September 26 - September 28: Conference
2016 CyLab Partners Conference
The CyLab Partners Conference will be held September 26-28 at the main CMU campus in Pittsburgh, PA. Attendance is limited exclusively to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab.
Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at ...@andrew.cmu.edu or 412-268-1870.
September 14 - September 16: CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT.
September 13 - June 13: CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT.
July 14: Research Talk
Retrofitting Privacy into Traditional Operating Systems
Speaker: Kaan Onarlioglu, PhD Student at Northeastern University
With the scale of sensitive information processed and stored on computers today, implementing and maintaining application-specific privacy features is inefficient and bug prone. While it would be a relatively straightforward task to build a secure computing environment from the ground up, a significant challenge is to design privacy-enhancing techniques compatible with already widely-deployed operating systems, which also do not require modifications to existing user space software. In this talk I will present two systems to retrofit novel, application-agnostic privacy features into traditional operating systems: 1) PrivExec is an operating system service that allows a "private browsing mode-like" execution platform for arbitrary applications. 2) Overhaul is a user-driven access control architecture, where access to privacy-sensitive resources is mediated based on the temporal proximity of user inputs to access requests. I will present operating system-independent designs for the two systems, and then demonstrate with concrete Linux implementations that low-complexity, low-overhead, and high-usability privacy defenses can be integrated into existing operating systems.
June 21 - June 23: CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.
June 7 - June 8: CERT Training
ATAM Evaluator Training
The SEI Architecture Tradeoff Analysis Method (ATAM) is a proven, highly effective method for systematically evaluating software architectures for fitness of purpose. The ATAM exposes architectural risks that potentially inhibit the achievement of quality attribute goals and the system's business/mission goals. Government and industry organizations have used the ATAM for more than 10 years to improve communication, expose architectural risks, clarify requirements, and produce better systems.
May 25 - May 26: CERT Training
Software Architecture Design and Analysis
This two-day course provides in-depth coverage of the concepts needed to effectively design and analyze a software architecture. The essential considerations for defining any architecture are carefully examined and then illustrated through application of the SEI Attribute-Driven Design (ADD) software architecture design method. This course also explores architecture analysis in-depth and introduces the SEI Quality Attribute Workshop (QAW) and the SEI Architecture Tradeoff Analysis Method (ATAM). Through multiple exercises, participants study an application of these methods and get a chance to apply them to sample problems.
May 16 - May 20: CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.
April 25: Distinguished Seminar
Using Malware Analysis Results to Identify Overlooked Security Requirements
Speaker: Nancy Mead
Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities, such as security requirements engineering. In our CERT research, we speculated that malware analysis reports (found in databases such as Rapid 7), could be used to identify misuse cases that pointed towards overlooked security requirements. If we could identify such requirements, we thought they could be incorporated into future systems that were similar to those that were successfully attacked. We defined a process, and then sponsored a CMU MSE Studio Project to develop a tool. We had hoped that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases. It turned out to not be so simple. This talk will describe our initial proposal, the MSE Studio project and tool, student projects at other universities, and the research remaining to be done in both the requirements and architecture areas.
April 18: Distinguished Seminar
Speaker: Colonel Mary Lou Hall, United States Army War College Fellow in ISP, Dietrich College
The strategic miscalculation of Iraq’s Weapons of Mass Destruction (WMD) threat in 2003 provides a staggering example of how even very experienced leaders can be blinded by the foundational psychological effects that give rise to bias. This historical example further begs the question, ‘Could modern predictive analytics, such as machine learning, close the WMD information gap, if faced today?’ Army leaders want to understand the benefits and limitations of advancements in predictive analytics as well as in behavioral psychology in order to understand the implications for decision-making competence. U.S. commanders need both a structured approach for decision-making (ways), and the ability to leverage advanced analytical capability (means) in order to achieve operational understanding (ends). This talk offers a structured approach to decision-making that embeds a methodology for Red Teaming to address foundational behavioral psychology effects. In addition, I will offer a strategy for deploying tailored technical teams to provide commanders with access to relevant data, resources and skills to perform advanced analytical methods, including machine learning. It is in applying technological advances in big data to the crucible of ground combat that the Army can fulfill its role for the nation, and maintain competitive advantage.
April 4: Distinguished Seminar
Indoor Localization or - How I learned to stop worrying and love the clock
Speaker: Anthony Rowe
In this talk, I will provide a brief overview of the state-of-the-art with respect to indoor location tracking and discuss two new systems that are able to precisely localize mobile phones as well as low-power tags. The first is a hybrid Bluetooth low-energy and near ultrasonic beaconing platform that is able to provide sub-meter accuracy to standard smartphones. The platform leverages the phone’s IMU as well as constraints derived from building floor plans to not only localize itself, but also apply range-based SLAM techniques for bootstrapping its own infrastructure. The second platform leverages emerging Chip Scale Atomic Clocks (CSACs) and ultra wide-band (UWB) radios to create distributed networks that are able to coordinate at a level that used to be only possible with large, power-hungry and cost prohibitive atomic clocks. With sub-nanosecond time synchronization accuracy and extremely low drift rates, it is possible to dramatically reduce communication guard-bands and perform accurate speed-of-light Time-of-Arrival (TOA) measurements across distributed wireless networks.
March 28: Distinguished Seminar
Using Unsupervised Big-Data Analytics to Detect Sleeper Cells Among Billions of Users
Speaker: Yinglian Xie, CEO and Founder, DataVisor
Today’s consumer-facing online services are measured by the size and growth of their user account base, as users are both contributors of content as well as a channel for monetization. Despite being their backbone, these user accounts are also their “Achilles heel” — well-organized crime rings leverage compromised or fraudulent accounts to hide amongst billions of benign users, waging a variety of large-scale attacks.
In this talk, I will present the anatomy of modern attacks and the sophisticated attack techniques that we have observed across a number of services, including social networking, gaming, financial, ecommerce and other vertical markets. I will then discuss the new challenges we face to defend against these attacks in the billion user era. Finally I’ll outline the directions pursued by DataVisor through unsupervised big data analytics to detect and mitigate large attack campaigns early, without prior knowledge of attack patterns.
March 21: Distinguished Seminar
Making Password Checking Systems Better
Speaker: Tom Ristenpart, Associate Professor, Cornell Tech
Most computing systems still rely on user-chosen passwords to authenticate access to data and systems. But passwords are hard to use, easy to guess, and tricky to securely store. In practice one sees high failure rates of (legitimate) password login attempts, as well as a never-ending stream of damaging password database compromises. I will present a sequence of new results that target making password authentication systems better.
We will look at how to address concerns in three areas: (1) usability by way of easy-to-deploy typo-tolerant password authentication validated using experiments at Dropbox; (2) hardening password storage against cracking attacks via our new Pythia crypto service; and, time allowing, (3) building cracking-resistant password vaults via a new cryptographic primitive called honey encryption.
The talk will cover joint work with Anish Athalye, Devdatta Akhawe, Joseph Bonneau, Rahul Chatterjee, and Ari Juels.
February 29: Distinguished Seminar
ISSTAC - Integrated Symbolic Execution for Space-Time Analysis of Code
Speaker: Corina Pasareanu
Attacks relying on the inherent space-time complexity of algorithms used for building software systems are gaining prominence. When an adversary can inexpensively generate inputs that induce behaviors with expensive space-time resource utilization at the defender's end, in addition to mounting denial-of-service attacks, the adversary can also use the same inputs to facilitate side-channel attacks in order to infer some secret from the observed system behavior. Our project, ISSTAC: Integrated Symbolic Execution for Space-Time Analysis of Code, aims to develop automated analysis techniques and implement them in an industrial-strength tool that allows the efficient analysis of software (in the form of Java bytecode) with respect to these problems rapidly enough for inclusion in a state-of-the-art development process.
February 15: Distinguished Seminar
Building a Software Security Program - Effective Risk Management for IT Security
Speaker: Steve Lipner, former Partner Director of Software Security, Microsoft
The growing frequency and severity of cybersecurity incidents has led government and private sector organizations to seek better ways to protect their systems and information. Many of these organizations have begun by adopting risk management frameworks as a way of structuring their approach to security. But risk management is only effective if it is informed by deep understanding of attacks and the ways to defend against them. The history and structure of successful software security programs shows how technical understanding can be integrated into risk management decisions. This talk will summarize the history of a typical software security program and outline principles by which understanding of attacks and defenses combined with continuous improvement leads to effective risk management.
February 8: Distinguished Seminar
The Global DDoS Threat Landscape
Speaker: Scott Iekel-Johnson, Sr. Product Manager, Arbor Networks
Distributed Denial of Service (DDoS) attacks continue to grow in size, frequency, and complexity, and can affect any resource on the Internet, from the largest to the smallest, at any time. Motivations for attacks vary widely, from the personal to online activism to political or economic espionage to organized crime. In spite of their pervasiveness, the commercial or political sensitivities of DDoS attack targets often mean that the precise nature and impact of these attacks are hidden from view. Likewise, network operators are frequently reluctant to share details of their defense strategies for fear of giving attackers an added advantage. While understandable, this results in a siloing of expertise, preventing effective collaboration between network operators and the security research community to provide better strategies to defeat these attacks. Arbor Networks has been working with network operators, both service providers and enterprises, for the last 15 years to develop effective protection strategies for these attacks. This talk will pull back the curtain on DDoS attack experience and practice, providing an overview of Arbor Networks' latest research into DDoS attack trends and discussing current operational best practices for how global network operators detect and mitigate DDoS attacks.
January 28: Celebration
Data Privacy Day 2016
Join us on January 28, 2016 for CMU Privacy Day 2016 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with an exciting schedule of privacy-related events.
Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.org
January 25: Distinguished Seminar
Don’t Be Tomorrow’s Boiled Frog - Cyber Risk Appetite for Executives
Speaker: Earl Crane, Founder and CEO, Emergent Network Defense, Inc.
The past few years have seen a focus on cybersecurity risk management by executive leadership, which increasingly has a fiduciary requirement to establish a risk appetite and manage its cybersecurity risk profile. High-profile retail breaches like Target demonstrated the inherent risks of third party connections. Destructive corporate breaches like those at Sony, Sands Casino, and Saudi Aramco demonstrated the initiative of nation-states to attack private corporations for political reasons. The root cause of every one of these breaches can be attributed not to technical failures, but to a failure in governance—a shortcoming in managing cybersecurity risks. Cybersecurity risk appetite is quickly becoming an integrated function of an organization's holistic enterprise risk management program. Organizations frequently have many of the right technical tools deployed to manage cybersecurity risk, but these tools are not instrumented and deployed in the most effective way. This talk will provide real-world insights into instrumenting cybersecurity risk appetite as a risk management tool.