| Tech Talk #3: Stephen Elliot (Summary) Posted: 12 Apr 2013 02:01 PM PDT Associate Professor Stephen Elliott, Industrial Technology, Purdue University Director, Biometric Standards, Performance and Assurance Laboratory Summary by Kelley Misata Title: Advances in Biometric Testing Starting the conversation Stephen reminded the audience that what makes biometrics such an interesting field is the unpredictability of the humans in the testing and evaluations processes. In traditional biometric testing environments researchers work with algorithms and established metrics and methodologies. However, as biometrics testing moves to operational environments there are more uncertainties to content with and therefore making it hard to do. Considering these two important testing environments, what biometric researchers are now trying to do is to understand further how a biometric system performs in any environment and identify what (or who) could the possible cause of errors. As Stephen pointed out, there have been several papers addressing how individual error impacts biometric performance and the potential causes of these errors. Some of these errors are now being traced to gaps in biometrics testing including training (e.g. "How do you train someone who is difficult to train or doesn't want to be trained?"), accessibility (e.g. "Are the performance results different in a operation environment than collected in a lab?"), usability (e.g. "Can the system be used efficiently, effectively and consistently by a large population?") and the complexities of the human factors on biometric testing performance. Raising the question, is the error always subject centric?</> In order to fill in some these gaps, Stephen and his graduate students are looking at the traditional biometric modes and metrics to determine if they are suitable in today's testing and evaluation environments. During the CERIAS tech talk Stephen spotlighted the research of three of his graduate students: 1. The Concept of Stability Thesis by Kevin O'Connor - the examination of finger print stability across force levels; 2. The Case of Habituation by Jacob Hasselgren - quantitatively measuring habituation in biometrics testing environments; and 3. Human Biometric Sensor Interaction highlighting Michael Brokly's research on test administrator errors in biometrics, including the effects of operator train, workloads of both test administrators and test operators, fatigue and stress. The biometrics community continues to investigate these questions in order to understand how the vast array of players in a operational data collection environment impact performance. In his closing statements, Stephen reiterated the complexities and challenges in biometrics testing and how researchers are looking deeper into the factors affecting performance beyond a simple ROC/DET curve. |
| Featured Commentary: The Honorable Mark Weatherford, DHS Deputy Under Secretary for Cybersecurity Posted: 12 Apr 2013 01:39 PM PDT Thursday April 4, 2013 Summary by Marquita A. Moreland During the introduction, Professor Spafford discussed Mark Weatherford's experience prior to becoming Deputy Under Secretary for cybersecurity at DHS. He mentioned that Mr.Weatherford was CIO of the state of Colorado and California and director of security for the electric power industry. He made it known that Mr.Weatherford has won a number awards and spent a lot of time in cybersecurity in the navy. He also mentioned that under sequestration rules Mr.Weatherford was not allowed to travel. Mr.Weatherford desired to be present, but he could not attend, so he decided to create a video. Mark Weatherford began his commentary with the For Want of a Nail rhyme because he believes it is a good way on how to approach the business of security. Mr.Weatherford expressed his appreciation for Professor Spafford, thanking him for how much he has helped advance the topic of cybersecurity and the development of some of the national security leaders. Mr. Weatherford proceeded to state that "we're in business where ninety nine percent secure, means you're still one hundred percent vulnerable." An example he used was from 2008, when a large mortgage company that is no longer in business, was concerned with the loss of their client's information. They decided to disable the USB ports from thousands of machines to prevent employees from copying data. They missed one machine, which was used by an analyst to load and sell customer's data over a two year period. Cybersecurity threat, DHS's role in cybersecurity, the President's Executive Order on cybersecurity, and the lack of cyber talent across the nation are the four topics that Mr.Weatherford briefly explained. Cybersecurity Threat: The danger of a cyber attack is the number one threat facing the United State, bigger than the threat of Al Qaeda. There is a lack of security practices, and water, electricity and gas are dangerously vulnerable for cyber attacks. The banking and finance industry has been under a series of DDOS attacks since last summer. Almost every week there are a new set of banks under siege, such as the Shamoon attack on Saudi Aramco and the attack on Qatari RasGas. In February of this year the emergency broadcast system in four states were attacked, with a message that said the nation was being attacked by zombies. The fact that someone can get into these systems raises safety and security concerns. The office of cybersecurity and communication (CS&C) has the largest cybersecurity role in DHS. They help secure the federal civilian agency networks in the executive branch primarily the .gov domain. They also provide help with the privacy sector in the .com domain, with a focus on critical infrastructure. They lead and coordinate the response of cyber events. They work on national and international cybersecurity policies. There are five divisions; Network Security Deployment, Federal Network Resilience, Stakeholder Engagement and Cyber Infrastructure Resilience, the Office of Emergency Communications, and the National Cybersecurity and Communications Integration Center. Last year U.S. CERT resolved over 200,000 incidents involving different sectors, and ICS-CERT responded onsite to 177 incidents. President's Cybersecurity Executive Order (EO): The EO was announced during the State of Union speech. There were two paragraphs regarding cybersecurity in the President's State of Union Speech. Mr. Weatherford mentioned when he was CIO, he worked every year to try and get at least a single sentence in the Governor State of State speech but was unsuccessful. The EO significance will help achieve: Establishment of an up to date cybersecurity framework. Enhancement of information sharing amongst stakeholders by: Expanding the voluntary DHS Enhanced Cybersecurity Services program (ECS). Expediting the classified and unclassified threat reporting information for private sectors. Expediting the issuance of security clearances of critical infrastructure members in the private sector. Cyber Challenges: Mr.Weatherford stated that "the common denominator to all the work we do is the requirement for well trained and experienced cyber professionals." DHS sponsors Scholarship for Service (SFS) with the National Science Foundation. DHS co-sponsored the National Centers of Academic Excellence (CAE). Purdue was one of the first seven universities in the nation designated as a CAE in 1999. The lack of qualified people is one of the biggest problem and Mr.Weatherford's suggestions are: Make people want to choose cyber security. Government, academia and industry need to work together to change the public perception and to figure out how to make cybersecurity "cool". Mr.Weatherford closed this commentary by stating "DHS wants to be your partner in cybersecurity whether you're in the government, academia or the private sector. No one can go it alone in this business and be successful, so think of us as partners and colleagues, we really can help." |
| Panel 3: Security Education and Training (Panel Summary) Posted: 12 Apr 2013 01:17 PM PDT Thursday, April 4th, 2013 Panel Members: Diana Burley, Associate Professor of Human and Organizational Learning, George Washington University Melissa Dark, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University Allan Gray, Professor and Director, Center for Food and Agricultural Business and Land O'Lakes Chair in Food and Agribusiness, Purdue University Marcus K. Rogers, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University Ray Davidson, Professor of Practice and Dean of Academic Affairs, SANS Technology Institute Moderator: Professor Eugene Spafford, Executive Director, CERIAS Summary by Rohit Ranchal Current technological advances and shortage of cyber security professionals require us to focus on cyber security education. The main challenge is that how to fit the identified needs in a practical education or training program. Going by the modern trends and popularity of MOOCs (Massive Open Online Courses), it is very important to consider online and distance education for cyber security. One important requirement is to have a business model in place to structure the MOOCs because right now they are just doing information dissemination. We need a structured curriculum, which can take advantage of the freely available MOOCs. The current trend of security problems suggests that we are moving away from the traditional problems like protocol vulnerabilities and reviewing RFCs to fix them. Most problems such as policy based vulnerabilities, social engineering etc occur at application level and end user level. So it is important to have exposure to the changing problems and understanding the associated legal and regulatory environment. Professionals need to be trained for organizational dynamics such as budgeting and investments, which are important to the business. Having awareness of bigger issues is also important along with the technical expertise. One important thing to consider in Information Security Education is the target population. When we consider about educating everyone in the security awareness space, we focus on campaigns, reaching into k-12, educating elderly people, talking about cyber security war etc. But the instruction language is not particularly persuasive. It is very important to think about the instruction language when the target audience is masses of people. Our current education system focuses on Professionalization. Professionalization is a social phenomenon. A cyber security professional is someone who has to deal with high levels of uncertainty and high levels of complexity. A professional can have a specific technical background or expertise or can have skills in the interdisciplinary space. The framework proposed by National Initiative for Cyber Security Education lists seven high- level job roles including some non-technical job roles as well. Cyber security professionals are not only in cyber security profession only but they are in hybrid roles in the interdisciplinary space. Thus the professionals should be educated and trained in such a way that they can carry out multiple tasks in their hybrid roles. Professionalization could also mean credentialing, education/degree, codes of ethics, certification, training, apprenticeship, etc. Professionalization can be debated in terms of various aspects such as applied vs theoretical knowledge, concepts vs technologies, vocational training vs degree education, immediate needs vs future needs, generalists vs specialists etc. We need to consider all these aspects. The underlying point is that Professionalization induces a change in behavior. An important way to achieve that is through apprenticeship and mentoring. Apprenticeship and mentoring is strictly followed in some other professions on the completion of degree to acquire the practical training and on successful completion, the person is considered a professional. We need to bring back apprenticeship and mentoring in the security education curriculum. But things in security space are changing so rapidly that no matter how much education is given, the professionals will have to deal with high level of uncertainty and complexity. One way to ensure this is to have people who are excited about the profession and are willing to constantly learn and enjoy it. Professionalization should not be considered as something where one can arrive like an end-point. The obvious question is that how to find such people. Some institutes like SANS Technology Institute and (ISC)2 focus to address this problem through certification. But how can we measure if the certifications have any real value? It depends upon the training, knowledge and experience that goes into the certification. There are many different types of certifications from weekend certifications to highly specialized certifications. Another thing to consider is that certification implies that a professional has some valuable knowledge today but doesn't say anything about tomorrow when the threats, situations and environment change. There is a shortfall of individuals at present but how can we ensure that our education system can balance that need for today with the need for professionals who are able to learn, analyze and synthesize challenges of tomorrow that are not yet known. If we look at other professions, many of them require licensing. Professionals in such professions have to renew their licensing to stay active with the current technologies and skills. Another difference is that the cyber security professionals don't have the same liability if something goes wrong e.g. a system gets hacked, as compared to some other professions for e.g. if a bridge falls down, then you can talk to the civil engineer. Consider if we have all the security jobs require a certification and an organization hires a professional without certification for building a system that gets broken then there can be terrible consequences such as lawsuits. Also you have to consider that building a system requires system designers, developers and users. Its not easy to declare someone liable. The liability model is not appropriate at present but we should move in that direction. An important concern while education and training security professionals is that how to prevent them from turning bad such as ethical hackers becoming unethical hackers. The argument is that there is a high risk in case of information dissemination only but with education that risk is lowered. The goal of education is not just to give knowledge but to provide the context, the morality, the ethics and to teach that there are consequences to actions. Education is a socialization and culturization process that induces the change in behavior. The education curriculums should be designed in such a way that the mentor can effectively measure that change in the behavior. While addressing the education problem, it is important to understand that the governments tend to be reactionary and focus on present problems rather than being visionary so it is very important for the universities and industries to be visionary and drive the education and training that focuses on the future and not past. |
| Panel 2: NSTIC, Trusted Identities and the Internet (Panel Summary) Posted: 12 Apr 2013 11:25 AM PDT Wednesday, April 3rd, 2013 Panel Members: Cathy Tilton, VP Standards and Technology, Daon Solutions Elisa Bertino, Professor, Computer Science and CERIAS Fellow, Purdue University Stephen Elliot, Associate Professor, Technology Leadership & Innovation and CERIAS Fellow, Purdue University Stuart S. Shapiro, Principal Information Privacy and Security Engineer, The MITRE Corporation Moderator: Keith Watson, Information Assurance Research Engineer, CERIAS Summary by Ruchith Fernando Cathy Tilton was the first to present her views and she opened with an introduction to NSTIC. She mentioned that NSTIC strategy document came out in April 2011 is an outcome the President's cyber security review. Daon's objective is "Enhancing commercial participation cross sector in the identity ecosystem" in collaboration with AARP, PayPal, Purdue University IT Department, American Association of Airport Executives and a major bank. Daon pilot study consists of 4 components: Technology component: This is based on a risk based multi factor authentication capability solution that leverages mobile devices called IdentityX. Based on the risk level of the transaction, the relying party would dynamically invoke some combination of authentication methods. Research component: Deon teamed with the Purdue Biometric Lab in analyzing data coming from operational pilots to evaluate usability, accessibility, privacy, security, user acceptance and performance of the solution in various environments. Trust frameworks: A research effort attempting to identify what gaps exists in trying to fit IdentityX solution to existing trust frameworks. Operational Pilot: There are 5 relying parties from different sectors. Some with large and smaller subscriber bases implementing different use cases. Professor Stephen Elliot presented his work at the Purdue Biometrics Laboratory where they have been working with a focus on testing and evaluation various biometrics since 2001. There is a multi faceted approach to the testing philosophy in this project which involves "in lab" testing, surveys and "in the wild" testing. In lab testing is where there is a controlled environment where users carry out controlled transactions. These tests are carried out on three different operating systems, and evaluate interoperability by assessing whether users remember how to use the device and whether they can transfer that knowledge into another operating system. These sessions are recorded and are conducted over 4 to 6 weeks. In the wild testing attempts to mimic various real life scenarios where the test subjects are given a mobile device for a month. The focus groups involved in testing include elderly, disabled and able-bodied individuals where there are about 10 to 15 participants in each group. Professor Elisa Bertino was the next to present her views. She defined digital identity and introduced the concepts of strong identifiers and weak identifiers. Strong identifiers identify an individual uniquely. Weak identifiers are those that do not identify a person uniquely. Depending on the context an identifier may be a strong or a weak identifier. Security and interoperability are concerns: In most identity management systems, the user is redirected to an identity provider when authenticating with a relying party. But this leads to privacy issues where the identity provider learns information about the user's transactions. Protocols developed in VeryIDX project uses an identity token given to the user by the identity provider, which can be used without further interactions with the identity provider. Those protocols are very different with different information and different interaction models. Therefore achieving interoperability with other protocols is a challenge. Linkability: When a user carries out two transactions with two different relying parties, the two relying parties may be able to use information they collect to identify that they are interacting with the same user. This further applies to the user carrying out two transactions with the same relying party. Stuart S. Shapiro expressed his views on two main issues. NSTIC This promotes selective attribute disclosure. In the case where individual subscribes to an online newspaper, from the subscriber's privacy perspective, as long as the service provider can verify that he/she is a valid subscriber there is no need for any other identity information. But based on the business model, the service provider may need to know certain demographic data about the individual to be able to target advertisements and to be able to charge for advertisements. This is the issue of "Functional Minimums vs. Business Model Minimums". Business models may require much more information than what is covered in functional requirements. NSTIC does not clearly address this issue. Service providers are "not interested in individuals but are interested in categories": This categorization may be either benign or harmful to individuals. Therefore even with privacy preservation techniques, if an individual can be categorized, this might lead to the leak of critical identity information. This was the conclusion of the presentations by the panelists and the audience raised several questions: Q: FIPS 2001 seems to be very applicable to your study. Cathy Tilton: With regard to FIPS 2001, we are not doing anything with regard to smart card credentials. We are however looking at the ICAM (Identity, Credential, and Access Management) certification related to trust framework providers and identity providers. Q: I assume you are trying to certify the protection of data bearing processes. Please explain how you are doing it on inherently insecure mobile device without a trust anchor. Cathy Tilton: We include a private key in the keychain of the phone. We consider the phone an untrusted device. We use the key to set up a mutually authenticated TLS session with the phone. When this secure channel is established one can use this channel to collect information on the phone and send it back to the server where verification is performed. Q: What about jailbroken devices? Cathy Tilton: The device is considered untrusted. When secure elements are commercially available on mobile devices we will make use of those. Our approach has been BYOD (bring your own device) model for usability and familiarity. Therefore we have to manage with the capabilities and security features of those devices. Q: How does liability fit into NSTIC? Cathy Tilton: In our situation we are really more of a credential provider. Therefore it is a shared responsibility. Most of our relying parties already have all their identity information about their subscriber base. They do not share that information with us and they do the identity proofing. What they are looking from us is a strong credential. What becomes critical is the binding of the credential to the identity. Prof. Bertino: The problem of liability is a very debated question. In software engineering who is liable for software mistakes? Identity management is very much the same. It is software, which needs to be secured to be working properly. Q: How does NSTIC accommodate potential issues such as forcing users under duress to authenticate sensitive transactions? Cathy Tilton: In our solution we have provisions to a "duress pin" where the relying party handles it according to their policy. Stuart S. Shapiro: In a certain context duress is the status quo right now. In some cases, users lie about the requested information to obtain the service and avoid providing real identity information. If the certified attributes are required then there will be no option to lie. In such cases duress can increase rather than decrease. Q: How do you see we achieve tradeoff between the fact that we have to reveal certain information about ourselves while certain generalized categories already reveal so much information about us? Prof. Bertino: Services should provide customers the choice of revealing information and provide alternatives such as paying for those services. Systems should be flexible to support such options. Sometimes categorization can be benign, but for example, if a user is in the wrong passenger profile then he/she might have trouble getting through airport security. Even if a user is a very private user but he/she simply possess a certain feature in a population he/she might be automatically classified. I think this is separate problem and I don't think NSTIC has to solve this. Cathy Tilton: NSTIC from the supports both pseudonymous and anonymous credentials since there are many transactions that do not require any more information. Q: How is the biometric data stored on the server? Is there anything equivalent to secure password hashes for biometrics data? Cathy Tilton: All biometrics protected using all mechanisms that are normally used to protect data at rest such as encryption and audited access behind a firewall. If the cryptographic mechanisms fail, certain biometrics can leak information. But biometrics are not stored alongside identity information. When acting as a credential provider we have no identifying information associated with biometrics. Q: What are the methods available to verify aliveness of a subject. Cathy Tilton: Our aliveness support includes using photographs of different angles of a face and a challenge response mechanism with random and longer phrases for voice authentication. We are working on using video as well. Q: What are interesting open research problems? Prof. Elliot: There are many research problems with a lot of challenges in areas such as mobile usability testing. Prof. Bertino: There's a lot of work to be done in the anonymity techniques for digital identity and linkability analysis. Stuart S. Shapiro: More sophisticated privacy risk modeling techniques are required. Need techniques for integrating privacy in an engineering sense. |
| Panel 1: Security Analytics, Analysis, and Measurement (Panel Summary) Posted: 12 Apr 2013 11:04 AM PDT Wednesday, April 3rd, 2013 Panel Members: Alok Chaturvedi, Professor, Management, Purdue University Samuel Liles, Associate Professor, Computer and Information Technology, Purdue University Andrew Hunt, Information Security Researcher, the MITRE Corporation Mamani Older, Senior Vice President, Information Security, Citigroup Vincent Urias,Principle Member of Technical Staff, Sandia National Laboratories Moderator: Joel Rasmus, Director of Strategic Relations, CERIAS Summary by Ben Cotton With "Big Data" being a hot topic in the information technology industry at large, it should come as no surprise that it is being employed as a security tool. To discuss the collection and analysis of data, a panel was assembled from industry and academia. Alok Chaturvedi, Professor of Management, and Samuel Liles Associate Professor of Computer and Information Technology, both of Purdue University, represented academia. Industry representatives were Andrew Hunt, Information Security Research at the MITRE Corporation, Mamani Older, Citigroup's Senior Vice President for Information Security, and Vincent Urias, a Principle Member of Technical Staff at Sandia National Laboratories. Joel Rasmus, the Director of Strategic Relations at CERIAS, moderated the panel. Professor Chaturvedi made the first opening remarks. His research focus is on reputation risk: the potential damage to an organization's reputation – particularly in the financial sector. Reputation damage arises from the failure to meet the reasonable expectations of stakeholders and has six major components: customer perception, cyber security, ethical practices, human capital, financial performance, and regulatory compliance. In order to model risk, "lots and lots of data" must be collected; reputation drivers are checked daily. An analysis of the data showed that malware incidents can be an early warning sign of increased reputation risk, allowing organizations an opportunity to mitigate reputation damage. Mister Hunt gave brief introductory comments. The MITRE Corporation learned early that good data design is necessary from the very beginning in order to properly handle a large amount of often-unstructured data. They take what they learn from data analysis and re-incorporate it into their automated processes in order to reduce the effort required by security analysts. Mister Urias presented a less optimistic picture. He opened his remarks with the assertion that Big Data has not fulfilled its promise. Many ingestion engines exist to collect data, but the analysis of the data remains difficult. This is due in part to the increasing importance of meta characteristics of data. The rate of data production is challenging as well. Making real-time assertions from data flow at line rates is a daunting problem. Professor Liles focused on the wealth of metrics available and how most of them are not useful. "For every meaningless metric," he said, "I've lost a hair follicle. My beard may be in trouble." It is important to focus on the meaningful metrics. The first question posed to the panel was "if you're running an organization, do you focus on measuring and analyzing, or mitigating?" Older said that historically, Citigroup has focused on defending perimeters, not analysis. With the rise of mobile devices, they have recognized that mere mitigation is no longer sufficient. The issue was put rather succinctly by Chaturvedi: "you have to decide if you want to invest in security or invest in recovery." How do organizations know if they're collecting the right data? Hunt suggested collecting everything, but that's not always an option, especially in resource-starved organizations. Understanding the difference between trend data and incident data is important, according to Liles, and you have to understand how you want to use the data. Organizations with an international presence face unique challenges since legal restrictions and requirements can vary from jurisdiction-to-jurisdiction. Along the same lines, the audience wondered how long data should be kept. Legal requirements sometimes dictate how long data should be kept (either at a minimum or maximum) and what kind of data may be stored. The MITRE Corporation uses an algorithmic system for the retention and storage medium for data. Liles noted that some organizations are under long-term attack and sometimes the hardware refresh cycle is shorter than the duration of the attack. Awareness of what local log data is lost when a machine is discarded is important. Because much of the discussion had focused on ways that Big Data has failed, the audience wanted to know of successes in data analytics. Hunt pointed to the automation of certain analysis tasks, freeing analysts to pursue more things faster. Sandia National Labs has been able to correlate events across systems and quantify sensitivity effects. One audience member noted that as much as companies profess a love for Big Data, they often make minimal use of it. Older replied that it is industry-dependent. Where analysis drives revenue (e.g. in retail), it has seen heavier use. An increasing awareness of analysis in security will help drive future use. |
0 comments:
Post a Comment