CERIAS Weekly Security Seminar - Purdue University show

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, presenting case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Jillean Long Battle, "What's Private: Exploring Reasonable Expectation of Privacy in the Age of Modern Innovation" | File Type: video/mp4 | Duration: Unknown

Millions of people spend their day chatting away on their cellphones, ordering groceries from Amazon's Alexa, making calendar appointments with Apple's Siri, or posting on Facebook about the last concert they attended. Sharing our personal information via social media platforms or providing it to third-party companies has become so commonplace in our routines that it begs the question, "What, if anything, in our personal lives is really private?" As we grow more comfortable using modern technology to streamline and stay connected, are we risking our right to a reasonable expectation of privacy, a protection guaranteed by the Fourth Amendment of the U.S. Constitution? Modern innovation has presented the judiciary with unique challenges, as the court balances the legitimate interests of government and the people. We will explore the dynamics of Carpenter v. United States, United States v. Miller, and Smith v. Maryland, and the recent developments surrounding the Golden State Killer and the Arkansas murder case involving Amazon's Alexa.

 Doug Rapp, Breaching Water Treatment Plants: Lessons Learned from Complex Exercises | File Type: video/mp4 | Duration: 3310

US cybersecurity experts determined that the Russian hacking group Dragonfly targeted United States and European utilities with a cyber espionage campaign from 2015 to 2017. This government-sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as "sleeper cells" are now being executed in the cyber domain. Industrial firms, including power and water providers, have proven to be susceptible to attacks and disruptions that could be used during a significant geopolitical conflict. Antiquated industrial control devices now connected to the internet make utilities in even the most advanced countries susceptible to everyone from hacktivists to cyber criminals to nation states. In these times, the question has shifted from "can they?" to "when will they?". Using Indiana's groundbreaking cybersecurity exercise Crit-Ex as an example, we explore exactly how vulnerable utilities really are and how insights into incident response and resiliency are discovered through complex training and exercises. About the speaker: Douglas Rapp is the President of Rofori Corporation, an innovative young technology company that uses metadata tagging and advanced algorithmics to turn unstructured data into signal. Rofori's flagship application is DEFCON cyber, a scalable cybersecurity risk and awareness tool that offers small businesses enterprise-level expertise. He is also President of the Cyber Leadership Alliance, a non-profit organization that convenes leadership in cybersecurity and security in the internet of things to synchronize efforts, promote cybersecurity efforts in the region, foster innovation and promote the economic impact. CLA's CISO forum represents over 20 billion of private industry in Indiana. Doug is a published author on cybersecurity training, workforce development, and economic development. He is also an entrepreneur in residence for Purdue University. He is an international speaker and has testified before Congress on cybersecurity matters. Doug is a lifelong Hoosier, a former military officer and combat veteran, and a cybersecurity optimist.

 Doug Rapp, "Breaching Water Treatment Plants: Lessons Learned from Complex Exercises" | File Type: video/mp4 | Duration: Unknown

US cybersecurity experts determined that the Russian hacking group Dragonfly targeted United States and European utilities with a cyber espionage campaign from 2015 to 2017. This government-sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as "sleeper cells" are now being executed in the cyber domain. Industrial firms, including power and water providers, have proven to be susceptible to attacks and disruptions that could be used during a significant geopolitical conflict. Antiquated industrial control devices now connected to the internet make utilities in even the most advanced countries susceptible to everyone from hacktivists to cyber criminals to nation states. In these times, the question has shifted from "can they?" to "when will they?". Using Indiana's groundbreaking cybersecurity exercise Crit-Ex as an example, we explore exactly how vulnerable utilities really are and how insights into incident response and resiliency are discovered through complex training and exercises.

 Ryan Elkins, Hacking Your Security Career: Strategies That College Did Not Teach Me | File Type: video/mp4 | Duration: 2313

The field of Information Security is broad, with many career paths. The high demand for and low supply of security expertise are constantly in the news. How do we fix this? Many people are either intimidated by security or do not realize that their expertise and talent would be a perfect fit for the security industry even if they are in a different field. This talk will bridge that gap and help identify the opportunities available to you. Common questions will be answered, such as how to get started, what resources should be utilized, and what exactly a career in Information Security looks like. This presentation will turn the traditional career approach upside down and utilize the "hacker mindset" to our advantage to accelerate our careers, create opportunities, and position ourselves to be successful. About the speaker: Ryan Elkins, Advisor, Cloud and Application Security Architecture. Ryan Elkins leads the cloud and application security architecture programs for Eli Lilly and Company. Elkins has over 10 years of security experience leading programs across the financial, insurance, and pharmaceutical industries. Throughout his career, he has developed multiple application security programs, managed a global security services operations center, designed complex cloud architectures, performed security consulting and penetration testing, and led a global information security program. Elkins holds the CISSP and CCSP certifications, a bachelor's degree in Computer Technology from Kent State University, and a master's degree in Information Security from Nova Southeastern University.

 Ryan Elkins, "Hacking your security career: strategies that college did not teach me" | File Type: video/mp4 | Duration: Unknown

The field of Information Security is broad, with many career paths. The high demand for and low supply of security expertise are constantly in the news. How do we fix this? Many people are either intimidated by security or do not realize that their expertise and talent would be a perfect fit for the security industry even if they are in a different field. This talk will bridge that gap and help identify the opportunities available to you. Common questions will be answered, such as how to get started, what resources should be utilized, and what exactly a career in Information Security looks like. This presentation will turn the traditional career approach upside down and utilize the "hacker mindset" to our advantage to accelerate our careers, create opportunities, and position ourselves to be successful.

 Abe Clements, "Protecting Bare-metal Embedded Systems from Memory Corruption Attacks" | File Type: video/mp4 | Duration: Unknown

Embedded systems are used in every aspect of modern life. The Internet of Things comprises millions of these interconnected systems, many of which are low-cost bare-metal systems, executing without an operating system. These systems rarely employ security protections. Their development assumptions of unrestricted access to all memory and instructions, together with constraints on runtime, energy, and memory, make applying protections particularly challenging. I will present two recent techniques, EPOXY (IEEE S&P 2017) and ACES (USENIX Security 2018), that harden bare-metal systems against memory corruption attacks. EPOXY is an LLVM-based embedded compiler that uses a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode. This provides the foundation on which code integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied. EPOXY also employs fine-grained randomization schemes that work within the constraints of bare-metal systems to provide further protection against control-flow and data corruption attacks. These defenses prevent code injection attacks and ROP attacks from scaling across large sets of devices. EPOXY's evaluation on case study applications shows that EPOXY has, on average, a 1.8% increase in execution time and a 0.5% increase in energy usage. ACES is another LLVM-based compiler that automatically infers and enforces inter-component isolation on bare-metal systems, thus applying the principle of least privilege. ACES takes a developer-specified compartmentalization policy and then automatically creates an instrumented binary that isolates compartments at runtime, while handling the hardware limitations of bare-metal embedded devices. ACES' evaluation shows that ACES' compartments can have low runtime overheads (13% on our largest test application), while using 59% less Flash and 84% less RAM than the Mbed uVisor, the current state-of-the-art compartmentalization technique for bare-metal systems. ACES' compartments protect the integrity of privileged data and provide control-flow integrity between compartments.

 Abe Clements, Protecting Bare-metal Embedded Systems from Memory Corruption Attacks | File Type: video/mp4 | Duration: 2443

Embedded systems are used in every aspect of modern life. The Internet of Things comprises millions of these interconnected systems, many of which are low-cost bare-metal systems, executing without an operating system. These systems rarely employ security protections. Their development assumptions of unrestricted access to all memory and instructions, together with constraints on runtime, energy, and memory, make applying protections particularly challenging. I will present two recent techniques, EPOXY (IEEE S&P 2017) and ACES (USENIX Security 2018), that harden bare-metal systems against memory corruption attacks. EPOXY is an LLVM-based embedded compiler that uses a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode. This provides the foundation on which code integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied. EPOXY also employs fine-grained randomization schemes that work within the constraints of bare-metal systems to provide further protection against control-flow and data corruption attacks. These defenses prevent code injection attacks and ROP attacks from scaling across large sets of devices. EPOXY's evaluation on case study applications shows that EPOXY has, on average, a 1.8% increase in execution time and a 0.5% increase in energy usage. ACES is another LLVM-based compiler that automatically infers and enforces inter-component isolation on bare-metal systems, thus applying the principle of least privilege. ACES takes a developer-specified compartmentalization policy and then automatically creates an instrumented binary that isolates compartments at runtime, while handling the hardware limitations of bare-metal embedded devices. ACES' evaluation shows that ACES' compartments can have low runtime overheads (13% on our largest test application), while using 59% less Flash and 84% less RAM than the Mbed uVisor, the current state-of-the-art compartmentalization technique for bare-metal systems. ACES' compartments protect the integrity of privileged data and provide control-flow integrity between compartments. About the speaker: Abe Clements is a Senior Member of Technical Staff at Sandia National Laboratories and a fourth-year PhD student at Purdue University. He started at Sandia in 2010, where he worked primarily in industrial control system cyber security. In 2015 he was selected for Sandia's Doctoral Studies Program and came to Purdue for his doctoral studies. His PhD research focuses on using static and dynamic program analysis to create and deploy memory protection mechanisms for embedded systems. He is co-advised by Saurabh Bagchi (ECE) and Mathias Payer (CS). He holds a B.S. and an M.S. in Electrical Engineering from Utah State University.

 Cristina Ledezma, DoD Cyber Requirements and Directives | File Type: video/mp4 | Duration: 2751

The field of cyber engineering is relatively new as compared to other engineering disciplines such as software, mechanical, and systems. However, as we consistently hear and read about, cyber has rapidly become all-encompassing for every industry, including the Department of Defense. Specifically for DoD and weapons systems, the application of cyber engineering and cyber solutions must account for the entirety of the system life cycle. This requires that a cyber test and evaluation strategy be defined from the start of a program and applied throughout the system life cycle, or system "V". This presentation will discuss the cyber requirements and directives as levied by the Department of Defense and how these affect program test and evaluation strategies and implementation across DoD programs. About the speaker: Cristina was born in Germany, raised in Louisiana, and transplanted to Indiana. She has worked in multiple roles and industries during her career, including software development and test in both the automotive and defense industries. She is currently a Principal Cybersecurity Engineer with Raytheon Information, Intelligence, and Services (IIS). Cristina received a Bachelor of Science in Electrical Engineering and a Master's in Interdisciplinary Engineering from Purdue University. She has also received her Master's in Systems Engineering from Johns Hopkins University. Cristina is married and has three children.

 Cristina Ledezma, "DoD Cyber Requirements and Directives" | File Type: video/mp4 | Duration: Unknown

The field of cyber engineering is relatively new as compared to other engineering disciplines such as software, mechanical, and systems. However, as we consistently hear and read about, cyber has rapidly become all-encompassing for every industry, including the Department of Defense. Specifically for DoD and weapons systems, the application of cyber engineering and cyber solutions must account for the entirety of the system life cycle. This requires that a cyber test and evaluation strategy be defined from the start of a program and applied throughout the system life cycle, or system "V". This presentation will discuss the cyber requirements and directives as levied by the Department of Defense and how these affect program test and evaluation strategies and implementation across DoD programs.

 Leon Ravenna, Personally Identifiable Data and the Specter of Customer Privacy | File Type: video/mp4 | Duration: 3072

As more and more Personally Identifiable data is collected or created, the specter of customer privacy issues is looming large. Enterprises need to take a long hard look at the information they are capturing and determine whether the potential value outweighs the potential risk. How do your current privacy practices match up against laws soon to take effect in Europe? Are you prepared to deal with new laws carrying fines of up to 4% of global revenue? If not, how do you start? Are you prepared to deal with companies such as Facebook, Google, and Cambridge Analytica using your data, with or without your approval? Takeaways: What does your data mean to you and others? Understand what the implications of the new laws are, as well as your risks. Understand how to comply with upcoming laws. Understand the technology at issue. Understand how contracts and dataflow will be impacted. How can this be beneficial for you personally? About the speaker: Leon has over 25 years' experience in Healthcare, Financial Services and Technology companies. He leads Global Security Strategy, Execution, Privacy and Compliance services. Leon is currently CISO of a $3B multi-national company in the auto auction and services space, providing Security, Privacy and Compliance expertise for over 17,000 employees. Leon has led nationwide support, Web and CRM development efforts, data center builds, and infrastructure for SaaS companies in the medical and financial space. Leon has extensive experience in Regulatory, Compliance and Privacy, having managed ISO27001, HIPAA, SSAE-16, PCI and NIST system builds and audits. He also holds a PMP. Leon is one of a very small group world-wide to hold 6 major Global Privacy certifications, including CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US and FIP.

 Leon Ravenna, "Personally Identifiable Data and the Specter of Customer Privacy" | File Type: video/mp4 | Duration: Unknown

As more and more Personally Identifiable data is collected or created, the specter of customer privacy issues is looming large. Enterprises need to take a long hard look at the information they are capturing and determine whether the potential value outweighs the potential risk. How do your current privacy practices match up against laws soon to take effect in Europe? Are you prepared to deal with new laws carrying fines of up to 4% of global revenue? If not, how do you start? Are you prepared to deal with companies such as Facebook, Google, and Cambridge Analytica using your data, with or without your approval? Takeaways: What does your data mean to you and others? Understand what the implications of the new laws are, as well as your risks. Understand how to comply with upcoming laws. Understand the technology at issue. Understand how contracts and dataflow will be impacted. How can this be beneficial for you personally?

 Debajyoti Das, Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency – Choose Two. | File Type: video/mp4 | Duration: 2632

Over the last three decades, several anonymous communication (AC) protocols have been proposed towards improving users' privacy over the internet. Among those, the Tor protocol has been particularly successful. Thanks to its low communication latency and low bandwidth overhead, Tor today is employed by millions of users worldwide. Nevertheless, its anonymity is known to be broken in the presence of global adversaries. AC protocols like the dining cryptographers network provide anonymity even in the presence of global adversaries at the expense of bandwidth overhead, while others such as the mixing network designs improve anonymity at the expense of higher latency. In this work, we investigate the fundamental constraints of anonymous communication (AC) protocols. We analyze the relationship between bandwidth overhead, latency overhead, and sender anonymity or recipient anonymity against the global passive (network-level) adversary. We confirm the trilemma that an AC protocol can only achieve two out of the following three properties: strong anonymity (i.e., anonymity up to a negligible chance), low bandwidth overhead, and low latency overhead. We further study anonymity against a stronger global passive adversary that can additionally passively compromise some of the AC protocol nodes. For a given number of compromised nodes, we derive necessary constraints between bandwidth and latency overhead whose violation makes it impossible for an AC protocol to achieve strong anonymity. We analyze prominent AC protocols from the literature and depict to what extent those satisfy our necessary constraints. Our fundamental necessary constraints offer a guideline not only for improving existing AC systems but also for designing novel AC protocols with non-traditional bandwidth and latency overhead choices.

 Debajyoti Das, "Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency – Choose Two." | File Type: video/mp4 | Duration: Unknown

Over the last three decades, several anonymous communication (AC) protocols have been proposed towards improving users' privacy over the internet. Among those, the Tor protocol has been particularly successful. Thanks to its low communication latency and low bandwidth overhead, Tor today is employed by millions of users worldwide. Nevertheless, its anonymity is known to be broken in the presence of global adversaries. AC protocols like the dining cryptographers network provide anonymity even in the presence of global adversaries at the expense of bandwidth overhead, while others such as the mixing network designs improve anonymity at the expense of higher latency. In this work, we investigate the fundamental constraints of anonymous communication (AC) protocols. We analyze the relationship between bandwidth overhead, latency overhead, and sender anonymity or recipient anonymity against the global passive (network-level) adversary. We confirm the trilemma that an AC protocol can only achieve two out of the following three properties: strong anonymity (i.e., anonymity up to a negligible chance), low bandwidth overhead, and low latency overhead. We further study anonymity against a stronger global passive adversary that can additionally passively compromise some of the AC protocol nodes. For a given number of compromised nodes, we derive necessary constraints between bandwidth and latency overhead whose violation makes it impossible for an AC protocol to achieve strong anonymity. We analyze prominent AC protocols from the literature and depict to what extent those satisfy our necessary constraints. Our fundamental necessary constraints offer a guideline not only for improving existing AC systems but also for designing novel AC protocols with non-traditional bandwidth and latency overhead choices.

 Josh Corman, Symposium Closing Keynote - Bits & Bytes, Flesh & Blood, and Adapting for the Next 20 Years | File Type: video/mp4 | Duration: 3740

Symposium Closing Keynote - Bits & Bytes, Flesh & Blood, and Adapting for the Next 20 Years About the speaker: Joshua Corman is a Founder of I am The Cavalry (dot org), and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and I am The Cavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. His unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an Adjunct Faculty for Carnegie Mellon's Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.

 Chris Reed, Leveraging DevSecOps to Escape the Hamster Wheel of Never-ending Security Fail | File Type: video/mp4 | Duration: 3085

Security is often implemented through bolt-on assessments, including periodic testing that only happens once per release or even annually. Manual security processes can no longer keep up in today's fast-paced world of agile development, DevOps and constant vulnerabilities. DevSecOps, or Security as Code, is an approach that allows security staff to multiply resources and increase agility and speed. Executed properly, it also provides the audit trail necessary to demonstrate control even in the most rigorous regulatory environments. This session will explore this approach in the context of regulated medical device software. We'll explore the integration of Software Composition Analysis (third-party open source libraries), Static Source Code Analysis, and Dynamic Testing, along with automated verification, leveraged to reduce the risk of security failures in development and post-market/production operations. About the speaker: Chris Reed, Director of Product Cybersecurity at Eli Lilly and Company. Chris Reed leads the Cybersecurity Program for digital products at Eli Lilly and Company. He has been an information security practitioner for over 15 years, including roles designing corporate security protection/detection/response systems, managing security operations, applying security architecture at enterprise scale, leading vendor assessments, leading pen testing and developing security standards and policy. Currently he is focused on establishing the Product Cybersecurity Program, including formalizing cybersecurity risk management to ensure adequate cybersecurity controls are designed into medical devices, as well as establishing the necessary post-market practices of vulnerability management and incident response for Eli Lilly and Company.
