recently, work with his students showed security issues in mobile social messaging applications that affect over 1 billion people worldwide. His team also recently found major Virtual Reality exploits that affect people globally. His research interests include cybersecurity and forensics from technical, social, and psychological perspectives. He has worked closely with law enforcement and the private sector, has published work on real challenges facing cybercriminal investigators, and has presented at a number of conferences worldwide. Abe has also led the creation of the Artifact Genome Project (https://agp.newhaven.edu), which is used by government organizations and the private sector, by over 178 organizations in 27 countries. Abe's work has also been featured in news outlets and on TV worldwide in over 20 languages. To learn more about Abe and his work you can visit http://www.baggili.com and http://www.unhcfreg.com.
