![Page 1: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/1.jpg)
4/11/2011
Information Security and Risk Management in Context
The Context
Dr. Barbara Endicott-Popovsky
![Page 2: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/2.jpg)
Center for Information Assurance and Cybersecurity (NSA/DHS CAE-R)
CIAC
The Center for Information Assurance and Cybersecurity
at the University of Washington
• Promotes multi-disciplined, regional collaboration
• Produces innovative research
• Provides CNSS-accredited educational programs
• Develops well-prepared information assurance professionals
http://ciac.ischool.washington.edu/
![Page 3: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/3.jpg)
Barbara Endicott-Popovsky, Director, Center for Information Assurance and Cybersecurity
Faculty, Information School and CS, UW Institute of Technology Tacoma
Email: [email protected]
Office: Suite 400 RCB
Phone: 206-284-6123
Website: http://faculty.washington.edu/endicott
Barbara Endicott-Popovsky (Pittsburgh, Pennsylvania) is the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, Seattle, WA, USA, with a joint faculty appointment in the Information School and the Computer Science Department at the UW Institute of Technology Tacoma. She previously held executive positions with The Boeing Company, Seattle, WA. Her current research interests, under the theme of the Unintended Consequences of the Information Age, include the impacts of technology on the legal structure, the calibration of low-layer network devices, network forensic readiness methodologies, and security vulnerabilities in critical infrastructure.
She earned her Ph.D. in computer science at the University of Idaho, Moscow, ID, USA (2007); an MS in information systems engineering from Seattle Pacific University, Seattle, WA, USA (1987); an MBA from the University of Washington, Seattle, WA, USA (1985); and a BA in Liberal Arts from the University of Pittsburgh, Pittsburgh, PA, USA (1967).
Ms. Endicott-Popovsky is a member of the IEEE, a founding member of the NW Regional Computer Forensics Cooperative, Principal Investigator on numerous grants, and producer of the televised Unintended Consequences of the Information Age Lecture Series. She has served on organizing committees for the Information Security Compliance and Risk Management Institute, the International Workshop on Systematic Approaches to Digital Forensic Engineering and the Recent Advances in Intrusion Detection (RAID) conference, and is on the editorial board of a Special Edition of the Journal on Educational Resources in Computing.
![Page 4: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/4.jpg)
NSA/DHS NIETP Program:
“Growing” information security professionals in our universities
![Page 5: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/5.jpg)
UW/West Coast opportunity
![Page 6: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/6.jpg)
Center for Information Assurance and Cybersecurity
Diagram: the Center for Information Assurance and Cybersecurity (NSA-CAE-R) at the hub, surrounded by Community, Sponsors and the Agora Practitioner Community, with three activity areas:
• Outreach: PRCCDC, IRMSCI Institute, Unintended Consequences Lecture Series
• Academics: Classes, Workshops, UW Certificates
• Research: Projects, Grants, Publications, IP, Consulting, Directed Research
![Page 7: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/7.jpg)
Center for Information Assurance and Cybersecurity
Multi-Disciplined IA Approach
Diagram: Goal of System → Policy → Security Awareness Training → Procedures & Practices / Mechanisms → Secure System, with IA Audit Feedback closing the loop.
Units contributing to the layers of the model:
• Business School—IT, iSchool, Evans School—Internet Center, Law School—Shidler Center
• Business School—IT, iSchool, Evans School, Law School, Tech Comm-Eng
• iSchool, Computer Science, Elect Engr
• Business School—IT, iSchool, Tech Comm-Eng
![Page 8: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/8.jpg)
Academics
As an NSA-designated Center, the CIAC offers certificates, courses and workshops in Information Assurance:
– UW Certificates
  • Information Assurance & Cybersecurity: http://www.extension.washington.edu/ext/certificates/inf/inf_gen.asp
  • IT Security: http://www.extension.washington.edu/ext/certificates/iss/iss_gen.asp
  • Network Engineering: http://www.extension.washington.edu/ext/certificates/dac/dac_crs.asp
– Classes
  • Information Ethics, Security, and Privacy
– Workshops
  • ISCRMI
  • IP3 Seminars
  • CISSP Bootcamps
![Page 9: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/9.jpg)
Research
The CIAC partners with industry and government:
• Theory, Conceptual Models
  – Adding the 4th R
  – Theoretical Framework for Organizational Network Forensic Readiness
• Projects and Grants
  – PNNL: Next Generation Honeypots
  – China/Microsoft: IA Compliance Framework
• Publications
  – Deception Taxonomy (for honeypots)
  – Drive-by Downloads
• Directed research, IP, Consulting
  – WSDOT
  – Compliance-Ready Networks
![Page 10: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/10.jpg)
Center for Information Assurance and Cybersecurity
Pacific Northwest National Laboratory
As the Center’s research partner, PNNL expands the capacity and capabilities of the University of Washington to do classified and sensitive research and provides a foundation for a regional research center in information assurance.
• Deborah Frincke, Initiative Lead for the Information and Infrastructure Integrity Initiative (I4), and Chief Scientist (Cyber Security capability), Computational & Statistical Analytics Division, Nat’l Security Directorate
• Troy Thompson, Research Engineer
• Frank Greitzer, Chief Scientist (Cognitive Informatics R & D Area), Computational and Information Sciences Directorate
• Glenn Fink, Senior Research Scientist, Information and Infrastructure Integrity Initiative (I4), Computational & Statistical Analytics Division, National Security Directorate
![Page 11: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/11.jpg)
Center for Information Assurance and Cybersecurity
Center Contributors
Practitioner Researchers
• Mike Simon: CTO, Creation Logic; Asso. Dir. Applied Research, CIAC; Pres. Infragard Seattle Chapter
• Kirk Bailey: UW CISO, CISSP, Agora Leader, Security 7 Award
• John Christiansen: Christiansen IT Law; HIPAA, legal and regulatory compliance
• David Dittrich: Sr. Security Engineer/Researcher, Applied Physics; research on Distributed Denial of Service attack tools
• Ernie Hayden: CISSP, CEH; pioneering CISO positions, previously with the Port of Seattle
• Seth Shapiro: CPCU, ARM, AIS, ARe; enterprise risk management and information security management
• Joe Simpson: IA Consultant; systems engineering and the application of systems engineering to IA
• Merike Kaeo: Double Shot Security; Internet governance and protocol expertise
Academic Researchers
Electrical Engineering
• Radha Poovendran, Asso. Dir. Research, CIAC; Asso. Prof. Comm. & Networking; Dir. UW Network Security Lab
• Ming-Ting Sun, Prof., EE; machine learning, video processing
Information School
• Barbara Endicott-Popovsky, Dir. Ctr. for IA & Cybersecurity, Res. Asso. Prof.; digital forensics, secure code, enterprise IA
Computer Science and Engineering
• Henry M. Levy, Wissner-Slivka Chair; spyware/security, OS
• Steve Gribble, Torode Family Endowed Career Dev. Prof. CS; spyware/security projects, OS
• Tadayoshi Kohno, Asst. Prof. CSE; security in pervasive computing, electronic voting, wireless security and privacy
UWIT Tacoma
• Sam Chung, Asso. Professor; secure code
Mathematics
• Neal Koblitz, Prof. Mathematics; cryptography, theory of numbers, security issues in genus-2 hyperelliptic cryptography, co-inventor of elliptic curve cryptography
Law
• Jane Winn, Charles I. Stone Prof. of Law; electronic commerce law developments in the US, EU, China
![Page 12: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/12.jpg)
Center for Information Assurance and Cybersecurity
Current Center Activities
Funded Projects and White Papers:
• Next Generation Honeypots: An assessment of using virtualization for network instrumentation, deception and measurement will be incorporated into recommendations for next generation honeypot design.
• Secure Coding Project: Recognizing the need for a college-level secure coding curriculum, the CIAC is piloting a program that will train Puget Sound faculty for two years, reaching over 1200 students. Success will be determined by internal and external evaluation. Once externally evaluated, curriculum modules will be disseminated inside and outside the region.
• IA Compliance Framework: A lack of regulatory controls and subsequent enforcement in China has focused outsourcing discussions on this growing challenge. An IA governance framework, adapted from industry, is proposed as a mitigating control.
• Cyber Warrior: Defining recruiting profiles, mentoring and management strategies for cyber defenders.
• Virtual World Security: Defining and developing unique aspects of Virtual World security.
• Systems Engineering in IA: Developing implementation models for allocating systems engineering goals throughout an organization.
• IPSEC Interoperability: Defining IPSEC terminology, reconciling IETF RFCs, implementing IPSEC procedures, recommending best practices.
• Trust along the Supply Chain: Defining the role of trust and IA in building supply chain relationships.
![Page 13: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/13.jpg)
Center for Information Assurance and Cybersecurity
Cyber Warrior: Effectively Defending Cyberspace
• Motivation
  – Dearth of cyber defenders
  – New MOS’s under development
  – Industry-expressed frustrations:
    – Identification and recruiting challenges
    – Training out-of-the-box thinking
    – Stress burnout to incident response
• Need for “cockpit” studies
• Preliminary work begun
![Page 14: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/14.jpg)
Center for Information Assurance and Cybersecurity
Welcome to Cybersecurity Island: http://www.youtube.com/watch?v=fvYOaf-9n-o
![Page 15: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/15.jpg)
Center for Information Assurance and Cybersecurity
Asset Protection Model (diagram; the labels that survive extraction):
• Configuration; Value; Protection
• Storage; Processing; Transmission
• Integrity; Confidentiality; Availability
• Technology; Policy, Practices; Human Factors
• System; Threat; Target; Exposure; Action; Effect; Type; Specification; Program
• The Asset Cube, The System Cube, The Threat Cube, The Target Cube – [CMISS]
• System Concepts (SM)
• Incorporates threat and systems perspective with target [CMISS]
• Establishes standard organizational basis for learning and analysis
• Provides cognitive support as well as a static and dynamic view of the model information
![Page 16: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/16.jpg)
Center for Information Assurance and Cybersecurity
IPSec Interoperability for Boeing-led Working Group
Project Overview: Testing interoperability issues during IPSec VPN configuration on different vendors’ products.
– Begun last year, closely analyzing products of different vendors (Sonicwall, Fortigate, StoneSoft).
– Identified and compared the parameters each vendor uses for hashing, encryption and authentication during IPSec VPN configuration.
– Reviewed the unique approach for configuring IPSec VPN proposed by ICSA lab.
– Compared this approach with the default method available in each vendor’s product for configuring IPSec.
Research divided into two phases:
• Homogeneous Environment:
  – Configured and tested IPSec between two same-vendor devices (e.g., a Sonicwall device at both ends of the IPsec tunnel).
  – Used the common method of configuring IPSec VPN developed by ICSA lab.
  – Verified that one unique method doesn’t work for all vendors.
• Heterogeneous Environment:
  – Proposing to configure and test the IPSec VPN tunnel between different vendors’ products (e.g., Sonicwall at one end and Fortigate at the other).
  – Matrix of options developed, and a method to configure the IPSec VPN tunnel.
  – Will begin testing shortly.
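The parameter comparison this slide describes (which algorithms each endpoint accepts for encryption, hashing and authentication, and whether one method works for every vendor) reduces to a set-intersection check: a tunnel can only be negotiated if the two devices share at least one complete proposal. The following is an added example, not code from the lecture or from the working group; the vendor names and their proposal sets are constructed for illustration and do not describe any real product's defaults.

```python
"""Checking whether two IPsec VPN endpoints can agree on an IKE proposal.

Added example; not code from the lecture slides or the Boeing-led working
group. Each device offers a set of IKE Phase 1 proposals (encryption,
integrity/hash, peer authentication, DH group); negotiation can only
succeed if the two sets intersect. Vendor configurations below are
CONSTRUCTED under hypothetical names and are not real product defaults.
"""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True, order=True)
class Proposal:
    """One IKE Phase 1 proposal: the four parameters both peers must match."""
    encryption: str   # e.g. "aes256", "3des"
    integrity: str    # hash / PRF, e.g. "sha256", "sha1", "md5"
    auth: str         # peer authentication, e.g. "psk", "rsa-sig"
    dh_group: int     # Diffie-Hellman group number


def expand(encryptions, integrities, auths, dh_groups):
    """Turn independent per-parameter lists (how many appliances expose their
    configuration) into the full set of proposals the device accepts."""
    return {Proposal(e, i, a, g)
            for e, i, a, g in product(encryptions, integrities, auths, dh_groups)}


def common_proposals(local, peer):
    """Proposals both peers accept; IKE can only succeed if this is non-empty."""
    return local & peer


# Primitives treated as legacy in this example (a constructed policy, not a standard).
LEGACY = {"des", "3des", "md5", "sha1", 1, 2, 5}


def is_legacy(p):
    """True if the proposal relies on any primitive in the LEGACY set."""
    return bool({p.encryption, p.integrity, p.dh_group} & LEGACY)


def select_proposal(initiator_order, responder):
    """Mimic a responder walking the initiator's proposals in priority order and
    picking the first one it also accepts; None means negotiation fails."""
    for p in initiator_order:
        if p in responder:
            return p
    return None


def interoperability_matrix(devices):
    """For every pair of devices: (number of common proposals,
    number of common proposals that avoid legacy primitives)."""
    matrix = {}
    for (name_a, set_a), (name_b, set_b) in combinations(devices.items(), 2):
        common = common_proposals(set_a, set_b)
        matrix[(name_a, name_b)] = (len(common),
                                    sum(1 for p in common if not is_legacy(p)))
    return matrix


# Constructed configurations for three hypothetical vendors.
VENDORS = {
    "VendorA": expand({"aes128", "aes256"}, {"sha1", "sha256"}, {"psk"}, {2, 5, 14}),
    "VendorB": expand({"3des", "aes256"}, {"md5", "sha256"}, {"psk"}, {14, 19}),
    "VendorC": expand({"3des"}, {"md5", "sha1"}, {"psk"}, {1, 2}),
}

if __name__ == "__main__":
    for (a, b), (total, strong) in interoperability_matrix(VENDORS).items():
        verdict = "OK" if total else "NO COMMON PROPOSAL"
        print(f"{a} <-> {b}: {total} common ({strong} without legacy primitives) {verdict}")
    # Only VendorA <-> VendorB share a proposal (aes256/sha256/psk/group 14);
    # no single configuration works for all three, which is the slide's finding.
```

The matrix is the same idea as the "matrix of options" the slide mentions: for each pair of devices it shows not just whether a common proposal exists but whether any of them avoids legacy primitives, so a working tunnel that only negotiates down to 3DES or MD5 is visible as a finding rather than a success.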
![Page 17: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/17.jpg)
Center for Information Assurance and Cybersecurity
Trust along Supply Chain
• Application: Drug trial outsourcing to China
• Microsoft / UW governance model developed
• Collaborations:
  • Interdisciplinary: Law / medical school
  • Cross cultural: UW / China
  • Industry partner: Microsoft
APEA 2010
![Page 18: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/18.jpg)
Center for Information Assurance and Cybersecurity
Securing the Future
Innovative Integration
Key Collaborations
Diverse Disciplines
Emerging Technologies
Organizational & Technical Management
Technical Approaches
Information Assurance Processes
![Page 19: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/19.jpg)
Outreach
The CIAC sponsors community lectures and workshops.
– The Unintended Consequences of the Information Age Lecture Series: http://www.uwtv.org/programs/displayseries.aspx?fid=2121
– Pacific Rim Collegiate Cyber Defense Contest (PRCCDC): http://ciac.ischool.washington.edu/?page_id=234
– The Annual Information Security Compliance and Risk Management Institute: http://www.engr.washington.edu/epp/infosec/index.html
– NWSec – Tacoma: http://students.washington.edu/greyhat/NWSec_at_UWT_Website_v1.5/FEB_15-16_2007_NWSec_at_UWT_Website_v1.5/nwsecPresenters.html
![Page 20: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/20.jpg)
Unintended Consequences of the Information Age
A lecture series exploring controversial issues emerging in our "point and click” world
• Privacy: Reconciling Reality
• Privacy vs. Free Speech
• Our Infrastructure: Online and Vulnerable?
http://www.uwtv.org/programs/displayseries.aspx?fid=2121
![Page 21: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/21.jpg)
Pacific Rim Collegiate Cyber Defense Contest (PRCCDC)
![Page 22: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/22.jpg)
Information Security Compliance and Risk Management Institute:
Where Information Technology, Law and Risk Management Converge
September 16-17, 2009
University of Washington, UW Tower Auditorium, Seattle, Washington
http://www.engr.washington.edu/epp/infosec/index.php
![Page 23: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/23.jpg)
CONTEXT: UNINTENDED CONSEQUENCES OF THE INFORMATION AGE
The transition from the Industrial Age to the Information Age is creating massive, upending, unintended consequences in spite of our best efforts to think through change. As we contemplate the ICANN transition from management by the US/DOC to independence, we should consider this context.
![Page 24: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/24.jpg)
Context Evolution
Agricultural Age
Industrial Age
Information Age
![Page 25: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/25.jpg)
| Attribute | Agricultural Age | Industrial Age | Information Age |
|---|---|---|---|
| Wealth | Land | Capital | Knowledge |
| Advancement | Conquest | Invention | Paradigm Shifts |
| Time | Sun/Seasons | Factory Whistle | Time Zones |
| Workplace | Farm | Capital equipment | Networks |
| Organization Structure | Family | Corporation | Collaborations |
| Tools | Plow | Machines | Computers |
| Problem-solving | Self | Delegation | Integration |
| Knowledge | Generalized | Specialized | Interdisciplinary |
| Learning | Self-taught | Classroom | Online |
![Page 26: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/26.jpg)
Smashing
Industrial Age
Infrastructure!
![Page 27: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/27.jpg)
And just whom do you think is going to clean up this mess, Noah?
![Page 28: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/28.jpg)
THE PROBLEM
Can’t get enough technology
![Page 29: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/29.jpg)
Our Love Affair with the Internet
Collage of headlines:
• Shoppers embrace the online model (POSTED: 0727 GMT (1527 HKT), December 20, 2006)
• Embracing Internet Technologies
• Baby Boomers Embracing Mobile Technology
• US Internet Users Embrace Digital Imaging
• Docs Embracing Internet
![Page 30: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/30.jpg)
WORLD INTERNET USAGE AND POPULATION STATISTICS (regional rows; the region labels did not survive extraction)

| Internet Users Dec. 31, 2000 | Internet Users Latest Data | Penetration (% Population) | Growth 2000-2010 | Users % of Table |
|---|---|---|---|---|
| 4,514,400 | 110,931,700 | 10.9 % | 2,357.3 % | 5.6 % |
| 114,304,000 | 825,094,396 | 21.5 % | 621.8 % | 42.0 % |
| 105,096,093 | 475,069,448 | 58.4 % | 352.0 % | 24.2 % |
| 3,284,800 | 63,240,946 | 29.8 % | 1,825.3 % | 3.2 % |
| 108,096,800 | 266,224,500 | 77.4 % | 146.3 % | 13.5 % |
| 18,068,919 | 204,689,836 | 34.5 % | 1,032.8 % | 10.4 % |
| 7,620,480 | 21,263,990 | 61.3 % | 179.0 % | 1.1 % |
| Total: 360,985,492 | 1,966,514,816 | 28.7 % | 444.8 % | 100.0 % |
![Page 31: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/31.jpg)
![Page 32: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/32.jpg)
![Page 33: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/33.jpg)
![Page 34: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/34.jpg)
RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
Species 8472
Courtesy: K. Bailey/E. Hayden, CISOs
![Page 35: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/35.jpg)
Duality in Cyberspace
• Benign: New Opportunities, Efficiencies, Convenience
• Malignant: New Crimes, Privacy Loss, Threat, Intrusion
![Page 36: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/36.jpg)
http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/
Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now, by Tim Stevens, posted Apr 28th 2009 at 7:23AM
Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost €51 million to develop (about $66 million) in favor of good ol' paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million in taxpayer money.
![Page 37: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/37.jpg)
July 31, 2009, 12:34 pm
Student Fined $675,000 in Downloading Case
By Dave Itzkoff
Bizuayehu Tesfaye/Associated Press Joel Tenenbaum was found liable for copyright violations in a trial in Boston.
Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay $675,000 to four record labels for illegally downloading and sharing music, The Associated Press reported.
A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from the Internet between 1999 and 2007, did so in violation of copyright laws and is liable for damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or siblings may have downloaded the songs to his computer. The record labels involved in the case have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much as $150,000 per track if it found the infringements were willful. In arguments on Friday, The A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to “send a message” to the music industry by awarding only minimal damages.
http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/
![Page 38: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/38.jpg)
Majority think outsourcing threatens network security
Angela Moscaritolo, September 29, 2009
A majority of IT security professionals believe that outsourcing technology jobs to offshore locations has a negative impact on network security, according to a survey released Tuesday. In the survey of 350 IT managers and network administrators concerned with computer and network security at their organizations, 69 percent of respondents said they believe outsourcing negatively impacts network security, nine percent said it had a positive impact and 22 percent said it had no impact.
The survey, conducted this month by Amplitude Research and commissioned by VanDyke Software, a provider of secure file transfer solutions, found that 29 percent of respondents' employers outsource technology jobs to India, China and other locations.
Of those respondents whose companies outsource technology jobs, half said that they believe doing so has had a negative impact on network security.
Sixty-one percent of respondents whose companies outsource technology jobs also said their organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose company does not outsource did. However, the survey noted that organizations that do outsource were “significantly” more likely than those that do not to report intrusions.
“We're not going to say we have any proven cause and effect,” Steve Birnkrant, CEO of Amplitude Research, told SCMagazineUS.com on Tuesday. “Correlation doesn't prove causation, but it's definitely intriguing that the companies that outsource jobs offshore are more likely to report unauthorized intrusions.”
In a separate survey released last December from Lumension Security and the Ponemon Institute, IT security professionals said that outsourcing would be the biggest cybersecurity threat of 2009.
In light of the recession, companies are outsourcing to reduce costs, but the practice opens organizations up to the threat of sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files, the survey concluded.
In contrast to their overall views about the impact that outsourcing has on network security, Amplitude/VanDyke Software survey respondents were largely positive about the impact of outside security audits. Seventy-two percent of respondents whose companies paid for outside audits said they were worthwhile investments and 54 percent said they resulted in the discovery of significant security problems.
http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/
![Page 39: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/39.jpg)
Connecticut drops felony charges against Julie Amero, four years after her arrest By Rick Green on November 21, 2008 5:16 PM |
The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.
Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.
"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."
In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."
But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."
New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.
"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.
"For some reason this case caught the media's attention,'' Regan said.
The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.
The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.
Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.
http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
![Page 40: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/40.jpg)
Growing Threat Spectrum
![Page 41: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/41.jpg)
“If the Internet were a street, I wouldn’t walk it in daytime…”
• 75% of traffic is malicious
• Unprotected computer infected in < 2 minutes
• Organized crime makes more money on the Internet than through drugs
• The ‘take’ from the Internet almost doubled e-commerce
Courtesy: FBI, LE
![Page 42: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/42.jpg)
Interdependence of Critical Infrastructure
![Page 43: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/43.jpg)
We’re overwhelmed!
Society is not keeping up!
![Page 44: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/44.jpg)
![Page 45: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/45.jpg)
A Metaphor…..
![Page 46: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/46.jpg)
![Page 47: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/47.jpg)
![Page 48: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/48.jpg)
![Page 49: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/49.jpg)
The Unintended
Consequences
![Page 50: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/50.jpg)
Security and Trust in VWs
![Page 51: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/51.jpg)
Trouble in Paradise?
![Page 52: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/52.jpg)
Evolution of Internet Threats
![Page 53: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/53.jpg)
Griefers, Phishing, Hackers, oh my!
![Page 54: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/54.jpg)
Set Your “Evil Bit”* to 1
Would you have thought of these attacks?
• Facebook “get rich quick” scams
  • … only $1 down – how can you lose?
• Drive-by downloads
  • Would you like Bots with that?
*See RFC 3514 – The Security Flag in the IPv4 Header
![Page 55: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/55.jpg)
What is at risk?
• Time
• Effort
  • Repair damage
  • Deal with consequences
  • Prevent re-occurrence
• In-game resources
• Computing resources
  • Bandwidth
  • CPU
  • Storage
• Real world resources
  • Money
  • Sensitive data
  • Identity
![Page 56: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/56.jpg)
Do you trust me? Why?
![Page 57: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/57.jpg)
Security and Trust in Virtual Worlds
• Some ways to attempt to maintain trust
  • eBay ratings
  • Craigslist community flagging
  • Second Life Abuse
• How to manage identity in virtual worlds
  • User agreement
  • Side channels
  • Security zones
  • Verifying avatars
![Page 58: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/58.jpg)
User Agreements
• VW End User License Agreements (EULAs)
  • Degrees of Protection
  • Alternatives to the EULA Scheme
  • General EULA Awareness
• Issues:
  • Who reads them?
  • What are they?
![Page 59: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/59.jpg)
Side Channels: Processes Outside of VW
• Provide “trusted path” to exchange info
• Help achieve authentication goals
• Two main types:
  • Prior to Virtual World interaction
  • During Virtual World interaction
![Page 60: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/60.jpg)
Security Zones
• Segregated areas within VW
  • Training/Education
  • Corporate clients
  • Highly valued services
• Issues
  • Cost: Second Life Private Regions (2009):
    » $1,000 purchase
    » $295/mo maintenance
  • Restricted or open
![Page 61: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/61.jpg)
VW Authentication
• SSL-like authentication for the Avatar
• Accreditation handled by 3rd party
• Issues:
  • How does VW display accreditation flag?
  • Potential pitfalls?
![Page 62: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/62.jpg)
Don’t trust anyone!
What starts off in VW can have consequences in real world.
http://oddorama.com/2008/02/11/scamming-the-scammers-5-brilliant-419-reverse-scams/
![Page 63: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/63.jpg)
What else?…
![Page 64: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/64.jpg)
Questions?
![Page 65: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/65.jpg)
Where are the cybersecurity professionals?
![Page 66: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/66.jpg)
If government predictions are right, health IT will create 50,000 new jobs in the future. The new jobs will be needed at all levels, from engineers to IT workers. People who have experience in the computer science and informatics fields will be especially attractive to potential employers, but the federal government will put some money toward training employees. Nurses could have the hardest time transitioning from paper to digital, but the training will help to close the informatics gap.
50,000 Health IT Jobs Expected
October 28, 2009 - 5:53pm
![Page 67: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/67.jpg)
U.S. Faces Cyber Security Gap Without Training, Education
March 24, 2010 By Kenneth Corbin
WASHINGTON -- As discussions about the federal approach to cyber security continue to percolate across the highest levels of government, one of the most important steps policymakers can take is to nourish the education and training of a new crop of security experts, a senior administration official said here at the FOSE government IT show. Working in concert with the government, the private sector has made significant strides in improving software security and ferreting out vulnerabilities in the supply chain, but the flow of cyber security experts graduating from the nation's universities with advanced degrees remains anemic, according to Richard Marshall, the director of global cyber security management at the Department of Homeland Security.
![Page 68: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/68.jpg)
Homeland Security to hire 1,000 cybersecurity experts
By Michael Cooney
October 1, 2009 01:42 PM ET
Network World - The Department of Homeland Security wants to hire 1,000 cybersecurity professionals in the next three years, according to agency Secretary Janet Napolitano. The department has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation’s cyber infrastructure, systems and networks, she said.
![Page 69: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/69.jpg)
The Options …
• “OJT” – Primary source
• Certifications – Emergent source
  • Growing numbers
  • But which ones?
• Education – Little to nothing
  • Lack of trained faculty
  • Little research funding
  • Few university programs
![Page 70: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/70.jpg)
Not scalable!
How do we accelerate preparation of professionals?
![Page 71: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/71.jpg)
THE SOLUTION
Growing Information Security Professionals: Pedagogical Institute Model
![Page 72: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/72.jpg)
Pedagogical Institute Model (diagram)
Environment: Global Competition; Technologies & Policies; Professional & Social Trends; Experts & Community/Business Leaders; Political Environment; Economy; Ideology; Culture
Potential: Students, Researchers, Educators
Outcomes: Professionals, New Knowledge, New Technology, Ed. Products
![Page 73: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/73.jpg)
Emerging Job Market
• Certified Information Systems Security Professional (CISSP) SANS/GIAC
• Certified Information Systems Auditor (CISA)
• Certified Intrusion Analyst SANS/GIAC
• Certified Firewall Analyst SANS/GIAC
• Certified Unix Security Admin SANS/GIAC
• Certified Windows Security Admin SANS/GIAC
• Certified Incident Handler SANS/GIAC
• Certified Network Auditor SANS/GIAC
• Certified Security Essentials
Job Titles
– Director, Security
– Manager, Security
– Sr. Security Analyst
– Security Administrator
– Web Security Manager
– Data Warehouse Security Manager
– Network Administrator
Source: Foote Partners
http://www.footepartners.com/SSCP.htm
![Page 74: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/74.jpg)
![Page 75: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/75.jpg)
Goals
• ISRM Certificate
  • Efficient preparation for job market
  • From literacy to problem solving
  • Communication skills
  • Academic and Training credentials
• Course 1: Information Security and Risk Management in Context
• Course 2: Building a Risk Management Toolkit
• Course 3: Designing and Executing Information Security Strategies
![Page 76: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/76.jpg)
Content
Modules 1–5 (diagram)
• No BOK for IA/IS
• CISO : ISRM as CEO : MBA
• Framework
![Page 77: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/77.jpg)
Teachers
• Academic:
  – Barbara Endicott-Popovsky, PhD, Information School faculty member and Director, UW Center for Information Assurance & Cybersecurity
• Practitioners:
  – Mike Simon, CTO, Creation Logic, and UW Information School affiliate faculty member
  – Seth Shapiro, Senior VP & Risk Strategist, Kibble & Prentice
  – Ilanko Subramanian, GRM, Trustworthy Computing, Microsoft
• John Stephens, Director, UW Professional & Continuing Education
![Page 78: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/78.jpg)
Teachers (Cont’d.)
Guest Lecturers
• Kirk Bailey, CISO UW, Agora
• John Christiansen, Principal Legal Counsel, Christiansen IT Law
• Aaron Weller, Managing Director, The Concise Group
• Bob Clark, PRESENTATION: ISSA
• Dennis Opacki, Senior Security Consultant, Covestic
• Ernie Hayden, Smart Grid Security, Verizon Business
• Todd Plesco, CISO, Chapman University
• Michael Ness, CEO, Ness Group
• Brian Haller, CISSP, Associate/FSO, Booz Allen Hamilton
• Jim Poland, FSO, University of Washington
• Christian Seifert, Honeynet Alliance and Microsoft Corp.
• Ivan Orton, King County Senior Deputy Prosecutor
• Joe Simpson, Systems Engineer, Systems Concepts
• Ryan Heffernan, Security Analyst, Trustworthy Computing, Microsoft Corp.
• Neil Koblitz, Professor of Mathematics, University of Washington
• Mike Howard, Security PM, Microsoft Corporation
• George Graves, IA Advisory, KPMG
• Peter Gregory, CISA, CISSP, Senior Security Analyst, Concur Technologies
• Randy Hinrichs, CEO, 2b3d
• Ming-Yuh Huang, Technical Fellow, The Boeing Company
• Ashish Malviya, MSIM intern, PNNL
NOTE: These are your network
![Page 79: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/79.jpg)
RESULTS
Well placed graduates
![Page 80: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/80.jpg)
Sample success stories
• Asst. Dep. Secy. DHS – Mike Roskind
• CISO – Todd Plesco
• FSO BAH – Brian Haller
• Tech Dir NSA – Darren King
• IA Entrepreneur – Aaron Weller
• IA audit, system and risk analysts
• Research scientists
![Page 81: 2011 lecture ia orientation](https://reader036.vdocuments.us/reader036/viewer/2022062704/5559f7f1d8b42aa8098b4962/html5/thumbnails/81.jpg)
Unintended Consequences of Embracing the Internet…