CERIAS Weekly Security Seminar - Purdue University

Chuck Brooks, Leading Trends and Emerging Technologies for Cybersecurity in 2022

As we begin 2022, the cost, sophistication, and lethality of cyber-breaches continues to rise. Threat actors, especially state-sponsored, and criminal enterprises are taking advantage of the expanding cyber-attack surface by using their resources to employ more sophisticated means for discovering target vulnerabilities, automating phishing, and finding new deceptive paths for infiltrating malware. This presentation will explore some of the more compelling trends and threats in the cybers ecos...

Melissa Dark, "Building the Next Generation Cybersecurity Workforce: Progress and Challenges"

This talk explores over 20 years of building the cybersecurity workforce in the United States with a focus on the evolution, progress made, and challenges ahead.

Melissa Dark, Building the Next Generation Cybersecurity Workforce: Progress and Challenges

This talk explores over 20 years of building the cybersecurity workforce in the United States with a focus on the evolution, progress made, and challenges ahead. About the speaker: Dr. Melissa Dark has worked in cybersecurity education and workforce development for the past 20 years. Her early work in cybersecurity education focused on the graduate level and has progressively grown down to community college, and now high school, in response to two needs: robust cybersecurity literacy among al...

Melissa Hathaway & Francesca Spidalieri, Integrating Cybersecurity into Digital Development

In June 2021, the GFCE and the World Bank came together to identify pathways to bridge the development community to the cybersecurity capacity building community and create mechanisms by which digital development could see the benefits of incorporating cyber security into their projects and initiatives to achieve more resilient outcomes. This report, Integrating Cyber Security into the Digital Development Agenda, highlights some of the key challenges and benefits of incorporating cybersecurit...

Melissa Hathaway &amp; <span>Francesca Spidalieri</span><span></span>, "Integrating Cybersecurity into Digital Development"

In June 2021, the GFCE and the World Bank came together to identify pathways to bridge the development community to the cybersecurity capacity building community and create mechanisms by which digital development could see the benefits of incorporating cyber security into their projects and initiatives to achieve more resilient outcomes. This report, Integrating Cyber Security into the Digital Development Agenda, highlights some of the key challenges and benefits of incorporating cybersecur...

Melissa Hathaway & <span>Francesca Spidalieri</span><span></span>, "Integrating Cybersecurity into Digital Development"

In June 2021, the GFCE and the World Bank came together to identify pathways to bridge the development community to the cybersecurity capacity building community and create mechanisms by which digital development could see the benefits of incorporating cyber security into their projects and initiatives to achieve more resilient outcomes. This report, Integrating Cyber Security into the Digital Development Agenda, highlights some of the key challenges and benefits of incorporating cyb...

Kacper Gradon, Future Trends in Cyber Crime and Hybrid Warfare

 "Do Criminals Dream of Electric Sheep?" Such issue is no longer a domain of futurologists and science-fiction writers, but a serious question asked by the EUROPOL alarmed by how emerging Information Technologies shape the future of crime and law-enforcement. Apart from its obviously positive effects, the technology also impacts and affects the way criminal offenders, terrorists and rogue governments operate at the stages of know-how gathering, planning, preparation and execution of their att...

Kacper Gradon, "Future Trends in Cyber Crime and Hybrid Warfare"

  “Do Criminals Dream of Electric Sheep?” Such issue is no longer a domain of futurologists and science-fiction writers, but a serious question asked by the EUROPOL alarmed by how emerging Information Technologies shape the future of crime and law-enforcement. Apart from its obviously positive effects, the technology also impacts and affects the way criminal offenders, terrorists and rogue governments operate at the stages of know-how gathering, planning, preparation and execution of...

Lesley Carhart, "You Are The Future of Industrial Cybersecurity"

Securing industrial networks has never been more crucial, but it's not as simple as just patching legacy computers or installing commercial tools. Responding to cybersecurity incidents in critical infrastructure environments poses unique challenges and requires a very unusual set of skills. This lecture will cover key terminology, operational differences, and technology differences between industrial and enterprise environments. Attendees will leave with an essential understanding of the ch...

Lesley Carhart, You Are The Future of Industrial Cybersecurity

Securing industrial networks has never been more crucial, but it's not as simple as just patching legacy computers or installing commercial tools. Responding to cybersecurity incidents in critical infrastructure environments poses unique challenges and requires a very unusual set of skills. This lecture will cover key terminology, operational differences, and technology differences between industrial and enterprise environments. Attendees will leave with an essential understanding of the chal...

Helen Patton, "Navigating the Cybersecurity Profession: Essential Elements for a Satisfying Career"

 Having a satisfying cybersecurity career can feel elusive, even for a seasoned cybersecurity professional.  In this session, we’ll talk about things that all security professionals, of all levels and backgrounds, need to know and do, in order to achieve professional success.  We will cover: The importance of networking, and how to leverage them to achieve your career goals Continuous learning - when, how, and when is it too much? Self-awareness, and why this is the basis for everything ...

Helen Patton, Navigating the Cybersecurity Profession: Essential Elements for a Satisfying Career

 Having a satisfying cybersecurity career can feel elusive, even for a seasoned cybersecurity professional.  In this session, we'll talk about things that all security professionals, of all levels and backgrounds, need to know and do, in order to achieve professional success.  We will cover:The importance of networking, and how to leverage them to achieve your career goalsContinuous learning - when, how, and when is it too much?Self-awareness, and why this is the basis for everything you doMa...

Jeremiah Blocki, "Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking"

We introduce password strength information signaling as a novel, yet counter-intuitive, defense mechanism against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the res...

Jeremiah Blocki, Password Strength Signaling: A Counter-Intuitive Defense Against Password Cracking

We introduce password strength information signaling as a novel, yet counter-intuitive, defense mechanism against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources h...

Amit Yoran, Symposium Closing Keynote

About the speaker: Amit Yoran is Chairman and Chief Executive Officer of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with innovative technologies and a vision of transformative vulnerability management. Prior to joining Tenable, Amit was President of RSA, one of the most successful security companies in the wo...

Amit Yoran, "Symposium Closing Keynote"

Jordan Mauriello, Understanding Attackers and Motivations

Understanding the evolution of attacker motivations, and the impact to managing risk in enterprise environments is a key to successfully building cyber security programs in today's IT enterprise. Over the last decade both attacks, and attacker motivations have evolved dramatically. From Hacktivism to Nation State Actors, from Identity Theft Rings to Ransomware-as-a-Service, the motivations, timing, determination, and discipline of attackers has changed dramatically. This presentation will dis...

Jordan Mauriello, "Understanding Attackers and Motivations"

Understanding the evolution of attacker motivations, and the impact to managing risk in enterprise environments is a key to successfully building cyber security programs in today’s IT enterprise. Over the last decade both attacks, and attacker motivations have evolved dramatically. From Hacktivism to Nation State Actors, from Identity Theft Rings to Ransomware-as-a-Service, the motivations, timing, determination, and discipline of attackers has changed dramatically. This presentation will d...

Yoon Auh, "NUTS: The Beta Demo"

Beyond End-to-End Encryption (BE2EE) technology can protect your data in-transit and at-rest in a consistent way: NUTS may help define this new category. Last year, we presented the technology of NUTS (https://ceri.as/nuts2020). This year, we demonstrate NUTS in action with our Beta version. See secure objects move around in cyberspace without a central reference monitor in a transport agnostic way. The demo will show practical use cases that NUTS enables. The global pandemic drastica...

Yoon Auh, NUTS: The Beta Demo

Beyond End-to-End Encryption (BE2EE) technology can protect your data in-transit and at-rest in a consistent way: NUTS may help define this new category. Last year, we presented the technology of NUTS (https://ceri.as/nuts2020). This year, we demonstrate NUTS in action with our Beta version. See secure objects move around in cyberspace without a central reference monitor in a transport agnostic way. The demo will show practical use cases that NUTS enables. The global pandemic drastically alte...

Jennifer Bayuk, The History of Cybersecurity Metrics

This talk covers the state of the Art and Practice in Cybersecurity Metrics. The history ranges from the 1970s through the present. Topics include, but are not limited to: Control Objectives, the Orange Book, the Common Criteria, Systems Security Engineering Capability Maturity Model, Common Vulnerability Enumeration, National Vulnerability Database, NIST Pubs such as the Performance Measurement Guide for Information Security, Threat Intelligence Protocols, Exemplar studies such as the Verizo...

Jennifer Bayuk, "The History of Cybersecurity Metrics"

This talk covers the state of the Art and Practice in Cybersecurity Metrics. The history ranges from the 1970s through the present. Topics include, but are not limited to: Control Objectives, the Orange Book, the Common Criteria, Systems Security Engineering Capability Maturity Model, Common Vulnerability Enumeration, National Vulnerability Database, NIST Pubs such as the Performance Measurement Guide for Information Security, Threat Intelligence Protocols, Exemplar studies such as ...

Paula deWitte, The Need for Legal Education within a Cybersecurity Curriculum

Anecdotally, most cybersecurity curricula is based on the technical aspects of protecting, defending, and responding to cyber attacks.  While these courses establish a solid foundation in the technical aspects of cybersecurity, what is often missing is establishing a foundation in cybersecurity law. Every individual who puts their hands on a keyboard operates within an uncertain ethical and legal framework. What we do not need is the type of education to produce more lawyers, but rather the t...

Paula deWitte, "The Need for Legal Education within a Cybersecurity Curriculum"

Anecdotally, most cybersecurity curricula is based on the technical aspects of protecting, defending, and responding to cyber attacks.  While these courses establish a solid foundation in the technical aspects of cybersecurity, what is often missing is establishing a foundation in cybersecurity law. Every individual who puts their hands on a keyboard operates within an uncertain ethical and legal framework. What we do not need is the type of education to produce more lawyers, but rather the...

Aaron Shafer, "Securing SaaS, a Practitioner’s Guide"

In this session we will talk about applying appropriate security controls to Software as a Service (SaaS) offerings. While it may seem like the SaaS vendors have most of the responsibility for securing these platforms, there are still a number of threats that customers need to worry about themselves. During the session we will walk through various types of SaaS solutions, including a few new surprising categories, and will then talk about the nuances of the Shared Responsibility Model (SRM...

Aaron Shafer, Securing SaaS, a Practitioner's Guide

In this session we will talk about applying appropriate security controls to Software as a Service (SaaS) offerings. While it may seem like the SaaS vendors have most of the responsibility for securing these platforms, there are still a number of threats that customers need to worry about themselves. During the session we will walk through various types of SaaS solutions, including a few new surprising categories, and will then talk about the nuances of the Shared Responsibility Model (SRM). ...

Gideon Rasmussen, "Adaptive Cybersecurity Risk Assessments"

This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation. The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud. ...

Jeremy Rasmussen, "The Changing Cybersecurity Threatscape"

During the height of the pandemic, it’s estimated that digital transformation advanced by as much as seven years, opening the door for hybrid and remote working solutions to thrive. But, the increase in remote work also revealed new threats to devices and applications. In this session, we will discuss: • The post-COVID world and “Zero Trust” • Trusted software becoming less trustworthy • The surprising ways ransomware launches • Identifying Web/SSL VPN vulnerabilities in firewalls...

Jeremy Rasmussen, The Changing Cybersecurity Threatscape

During the height of the pandemic, it's estimated that digital transformation advanced by as much as seven years, opening the door for hybrid and remote working solutions to thrive. But, the increase in remote work also revealed new threats to devices and applications. In this session, we will discuss:• The post-COVID world and "Zero Trust"• Trusted software becoming less trustworthy• The surprising ways ransomware launches• Identifying Web/SSL VPN vulnerabilities in firewalls• Application of...

Nasir Memon, AI, Computational Imaging and the Battle for Media Integrity

Rapid progress in machine learning, computer vision and graphics leads to successive democratization of media manipulation capabilities. While convincing photo and video manipulation used to require substantial time and skill, modern editors bring (semi-) automated tools that can be used by everyone. Some of the most recent examples include manipulation of human faces, e.g., by their replacement or semantic manipulation (expression, age, etc.). At the same time, dissemination of fake news and...

Nasir Memon, "AI, Computational Imaging and the Battle for Media Integrity"

Rapid progress in machine learning, computer vision and graphics leads to successive democratization of media manipulation capabilities. While convincing photo and video manipulation used to require substantial time and skill, modern editors bring (semi-) automated tools that can be used by everyone. Some of the most recent examples include manipulation of human faces, e.g., by their replacement or semantic manipulation (expression, age, etc.). At the same time, dissemination of fake ...

David Dill, A Formal Verifier for the Diem Blockchain Move Language

The Diem blockchain, which was initiated in 2018 by Facebook, includes a novel programming language called Move for implementingsmart contracts. The correctness of Move programs is especially important because the blockchain will host large amounts of assets, those assets are managed by smart contracts, and because there is a history of large losses on other blockchains because of bugs in smart contracts. The Move language is designed to be as safe as we can make it, and it is accompanied by ...

David Dill, "A Formal Verifier for the Diem Blockchain Move Language"

The Diem blockchain, which was initiated in 2018 by Facebook, includes a novel programming language called Move for implementingsmart contracts. The correctness of Move programs is especially important because the blockchain will host large amounts of assets, those assets are managed by smart contracts, and because there is a history of large losses on other blockchains because of bugs in smart contracts. The Move language is designed to be as safe as we can make it, and it is accompa...

Dave Henthorn, Educating the Next Generation on the Challenges of Securing Critical Infrastructure

Cyberattacks on critical infrastructure such as power plants, dams, and chemical facilities are increasing in both intensity and sophistication, with attackers actively exploiting the cultural divide between the engineers who design and run these facilities and the cybersecurity people who protect them. At Rose-Hulman, we are building a multidisciplinary Critical Infrastructure Laboratory to bring these groups together with the goal of educating the next generation on the difficulties of desi...

Dave Henthorn, "Educating the Next Generation on the Challenges of Securing Critical Infrastructure"

Cyberattacks on critical infrastructure such as power plants, dams, and chemical facilities are increasing in both intensity and sophistication, with attackers actively exploiting the cultural divide between the engineers who design and run these facilities and the cybersecurity people who protect them. At Rose-Hulman, we are building a multidisciplinary Critical Infrastructure Laboratory to bring these groups together with the goal of educating the next generation on the difficulti...

Winn Schwartau, "Security is Probabilistic, Not Deterministic: Get Over It"

Since the inception of computer/data/cyber/network securitysome fifty years ago, one recurring question has beset our industry: “How do wesecure it?” By its very nature, that question has propagated as a harmful meme,by implying that a binary deterministic answer is available, or even possible. This talk examines security through a non-deterministiclens, applying probabilistic and analogue functions to discover new approachesto defending anthro-cyber-kinetic systems.

Winn Schwartau, Security is Probabilistic, Not Deterministic: Get Over It

Since the inception of computer/data/cyber/network securitysome fifty years ago, one recurring question has beset our industry: "How do wesecure it?" By its very nature, that question has propagated as a harmful meme,by implying that a binary deterministic answer is available, or even possible. This talk examines security through a non-deterministiclens, applying probabilistic and analogue functions to discover new approachesto defending anthro-cyber-kinetic systems. About the speaker: Winn h...

Neil Daswani, "Big Breaches: Cybersecurity Lessons For Everyone"

This talk covers the key lessons learned and root causes from the biggest mega-breaches and the 9,000+ reported breaches over the past 15 years.  By analyzing the histories, stories, and deep dives of breaches such as those at Target, JPMorganChase, OPM, Yahoo, Equifax, Facebook, Marriott, Capital One, and the SolarWinds hack, I will also lay the groundwork for a roadmap to recovery based on the root causes. 

Neil Daswani, Big Breaches: Cybersecurity Lessons For Everyone

This talk covers the key lessons learned and root causes from the biggest mega-breaches and the 9,000+ reported breaches over the past 15 years.  By analyzing the histories, stories, and deep dives of breaches such as those at Target, JPMorganChase, OPM, Yahoo, Equifax, Facebook, Marriott, Capital One, and the SolarWinds hack, I will also lay the groundwork for a roadmap to recovery based on the root causes.  About the speaker: Dr. Neil Daswani is Co-Director of the Stanford Advanced Security...

Laura Thomas, "National Security Implications of Quantum Technology"

Quantum technology will be transformational. When applied, quantum has the power to dramatically improve our society, as well as cause major disruptions on the national security and economic security fronts. This presentation will provide an overview of the fundamentals of quantum technology, to include the three major branches of quantum technology development: quantum computing, quantum sensing, and quantum networking. We will discuss use cases for each and explore where the technology st...

Laura Thomas, National Security Implications of Quantum Technology

Quantum technology will be transformational. When applied, quantum has the power to dramatically improve our society, as well as cause major disruptions on the national security and economic security fronts. This presentation will provide an overview of the fundamentals of quantum technology, to include the three major branches of quantum technology development: quantum computing, quantum sensing, and quantum networking. We will discuss use cases for each and explore where the technology stan...

Ida Ngambeki, "Understanding the Human Hacker"

Social Engineering is employed in 97% of cybersecurity attacks. This makes social engineering penetration testing an important aspect of cybersecurity. Social engineering penetration testing is a specialized area requiring skills and abilities substantially different from other types of penetration testing. Training for social engineering penetration testing as well as understanding what skills, abilities, and personalities make for good social engineers is not well developed. This ...

Ida Ngambeki, Understanding the Human Hacker

Social Engineering is employed in 97% of cybersecurity attacks. This makes social engineering penetration testing an important aspect of cybersecurity. Social engineering penetration testing is a specialized area requiring skills and abilities substantially different from other types of penetration testing. Training for social engineering penetration testing as well as understanding what skills, abilities, and personalities make for good social engineers is not well developed. This mixed meth...

Neil Gong, "Secure Federated Learning"

Federated learning is an emerging machine learning paradigm to enable many clients (e.g., smartphones, IoT devices, and edge devices) to collaboratively learn a model, with help of a server, without sharing their raw local data. Due to its communication efficiency and potential promise of protecting private or proprietary user data, and in light of emerging privacy regulations such as GDPR, federated learning has become a central playground for innovation.  However, due to i...

Neil Gong, Secure Federated Learning

Federated learning is an emerging machine learning paradigm to enable many clients (e.g., smartphones, IoT devices, and edge devices) to collaboratively learn a model, with help of a server, without sharing their raw local data. Due to its communication efficiency and potential promise of protecting private or proprietary user data, and in light of emerging privacy regulations such as GDPR, federated learning has become a central playground for innovation. However, due to its distributed natu...

Leigh Metcalf, The Gauntlet of Cybersecurity Research

Good research has scientific principles driving it. Analysts begin research with a goal in mind and at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles. About the speaker: Leigh Metcalf has 30 years of experience in STEM where she is an expert in not just one, but two co...

Leigh Metcalf, "The Gauntlet of Cybersecurity Research"

Good research has scientific principles driving it. Analysts begin research with a goal in mind and at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles.

Gary McGraw, "Security Engineering for Machine Learning"

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however.  ML has become so popula...

Gary McGraw, Security Engineering for Machine Learning

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however.  ML has become so popular that its...

Steven Furnell, Cybersecurity Skills – Easy to say, harder to recognise?

There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance.  Everybody wants it. But do they really know what they want?  What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so?  This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our refere...