CERIAS Security Seminar Podcast
Author: CERIAS <webmaster@cerias.purdue.edu>
24 Sep 2018

CERIAS Security Seminar series video podcasts.

  • Doug Rapp, "Breaching Water Treatment Plants: Lessons Learned from Complex Exercises"

    US cybersecurity experts determined that the Russian hacking group Dragonfly targeted United States and European utilities with a cyber espionage campaign from 2015 to 2017. This government-sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as "sleeper cells" are now being executed in the cyber domain. Industrial firms, including power and water providers, have proven to be susceptible to attacks and disruptions that could be used during a significant geopolitical conflict. Antiquated industrial control devices now connected to the internet make utilities in even the most advanced countries susceptible to everyone from hacktivists to cyber criminals to nation states. In these times, the question has shifted from "can they?" to "when will they?". Using Indiana's groundbreaking cybersecurity exercise Crit-Ex as an example, we explore exactly how vulnerable utilities really are and how insights into incident response and resiliency are discovered through complex training and exercises.

    Posted on 06 Sep 2018
  • Ryan Elkins, "Hacking your security career: strategies that college did not teach me"

    The field of Information Security is broad, with many career paths. The high demand and low supply of security expertise are constantly in the news. How do we fix this? Many people are either intimidated by security or do not realize that their expertise and talent would be a perfect fit for the security industry even if they are in a different field. This talk will bridge that gap and help identify the opportunities available to you. Common questions will be answered, such as how to get started, what resources should be utilized, and what exactly a career in Information Security looks like. This presentation will turn the traditional career approach upside down and utilize the "hacker mindset" to our advantage to accelerate our careers, create opportunities, and position ourselves to be successful.

    Posted on 30 Aug 2018
  • Abe Clements, "Protecting Bare-metal Embedded Systems from Memory Corruption Attacks"

    Embedded systems are used in every aspect of modern life. The Internet of Things is comprised of millions of these interconnected systems, many of which are low-cost bare-metal systems executing without an operating system. These systems rarely employ security protections. Their development assumptions of unrestricted access to all memory and instructions, together with constraints on runtime, energy, and memory, make applying protections particularly challenging. I will present two recent techniques, EPOXY (IEEE S&P 2017) and ACES (USENIX Security 2018), that harden bare-metal systems against memory corruption attacks.

    EPOXY is an LLVM-based embedded compiler that uses a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode. This provides the foundation on which code integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied. EPOXY also employs fine-grained randomization schemes that work within the constraints of bare-metal systems to provide further protection against control-flow and data corruption attacks. These defenses prevent code injection attacks and ROP attacks from scaling across large sets of devices. EPOXY's evaluation on case study applications shows that EPOXY has, on average, a 1.8% increase in execution time and a 0.5% increase in energy usage.

    ACES is another LLVM-based compiler that automatically infers and enforces inter-component isolation on bare-metal systems, thus applying the principle of least privilege. ACES takes a developer-specified compartmentalization policy and then automatically creates an instrumented binary that isolates compartments at runtime, while handling the hardware limitations of bare-metal embedded devices. ACES' evaluation shows that ACES' compartments can have low runtime overheads (13% on our largest test application), while using 59% less Flash and 84% less RAM than Mbed uVisor, the current state-of-the-art compartmentalization technique for bare-metal systems. ACES' compartments protect the integrity of privileged data and provide control-flow integrity between compartments.

    Posted on 23 Aug 2018
  • Cristina Ledezma, "DoD Cyber Requirements and Directives"

    The field of cyber engineering is relatively new compared to other engineering disciplines such as software, mechanical, and systems. However, as we consistently hear and read, cyber has rapidly become all-encompassing for every industry, including the Department of Defense. Specifically for DoD and weapons systems, the application of cyber engineering and cyber solutions must account for the entirety of the system life cycle. This requires that a cyber test and evaluation strategy be defined from the start of a program and applied throughout the system life cycle, or system "V". This presentation will discuss the cyber requirements and directives as levied by the Department of Defense and how they affect program test and evaluation strategies and implementation across DoD programs.

    Posted on 26 Apr 2018
  • Leon Ravenna, "Personally Identifiable Data and the Specter of Customer Privacy"

    As more and more Personally Identifiable data is collected or created, the specter of customer privacy issues is looming large. Enterprises need to take a long hard look at the information they are capturing and determine whether the potential value outweighs the potential risk. How do your current privacy practices match up against upcoming laws coming soon to Europe? Are you prepared to deal with new laws with fines of up to 4% of global revenue? If not, how do you start? Are you prepared to deal with companies like Facebook, Google, and Cambridge Analytica using your data with or without your approval?

    Takeaways:

    • What does your data mean to you and others?
    • Understand what the implications of new laws are, as well as your risks
    • Understand how to comply with upcoming laws
    • Understand the technology at issue
    • Understand how contracts and dataflow will be impacted
    • How can this be beneficial for you personally

    Posted on 19 Apr 2018
