Prof. Chris Johnson: School of Computing Science, University of Glasgow
Improving the Cyber-security of Safety-Critical Systems
Over the last three years, we have begun to detect a small but growing number of attacks inside operational safety-related systems in aviation, healthcare and energy distribution. Typically, these attacks have been linked to policy violations by employees and sub-contractors and by the increasing use of Commercial Off The Shelf (COTS) software in safety-related applications. This talk identifies the challenges posed by safety AND security. They are both non-functional requirements; this makes it difficult to determine an appropriate budget when it is impossible to guarantee total safety or total security. Testing only provides limited assurance - bugs may persist in safety-critical systems just as novel forms of malware can undermine security-related applications. It is particularly difficult to secure safety-related applications. For example, safety verification and validation procedures prevent the use of intrusion detection systems that fail to meet reliability requirements. This leads to the paradox that many of Europe's critical infrastructures are less protected than more conventional office-based systems.
I will illustrate these arguments with recent attacks on safety-critical applications. In particular, I will show that we cannot simply 'turn off' a compromised system or conduct a forensic analysis while aircraft continue to land or patients are undergoing an operation. The talk will conclude with a number of novel techniques that can be used to balance safety and security requirements using modular, redundant and diverse programming techniques.
Prof. Chris Hankin, Director of the Security Research Institute, Imperial College London
Games and Industrial Control Systems
We have been studying the challenge “how do we make better cyber security decisions?” and have developed techniques to support human decision making and algorithms which enable well-founded cyber security decisions to be made. We will describe a game theoretic model which aids security managers to optimally allocate cyber security resources such as administrators’ time across different tasks. We will also present some recent extensions to this work.
Our emphasis to date has been on defending Enterprise IT systems against commodity style attacks. We are now in the process of establishing a new research institute on trustworthy industrial control systems. We will describe some of the key challenges and outline the approach to be taken within the institute.
Prof. Bill Buchanan: School of Computing, Edinburgh Napier University
Complete Anatomy of Heartbleed, TrueCrypt and Large-scale Vulnerabilities
This presentation will outline some new research related to the Heartbleed vulnerability, and cover the full technical details of the threat, with a live demo. Along with this, it will show how Heartbleed is detected on networked devices, and some new research on the full timeline of the vulnerability, including details of insider trading.
A key focus will be on how software coding problems, and the lack of testing, have caused many of the current problems, especially around cross-site scripting, and will highlight the strange mystery around TrueCrypt and in the recent SQL injection attack by Russian hackers who stole over 1.2 billion usernames and passwords.
Prof. Jaideep Vaidya, Associate Professor of Computer Information Systems, Rutgers University
Preserving Privacy in Collaborative Optimization
Big data analytics can revolutionize innovation and productivity across diverse domains. However, this requires sharing or joint analysis of data, which is often inhibited due to privacy and security concerns. In this talk, we look at the problem of collaborative optimization. Optimization is a fundamental problem found in many diverse fields. Research in optimization methods has generated many successes; the ubiquitous collection of data opens even greater opportunities. Much of this data is constrained by privacy and security concerns, preventing the sharing and centralization of data needed to apply optimization techniques. Collaborative optimization, when done properly, can significantly help in widening co-operation between organizations and prevent loss through data isolation, resulting in cost savings and new income realization worth millions, if not billions, of dollars through joint resource usage. While theoretical solutions for privacy-preserving optimization exist, they are not directly applicable due to the size and scope of the data, the complexity, and the iterative nature of the solutions. Efficient solutions require a blend of cryptographic and game theoretic techniques. We discuss the challenges in this context, present some of the innovative solutions that have been recently developed, and discuss the avenues for future research.
Industrial Talk by Bill Hargenrader: Senior Lead Technologist
Booz | Allen | Hamilton
Advances In Continuous Monitoring As An Integrated Component Of Cybersecurity Management
Continuous monitoring as an integrated component to your organization’s cybersecurity management strategy has numerous benefits such as providing accurate up-to-the-minute risk posture and control compliance, as well as providing security performance metrics via dashboard. A key component is a centralized system that supports activity logging and automated updates with dedicated auditing to ensure the accuracy of the decision-making data streams. In order to successfully implement a fully integrated continuous monitoring program, a continuous monitoring strategy needs to be developed that includes consideration of advances in continuous monitoring methods, system development plans, and organizational culture considerations.
Prof. Atilla Elci, Aksaray University, Turkey
Isn’t the time ripe for a standard ontology on security of information and networks?
I have long been involved in the fields of semantic technology and information assurance. Having aimed at fostering an interface between the two, SIN Conferences included semantics, metadata and ontology aspects as well. On the other hand, I came across certain studies and I had humble attempts at setting an example as well. Reference information security and semantics, in this talk I'll mention a few haves and have-nots to drive my point that generic Ontology for security of information and networks is urgently needed.
A search for books on "ontology and security" at Amazon produces absolutely no results! What gets listed are citations to certain talks or passing remarks in edited books. However, separate searches for "ontology" books and "security" books return hundreds of references. Similar results come out for searches on Springer Link. These must be the prime signs that the two fields exist at a grand scale but do not intersect! Also, one can easily deduce that security ontology has not been worked on let alone becoming a mainstream research or professional practice.
I'll bring forward other haves and have-nots regarding the two fields. It may be conjectured that generic Ontology for security of information and networks is urgently needed. Furthermore, there is a dire need for standardization of high-level information security ontology, perhaps an upper ontology for all others to link up to. Thus there should come about a forest of linked ontologies allowing all concerned to link their big data.