Description

Hands-on Zeek Scripting training, Aashish Sharma will walk attendees through the fundamentals of Zeek Scripting along with some practical exercises. This training will cover scripting basics, and will then advance through various Zeek script frameworks. In the training, we will cover how to work with Zeek events and datatypes, how to create custom datatypes, how to create custom log-files and notices, how to use probabilistic datastructures, how to load data into Zeek. We also will talk about some clusterization techniques. The training will end by walking attendees through the process of developing a new heuristic and wrapping it into a package. This will be a hands-on training. There will be an introduction for each topic, followed by hands-on exercises.

Presenter bio

Aashish Sharma is a member of the Cyber Security team of the Lawrence Berkeley National Laboratory. He is a long-time daily user of Zeek, part of the Zeek leadership team, and active in the Zeek community. Aashish is a prolific script-writer, as well as an author of several papers using Zeek data.

Description:

We will aim to give attendees the ability to run a real-world Zeek installation on their own hardware. We will start by introducing attendees to the basic architecture of Zeek. This includes showing attendees how to run and customize Zeek on the command-line. It also includes guidance on how to do basic log analysis. We will also talk about how real-world deployments of Zeek look like, using examples used by R&E institutions. We will teach attendees how to set up their own Zeek cluster deployments in production together with all the cluster components, and the new Zeek management framework. Other topics that we cover include the Zeek package manager, the configuration framework, the intelligence framework, customizing logging, and the input framework. This is a hands-on training, where attendees will be able to run Zeek on their laptops.

Presenters’ bios

Fatema Bannat Wala is a Security Engineer at ESNet. She has more than 9 years of experience in Cyber-Security. She is a member of the Zeek Leadership Team, and an active contributor to the Zeek community and other open-source projects. Fatema is well-known among security professionals for developing new technologies that solve real world security related challenges, for implementing new research ideas and for instigating operational improvements in organizations. She also is a frequent public speaker in well renowned security conferences around the globe. Fatema is enthusiastic about learning new technologies, especially when they relate to cyber security defense.

Christian Kreibich is Technical Lead (Open Source) @ Corelight by day and Zeek wizard with exceptional zeek-magic skills by night. Also, he is a Zeek LT Member

Keith Lehigh has served at UISO @ Indiana University for 10 yrs running Zeek on large .edu network and currently Zeek LT Member

Description

The role of security in the Jupyter community should be to provide users, developers, and system administrators with trustworthy software, processes, and documentation for scientific computing. Users trust that the software they rely on executes their applications in an expected manner and preserves the confidentiality and integrity of their data. Developers trust that the processes and tools they use will package and deliver the code as they’ve written it to the community. System administrators trust documentation to deploy and maintain Jupyter software in a manner that meets their local user and organizational needs. While this is not a comprehensive list, it attempts to align cybersecurity efforts with the values of Project Jupyter. These efforts build trust in Jupyter with users and organizations. This workshop will expand on the current Jupyter security practices by focusing on the following near and long goals: * Bring together people interested in contributing to security in Jupyter, with the intention that some of these are or will become longer term contributors. * A white paper on “Jupyter Security Best Practices”, scoped to various levels like DOE supercomputing centers, campus research computing centers, and workshops. * Summarizing Jupyter development practices that target security (e.g., code reviews, auth modules, CVE tracking, etc.). * Recommendations for security governance within the Project Jupyter governance model. * Draft an initial page to reference these documents and other security topics that cut across Project Jupyter components to be hosted at https://security.jupyter.org. This may be based off of other examples from open source, like the Kubernetes Security and Disclosure Information page. * Based on any security gaps in documentation, software, processes, or other areas, identify potential support mechanisms to address them. While the details will be revised and refined, the workshop structure will be aimed at producing tangible outcomes. Understanding how Jupyter is being used will help prioritize the work. Attendees will be asked to contribute information about their current Jupyter environments and security practices using presentation templates to build a survey of the Jupyter components in use and the common system architectures. Breakout sessions will be used to draft the revised documentation and scope future work. If possible, some talks will cover risk management and secure software development to help create a consensus model of security terms and concepts. To help ensure the workshop delivers on its goals, we intend to use the following process: * Clearly communicate these expectations via the marketing emails, a workshop website, and in person.

* When registering, attendees will be required to acknowledge their agreeing to contribute to the document at some level. * Set an initial timeline for having the first draft of the white paper completed within two weeks after the workshop, and the final version published within six weeks.

* During the workshop, ask the participants for realistic estimates of their areas of contribution (providing recommendations, writing, editing, etc.) and availability. Project Jupyter is built on open communication and clear expectations around the behavior of its members. This can be leveraged to incorporate security into the Jupyter culture by maintaining the expectation of clear documentation and open processes. This will avoid the unfortunately common perception of cybersecurity as opaque and confrontational. The documentation, recommendations, surveys, and other artifacts created during the workshop will be shared openly. When possible, the best practices guidelines for using Jupyter will be mapped to common or standard security control references such as the Center for Internet Security Controls, NIST SP 800-171, and NIST SP 800-53. This will enable cybersecurity professionals reviewing Jupyter to quickly map it to their security control implementations. Similarly, Project Jupyter development and governance practices will be aligned with recommendations including the Open Source Security Foundation best practices and the Trusted CI Guide to Securing Scientific Software.

Presenter bio

Rick Wagner is part of the UCSD Research IT team, helping to design solutions for projects that cut across the campus and beyond it. He is also trying to smooth the boundary between cybersecurity and research and is currently serving as the Security Subproject representative to the Jupyter Software Steering Council.

Description

The activities/working groups we propose for inclusion in the 2023 half-day WISE are:

• Security for Collaborating Infrastructures (SCI)

o Policy Development Kit and templates aimed at meeting the SCI needs

o Comparison of these templates with other such activities (Trusted CI for example) and see what we can learn from each other.

o This meeting will facilitate discussions between the SCI working group and Trusted CI Framework activities to see where the Trust Frameworks can co-exist and the identification of future work that may be required to encourage co-existence and easier interworking.

• Operational Security threat intelligence and communication between Security Operations Centres (SOCs)

o Please note that this will be an open session to all attendees and in no way conflict with any separate work and discussions of the “closed” SAFER opsec trust group activities.

Presenters’ bios

David Kelsey - Chair of WISE Community Steering Committee and chair of WISE Security for Collaborating Infrastructures working Group

David Crooks - GridPP and IRIS Information Security Officer and co-chair of WISE Incident Response and Threat Intelligence work group.

Description

University of Cincinnati is committed to supporting our faculty members research initiatives with the Department of Defense (DoD). Increasing concerns from federal officials and agencies regarding weaknesses in cybersecurity infrastructure has initiated the DFARS clauses requiring assessments and implementation of NIST 800-171 as part of award obligations and soon CMMC. Principle Investigators (PI) who are submitting proposals to the DoD are increasingly finding themselves obligated to control their research using the NIST 800-171 framework, either through assessment and POAM or through full implementation of the controls. Universities often have environments which have both centralized support and decentralized support components, each of which play a part in the implementation and management of the NIST 800-171 framework.

In the last decade, increasing incidents of cybersecurity breaches and concern for research security has resulted in the DoD implementing DFARS clauses to protect national security initiatives and Controlled Unclassified Information. These clauses require the implementation of an environment which meets the NIST 800-171 framework for the research to be completed. The NIST 800-171 framework is 110 controls from 14 different cybersecurity families involving administrative controls, technology controls, physical controls, audit controls and HR controls and others. In academic environments, these controls may be handled at the University level – or centralized controls – while others may be handled at the department level and have unique processes for the different departments – decentralized controls. To properly implement the NIST 800-171 framework in a mixed environment like this requires creativity and collaboration. The University of Cincinnati has both centralized and decentralized components which support our PIs with DoD funded projects and we hope to explain the innovative approach to implementing NIST 800-171 in our environment to help others in similar situations find a path to move forward with their own compliance needs.

This proposal would walk through the setup of a NIST 800-171 Steering Committee at the University level to guide university leaders forward with defining a standard response to NIST 800-171 which can then be adopted by the individual and decentralized departments to implement their own environment. The proposal includes a discussion of key topics which helped drive the decision to take this approach, the key stakeholders of the steering committee and some of our key initiatives to help drive this work forward. The proposal also looks at the challenges and the successes that the University of Cincinnati has had with this process and the goals for the team moving forward.

This proposal features Laura Elkin who is the Cybersecurity Specialist at the University of Cincinnati who works in the Office of Research supporting researchers with their CUI projects and cybersecurity needs. Laura is the co-chair of the NIST 800-171 steering committee with the CISO and is a key contributor to the steering committee’s efforts to define the NIST 800-171 compliance at University of Cincinnati.

We look forward to the plenary session to share the University of Cincinnati’s innovative approach as a leader in the academic research security and NIST 800-171 implementation. Our hope is that this plenary will inspire confidence in other institutions that NIST 800-171 can be accomplished and that there are ways to support their researchers doing DoD research with CUI clauses

Presenter bio

Laura Elkin - has over 20 years of experience in Cybersecurity and Information Technology with experience in the Higher Education and K12 environments as well as private industry. With a background in NIST cybersecurity assessment and risk management, she is passionate about collaborating with different teams to identify creative solutions to drive down their cyber risk. Laura has experience helping organizations evaluate their cyber risk, and working with teams to understand and mitigate or remediate those risks. Laura is the Cybersecurity Specialist for University of Cincinnati and works closely with researchers to meet their cybersecurity requirements for grants and contracts. She specializes on working with researchers on their DoD cybersecurity requirements and is partnering with the CISO to lead UC’s CMMC efforts.

Description

This research presents a comprehensive investigation into a Romanian cybercrime group's exploitation of university networks using an IRC (Internet Relay Chat) network, rootkits for stealth, and self-hiding malware to execute cryptominers. The study not only delves into the techniques employed by the group but also highlights the incident handling process.

The investigation uncovers the attack vectors utilized by the group, their methods of infiltration, and the subsequent deployment of malicious tools. Additionally, it provides detailed insights into the steps taken to identify and mitigate the threat, as well as the measures employed to enhance the security posture of affected institutions.

Moreover, this research emphasizes the collaborative approach taken to share intelligence with the wider research and education sector. By fostering information sharing and open communication, aiming to empower other organizations to defend against similar threats.

Keywords: Investigation, IRC network, rootkit, self-hiding malware, cryptominers, cybercrime, universities, incident handling, intelligence sharing, research and education sector, cybersecurity.

Presenter bio

Pau Cutrina As a member of CERN's security team, I specialize in incident handling for large-scale and distributed attacks. My primary focus lies in threat hunting, conducting forensics investigations, and gathering intelligence. In addition to investigations, I am actively involved in developing open-source tools for the community. The aim is to protect the research and education sector and contribute to enhancing the overall security posture of the scientific community.

Description

The Black Hole Locker affiliate program welcomes you. As a company created by former security experts, we believe strongly that trust is earned through transparency.

We are a team of security researchers based between the French and Swiss border. We are completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals.

Come and learn about the benefits our affiliate program and earn up to 20% of the ransom!

Pushing the boundaries of ransomware!

Speaker Bio

Ramon Warze, a.k.a Romain Wartel Ramon has been a gang leader from his early age. After many years leading a cartel in the drugs industry, the arrival of cybercrime made his operations more scalable, more profitable and most importantly, much safer.

Ramon currently owns a yacht and a helicopter and leads the Black Hole Locker Ransomware — the best in the market — from the comfort his mansion in his hometown in Adjikistan.

Description

In this tutorial you will learn skills critical for software developers and analysts concerned with security. It focuses on web programming practices that can lead to security vulnerabilities, on automated tools, and on software assurance tools. We will present the most common vulnerabilities found in web applications, Cross-Site Scripting (XSS) and Cross Site Request Forgery (CSRF), and how to mitigate them. Dependency analysis tools – tools that find weaknesses in the software supply chain and develop a software bill of materials (SBoM) – are the first line of defense in assessing the security of a software project. These tools can catch flaws in the packages and libraries a program depends upon, and that affects the safety of the application. Software assurance tools – tools that scan the source or binary code of a program to find weaknesses – can catch flaws in a program that affect both the correctness and safety of the code. This tutorial is also relevant to anyone wanting to learn how to use these automated assessment tools to minimize security flaws in the software they develop or manage. The tutorial includes a hands-on session, where the attendees will gain experience with automated assessment tools and dependency analysis tools, applied to a web application we crafted for learning about security weaknesses that lead to vulnerabilities. We will provide all the required software, installed, and configured, on a Virtual Machine.

Presenters’ bios

Barton Miller is the Vilas Distinguished Achievement Professor and the Amar & Belinder Sohi Professor in Computer Sciences at the University of Wisconsin-Madison. He is the Software Assurance Lead on the NSF Cybersecurity Center of Excellence. In addition, he co-directs the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona. He also leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. His research interests include systems security, binary and malicious code analysis and instrumentation extreme scale systems, parallel and distributed program measurement and debugging, and mobile computing. Miller's research is supported by the U.S. Department of Homeland Security, U.S. Department of Energy, National Science Foundation, NATO, and various corporations. In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student, Prof. Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term "dynamic instrumentation". Dynamic instrumentation forms the basis for his current efforts in malware analysis and instrumentation.

Elisa Heymann is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin-Madison, and an Associate Professor at the Autonomous University of Barcelona. She co-directs the MIST software vulnerability assessment at the Autonomous University of Barcelona, Spain. She coordinates in-depth vulnerability assessments for NFS Trusted CI, and was also in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include software security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.

Description

This workshop will focus on exploring how network monitoring with Zeek can safeguard Jupyter deployments. Jupyter software is inherently network-based and integrates multiple components communicating over local and frequently wide-area networks. During the workshop, Zeek and Jupyter developers will work together to discuss using or developing protocol analyzers to identify Jupyter traffic and how signals or events from Jupyter components can be incorporated into Zeek logs. Beyond Jupyter, this workshop will be an example of how networked applications for interactive computing can streamline integration with networking monitoring tools. Before the workshop, network data from example Jupyter deployments will be gathered for reference, including a multi-user JupyterHub environment and a single-user Jupyter Server connection for analysis. At the start of the workshop, the organizers will provide introductions to Zeek and Jupyter to ensure that all participants have a sufficient understanding to contribute. Next, there will be a discussion of using Zeek related to potential incidents in a Jupyter deployment, such as a compromised user account, software vulnerability, or data exfiltration. A key goal of the workshop will identify and document areas for future work, such as developing Jupyter-specific Zeek plugins or Jupyter extensions. Depending on the time and interest of the participants, some of this work may begin at the workshop by prototyping a protocol analyzer or drafting a short implementation guide on using Zeek as part of a Jupyter deployment.

Presenters’ bios

Rick Wagner is part of the UCSD Research IT team, helping to design solutions for projects that cut across the campus and beyond it. He is also trying to smooth the boundary between cybersecurity and research and is currently serving as the Security Subproject representative to the Jupyter Software Steering Council.

Christian Kreibich is the technical lead for the Zeek project and a Zeek Leadership Team member. He has 20+ years of experience working on or with Zeek. Fatema thinks he is a Zeek wizard, which he disputes.

Fatema Bannat Wala is a Security Engineer at ESNet. She has more than 9 years of experience in Cyber-Security. She is a member of the Zeek Leadership Team, and an active contributor to the Zeek community and other open-source projects. Fatema is well-known among security professionals for developing new technologies that solve real world security related challenges, for implementing new research ideas and for instigating operational improvements in organizations. She also is a frequent public speaker in well renowned security conferences around the globe. Fatema is enthusiastic about learning new technologies, especially when they relate to cyber security defense.

Description

Welcome to the Zebra Scientific Alliance! The Zebra Scientific Alliance is a distributed e-infrastructure relying on multiple teams. Today, they are being put to the test. The Zebra Scientific Alliance has been hit hard by an attacker.
The details are opaque. Log files are missing.
Time is running out. Pressure is rising.
 Police is pushing. Journalists are inquiring. 
And nothing is as it seems. Can they establish sufficient trust to communicate & coordinate in the middle of this crisis? Handle technical forensics? Share data as appropriate?
 Protect the reputation of the Alliance? 
Will the Zebra Scientific Alliance teams be able to solve the mystery? This gamified security incident response exercise requires between 20 and 25 participants to cooperate and solve. Participants will be mapped to the different teams. Together they will experience the typical phases of any crisis: chaos, connection, and hopefully, resolution. 
Each team is given a bespoke file with their specific identity, mission & goal. 
At the end of the session, participants are expected to have gained additional expertise, strategies and procedures, necessary to handle severe security incidents with confidence.

Presenter Bio

Romain Wartel has been doing forensics and incident response in R&E for nearly two decades, and this training is 100% based on his real life experience.

Description

This workshop aims to train the audience about best practices to develop efficient deep machine learning (ML) techniques for intrusion detection in cyber-physical critical infrastructures. The workshop assumes that the audience has no experience in cyber-physical systems or ML techniques. In order to develop ML-based intrusion detection, datasets reflecting the cyber-physical system behavior in normal conditions and under cyber-attacks are required. Obtaining such representative datasets is a major challenge that faces any practitioner in this field. Hence, the first part of the workshop (~0.75 hr) will discuss developing practical testbeds of cyber-physical critical infrastructures with an example of electric power systems. Specifically, this part covers setting up representative physical and cyber layers, coupling them, and collecting cyber-physical datasets during system normal operation and under cyber-attacks. The second part of the workshop (~2.25 hrs) will follow a hands-on approach to train the audience on developing deep ML techniques for intrusion detection. Supervised and unsupervised deep learning techniques will be covered such as deep feedforward, recurrent, and convolutional neural networks, and autoencoders. For each ML technique, its basic operation will be briefly discussed, then, python codes and physical layer datasets will be shared with the audience to train and test deep learning-based intrusion detection models. The codes to be shared were developed with the help of ChatGPT, hence, we will briefly discuss using ChatGPT to develop codes for ML-based intrusion detection models. The last part of the workshop (~0.5 hr) will discuss developing multi-modal intrusion detection systems that fuse cyber and physical features to enhance detection performance.

Presenter bio

Muhammad Ismail received the Ph.D. degree in Electrical and Computer Engineering from the University of Waterloo, Waterloo, ON, Canada, in 2013. He is an Assistant Professor of Computer Science and the PI of the CyberCorps SFS Program at Tennessee Tech University. His research interests include the applications of deep machine learning in cyber-physical system security. He co-authored more than 150 publications with more than 3,000 citations and was a co-recipient of six best paper awards. He is an Associate Editor of the IEEE Internet-of-Things Journal and the IEEE Transactions on Vehicular Technology.

Description:

From data centers to network closets, office desktops to public kiosks, laptops to phones, when attackers gain physical access to IT or OT assets it is very hard to prevent their attempts to steal data or outright theft of the assets an overview of some common ways attackers gain physical access to and attack IT and OT assets. Some ways to detect and prevent these attacks will also be covered. This training will include demonstrations and hands on experiences with common lock picking and bypass techniques. Technical based attacks will also be demonstrated for after physical access is gained.

Presenters’ bios

Adrian Crenshaw serves as a senior security analyst on OmniSOC's security services team. His 23+ years in the IT industry spanned educational, corporate, and consulting environments. His primary interests are pentesting, physical security bypass and darknet research. He holds an M.S. in Security Informatics, and spends his spare time helping to record presentations for various infosec conferences.

Susan Sons serves as Executive Director of OmniSOC and ResearchSOC at Indiana University. There, she leads a team of operational cybersecurity professionals providing 24/7/365 cybersecurity monitoring and support to research cyberinfrastructure and higher education. Her two decades plus in technology and information security ranges from tech startups to defense to academic science to private sector research and development environments. Susan is passionate about software and control systems security, building security programs and teams that enable research and development, and advancing the practice of information security.

Description

Cybersecurity rules and regulations in individual grants, contracts, and data use agreements have long been a challenge for researchers and organizations. The burden is now shifting as a new regulatory landscape is poised to subject the entire research enterprise to compliance. The steady arrival of new regulations has caused the number of research institutions with compliance expertise to grow, providing a new community for the uninitiated, but there is still no central resource that introduces compliance holistically. This training is designed to address this gap and introduce attendees to current and upcoming rules and regulations that affect research and strategies to tackle them.

Presenters bios

Anurag Shankar is a Senior Security Analyst at the Center for Applied Cybersecurity at Indiana University. He leads the HIPAA compliance effort for the IU Office of the Vice President for Information Technology and is responsible for developing IU's nationally renowned SecureMyResearch program. He specializes in regulatory compliance for research, cybersecurity risk management, and research cybersecurity. Anurag has over three decades of experience conducting academic research, teaching, developing and delivering research computing services, building compliant solutions for biomedical researchers, performing cybersecurity assessments, and consulting. He has a Ph.D. in astronomy from the University of Illinois at Urbana-Champaign.

Tim Daniel is an Information Security Analyst at the Center for Applied Cybersecurity at Indiana University and a member of IU's SecureMyResearch team. Previously, Tim worked for a contract research organization carrying out phase 1 and pre-phase 1 clinical trials for veterinary medicine. He holds a bachelor’s degree in biology with a focus in chemistry, and an associate's degree in applied biotechnology. After high school, Tim worked for Stone Belt, a nonprofit that provides resources and supports for individuals with disabilities, where he learned patience and listening skills, critical to the success of SecureMyResearch.

Will Drake is a Senior Security Analyst, CISO, and the SecureMyResearch lead at the Center for Applied Cybersecurity at Indiana University. Will has worked in various IT roles with Indiana University since 2012, including Operations Supervisor for Data Center Operations and Lead Systems Engineer for the Campus Communications Infrastructure team where he was responsible for ensuring the security of IU’s critical telecommunications infrastructure. Will holds an Associate’s Degree in Computer Information Technology from Ivy Tech and is currently pursuing a Bachelor’s Degree in Informatics with a specialization in Legal Informatics from Indiana University School of Informatics and Computing.

Description

In recent years, Neural Language Generation (NLG) techniques including large language models (LLMs) have greatly advanced, especially in the realm of open-ended text generation. With respect to the quality of generated texts, therefore, it is no longer trivial to tell the difference between human-written and NLG-generated texts (so-called “deepfake texts”). While this is a celebratory feat for NLG, however, it poses new security risks (e.g., generation of misinformation or phishing messages at scale). To combat this novel challenge, researchers have developed diverse techniques to automatically detect NLG-generated texts. While this niche field of deepfake text detection is growing, the field of NLG is growing at a much faster rate, thus making it difficult to understand the complex interplay between state-of-the-art NLG methods and the detectability of their deepfake texts. Scaling up the problem further to the case of 𝑘 NLG methods (𝑘 ≥ 2), each generating uniquely-different yet human-quality texts, two new computational problems emerge: (1) “Neural" Authorship Attribution (AA) and (2) “Neural" Authorship Obfuscation (AO) problems, where the AA problem is concerned with attributing the authorship of a given text to one of 𝑘 NLG methods, while the AO problem is to evade the authorship of a given text by modifying parts of the text. Both problems lie in the security field, and their importance and implications are growing rapidly. In this training, therefore, we call-attention to the serious security risks both emerging problems pose and give a comprehensive tutorial of recent literature on the detection and obfuscation of deepfake text authorships. Hands-on examples/quizzes of the generation, detection, and obfuscation of deepfake texts for engaging with participation interactively. We invite an audience from all sub-fields of cybersecurity to attend this very timely workshop.

Presenters’ bios

Adaku Uchendu recently earned her Ph.D. in Information Sciences and Technology from The Pennsylvania State University and is to join MIT Lincoln Lab. She was a Sloan scholarship fellow, an NSF CyberCorps SFS scholar and Button-Waller fellow. Her dissertation is titled “Reverse Turing Test in the Age of Deepfake Texts.” She has authored several papers in deepfake text detection at top-tier conferences & journals - EMNLP, KDD Exploration, Web of Science, Web Conference, etc. In addition, she led two similar Tutorials titled, Tutorial on Artificial Text Detection at the INLG conference, July 2022 and Catch Me If You GAN: Generation, Detection, and Obfuscation of Deepfake Texts at the Web conference in April 2023. She is interested in building robust and explainable deepfake text detectors to assist in both automatic and human detection of deepfake texts. More details of her research can be found at: https://adauchendu.github.io/. E-mail: azu5030@psu.edu

Thai Le is an Assistant Professor at The University of Mississippi since 2022. Before starting at the University of Mississippi, he worked at Amazon Alexa and obtained his doctorate degree from The Pennsylvania State University. He has published several relevant works at top-tier conferences such as KDD, ICDM, ACL, EMNLP, and Web Conference. He is also one of the Instructors in the Tutorial, Catch Me If You GAN: Generation, Detection, and Obfuscation of Deepfake Texts at the Web Conference. In general, he researches the trustworthiness of machine learning and AI, with a focus on explainability and adversarial robustness of machine learning models. He also contributed to the adversarial NLP open-source repository TextAttack1, which will be used to demonstrate the authorship obfuscation section of the tutorial. More details of his research can be found at: https://lethaiq.github.io/tql3. E-mail: thaile@olemiss.edu

Dongwon Lee is a Professor in the College of Information Sciences and Technology (a.k.a. iSchool) at Penn State University, USA and also an ACM Distinguished Scientist and Fulbright Cyber Security Scholar. Before starting at Penn State, he worked at AT&T Bell Labs and obtained his Ph.D. in Computer Science from UCLA. From 2015 to 2017, he also served as a Program Director at National Science Foundation (NSF), co-managing cybersecurity education and research programs and contributing to the development of national research priorities. In general, he researches problems in the areas of data science, machine learning, and cybersecurity. Since 2017, in particular, he has led the SysFake project at Penn State, investigating computational and socio-technical solutions to better combat fake news. More details of his research can be found at: http://pike.psu.edu. Previously, he has given numerous tutorials at various venues, including WWW, AAAI, CIKM, SDM, ICDE, and WebSci. E-mail: dongwon@psu.edu

Description

The Trusted CI Framework is a minimum standard for cybersecurity programs that can be used by any organization, regardless of age, size, or sector. However, the specifics of implementing the Framework will vary considerably depending on the specifics of the organization. One particularly challenging and important area is how to “get started” adopting the Framework. Implementing all 16 of the Framework’s Musts can be a daunting task, and organizations need help determining what to prioritize. This training will explore strategies for organizations seeking to adopt the Framework, with particular attention paid to the diversity of starting postures organizations can have. The training will focus on setting effective priorities, crafting realistic timelines, and overcoming common obstacles. Substantial time will be dedicated to Q&A with the trainees, brainstorming potential solutions to their real world challenges.

Presenters’ bios

Scott Russell is a Senior Policy Analyst with the Indiana University Center for Applied Cybersecurity Research (CACR), where his work focuses on the improvement of privacy and cybersecurity policy. A lawyer and researcher, Scott specializes in privacy, cybersecurity, and international law, and his past research has included principled cybersecurity, cybersecurity assessments, cybersecurity due diligence, cybersecurity self-governance, international data jurisdiction, and constitutional issues on digital surveillance. He is the program lead for the Trusted CI Framework, a co-author of Security from First Principles: A Practical Guide to the Information Security Practice Principles, and served as temporary faculty with Naval Surface Warfare Center Crane. He received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a postdoctoral fellow at CACR.

Craig Jackson is Deputy Director at the Indiana University Center for Applied Cybersecurity Research (CACR), where his research and development interests include information security program development and governance, cybersecurity assessment design and conduct, legal and regulatory regimes' impact on information security and cyber resilience, evidence-based security, and innovative defenses. He leads collaborative work with the national security community, as well as interdisciplinary assessment and guidance teams for the NSF Cybersecurity Center of Excellence. He is the principal architect of the Trusted CI Framework. He is a co-author of Security from First Principles: A Practical Guide to the Information Security Practice Principles. He has served as a temporary faculty at Naval Surface Warfare Center Crane. Craig is a graduate of the IU Maurer School of Law, IU School of Education, and Washington University in St. Louis. In addition to his litigation experience, Craig’s research, design, project management, and psychology background includes work at the IU Center for Research on Learning and Technology and the Washington University in St. Louis School of Medicine.

Description

Academic institutions are committed to supporting research and collaboration which is essential to the advancement of knowledge and information. Increasing concerns from federal officials and agencies regarding improper foreign influence and cybersecurity infrastructure weaknesses has initiated an increasing number of regulations in award obligations. Principle Investigators (PI) are finding themselves obligated to follow procedural and technical steps to maintain their awards, which is often a confusing and difficult path to navigate. When compliance teams, which identify and help manage the regulatory requirements, collaborate with information technology and department resources to support the PI initiatives, the path to compliance and research becomes less confusing. In the last decade, increasing incidents of cybersecurity breaches and concern for research security and integrity have resulted in an increase in regulatory requirements for academic research. Many of the requirements for PIs to be able to participate in federal awards require efforts from multiple areas of the academic institution to implement, including legal, compliance, information technology, information security, HR and department specific organizations to support the award. PI’s may find themselves trying to navigate unfamiliar requirements with unclear direction on who can assist with implementation. This issue is compounded by different regulations being managed by different areas creating multiple meetings and working sessions leading to meetings or “touches” with a PI causing frustration and internal coordination is critical to reduce the burden on the PI. Through the coordination of a focused group, teams can create a supportive and streamlined process where research can meet the needs of federal agencies for research security, export control and cybersecurity and reduce the confusion and frustration for the PI. The University of Cincinnati and Texas A&M have recognized the importance of collaboration within their own organizations to reduce PI frustration and the number of “touches” a PI experiences when accepting an award with export control or cybersecurity terms. Additionally, they’ve recognized the importance of collaboration within the community to understand new opportunities to build efficiency and foster best practices. This proposal would like to share with the NSF community the areas that we are collaborating internally and externally but also open the conversation with a diverse community to discuss other compliance challenges they have overcome together. UC and Texas A&M intend to share processes they have found collaboration to be helpful in reducing the burden on the PI. We hope that the discussion can help generate ideas for PIs and their support teams to take back to their institutions to improve the compliance processes and supportive research security environment. This proposal would feature University of Cincinnati and Texas A&M who have begun collaborating to learn about opportunities to enhance their own programs for Research Security, Controlled Unclassified Information (CUI) and Export Control. Featured Universities and Key Strategic Collaborations.

1. University of Cincinnati (UC) – Hiring critical personnel. One of UC’s key hires was a Cybersecurity Specialist in research who works closely with principal investigators, central IT, and colleges to setup NIST and controlled unclassified information (CUI) system security plans. She also works alongside our Export Control Director to facilitate communication with Sponsored Research Services as well as ensure physical and secure computing obligations are met between the two offices.

2. Texas A&M – The Texas A&M University System has a centralized group that is responsible for managing projects that fall under the Controlled Unclassified Information umbrella. This compliance group works collaboratively with the different IT departments within a system of 11 universities and 8 state agencies. PIs that have CUI in the scope of work of their research projects will be availed with collaborative tools and resources to help ensure work in a CUI certified environment.

We look forward to a Birds of a Feather session to have a community conversation about the importance of internal collaboration for research success and discussion of new opportunities to broaden collaboration within institutions to improve the PI experience.

Presenters’ bios

Laura Elkin has over 20 years of experience in Cybersecurity and Information Technology with experience in the Higher Education and K12 environments as well as private industry. With a background in NIST cybersecurity assessment and risk management, she is passionate about collaborating with different teams to identify creative solutions to drive down their cyber risk. Laura has experience helping organizations evaluate their cyber risk, and working with teams to understand and mitigate or remediate those risks. Laura is the Cybersecurity Specialist for University of Cincinnati and works closely with researchers to meet their cybersecurity requirements for grants and contracts. She specializes on working with researchers on their DoD cybersecurity requirements and is partnering with the CISO to lead UC’s CMMC efforts.

Lauren Schroeder is currently the Director of the Texas A&M University System (A&M System) Export Control Office, a component of the A&M System Research Security Office. She provides administrative oversight to the A&M System’s 11 universities and eight state agencies‘ export controls programs in this capacity. As a shared service, the System Export Control Office leads a system-wide affinity group, a consortium of all practitioners within the A&M System, to provide assistance and guidance in all export control-related matters. Before assuming this position, she systematically developed, implemented, and administered export control programs and served in other research compliance and policy-related roles. Lauren earned a BS and MS from Texas A&M University.

Maria Bunch is a Compliance Officer at the Texas A&M University System, Research Security Office (RSO). In this role, she works collaboratively with the System’s 11 universities and eight state agencies leading the Controlled Unclassified Information (CUI) program while also assisting in export controls compliance. Prior to working at the System RSO, she worked for a System member creating an export control program and implementing processes to address export control compliance. Maria earned a BA from Columbia College and a MS from Chapman University.

Description

The University of Southern Maine (USM) Cybersecurity Ambassador Program (CAP) provides graduate and undergraduate students opportunities to use the cybersecurity knowledge, skills, and abilities acquired in higher education to raise cyber safety awareness in the community. The Principal Investigator initially designed CAP for in-person cyber safety research, with outputs being community workshops delivered by students. However, the program had to transform to a remote/online modality due to the COVID-19 pandemic. The faculty uses this program to provide students much-needed work-study and internship opportunities. The two most challenging problems we had to solve were creating a remote training program and a distance-based but not oppressive accountability program to track student progress. We partner with the Maine Office of Securities for an initial grant to fund the student internships but seek other grant support opportunities. We are currently in the process of collaborating with the Portland School District, the National Digital Equity Center (NDEC), and Maine Literacy Organizations to expand student outreach opportunities.

Presenter bio

Lori Sussman, Ed.D., is an Assistant Professor of Technology and Cybersecurity at the University of Southern Maine. She was part of the fourth class at the United States Military Academy to admit women and is a West Point graduate. Lori retired from the U.S. Army as a highly decorated colonel. Her military leadership experiences include 15th Regimental Signal Brigade Commander, 2nd Infantry Division Battalion Commander/CIO/G-6, Presidential Communications Officer, Joint Staff J-6 Executive Officer, and Assistant to the Army Chief of the Staff, as well as numerous demanding tactical assignments. Upon leaving service, Dr. Sussman worked in large and small companies, notably Cisco Systems and Hewlett Packard Enterprise (HPE). She is also an entrepreneur, having created several consulting businesses. In these varied roles, Dr. Sussman has managed a spectrum of highly complex organizations engaged in developing, integrating, deploying, and sustaining state-of-the-art technology and security solutions for clients. The Epsilon Pi Tau Technology Honor Society Awarded Dr. Sussman with the Warner Minilecture Award in 2020 and 2021 for her research about Cybersecurity Ambassadors. These individual awards followed recognition by the National Cyberwatch Center as the 2021 Most Innovative Cybersecurity Education Initiative. In 2021, Governor Mills named Dr. Sussman one of eleven veteran aides-de-camp. Her research areas include cybersecurity education, cybersecurity training and awareness, gender equity in technology and cybersecurity, and technology and cybersecurity leadership.

Description

In 2020 the global HPC community, in the Research & Education sector, was struck by a number of high profile attacks which were widely reported in the news. These incidents were seemingly unrelated, despite possessing certain puzzling commonalities. At the time, the main HPC systems affected were actively contributing to the fight against COVID-19, which created even more interest. When some large HPC centers had to be taken offline very publicly following attacks from IP addresses located in China, the political stakes were high. Finally, the wide variety and sophistication of the malware involved left a number of experts puzzled; In February 2021, ESET researchers published a comprehensive paper about Kobalos, one of the malware families used in these attacks, noting a high level of sophistication rarely seen in Linux malware. With victims scattered across southeast Asia, Europe and North America, organising a community-wide response with no obvious pre-established channels posed huge challenges. The political context and sensitive nature of the investigation presented a significant obstacle, but a number of infosec teams ultimately managed to connect and work together. This presentation focuses on mistakes and lessons learnt in this endeavour, and the ways in which, as a community, we failed to handle these global attacks, while also sharing explicit and pragmatic recommendations on how to handle such large-scale intrusions more effectively in the future. It is presented by members of the SAFER trust group (https://safer-trust.org), on behalf of those affected and those involved with the response to the attack in the Research & Education community.

Speaker Bio

Romain Wartel has been supporting "science for peace" in a hostile digital world for nearly 20 years.

Description

The presentation exposes a serious insider attack case in which the perpetrator managed, over the course of 10 months, to gradually sneak in malicious Monero mining jobs within the ground computing infrastructure of a scientific experiment located on the International Space Station. The malicious jobs were responsible for a combined usage of 2,500 years of CPU time. The presentation covers how the malicious jobs were detected, how the malicious activity was traced back to a privileged insider in the scientific collaboration, and the following administrative and technical challenges that followed. This would be a TLP:RED NO PHOTO presentation, sorry.

Speaker Bio

Romain Wartel has been fighting cybercriminals for many years and somewhat always manages to be dragged into insider attacks.

Description

"In the Research & Education (R&E) sector, ""defending as a global community"" is a crucial strategy. This involves having the hability to produce and share relevant threat intelligence, and the capability to leverage it accross the entire sector.

Large campuses and research labs typically have dedicated security teams and adequate skills. But even there, deploying and operating a Security Operations Center (SOC) is a hard problem to solve. In addition, a significant part of the R&E sector has a relatively low maturity level on threat intel, and no or limited security staff and expertise.

pDNSSOC provides a turn-key solution to both detect and respond to security incidents.

https://github.com/CERN-CERT/pDNSSOC

Presenters’ Bios

Romain Wartel & Pau Cutrina Pau and Romain have designed and written pDNSSOC to support organizations with no dedicated security teams (like some hospitals, universities, etc.) and allow them to be protected by their communities, and in particular by the more mature organizations, nearly at no cost for anyone.

Description

The Trusted CI Framework Community of Practice (CoP) is a continuation of Trusted CI’s Cohort engagements with NSF Major Facilities, Mid-scales, and other key research infrastructure projects. As part of their cohort engagement, each project has adopted the Trusted CI Framework, collaborated with Trusted CI in building a validated self-assessment of their cybersecurity program; and created a strategic plan to fully implement the Framework. Projects that have completed a Cohort engagement also graduate into the Community of Practice, an ongoing community designed to continue to advance the cybersecurity expertise of its membership and improve the cybersecurity posture of the NSF facilities they represent.

This CoP quarterly meeting provides an opportunity for CoP members to engage in person: sharing cybersecurity successes and challenges; learning from cybersecurity experts; and building their personal and professional network. As our first in-person event since the establishment of the CoP, this quarterly meeting will place a particular emphasis on relationship building between the members of the Community of Practice.

Description

The security log analysis workshop walks participants through the security log analysis lifecycle, providing considerations for centralized log collection and log management tools, phases of compromise, and examples from real attacks. We will be analyzing logs from Zeek Network Security Monitor, the Apache web server, two factor authentication systems, cloud service logs, as well as others. This workshop also includes hands-on exercises that will demonstrate techniques to analyze logs to detect security incidents using both the command line and Elastic Stack(aka ELK). The hands-on exercise will provide an overview of investigation techniques to determine security incident logs of some common attacks like SQL injection, filesystem transversal, brute force attacks, command-line injection and more. This will be an interactive session allowing Q&A and also will feature interactive polls to enhance the audience’s learning experience.

Presenters’ bios

Mark Krenz, Trusted CI, Indiana University Center for Applied Cybersecurity Research, Chief Security Analyst Mark Krenz is focused on cybersecurity operations, research and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity. He serves as the CISO of the ResearchSOC and also the Software Assurance Marketplace (SWAMP).

Ishan Abhinit, Trusted CI, Indiana University Center for Applied Cybersecurity Research, Ishan has worked as a security risk analyst co-op at GMO, Boston, as well as an SOC engineer and IT security analyst at Infosys Ltd and IBM India Pvt. Ltd. He holds a master’s degree from the Cybersecurity Program at Northeastern University.

Description

This workshop/panel will feature discussions with representatives of Trusted CI's recent "secure construction by design" efforts, including from Oregon State University (OSU), taking delivery of the NSF Research Class Research Vessels (RCRVs) and Scripps Institution of Oceanography (SIO), designing the California Coastal Research Vessel (CCRV). Both vessels are expected to become a part of NSF's U.S. Academic Research Fleet (ARF). Trusted CI has been supporting the former with of the cybersecurity aspects of the acceptance testing process of the RCRVs, and the latter with security focused design and procurement requirements for the CCRV.

This aim of this workshop is to support the broader community of NSF Program Officers, NSF Major Facilities, and other significant scientific cyberinfrastructure operators to similarly work toward secure-by-design goals in their own design, refesh, onstruction, procurement, and acceptance testing activities.

Presenters

Chris Romsos is the Datapresence Systems Engineer for the Regional Class Research Vessel Project at Oregon State University where he's contributed to the scientific design and specifications for the RCRVs and now works with the vessel transition team. Chris earned a BS in Environmental Resource Management from Penn State and an MS in Marine Resource Management from Oregon State. Before joining the RCRV project, Chris worked for the Active Tectonics and Seafloor Mapping Lab at Oregon State where he specialized in geographic information systems and seabed mapping for marine habitat research and management.

Jon Meyer (SHIP OPR&MARINE TECH-SIO) has used varied information systems to aid in characterizing and understanding many types of scientific data within academia. He is currently Information Systems Manager within Shipboard Technical Support, helping lead SIO's oceanographic fleet in collecting and distributing high quality data from our oceans, worldwide.

Ezra Van Everbroeck (DIRECTORS OFFICE-SIO) is the Director of Information Systems and Services at Scripps Institution of Oceanography providing strategic planning support and technical coordination for computing and network related activities within, and affecting, the Institution.

Craig Risien is the project manager for the NSF Ocean Observatories Initiative (OOI) data center that Oregon State University has operated and maintained since July 2021. He is currently working with the OOI CI Systems team and Dell EMC to design and build a new data center that will support OOI through September 2028.

Description

To ease the burden in navigating the International Maritime Organization’s (IMO) cyber risk management requirements, the ARF Security Team at OmniSOC has developed a successful cyber risk management program (CRMP) that each institution can adopt. Without clear guidance from IMO on cyber risk management, this program provides an achievable and effective framework to meet IMO compliance, and considers the myriad of resource and support challenges common to research vessel operations. Per IMO guidelines, the ARF CRMP sets out to:

• scope critical OT/IT systems while focusing on documenting the current state

• partner with cybersecurity experts to evaluate risk/control gap assessments and creating plans to address gaps

• make continuous updates and improvements to the CRMP

In this presentation, we’ll briefly review the IMO requirements, the delegation of cyber risk management responsibilities to ship operators (in the US), and the ARF CRMP as a successful solution in achieving IMO compliance.

Speaker Bio

Mikeal Jones is a security analyst at OmniSOC. He has 20+ years of professional IT experience in higher education spanning IT leadership and operational strategy, security and policy, risk assessment and mitigation, incident response, systems architect and administration, project management, workflow specialist, and customer service and support. Mikeal has contributed to the creation of processes, procedures, and standards at all levels of IT operation within Indiana University Bloomington’s largest division, the College of Arts + Sciences and provided services and support to more than 100 unique departments, programs, centers, and institutes. Mike is passionate about protecting and supporting the technology OmniSOC members use in their pursuit of knowledge, the advancement of science, and in finding solutions to real world problems.

Description

Cyber and data forensics are valuable tools for law enforcement when investigating potential criminal activity. Beyond that, forensic tools and methods can be used in everyday cybersecurity operations to build more robust response playbooks, understand attacker actions, and inform our defense. Whether it is data recovery, incident response, or securing critical systems, putting forensic measures in place early can help protect research cyberinfrastructure from attack and data loss.

Speaker Bio

Chris Lauderbaugh is a Security Analyst with the OmniSoc Team at Indiana University. He holds a Master's Degree in Cybersecurity with specializations in Forensics and Intelligence from Utica College.