| Time | Session | Speaker |
| --- | --- | --- |
| 8:30 a.m. | Conference Registration and Continental Breakfast (Location: Haldeman Center, Kreindler Auditorium, Room 041) | |
| 9:00 a.m. | Welcoming Remarks | Ellen Waite-Franzen |
| 9:10 a.m. | | Shari Lawrence Pfleeger |
| 10:05 a.m. | The Evolution of Cyber Threats and Government Policy | Larry Clinton |
| 11:00 a.m. | Break | |
| 11:15 a.m. | | Jennifer Frank |
| 12:10 p.m. | Lunch | |
| 1:30 p.m. | Dumb Ideas in Computer Security | Charles Pfleeger |
| 2:25 p.m. | Out of the Frying Pan and into the Fire: Protecting the Security of Research Data | Larry Conrad |
| 3:15 p.m. | Break | |
| 3:30 p.m. | | Adam Goldstein and SISMAT students Brendan Graham, Justin Kearns, and Luke Korth |
| 4:25 p.m. | Evidence-based Risk Management in Information Security | Alexander Hutton |
| 5:20 p.m. | Wrap-up | |
| 5:30 p.m. | Social at the Hanover Inn, The Wheelock Room | |
| 7:00 p.m. | Free Time for Dinner | |

| Time | Session | Speaker |
| --- | --- | --- |
| 8:30 a.m. | Continental Breakfast | |
| 9:00 a.m. | Break-out Session 1: OWASP Top Ten; Understanding Global Internet Events; Panel Discussion on Cyber Risk Insurance | |
| 10:10 a.m. | Break-out Session 2: The Building Security In Maturity Model (BSIMM); Understanding Global Internet Events; Panel Discussion on Cyber Risk Insurance | |
| 11:20 a.m. | Break-out Session 3: OWASP Top Ten; The Building Security In Maturity Model (BSIMM) | |
| 12:30 p.m. | Lunch (bus service will be provided from the Haldeman Center to the Dartmouth Outing Club House) | |
| 1:15 p.m. | Conference Wrap-Up and "Five Minutes to Security" (the conference will conclude at 2:00 p.m.) | Steve Nyman |
As technologists, we sometimes focus only on what the technology does, not on how the users perceive, understand and use it. To improve technology and its impact, we need to weave into our architectures those characteristics that make the best use of what we know about human cognition and risk perception. This presentation uses examples of poorly-designed and well-designed technology to suggest ways toward more natural technological improvement.
Shari Lawrence Pfleeger
The Evolution of Cyber Threats and Government Policy
Cyber threats continue to grow and evolve. As they do, our appreciation of who the attackers are, what they are doing and why has also changed. For government, industry and the academic community to develop an effective model of cyber defense we need to be clear on not just the technology of cyber security but the strategic and economic dimensions as well. This presentation will attempt to provide a framework for developing a sustainable system of cyber security by identifying what problems need to be addressed, how Congress and the Obama Administration are attempting to address them and what needs to be done by both enterprises and government for us to combat modern cyber threats.
Larry Clinton
In an ever-changing technological world it is incumbent upon us to stay abreast of new technologies and the plethora of social networking sites. These sites have changed the face and nature of stalking, as well as perpetrators' methods of attack and information gathering. This presentation explores the issue from a two-pronged approach: technological advances and the inherent danger of cyber stalking. Topics covered include an introduction to what social networking is, its history, how it is being utilized, the liabilities of various social networking sites and your use of them, social media outlets and your privacy, the legal and personal implications of using these sites, and an opportunity to view the digital footprint left behind by the use of these various Internet sites.
Objectives:
Jennifer Frank
Dumb Ideas in Computer Security
Security has been a recognized computer system requirement since the 1960s, and the field has seen significant progress since then. Without smart, dedicated researchers and practitioners, we would not have such important approaches as firewalls, intrusion detection and prevention systems, public key cryptography and public key infrastructures, biometric authentication systems, various privacy and security laws and regulations, or secure offsite backups. These significant advances do not mean that all computer security problems are "solved" in some sense.
The time is right to think critically about how far we have come in security and how much farther we still need to go. To that end, we need to look at misperceptions, falsehoods, and failures in computer security in order not to repeat past mistakes.
In this talk, Dr. Pfleeger will describe "dumb ideas" in computer security: approaches shown not to work but that reappear from time to time. Some of these dumb ideas are persistent myths that people outside of security seem unable to let go of; others are limited views that circulate within the security community. Dr. Pfleeger will conclude by offering some positive suggestions to encourage progress.
Charles Pfleeger
Out of the Frying Pan and into the Fire: Protecting the Security of Research Data
Information security in higher ed to date has focused on protecting enterprise data. However, IT professionals need to be aware that many academic research studies include the collection of sensitive data, which must be adequately protected. Funding agencies are increasingly requiring that data management plans be submitted as part of grant proposals, with institutions ensuring data integrity and security. This highly interactive session will include the review and discussion of a proposed approach for addressing this issue.
Larry Conrad
Those familiar with information technology at higher education institutions are well aware that many systems are under a near constant barrage of cyber-attacks. From attempted exploits of servers to continued issues with spam, phishing, and malware, colleges and universities must deal with fending off these attacks on a daily basis.
Through the use of case studies and demonstrations of attack tools and techniques, this presentation will explore the motives and methods behind these attacks as well as identify the existing and emerging institutional risks they pose. In doing so, it is also possible to uncover security controls and other mitigation efforts that can assist schools in further securing their information systems.
Adam Goldstein with SISMAT Students Brendan Graham, Justin Kearns, and Luke Korth
Evidence-based Risk Management in Information Security
Currently, people are making decisions around information security in an ad-hoc, unstructured, and many times, unscientific way. How does an industry facing issues in complexity and adaptability move from shamanism to a rational approach?
Alex Hutton will discuss epistemological challenges in information security, risk management, and while not having *all* the answers, will offer some possible solutions towards "escaping a Kuhnian proto-science."
Alexander Hutton
Top Ten Web Application Security Risks You Should Know About
The Open Web Application Security Project (OWASP) is a nonprofit organization with the mission of making application security visible. One of the most important documents the OWASP Community has contributed to the industry is the OWASP Top Ten, a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are and the risks they pose. OWASP urges all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
Kuai Hinojosa
The Building Security In Maturity Model
The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from thirty leading software security initiatives. It is freely available and is licensed under the Creative Commons Attribution-Share Alike 3.0 License. The BSIMM can help you determine how your organization compares to other real-world software security initiatives and what steps can be taken to make your approach more effective. The most important use of the BSIMM is as a measuring stick to determine where your approach to software security currently stands relative to other firms. This talk will give an overview of the BSIMM and discuss how it can be used as a measuring stick for your organization, for your vendors, and paired with other security measurement methods.
Jason Hills
Understanding Global Internet Events
We're only seven months in and 2011 has been a very eventful year for the backbone of the Internet. This talk will include a technical analysis of a range of significant events from Internet outages of the Arab Spring to the fiber optic cable cut in the Caucasus. (More information is available on the Renesys blog.)
Doug Madory
Panel Discussion on Cyber Risk Insurance
Cyber Risk insurance is a relatively new, and certainly evolving, insurance product designed to protect the insured against a variety of risk exposures. This panel discussion on Cyber Risk insurance covers the topic from three diverse points of view: 1) from a buyer, 2) from an Account Executive at a national insurance brokerage firm, and 3) from an executive with an insurance company that created the product. Each will discuss their review process, their rationale for seeking and/or creating insurance to meet a specific need, the barriers they encountered, and their claim experience.
Moderated by Leslie Seabrook