May 1st, 2023 Talk: Rethinking the Security Posture of On-Premises Enterprise Networks
Iffat Anjum, Department of Computer Science Research Assistant, North Carolina State University
Good pedagogy should have a far-reaching influence on the students; it should support students in developing critical thinking and problem-solving skills as they enter the real world. As an educator, I always aim to engage with the students to build a lasting interest in the topic and develop their confidence to explore independently.
In this presentation, I will briefly explain how traditional network security followed the castle-and-moat model. I will explain the basics of this perimeter-based enterprise network security and why it is no longer an effective security paradigm. Through discussion of fundamental ideas and attack scenarios, I hope to motivate the audience about my Ph.D. research, “Dissolving the reliance on the perimeter to enable zero trust within on-premises enterprise networks.” My presentation will conclude with my career aspirations and philosophy as an educator in cyber security and computer science.
Iffat Anjum is a Ph.D. candidate and research assistant at the Department of Computer Science at North Carolina State University. Dr. William Enck advises her at the Wolfpack Security and Privacy Research (WSPR) Lab. Her research leverages emerging technologies, like software-defined networks, to design novel security enhancements for networks and systems. Her work has been published at different security conferences and recognized with the best paper award at SACMAT. She instructed several computer science-related courses and labs at BRAC University, Green University, and the University of Dhaka. She performed extensive research and academic mentorship as a faculty member in Bangladesh and as a senior graduate student at NC State University. Iffat received her bachelor’s and master’s degrees in computer science from the University of Dhaka, Bangladesh, in 2013 and 2015, respectively.
April 12, 2023 Talk: Graphika: “Future Work in Action”
Jennifer Mathieu, Chief Technology and Product Officer, Graphika
Graphika provides a continuously expanding range of dynamic intelligence feeds to inform strategic decision-making. Our analysts work with our software as a service platform and emerging research analytics built by Graphika to:
- Discover viral phenomena and new trends before they gain mainstream traction
- Explore leading influencers and online communities
- Analyze developing narratives and key amplifiers
- Be aware of key regulatory, policymaking, and security discussions
- Monitor disinformation and misinformation risks before issues arise
Our current online landscapes include climate and health misinformation, hate and extremism, Chinese and Russian state actors, Ukraine conflict, media and entertainment, financial market threats, global issues, and Turkish politics. The landscapes can be focused on locations of interest and/or topic areas that span the largest challenges facing us today.
In this talk, we will demonstrate our approach to understanding the cyber social terrain using Graphika’s and other technologies with a focus on analysts. We believe our strength is derived from our culture of analysts, technologists, and researchers working together, which is one example of “future work in action.”
Jennifer Mathieu, Ph.D. is Chief Technology and Product Officer at Graphika, a company that takes a network-first approach to the global online landscape. Jennifer leads the technology department and guides its vision, evolves Graphika’s patented technology, strengthens its core products, and builds the company’s team of expert designers, engineers, and scientists. This enables Graphika’s customers to navigate threats and uncover opportunities.
March 15, 2023 Talk: Coercion in Cyberspace: A Model of Extortion via Encryption
Jenny Jun, Research Fellow, Center for Security and Emerging Technology (CSET)
Coercion using cyber capabilities is often thought to be difficult due to a severe tradeoff between the need to credibly demonstrate capability versus the need to maintain a covert presence until the final payload is dropped. Jenny Jun of the Center for Security and Emerging Technology will argue that such assessments may be premature considering the logic behind the success of ransomware, which extorts victims by using encryption to deny access to critical systems or information. This discussion will provide a counterexample to the claim that cyber weapons are poor tools of coercion, and that cyber coercion depends on situational variables rather than universal features of the cyber domain itself.
Jenny Jun is a Research Fellow at the Center for Security and Emerging Technology (CSET) and Ph.D. Candidate in the Department of Political Science at Columbia University. She also serves as a Nonresident Fellow at the Atlantic Council’s Cyber Statecraft Initiative. Her current research explores the dynamics of how coercion works in cyberspace. Her broader interests include cyber conflict, North Korea, and security issues in East Asia. Jenny is a co-author of the 2015 Center for Strategic and International Studies (CSIS) report North Korea’s Cyber Operations: Strategy and Responses, published by Rowman & Littlefield. She has presented her work on North Korea’s cyber operations at various panels and has provided multiple government briefings and media interviews on the topic. She received her M.A. and B.S. each from the Security Studies Program (SSP) and the School of Foreign Service (SFS) at Georgetown University.
Feb 15, 2023 Talk: Assessing the Cyber-attack Surface of Local Infrastructures
Dr. Ido Sivan-Sevilla, Assistant Professor, University of Maryland College of Information Studies
Access to social goods such as information, education, health, news, and utilities is now mediated through private & public socio-technical systems. Those systems advance certain goods, but at the same time risk our privacy and are vulnerable to alarming security compromises. Public policy systems have been trying to respond, struggling to create meaningful changes. Their struggle is not only due to political and bureaucratic reasons [1-5], but also because of the inability of public officials to evaluate and scrutinize the technologies they govern.
My talk discusses how we can use ‘civic technologies’ to collect and analyze publicly available data on the operation of central socio-technical systems in society. I will demonstrate this through a project that aims to assess potential vulnerabilities in US local infrastructures, a usually under-funded cybersecurity space. This is a collaboration with Charles Harry and Mark McDermott in which we apply a self-developed application to scan publicly facing devices of government networks, hospitals, K-12 schools, and wastewater infrastructures across local counties in the US. Through interaction with commercial port scan services (Censys and Shodan), the tool finds open ports, services, and CVEs that can be exploited in sensitive public networks. Then, we aim to rank the severity of open services based on the pace of their exploitation in the wild, evaluated through adapted honeypot farms. The project produces routine attack surface reports grouped by organizations within a given geographic jurisdiction and compiled into a first-of-its-kind integrated picture of cyber risks across local infrastructures. This is work in progress, and preliminary results on Maryland, Delaware, and Virginia’s attack surfaces will be presented.
Today, it would be difficult to find medical device technology that does not critically depend on computer software. Network connectivity and wireless communication have transformed the delivery of patient care. The technology often enables patients to lead more normal and healthy lives. However, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators, pacemakers) also inherit the pesky cybersecurity risks endemic to computing. What’s special about medical devices and cybersecurity? What’s hype and what’s real? What can history teach us? How are international standards bodies and regulatory cybersecurity requirements changing the global manufacture of medical devices? This talk will provide a glimpse into the risks, benefits, and regulatory issues for medical device cybersecurity and the innovation of trustworthy medical device software. This talk will also explore current and potential uses for sociotechnical approaches to medical device security, including identifying human-domain security challenges, and how these uses complement current practices.
Kevin Fu is Associate Professor of EECS at the University of Michigan, where he directs the Security and Privacy Research Group (spqrlab1.github.io). During 2021, Fu is also Acting Director of Medical Device Cybersecurity at FDA’s Center for Devices and Radiological Health (CDRH) and Program Director for Cybersecurity, Digital Health Center of Excellence (DHCoE). He is best known for the original 2008 cybersecurity research paper showing vulnerabilities in an implantable cardiac defibrillator by sending specially crafted radio waves to induce uncontrolled ventricular fibrillation via an unintended wireless control channel: https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf. The prescient research led to over a decade of revolutionary improvements at medical device manufacturers, global regulators, and international healthcare safety standards bodies, just as ransomware and other malicious software began to disrupt clinical workflow at hospitals worldwide.
Kevin was recognized as an IEEE Fellow, Sloan Research Fellow, MIT Technology Review TR35 Innovator of the Year, Fed100 Award recipient, and recipient of an IEEE Security and Privacy Test of Time Award. Fu has testified in the U.S. House and Senate on matters of information security and has written commissioned work on trustworthy medical device software for the U.S. National Academy of Medicine. He co-chaired the AAMI cybersecurity working group to create the first FDA-recognized standards to improve the security of medical device manufacturing. He founded the Archimedes Center for Healthcare and Device Security (secure-medicine.org). He is a founding member of the N95decon.org team for emergency reuse decontamination of N95 masks during PPE shortages. Fu served as a member of the U.S. NIST Information Security and Privacy Advisory Board and federal science advisory groups. Eleven years ago, Fu served as a visiting scientist at the U.S. Food & Drug Administration. Fu received his B.S., M.Eng., and Ph.D. from MIT. He earned a certificate of artisanal bread making from the French Culinary Institute and is an intermediate level salsa dancer.
April 21, 2021 Talk: A Playbook for Effective Corporate Communication After Cybersecurity Incidents
Speaker: Dr. Jason Nurse
A cybersecurity incident can cripple an organization, particularly because of the related risk of significant reputational damage. As the likelihood of falling victim to a cyberattack has increased, so too has the importance of understanding what effective corporate communications and public relations look like after an attack. Key questions that need immediate answers include: What messages should be communicated to customers? How should correspondence be released? Who should speak to the media and public? In this talk, Dr. Nurse presents recent research into a playbook to support companies in deciding how to answer these questions and more. This work is grounded in real-world case studies and academic insights and has been validated and refined through interviews with senior security and crisis response industry professionals.
The published article can be found here: https://doi.org/10.1016/j.cose.2020.102036
Jason R.C. Nurse is an Associate Professor in Cyber Security at the University of Kent, and a Visiting Academic at the University of Oxford. His research explores the interdisciplinary nature of cybersecurity, privacy and trust. This especially considers the impact of new technologies on these areas. As a result of this broad remit, Dr. Nurse has had the pleasure of working across various domains including cybersecurity, psychology, and computational social science. Dr. Nurse has authored over 100 peer-reviewed articles, and he regularly speaks on cybersecurity in mainstream media including the Wall Street Journal, The BBC (and BBC Radio 4), Newsweek, Wired, Infosecurity Magazine, The Register, Naked Security and The Conversation. He can be reached on Twitter @jasonnurse or online at https://jasonnurse.github.io.
March 11, 2021 Talk: Trusting Infrastructure: The Emergence of Computer Security Incident Response, 1989-2005
Speaker: Dr. Rebecca Slayton
Historians have tended to analyze maintenance as an intrinsically local activity, something very unlike the development of large technological systems. This article challenges this historiographic dichotomy by examining efforts to construct a global infrastructure for maintaining computer security. In the mid-1990s, as the internet rapidly grew, commercialized and internationalized, a small community of computer security incident responders sought to scale up their system of coordination, which had been based on interpersonal trust, by developing trusted infrastructure that could facilitate the worldwide coordination of incident response work. This entailed developing not only professional standards, but also institutions for embodying and maintaining those standards in working infrastructure. While some elements of this infrastructure became truly global, others remained regionally bounded. We argue that this boundedness resulted not from the intrinsically local nature of maintenance, but from the historical process of infrastructure development, which was shaped by regionally based trust networks, institutions, and needs.
Read the full paper here: https://preprint.press.jhu.edu/tec/sites/tec/files/Slayton_Clarke_preprint.pdf
Dr. Slayton is an Associate Professor in the Department of Science and Technology Studies at Cornell University. Dr. Slayton’s research and teaching examine the relationships between and among risk, governance, and expertise, with a focus on international security and cooperation since World War II. Some of her recent work includes two book projects supported by a five-year NSF CAREER award, “Enacting Cybersecurity Expertise.” The first, Shadowing Cybersecurity, examines the emergence of cybersecurity expertise through the interplay of innovation and repair. The other book, in progress, examines tensions intrinsic to the creation of a “smart” electrical power grid. Dr. Slayton received the United States Presidential Early Career Award for Scientists and Engineers for her NSF CAREER project. She was an AAAS Mass Media Science and Engineering Fellow and previously worked as a science journalist. Dr. Slayton earned a PhD in physical chemistry from Harvard University.
Feb. 11, 2021 Talk: How managed security and technology are redefining how insurance operates in society
Speaker: Dr. Shauhin Talesh
Existing research suggests an increasing prevalence of and reliance on data and technology across significant segments of society. This often takes the form of datafication and information capitalism, and involves data brokers. However, there has been less focus on the processes and mechanisms through which data and technology influence particular industries. Using cybersecurity as an area of focus, this study explores how data and technology influence how the insurance industry operates. We focus on cyber insurance, an area where insurers historically have lacked large actuarial data and have faced challenges in how to manage this risk. Drawing from interviews with over sixty persons in the insurance industry, analysis of big data, insurance applications, and industry materials, we find that technology is the mechanism through which insurers regulate. In addition to risk management, we explore how technology and managed security influence the underwriting, pricing, advertising, and purchase of insurance. We explore the implications of the rise of insur-tech for the insurance industry, cybersecurity, and society.
Professor Talesh is an interdisciplinary scholar whose work spans law, sociology, and political science. His research interests include the empirical study of law and business organizations, dispute resolution, consumer protection, insurance, and the relationship between law and social inequality. Professor Talesh’s most recent empirical study addresses the intersection between organizations, risk, and consumer protection laws, focusing on private organizations’ responses to and constructions of laws designed to regulate them, consumers’ mobilization of their legal rights and the legal cultures of private organizations. Professor Talesh’s scholarship has appeared in multiple law and peer-reviewed social science journals including Law and Society Review and has won multiple awards in Sociology, Political Science and Law & Society.
Please contact Professor Talesh about copies of the presentation slides or his working paper.
Dec. 11, 2020 Talk: The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. politics
Speaker: Dr. James Shires
Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal” — deliberate attempts to direct moral judgment against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.
James Shires is an Assistant Professor at the Institute for Security and Global Affairs, University of Leiden, and a fellow with the Cyber Statecraft Initiative at the Atlantic Council. He has written many articles and policy papers on cybersecurity, disinformation, and international politics, and has won awards from the Hague Program on Cyber Norms, the German Marshall Fund and the International Institute for Strategic Studies. His forthcoming book “The politics of cybersecurity in the Middle East” will be available from Hurst/Oxford University Press in summer 2021.
Author’s article related to this talk:
Shires (Fall 2020) The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. politics. Texas National Security Review 3(4): 10-29
Nov. 19, 2020 Talk: Cybersecurity and local government: Findings from a nationwide survey
Speakers: Dr. Donald Norris & Laura Mateczun
This talk discussed data and results from the first nationwide survey of cybersecurity among local or grassroots governments in the United States and examined how these governments manage this important function. As we have shown elsewhere, cybersecurity among local governments is increasingly important because these governments are under constant or nearly constant cyberattack. Due to the frequency of cyberattacks, as well as the probability that at least some attacks will succeed and cause damage to local government information systems, these governments have a great responsibility to protect their information assets. This, in turn, requires these governments to manage cybersecurity effectively, something our data show is largely absent at the American grassroots. That is, on average, local governments fail to manage cybersecurity well. After discussing our findings, we conclude and make recommendations for ways of improving local government cybersecurity management.
Donald F. Norris is Professor Emeritus, School of Public Policy, University of Maryland, Baltimore County. His principal field of study is public management, specifically information technology in governmental organizations, including electronic government and cybersecurity. He has published extensively in refereed journals in these areas. He received a B.S. in history from the University of Memphis and an M.A. and a Ph.D. in political science from the University of Virginia.
Laura Mateczun is a graduate of the University of Maryland Francis King Carey School of Law, and a member of the Maryland Bar. She is currently a Ph.D. student at the University of Maryland, Baltimore County School of Public Policy studying public management. Her research interests involve local government cybersecurity, criminal justice, and the importance of equity in policy analysis. She received her B.A. in Public Policy and Political Science from St. Mary’s College of Maryland.
One of the authors’ papers using this research:
Norris, Mateczun, Joshi, & Finin (2020) Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. Journal of Urban Affairs
2020 STC Summer Reading Group
Aug. 20 – Talesh (2018) Data Breach, Privacy, and Cyber Insurance (pdf)
Aug. 13 – Lawson & Middleton (2019) Cyber Pearl Harbor: Analogy, fear, and the framing of cyber security threats in the United States, 1991-2016 (pdf)
Aug. 6 – Shires (2020) Cyber-noir: Cybersecurity and popular culture (pdf)
Jul. 30 – Gellman (2020) Since I met Edward Snowden, I’ve never stopped watching my back (The Atlantic) (pdf)
Jul. 23 – Zhang-Kennedy et al. (2016) The Role of Instructional Design in Persuasion: A Comics Approach for Improving Cybersecurity (pdf)
Jul. 16 – Norris et al. (2019) Cyberattacks at the Grass Roots: American Local Governments and the Need for High Levels of Cybersecurity (pdf)
Jul. 9 – Chatfield & Reddick (2017) Cybersecurity Innovation in Government: A Case Study of U.S. Pentagon’s Vulnerability Reward Program (pdf)
Jul. 2 – Matatji et al. (2018) Socio-technical Systems Cybersecurity Framework (pdf)
Jun. 25 – Haber & Kandogan (2007) Security Administrators: A Breed Apart (pdf)
Jun. 18 – Botta et al. (2007) Towards understanding IT security professionals and their tools (pdf)
2019 STC Summer Reading Group
Aug. 14 – Clark-Ginsberg & Slayton (2019) Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards (pdf)
Aug. 7 – Porter et al. (2019) Just This Once: Predicting When Work Pressures Lead to the Circumvention of Security Practices (pdf)
Jul. 31 – Wolff (2016) Perverse Effects in Defense of Computer Systems: When More Is Less. (pdf)
Jul. 24 – Elish (2019) Moral Crumple Zones: Cautionary Tales in Human-Robot Interaction (pre-print) (pdf)
Jul. 17 – Blythe et al. (2013) Circumvention of Security: Good Users Do Bad Things (pdf)
Jul. 10 – Craigen et al. (2014) Defining Cybersecurity (pdf)
Jul. 3 – Sawyer & Jarrahi (2014) Sociotechnical approaches to the study of Information Systems (pdf)