2011 lecture ia orientation
  • Expect to see a similar evolution within Virtual Worlds to that on the rest of the internet – attacks will become monetized
  • Evolution of threats on the Internet – we can expect to see the same evolution in Virtual worlds.
  • The nutshell: a fake pastor from Nigeria tries to con a stranger out of money only to end up with a horrific tattoo instead. In a supposed bid for financial assistance to help Pakistani earthquake survivors this scammer tried to trick the wrong individual. The scambusters write back that he could have up to $150,000 if only he were a member of the church. The scammer bites, of course, and is told that he’ll simply have to get a tattoo showing his devotion to the church. Sure enough, he gets the tattoo and sends pictures! At this point things get strange: the scambusters fake being another scammer who has hacked into the good church’s email system. They finally get the scammer to “work for them” and admit what he is doing. Before it is finished, the scambusters have the name and address of the scammer and leave him waiting (forever) for his funds.

Presentation Transcript

  • 4/11/2011 Information Security and Risk Management in Context The Context Dr. Barbara Endicott-Popovsky
  • Center for Information Assurance and Cybersecurity (NSA/DHS CAE-R) CIAC The Center for Information Assurance and Cybersecurity at the University of Washington  
    • Promotes multi-disciplined, regional collaboration
    • Produces innovative research
    • Provides CNSS-accredited educational programs
    • Develops well-prepared information assurance professionals
    http://ciac.ischool.washington.edu/
    • Barbara Endicott-Popovsky, Director, Center for Information Assurance and Cybersecurity; Faculty, Information School and CS, UW Institute of Technology Tacoma. Email: endicott@u.washington.edu. Office: Suite 400 RCB. Phone: 206-284-6123. Website: http://faculty.washington.edu/endicott
    • Barbara Endicott-Popovsky (Pittsburgh, Pennsylvania) is the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, Seattle, WA, USA, with a joint faculty appointment in the Information School and the Computer Science Department at the UW Institute of Technology Tacoma. She previously held executive positions with The Boeing Company, Seattle, WA. Her current research interests, within the theme of the Unintended Consequences of the Information Age, include the impacts of technology on the legal structure, the calibration of low-layer network devices, network forensic readiness methodologies, and security vulnerabilities in critical infrastructure.
    • She earned her Ph.D. in computer science at U. Idaho, Moscow, ID, USA (2007); an MS in information systems engineering from Seattle Pacific University, Seattle, WA, USA (1987); an MBA from the University of Washington, Seattle, WA, USA (1985); and a BA in Liberal Arts from the University of Pittsburgh, Pittsburgh, PA, USA (1967). Ms. Endicott-Popovsky is a member of the IEEE, a founding member of the NW Regional Computer Forensics Cooperative, Principal Investigator on numerous grants, and producer of the televised Unintended Consequences of the Information Age lecture series. She has served on organizing committees for the Information Security Compliance and Risk Management Institute, the International Workshop on Systematic Approaches to Digital Forensic Engineering and the Recent Advances in Intrusion Detection (RAID) conference, and is on the editorial board of a Special Edition of the Journal on Educational Resources in Computing.
  • NSA/DHS NIETP Program: “Growing” information security professionals in our universities
  • UW/West Coast opportunity
  • Center for Information Assurance and Cybersecurity NSA-CAE-R
  • Multi-Disciplined IA Approach (diagram). Elements: Goal of System; Policy; Security Awareness Training; Procedures & Practices; Mechanisms; Secure System; IA Audit Feedback. Contributing units: Business School—IT; iSchool; Evans School—Internet Center; Law School—Shidler Center; Tech Comm-Eng; Computer Science; Elect Engr.
  • Academics
    • As an NSA-designated Center, the CIAC offers certificates, courses and workshops in Information Assurance
      • UW Certificates
        • Information Assurance & Cybersecurity http://www.extension.washington.edu/ext/certificates/inf/inf_gen.asp
        • IT Security http://www.extension.washington.edu/ext/certificates/iss/iss_gen.asp
        • Network Engineering http://www.extension.washington.edu/ext/certificates/dac/dac_crs.asp
      • Classes
        • Information Ethics, Security, and Privacy
      • Workshops
        • ISCRMI
        • IP3 Seminars
        • CISSP Bootcamps
  • Research
    • The CIAC partners with industry and government:
    • Theory, Conceptual Models
      • Adding the 4th R
      • Theoretical Framework for Organizational Network Forensic Readiness
    • Projects and Grants
      • PNNL: Next Generation Honeypots
      • China/Microsoft: IA Compliance Framework
    • Publications
      • Deception Taxonomy (for honeypots)
      • Drive-by Downloads
    • Directed research, IP, Consulting
      • WSDOT
      • Compliance-Ready Networks
  • Pacific Northwest National Laboratory
    • As the Center’s research partner, the PNNL expands the capacity and capabilities of the University of Washington to do classified and sensitive research and provides a foundation for a regional research center in information assurance.
    • Deborah Frincke, Initiative Lead for the Information and Infrastructure Integrity Initiative (I4), and Chief Scientist (Cyber Security capability), Computational & Statistical Analytics Division, Nat’l Security Directorate
    • Troy Thompson, Research Engineer
    • Frank Greitzer, Chief Scientist (Cognitive Informatics R & D Area), Computational and Information Sciences Directorate
    • Glenn Fink, Senior Research Scientist, Information and Infrastructure Integrity Initiative (I4), Computational & Statistical Analytics Division, National Security Directorate
  • Center Contributors
    Practitioner Researchers
    • Mike Simon: CTO, Creation Logic; Asso. Dir. Applied Research, CIAC; Pres., Infragard Seattle Chapter
    • Kirk Bailey: UW CISO, CISSP, Agora Leader, Security 7 Award
    • John Christiansen: Christiansen IT Law; HIPAA, legal and regulatory compliance
    • David Dittrich: Sr. Security Engineer/Researcher, Applied Physics; research on Distributed Denial of Service attack tools
    • Ernie Hayden: CISSP, CEH, CISO; pioneering CISO positions, previously with the Port of Seattle
    • Seth Shapiro: CPCU, ARM, AIS, Are; enterprise risk management and information security management
    • Joe Simpson: IA Consultant; systems engineering and the application of systems engineering to IA
    • Merike Kaeo: Double Shot Security; Internet governance and protocol expertise
    Academic Researchers
    • Electrical Engineering
      • Radha Poovendran, Asso. Dir. Research, CIAC; Asso. Prof. Comm. & Networking; Dir., UW Network Security Lab
      • Ming-Ting Sun, Prof., EE; machine learning, video processing
    • Information School
      • Barbara Endicott-Popovsky, Dir., Ctr for IA & Cybersecurity; Res. Asso. Prof.; digital forensics, secure code, enterprise IA
    • Computer Science and Engineering
      • Henry M. Levy, Wissner-Slivka Chair; spyware/security, OS
      • Steve Gribble, Torode Family Endowed Career Dev. Prof., CS; spyware/security projects, OS
      • Tadayoshi Kohno, Asst. Prof. CSE; security in pervasive computing, electronic voting, wireless security and privacy
    • UWIT Tacoma
      • Sam Chung, Asso. Professor; secure code
    • Mathematics
      • Neal Koblitz, Prof. Mathematics; cryptography, theory of numbers, security issues in genus-2 hyperelliptic cryptography, co-inventor of elliptic curve cryptography
    • Law
      • Jane Winn, Charles I. Stone Prof. of Law; electronic commerce law developments in the US, EU, China
  • Current Center Activities (Funded Projects, White Papers)
    • Next Generation Honeypots
      • An assessment of using virtualization for network instrumentation, deception and measurement will be incorporated into recommendations for next generation honeypot design.
    • Secure Coding Project
      • Recognizing the need for college-level, secure coding curriculum, the CIAC is piloting a program that will train Puget Sound faculty for two years, reaching over 1200 students. Success will be determined by internal and external evaluation. Once externally evaluated, curriculum modules will be disseminated inside and outside the region.
    • IA Compliance Framework
      • A lack of regulatory controls and subsequent enforcement in China has focused outsourcing discussions on this growing challenge. An IA governance framework, adapted from industry, is proposed as a mitigating control.
    • Cyber Warrior
      • Defining recruiting profiles, mentoring and management strategies for the cyber defenders
    • Virtual World Security
      • Defining and developing unique aspects of Virtual World security
    • Systems Engineering in IA
      • Developing implementation models for allocating systems engineering goals throughout an organization.
    • IPSEC Interoperability
      • Defining IPSEC terminology, reconciling IETF RFCs, implementing IPSEC procedures, recommending best practices
    • Trust along the Supply Chain
      • Defining role of trust and IA in building supply chain relationships
  • Cyber Warrior: Effectively Defending Cyberspace
    • Motivation
      • Dearth of cyber defenders
      • New MOSs under development
      • Industry-expressed frustrations:
          • Identification and recruiting challenges
          • Training out-of-the-box thinking
          • Stress burnout to incident response
    • Need for “cockpit” studies
    • Preliminary work begun
  • Welcome to Cybersecurity Island http://www.youtube.com/watch?v=fvYOaf-9n-o
  • Asset Protection Model
    • Incorporates threat and systems perspective with target [CMISS]
    • Establishes standard organizational basis for learning and analysis
    • Provides cognitive support as well as a static and dynamic view of the model information
  • IPSec Interoperability for Boeing-led Working Group
    • Project Overview : Testing interoperability issues during IPSec VPN configuration on different vendors’ products.
      • Begun last year closely analyzing products of different vendors(Sonicwall, Fortigate, StoneSoft).
      • Identified /compared parameters each vendor uses for hashing, encryption and authentication during IPSec VPN configuration.
      • Reviewed unique approach for configuring IPSec VPN proposed by ICSA lab
      • Compared this approach with default method available in each vendors product for configuring IPSec.
    • Research divided into two phases:
    • Homogenous Environment :
      • Configured and tested IPSec configuration between two same-vendor devices (e.g ., Sonicwall device at both endsof IPsec tunnel).
      • Used common method of configuring IPSec Vpn  developed by ICSA lab .
      • Verified that one unique method doesn’t work for all vendors.
    • Heterogeneous Environment:  
      • Proposing to configure / test the IPSec VPN tunnel between different vendors' product (e.g., Sonicwall at one end and Fortigate at other end).
      • Matrix of options developed and method to configure IPSec VPN tunnel.
      • Will begin testing shortly.
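The slide describes comparing the hashing, encryption and authentication parameters each vendor supports and building a "matrix of options" for cross-vendor tunnels. The Python below is an added example written for this transcript, not code from the lecture or the working group: it builds a pairwise IKE proposal compatibility matrix from per-vendor capability sets and checks whether any single proposal works for every vendor. The vendor names are the three from the slide, but the capability sets and the "weak" list are constructed for illustration and are not the real products' defaults.

```python
"""Added example: IPsec proposal compatibility matrix across vendors.

Vendor names come from the slide; the capability sets below are CONSTRUCTED
for illustration and do not describe real product defaults.
"""
from itertools import combinations, product

# A proposal is the tuple (encryption, hash, Diffie-Hellman group).
VENDOR_SUPPORT = {
    "Sonicwall": {"encryption": {"3des", "aes128", "aes256"},
                  "hash": {"md5", "sha1"},
                  "dh_group": {2, 5}},
    "Fortigate": {"encryption": {"aes128", "aes256"},
                  "hash": {"sha1", "sha256"},
                  "dh_group": {5, 14}},
    "StoneSoft": {"encryption": {"aes256"},
                  "hash": {"sha256"},
                  "dh_group": {14}},
}

# Constructed policy: options an interoperability test should not fall back to.
WEAK = {"encryption": {"3des"}, "hash": {"md5"}, "dh_group": {2}}


def is_strong(proposal):
    """True unless any component of the proposal is on the weak list."""
    enc, hsh, grp = proposal
    return (enc not in WEAK["encryption"]
            and hsh not in WEAK["hash"]
            and grp not in WEAK["dh_group"])


def proposals(vendor):
    """Every (encryption, hash, dh_group) combination the vendor can negotiate."""
    caps = VENDOR_SUPPORT[vendor]
    return set(product(sorted(caps["encryption"]),
                       sorted(caps["hash"]),
                       sorted(caps["dh_group"])))


def common_proposals(vendor_a, vendor_b, exclude_weak=True):
    """Sorted proposals both vendors accept; weak ones dropped by default."""
    shared = proposals(vendor_a) & proposals(vendor_b)
    if exclude_weak:
        shared = {p for p in shared if is_strong(p)}
    return sorted(shared)


def compatibility_matrix(vendors, exclude_weak=True):
    """Heterogeneous view: for each vendor pair, the proposals they share."""
    return {(a, b): common_proposals(a, b, exclude_weak)
            for a, b in combinations(sorted(vendors), 2)}


def universal_proposals(vendors, exclude_weak=True):
    """Proposals accepted by every vendor: the 'one method for all' question."""
    names = sorted(vendors)
    shared = proposals(names[0])
    for name in names[1:]:
        shared &= proposals(name)
    if exclude_weak:
        shared = {p for p in shared if is_strong(p)}
    return sorted(shared)


def report(vendors=VENDOR_SUPPORT):
    """Human-readable matrix; pairs with no shared proposal are flagged."""
    lines = []
    for (a, b), shared in compatibility_matrix(vendors).items():
        status = ", ".join("/".join(map(str, p)) for p in shared) or "NO COMMON PROPOSAL"
        lines.append(f"{a} <-> {b}: {status}")
    universal = universal_proposals(vendors)
    lines.append("works for all vendors: " + (str(universal) if universal else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the block prints one line per vendor pair and a final line showing that, with these constructed capability sets, no single proposal is accepted by all three vendors, which is the slide's finding that one unique method does not work for everyone. To use it against real devices, replace the constructed sets with the IKE algorithm lists taken from each product's documentation or configuration export.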
  • Trust along Supply Chain
    • Application: Drug trial outsourcing to China
    • Microsoft / UW governance model developed
    • Collaborations:
        • Interdisciplinary: Law / medical school
        • Cross cultural: UW / China
        • Industry partner: Microsoft
    APEA 2010
  • Securing the Future: Innovative Integration
    • Key Collaborations
    • Diverse Disciplines
    • Emerging Technologies
    • Organizational & Technical Management
    • Technical Approaches
    • Information Assurance Processes
  • Outreach
    • The CIAC sponsors community lectures and workshops.
      • The Unintended Consequences of the Information Age Lecture Series http://www.uwtv.org/programs/displayseries.aspx?fid=2121
      • Pacific Rim Collegiate Cyber Defense Contest (PRCCDC) http://ciac.ischool.washington.edu/?page_id=234
      • The Annual Information Security Compliance and Risk Management Institute http://www.engr.washington.edu/epp/infosec/index.html
      • NWSec – Tacoma http://students.washington.edu/greyhat/NWSec_at_UWT_Website_v1.5/FEB_15-16_2007_NWSec_at_UWT_Website_v1.5/nwsecPresenters.html
  • Unintended Consequences of the Information Age
    • A lecture series exploring controversial issues emerging in our “point and click” world
    • Privacy: Reconciling Reality
    • Privacy vs. Free Speech
    • Our Infrastructure: Online and Vulnerable?
    http://www.uwtv.org/programs/displayseries.aspx?fid=2121
  • Pacific Rim Collegiate Cyber Defense Contest (PRCCDC)
  • Information Security Compliance and Risk Management Institute: Where Information Technology, Law and Risk Management Converge. September 16-17, 2009, University of Washington, UW Tower Auditorium, Seattle, Washington. http://www.engr.washington.edu/epp/infosec/index.php
  • CONTEXT: UNINTENDED CONSEQUENCES OF THE INFORMATION AGE
    • The transition from the Industrial Age to the Information Age is creating massive, upending, unintended consequences in spite of our best efforts to think through change. As we contemplate the ICANN transition from management by the US/DOC to independence, we should consider this context.
  • Context Evolution: Agricultural Age, Industrial Age, Information Age
    Attribute                Agricultural Age   Industrial Age      Information Age
    Wealth                   Land               Capital             Knowledge
    Advancement              Conquest           Invention           Paradigm Shifts
    Time                     Sun/Seasons        Factory Whistle     Time Zones
    Workplace                Farm               Capital equipment   Networks
    Organization Structure   Family             Corporation         Collaborations
    Tools                    Plow               Machines            Computers
    Problem-solving          Self               Delegation          Integration
    Knowledge                Generalized        Specialized         Interdisciplinary
    Learning                 Self-taught        Classroom           Online
  • Smashing Industrial Age Infrastructure!
  • And just whom do you think is going to clean up this mess, Noah?
  • THE PROBLEM
    • Can’t get enough technology
  • Our Love Affair with the Internet (slide of headlines): “Shoppers embrace the online model” (POSTED: 0727 GMT (1527 HKT), December 20, 2006); “Embracing Internet Technologies”; “Baby Boomers Embracing Mobile Technology”; “US Internet Users Embrace Digital Imaging”; “Docs Embracing Internet”
  • WORLD INTERNET USAGE AND POPULATION STATISTICS (table; the region label of each row is not present in the source; the last row is the total, with 100 % of users)
    Internet Users Dec. 31, 2000   Internet Users, Latest Data   Penetration (% Population)   Growth 2000-2010   Users % of Table
    4,514,400                      110,931,700                   10.9 %                       2,357.3 %          5.6 %
    114,304,000                    825,094,396                   21.5 %                       621.8 %            42.0 %
    105,096,093                    475,069,448                   58.4 %                       352.0 %            24.2 %
    3,284,800                      63,240,946                    29.8 %                       1,825.3 %          3.2 %
    108,096,800                    266,224,500                   77.4 %                       146.3 %            13.5 %
    18,068,919                     204,689,836                   34.5 %                       1,032.8 %          10.4 %
    7,620,480                      21,263,990                    61.3 %                       179.0 %            1.1 %
    360,985,492                    1,966,514,816                 28.7 %                       444.8 %            100.0 %
  • (image) RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED? Species 8472. Courtesy: K. Bailey/E. Hayden, CISOs
  • Duality in Cyberspace. Benign: New Opportunities, Efficiencies, Convenience. Malignant: New Crimes, Privacy Loss, Threat, Intrusion.
  • http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/
  • http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/
  • http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/
  • http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
  • Growing Threat Spectrum
  • “If the Internet were a street, I wouldn’t walk it in daytime…”
    • 75% of traffic is malicious
    • Unprotected computer infected in < 2 minutes
    • Organized crime makes more money on the Internet than through drugs
    • The ‘take’ from the Internet almost doubled e-commerce
    Courtesy: FBI, LE
  • Interdependence of Critical Infrastructure
  • We’re overwhelmed! Society is not keeping up!
  • A Metaphor…
  • Fantasia
  • The Unintended Consequences
  • Security and Trust in VWs
  • Trouble in Paradise?
  • Evolution of Internet Threats
  • Griefers, Phishing, Hackers, oh my!
  • Set Your “Evil Bit”* to 1
    • Would you have thought of these attacks?
    • Facebook “get rich quick” scams
        • … only $1 down – how can you lose?
    • Driveby downloads
    • Would you like Bots with that?
    • * See RFC 3514, The Security Flag in the IPv4 Header
  • What is at risk?
    • Time
    • Effort
        • Repair damage
        • Deal with consequences
        • Prevent re-occurrence
    • In-game resources
    • Computing resources
        • Bandwidth
        • CPU
        • Storage
    • Real world resources
        • Money
        • Sensitive data
        • Identity
  • Do you trust me? Why?
  • Security and Trust in Virtual Worlds
    • Some ways to attempt to maintain trust
        • eBay ratings
        • Craigslist community flagging
        • Second Life Abuse
    • How to manage identity in virtual worlds
        • User agreement
        • Side channels
        • Security zones
        • Verifying avatars
  • User Agreements
    • VW End User License Agreements (EULAs)
        • Degrees of Protection
        • Alternatives to the EULA Scheme
        • General EULA Awareness
    • Issues:
        • Who reads them?
        • What are they?
  • Side Channels: Processes Outside of VW
    • Provide “trusted path” to exchange info
    • Help achieve authentication goals
    • Two main types:
        • Prior to Virtual World interaction
        • During Virtual World interaction
  • Security Zones
    • Segregated areas within VW
        • Training/Education
        • Corporate clients
        • Highly valued services
    • Issues
        • Cost: Second Life Private Regions (2009):
            • $1,000 purchase
            • $295/mo maintenance
        • Restricted or open
  • VW Authentication
    • SSL-like authentication for the Avatar
    • Accreditation handled by 3rd party
    • Issues:
        • How does VW display accreditation flag?
        • Potential pitfalls?
    • Don’t trust anyone!
    • What starts off in VW can have consequences in real world.
    http://oddorama.com/2008/02/11/scamming-the-scammers-5-brilliant-419-reverse-scams/
  • What else?
    • Questions?
  • Where are the cybersecurity professionals?
  • 50,000 Health IT Jobs Expected (October 28, 2009 - 5:53pm): If government predictions are right, health IT will create 50,000 new jobs in the future. The new jobs will be needed at all levels, from engineers to IT workers. People who have experience in the computer science and informatics fields will be especially attractive to potential employers, but the federal government will put some money toward training employees. Nurses could have the hardest time transitioning from paper to digital, but the training will help to close the informatics gap.
  • U.S. Faces Cyber Security Gap Without Training, Education (March 24, 2010, by Kenneth Corbin): WASHINGTON -- As discussions about the federal approach to cyber security continue to percolate across the highest levels of government, one of the most important steps policymakers can take is to nourish the education and training of a new crop of security experts, a senior administration official said here at the FOSE government IT show. Working in concert with the government, the private sector has made significant strides in improving software security and ferreting out vulnerabilities in the supply chain, but the flow of cyber security experts graduating from the nation's universities with advanced degrees remains anemic, according to Richard Marshall, the director of global cyber security management at the Department of Homeland Security.
  • Homeland Security to hire 1,000 cybersecurity experts (by Michael Cooney, October 1, 2009 01:42 PM ET, Network World): The Department of Homeland Security wants to hire 1,000 cybersecurity professionals in the next three years, according to agency Secretary Janet Napolitano. The department has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation’s cyber infrastructure, systems and networks, she said.
  • The Options …
    • “OJT” – Primary source
    • Certifications – Emergent source
        • Growing numbers
        • But which ones?
    • Education – Little to nothing
        • Lack of trained faculty
        • Little research funding
        • Few university programs
  • Not scalable! How do we accelerate preparation of professionals?
  • THE SOLUTION
    • Growing Information Security Professionals: Pedagogical Institute Model
  • Pedagogical Institute Model (diagram). Labels: Global Competition; Technologies & Policies; Professional & Social Trends; Experts & Community / Business Leaders; Political Environment; Economy; Ideology; Culture. Potential: Students, Researchers, Educators. Outcomes: Professionals, New Knowledge, New Technology, Ed. Products.
  • Emerging Job Market
    • Certified Information Systems Security Professional (CISSP) SANS/GIAC
    • Certified Information Systems Auditor(CISA)
    • Certified Intrusion Analyst SANS/GIAC
    • Certified Firewall Analyst SANS/GIAC
    • Certified Unix Security Admin SANS/GIAC
    • Certified Windows Security Admin SANS/GIAC
    • Certified Incident Handler SANS/GIAC
    • Certified Network Auditor SANS/GIAC
    • Certified Security Essentials
    • Job Titles
      • Director, Security
      • Manager, Security
      • Sr. Security Analyst
      • Security Administrator
      • Web Security Manager
      • Data Warehouse Security Manager
      • Network Administrator
    Source: Foote Partners http://www.footepartners.com/SSCP.htm
  • Pedagogical Institute Model (diagram, repeated). Labels: Global Competition; Technologies & Policies; Professional & Social Trends; Experts & Community / Business Leaders; Political Environment; Economy; Ideology; Culture. Potential: Students, Researchers, Educators. Outcomes: Professionals, New Knowledge, New Technology, Ed. Products.
  • Goals
    • ISRM Certificate
        • Efficient preparation for job market
        • From literacy to problem solving
        • Communication skills
        • Academic and Training credentials
    • Course 1: Information Security and Risk Management in Context
    • Course 2: Building a Risk Management Toolkit
    • Course 3: Designing and Executing Information Security Strategies
  • Content
    • No BOK for IA/IS
    • CISO : ISRM as CEO : MBA (the ISRM certificate is to the CISO what the MBA is to the CEO)
    • Framework: Module 1 through Module 5
  • Teachers
    • Academic:
      • Barbara Endicott-Popovsky, PhD, Information School faculty member and Director, UW Center for Information Assurance & Cybersecurity
    • Practitioners:
      • Mike Simon, CTO, Creation Logic, and UW Information School affiliate faculty member
      • Seth Shapiro, Senior VP & Risk Strategist, Kibble & Prentice
      • Ilanko Subramanian, GRM, Trustworthy Computing, Microsoft
    • John Stephens , Director, UW Professional & Continuing Education
  • Teachers (Cont’d.)
    • Guest Lecturers
    • Kirk Bailey, CISO UW, Agora
    • John Christiansen, Principal Legal Counsel, Christiansen IT Law
    • Aaron Weller, Managing Director, The Concise Group
    • Bob Clark, PRESENTATION: ISSA
    • Dennis Opacki, Senior Security Consultant, Covestic
    • Ernie Hayden, Smart Grid Security, Verizon Business
    • Todd Plesco, CISO, Chapman University
    • Michael Ness, CEO Ness Group
    • Brian Haller, CISSP, Associate/FSO, Booz Allen Hamilton
    • Jim Poland, FSO, University of Washington
    • Christian Seifert, Honeynet Alliance and Microsoft Corp.
    • Ivan Orton, King County Senior Deputy Prosecutor
    • Joe Simpson, Systems Engineer, Systems Concepts
    • Ryan Heffernan, Security Analyst, Trustworthy Computing, Microsoft Corp.
    • Neal Koblitz, Professor of Mathematics, University of Washington
    • Mike Howard, Security PM, Microsoft Corporation
    • George Graves, IA Advisory, KPMG
    • Peter Gregory, CISA, CISSP, Senior Security Analyst, Concur Technologies
    • Randy Hinrichs, CEO, 2b3d
    • Ming-Yuh Huang, Technical Fellow, The Boeing Company
    • Ashish Malviya, MSIM intern PNNL
    • NOTE: These are your network
  • RESULTS
    • Well placed graduates
  • Sample success stories
    • Asst. Dep Secy DHS – Mike Roskind
    • CISO – Todd Plesco
    • FSO BAH – Brian Haller
    • Tech Dir NSA – Darren King
    • IA Entrepreneur – Aaron Weller
    • IA audit, system and risk analysts
    • Research scientists
  • Unintended Consequences of Embracing the Internet…