CERIAS Recap: Fireside Chat

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended.

The end of Christopher Painter’s talk transitioned nicely into the Fireside Chat with Painter and CERIAS Executive Director Gene Spafford. Spafford opened the discussion with a topic he tried to get the first panel to address: privacy. “Many people view security as the most important thing,” Spafford observed, which results in things like CISPA, which would allow unlimited and unaccountable sharing of data with government. According to Painter, privacy and security “are not incompatible.” The Obama administration works to ensure civil liberty and privacy protections are built in. Painter also disagreed with Spafford’s assertion that the U.S. is behind Europe in privacy protection. The U.S. and the E.U. want interoperable privacy rules. They’re not going to be identical, but they should work together. Prosecution of cyber attacks, according to Painter, aids privacy in the long run.

An audience member wanted to know how to address the risk of attribution and proportional response now that cyber defense is transitioning from passive to active. Painter noted that vigilante justice is dangerous due to the possibility of misattribution and the risk of escalating the situation. “I don’t advocate a self-help approach,” he said.

Another in the audience expressed concern with voluntary standards, observing that compliance is spotty even in regulated industries (e.g. health care). He wondered whether these voluntary international standards were intended to be guidance or to be effective. Painter said they are intended to set a “standard of care”. Governments will need to set incentives and mechanisms to foster compliance. Spafford pointed out that there are two types of standards: minimum standards and aspirational standards. Standards can also institutionalize bad behavior, so it is important to set the right standards.

Painter had earlier commented that progress has been structural. An audience member wondered where the gaps remain. The State Department, according to Painter, is a microcosm of the rest of the Executive Branch. Within State, they’ve done a good job of getting the parts of the agency working well together. They weren’t cooperating operationally as much as they could, but that’s improved, too. Spafford asked about state-level cooperation. 9/11 drove a great deal of state cooperation, but we’re now beginning to see states participate more in cyber efforts.

One member of the audience said “without accountability, you have no rule of law. How do you have accountability on the Internet?” Painter replied there are two sides to the coin: prevention and response. Response is more difficult. There have been efforts by the FBI and others in the past few years to step up enforcement and response. Spafford pointed out that even if an attack has been traced to another country with good evidence, the local government will sometimes deny it. Can they be held accountable? We have to build the consensus that this is important, said Painter. If you’re outside that consensus you will become isolated. A lot of countries in the developing world are still building capabilities. They want to stop it, but they can’t. Cybercrime is often used to facilitate traditional crime. That might be a lever to help encourage cooperation from other nations.

Fresh off this morning’s attack on North Korean social media accounts, the audience wanted to hear comments on Anonymous attacking governments. “If you’re doing something that’s a crime,” Painter said, “it’s a crime.” Improving attribution can help prevent or prosecute these attackers. The conversation moved to the classification of information when Spafford observed that some accuse governments of over-classifying information. Painter said that has not been his experience. When people reveal classified information, that damages a lot of efforts. We have to balance speech and protection. The openness of the Internet is key.

Two related questions were asked back to back. The first questioner observed that product manufacturers are good at externalizing the cost of insecurity and asked how producers can be incentivized to produce more secure products. The second question dealt with preventing misuse of technology, with The Onion Router being cited as an example of a program used for both good and bad. Painter said the market for security is increasing, with consumers becoming more willing to pay for security. Industry is looking at how to move security away from the end user in order to make it more transparent. Producers can’t tell how their work will be used, but even when technology is used to obscure attribution, there are other ways to trace criminals (for example, money trails).

One other question asked how we address punishment online. Painter said judges have discretion in sentences and U.S. sentencing laws are “generally pretty rational.” The penalties in cyberspace are generally tied to the penalties in the digital world. In seeming contradiction, Spafford pointed out that almost everything in the Computer Fraud and Abuse Act is a felony and asked Painter if there is room to have more misdemeanor offenses in federal law. Painter said there are misdemeanor offenses in state and local laws. Generally, Spafford says, policymakers need better understanding of tech, but tech people need better understanding of law.

There were other aspects of this discussion that I struggle to summarize (especially given the lengthy nature of this post). I do think this was the most interesting session of the entire symposium, at least for me. I’ve recently found my interest in law and policy increasing, and I lament the fact that I’ve nearly completed my master’s degree at this point. I actually caught myself thinking about a PhD this morning, which is an absolutely unnecessary idea at this stage in my life.

CERIAS Recap: Thursday keynote

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended.

Thursday’s keynote address was delivered by Christopher Painter, the Coordinator for Cyber Issues at the U.S. State Department. Mister Painter has a long and distinguished career in law and policy, starting with the U.S. Attorney’s office in Los Angeles, and moving through several roles in the Justice Department. He served as acting Cyber Czar during his time in the White House, and finally ended up in the State Department.

Cyber security issues have started receiving increased attention in recent years. Painter said President Obama came to the White House with a unique understanding of security because his 2008 campaign was hacked. In his 2013 State of the Union address, Mr. Obama became the first president to address cyber security on such a stage.

As Todd Gebhart noted the morning before, the conversation has evolved from being purely technical to involving senior policy officials. This requires the technical community to work with the policy community so that policy is informed. Painter takes heart in observing senior officials discuss cyber security issues beyond the scope of their prepared notes.

Although the State Department has a role in responding to DoS attacks against diplomatic institutions, the primary focus seems to be on fostering international cooperation. The international nature of cyber crime makes it very difficult to combat. Many different targets and intents are involved, as well. Although there have not been any [publicly reported] terrorist attacks on critical infrastructure, the threat exists. There are financial motivations for other cyber crimes. For example, one man spoofed Bloomberg web pages to publish fake articles in order to manipulate the stock price of a company. Although he got cold feet about executing the trade, people lost money in their own trades.

Regardless of the specific incident, the international nature of cyber crime makes it difficult to pursue and prosecute offenders. Some governments are more interested in “regime security”, protecting the interests of their own authoritarian states. The goal of U.S. cyber policy is an open, secure, reliable Internet system. To accomplish this, the State Department is promoting a shared framework of existing norms grounded in existing international law. Larger embassies have created “cyber attache” positions in order to help foster international cooperation.

CERIAS Recap: Panel #1

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended. This post will also appear on the CERIAS Blog.

With “Big Data” being a hot topic in the information technology industry at large, it should come as no surprise that it is being employed as a security tool. To discuss the collection and analysis of data, a panel was assembled from industry and academia. Alok Chaturvedi, Professor of Management, and Samuel Liles, Associate Professor of Computer and Information Technology, both of Purdue University, represented academia. Industry representatives were Andrew Hunt, Information Security Research at the MITRE Corporation, Mamani Older, Citigroup’s Senior Vice President for Information Security, and Vincent Urias, a Principal Member of Technical Staff at Sandia National Laboratories. The panel was moderated by Joel Rasmus, the Director of Strategic Relations at CERIAS.

Professor Chaturvedi made the first opening remarks. His research focus is on reputation risk: the potential damage to an organization’s reputation – particularly in the financial sector. Reputation damage arises from the failure to meet the reasonable expectations of stakeholders and has six major components: customer perception, cyber security, ethical practices, human capital, financial performance, and regulatory compliance. In order to model risk, “lots and lots of data” must be collected; reputation drivers are checked daily. An analysis of the data showed that malware incidents can be an early warning sign of increased reputation risk, allowing organizations an opportunity to mitigate reputation damage.

Mister Hunt gave brief introductory comments. The MITRE Corporation learned early that good data design is necessary from the very beginning in order to properly handle a large amount of often-unstructured data. They take what they learn from data analysis and re-incorporate it into their automated processes in order to reduce the effort required by security analysts.

Mister Urias presented a less optimistic picture. He opened his remarks with the assertion that Big Data has not fulfilled its promise. Many ingestion engines exist to collect data, but the analysis of the data remains difficult. This is due in part to the increasing importance of meta characteristics of data. The rate of data production is challenging as well. Making real-time assertions from data flow at line rates is a daunting problem.

Ms. Older noted that Citigroup gets DDoS attacks every day, though some groups stage attacks on a somewhat predictable schedule. As a result, Citigroup employs a strong perimeter defense. She noted, probably hyperbolically, that it takes 20 minutes to boot her laptop. Despite the large volume of data produced by the perimeter defense tools, they don’t necessarily have good data on internal networks.

Professor Liles focused on the wealth of metrics available and how most of them are not useful. “For every meaningless metric,” he said, “I’ve lost a hair follicle. My beard may be in trouble.” It is important to focus on the meaningful metrics.

The first question posed to the panel was “if you’re running an organization, do you focus on measuring and analyzing, or mitigating?” Older said that historically, Citigroup has focused on defending perimeters, not analysis. With the rise of mobile devices, they have recognized that mere mitigation is no longer sufficient. The issue was put rather succinctly by Chaturvedi: “you have to decide if you want to invest in security or invest in recovery.”

How do organizations know if they’re collecting the right data? Hunt suggested collecting everything, but that’s not always an option, especially in resource-starved organizations. Understanding the difference between trend data and incident data is important, according to Liles, and you have to understand how you want to use the data. Organizations with an international presence face unique challenges since legal restrictions and requirements can vary from jurisdiction to jurisdiction.

Along the same lines, the audience wondered how long data should be kept. Legal requirements sometimes dictate how long data should be kept (either at a minimum or maximum) and what kind of data may be stored. The MITRE Corporation uses an algorithmic system to decide the retention period and storage medium for data. Liles noted that some organizations are under long-term attack, and sometimes the hardware refresh cycle is shorter than the duration of the attack. Awareness of what local log data is lost when a machine is discarded is important.

Because much of the discussion had focused on ways that Big Data has failed, the audience wanted to know of successes in data analytics. Hunt pointed to the automation of certain analysis tasks, freeing analysts to pursue more things faster. Sandia National Labs has been able to correlate events across systems and quantify sensitivity effects.

One audience member noted that as much as companies profess a love for Big Data, they often make minimal use of it. Older replied that it is industry-dependent. Where analysis drives revenue (e.g. in retail), it has seen heavier use. An increasing awareness of analysis in security will help drive future use.

CERIAS Recap: Opening Keynote

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is the first of several posts summarizing the talks I attended.

The opening keynote was delivered by Todd Gebhart, the co-president of McAfee, Inc. Mr. Gebhart opened by reminding the audience that a “certain individual” who happens to share a name with the company is no longer involved with the McAfee corporation. Gebhart set the stage by addressing why McAfee employees go to work every day. The company focuses on protecting four areas: personal, business, government, and critical infrastructure.

The nature of security has changed over the years. In 1997, updates to antivirus subscriptions were physically mailed on disk to McAfee customers every three months. 17,000 known pieces of malware had been identified. Today, a growth in the number of connected devices has spurred a growth in malware. McAfee estimates one billion devices are connected to the Internet today, a number which is forecast to grow to 50 billion by 2020. Despite improvements in security procedures and products, the rate of growth in malware does not appear to be slowing.

The growth rate is greatest for mobile devices, where “only” 36,000 unique pieces of malware are known to exist (according to a preliminary study, 4% of all mobile apps are designed with malicious intent). Consolidation of mobile operating systems into two main players (iOS and Android) has made it easier for malware writers. The nature of the threat on mobile has changed as well. Whereas desktop and server-based attacks were often about gaining control of or denying service to a machine, mobile threats are more focused on the loss of data and devices. The addition of WiFi, while of considerable benefit to users, has opened up a whole new realm of attack vectors that did not exist a few years ago.

Gebhart gave a brief survey of current malware threats in the four sectors listed above. He noted that attacks are no longer about machines; they’re about people and organizations. Accordingly, spam and botnets are becoming less of a concern in favor of malicious URLs. Behavior- and pattern-based attacks allow bad actors to focus their efforts more efficiently, and the development of Hacker-as-a-Service (HaaS) offerings allows for attackers with little-to-no technical knowledge.

The evolving threat has led to greater awareness among non-technical business leaders. Security companies are now having discussions not only with technical leadership in organizations, but also with high-level business and government leaders.

The industry is evolving to face the new and emerging threats. The use of real-time data to make real-time decisions can improve the response to attacks, or perhaps prevent them. Multi-organization cooperation can help defend against so-called “trial-and-error” attacks. Cloud-based threat intelligence allows McAfee to analyze malware traffic across 120 million devices worldwide. Hardware and software vendors are working together (or in the case of Intel, buying McAfee) to develop systems that can detect malware at the hardware interaction layer.

Gebhart closed by saying “it’s an exciting time to be in security” and noting that his company is always looking for talented security researchers and practitioners.

Coming up: LISA ’12

It may seem like I’ve not been writing much lately, but nothing can be further from the truth. It’s just that my writing has been for grad school instead of Blog Fiasco. But don’t worry, soon I’ll be blogging like a madman. That’s right: it’s time for LISA ’12. Once again, I have the privilege of being on the conference blog team and learning from some of the TopPeople[tm] in the field. Here’s a quick look at my schedule (subject to change based on level of alertness, addition of BoFs, etc):

Sunday

Monday

Tuesday

Wednesday

Thursday

Friday

Now I just need to pack my bags and get started on the take-home final that’s due mid-week. Look for posts from me and my team members Matt Simmons and Greg Riedesel on the USENIX Blog.

CCA11: Cloud Computing and Its Applications

Earlier this week, I attended CCA11 at Argonne National Laboratory. I was there to present an extended abstract and take in what I could. I’ve never presented at a conference before (unless you count a short talk to kick off the Condor BoF at LISA ’10, which I don’t) and the subject of my abstract was work that we’ve only partially done, so I was a bit nervous. Fortunately, our work was well-received. It was encouraging enough that I might be talked into writing another paper at some point.

One thing I learned from the poster session and the invited talks is that the definition of “cloud” is just as ambiguous as ever. I continue to hate the term, although the field (however you define it) is doing interesting things. There’s a volunteer effort underway at NASA to use MapReduce to generate on-demand product visualization for disasters. An early prototype for Namibian flooding is at http://matsu.opencloudconsortium.org/.

Perhaps one of the largest concerns is the sheer volume of data. For example, the National Institutes of Health have over two petabytes of genomics data available, but how can you transfer that? Obviously, in most cases a user would only request a subset of data, but if there’s a use case that requires the whole data set, then what? One abstract presenter championed the use of sneakernet and argued that network bandwidth is the greatest challenge going forward.

One application that wasn’t mentioned is the cloud girlfriend. Maybe next year?

Thanks to Andy Howard and Preston Smith for their previous work and for helping me write the abstract.

Marketing LISA ’10

This post is also available on the Usenix blog at http://blogs.usenix.org/?p=520.

You may recall that I’ve been selected to the Blog Team for the Large Installation System Administration (LISA) conference taking place in San Jose in November. As part of my pre-conference duties, I interviewed Anne Dickison, the Director of Marketing for the USENIX Association. As Director of Marketing, much of Anne’s work involves promoting this large annual event. With less than two months left until LISA ’10, Anne and her team have already been hard at work for several months, getting the word out and enlisting the aid of others (including the Blog Team). LISA ’10 work began shortly after LISA ’09 ended, with the Call for Papers. Fortunately, it’s easier than ever to spread the word about large events.

The rise of social media has changed the lives of all marketers. Anne says she relies “heavily on social networking to get the word out.” With a small budget, “barter agreements and word-of-mouth” are invaluable to promoting LISA. Twitter and Facebook have shown themselves to be excellent tools for spreading LISA news, as well as giving attendees a chance to interact with each other before, during, and after the conference.

Last year’s introduction of the blog program was so beneficial that it has been expanded into a “full-fledged team”, and this year there’s a new feature in store. For the first time ever, LISA will have a UStream.tv chat and on-site interviews. Few details are available right now, but Anne said “I think it will be extremely helpful in showcasing the benefits of attending a LISA conference.”

There are many benefits for LISA attendees. A wide variety of technical sessions, training, and vendor exhibits are scheduled, but perhaps the most beneficial events are more informal. Birds of a Feather (BoF) sessions and various activities provide opportunities to cultivate relationships that can be a source of personal and professional interactions long after the conference has wrapped up. Anne says “we try to make it as easy as possible for people to interact, [and] set up systems so that the discussions started at LISA can continue long after the conference, via mediums such as the sage-members mailing list or the Facebook page.”

With such a large amount of effort put into making LISA successful, the payoff is personal for Anne Dickison: “My favorite part of LISA marketing is hearing really positive feedback from a first-time attendee. It’s great to watch new people who’ve never heard of us discover how much fun they can have and information they can learn by attending the conference.” The uniqueness of LISA also allows more creativity than is sometimes permissible in traditional marketing. “It’s probably the most fun event we do,” Anne told me. “I have more leeway in doing fun things like the adventure theme of this year or the puzzle theme of ’05.”

Registration is still open at http://www.usenix.org/events/lisa10/. Many discounts are available, including for hotel and airfare. Discounted registration is also available to those who register online by October 18.

It’s beginning to look a lot like LISA

We’re just over two months from the Large Installation System Administration (LISA) conference, and the website has recently been updated with details. I’ve never been to this conference before, but as a member of the official blog team, I’ll get to spend the week doing nothing but participating in, and writing about, LISA ’10. Can I write two blog posts and countless tweets every day? It will be a challenge, and I’m sure I’ll be tired of writing by the end, but there should be plenty to write about.

With three days of workshops, 48 training courses, and three days of technical sessions, there’s plenty to choose from. I’m especially interested in the talk “Measuring the Value of System Administration” scheduled for Thursday morning. Of course, each evening there will be Birds of a Feather (BoF) sessions, which I’m told are the most valuable part of the whole LISA experience. BoFs are an informal meeting of the minds, where admins who do similar work compare notes and pick up new ideas to bring home. And drink beer. I’m okay with that. The BoF schedule is still pretty thin, but no doubt it will fill out as November approaches.

If you’re interested in attending LISA, you can register online at http://www.usenix.org/events/lisa10/registration/. Registration is available in half-day increments, so you can pay for exactly the amount of conference you want, and if you register by October 18, you get the “early bird discount.” I hope to see you all in San Jose!