Tuesday, November 10, 2009

From Biometrics to BSIMM , & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference

Image: CyLab Biometrics Center

by Richard Power

Throughout 2009, I have made a point of attending some important security conferences and delivering reports on what I saw and heard; some of these reports are posted here on CyBlog and in the Intelligence Briefing section of the CyLab Partners-Only Portal. The events covered include RSA, Black Hat Briefings and the USENIX Security Symposium, as well as our own SOUPS and Mobile Health Workshop. (I have included a listing of the summary reports below in “Conference Coverage.”)

It is wonderful to finish off the series with a report on the CyLab Partners Conference. It is an invitation-only event, developed as an opportunity for CyLab’s corporate partners to immerse themselves in an audacious program. The conference's agenda, like CyLab's research program itself, is sweeping in its scope and impressive in its implications.

The sixth annual CyLab Corporate Partners Conference, held on the main campus of Carnegie Mellon University (Pittsburgh, Pennsylvania) from Wednesday, October 14 to Friday, October 16, offered a deep dive into one of the world’s premier cyber security research programs. Over the span of two and a half days, attendees immersed themselves in presentations and panel discussions on a broad spectrum of research areas, including:

• Corporate Governance
• Secure Home Computing
• Usability of Security and Privacy Techniques
• Security of Cyber-Physical Systems
• Secure Mobile Systems and Networks
• Trusted Computing Platforms and Devices
• Secure Software Engineering
• Digital Forensics

The rich conference agenda also featured two keynotes, one from former White House aide Melissa Hathaway, and the other from Gary McGraw, CTO of Cigital, Inc.

In her remarks at lunch on Wednesday, Hathaway spoke of the vital role of business, government and the individual and emphasized the threat to critical infrastructure:

The specter of a "digital 9/11" is what still keeps the former U.S. acting cybersecurity czar up at night, Melissa Hathaway told a gathering of Carnegie Mellon University's CyLab corporate partners ...
To illustrate one possibility, Hathaway referred to the relatively low-level denial-of-service attacks that hit some federal Web sites for several days beginning over the July Fourth weekend.
A more powerful barrage that used more points of attack, perhaps against private-sector targets, could cause $700 billion in damage, she said.
"That's the equivalent of 50 hurricanes hitting at once," Hathaway said.
-- Mike Cronin, "Partners of Carnegie Mellon's CyLab warned that 'digital 9/11' threat growing," Pittsburgh Tribune Review, 10-15-09

At dinner on Thursday, McGraw championed the Building Security In Maturity Model (BSIMM), which McGraw's Cigital developed and is now promoting with the SANS Institute through BSIMM Begin.

BSIMM is based on large-scale software security initiatives in nine enterprises: four financial services companies, three independent software vendors and two technology companies.

As McGraw remarked in his keynote, "BSIMM is not about good or bad ways to eat bananas or banana best practices. BSIMM is about observations."

The power of the observations offered by McGraw and his colleagues is in their practicality: e.g., "Ten Surprising Things," including "Nobody uses WAFs," "QA can't do software security," "PEN testing is diminishing," etc., and "Ten Things Everybody Does," including "Evangelist role," "SSG does ARA" and "good network security," etc.

BSIMM will help you know where your enterprise stands, and in what direction you might want to maneuver it. Perhaps most important, through BSIMM Begin, it is intended to be ongoing and participatory:

"BSIMM Begin aims to significantly broaden data collection. To keep the survey manageable, the scope has been limited to the BSIMM Level 1 activities. The goals of this survey are two-fold: to provide participants with a solid understanding of where they stand with respect to foundational software security activities; and to provide an understanding of where they stand relative to everyone else that participates. BSIMM Begin will broaden the collective understanding of what 'keeping up' really means."
-- Software Security Self-Measurement with BSIMM Begin Introduced by Cigital and The SANS Institute, 10-8-09

The BSIMM Begin survey can be accessed from the landing site: http://bsi-mm.com/begin/

For more information, read McGraw's Software [In]security: The Building Security In Maturity Model (BSIMM) in InformIT (3/16/09).

The body of the conference was devoted to updates on the diverse aspects of CyLab's bold research program.

For example, Marios Savvides, Director of CyLab’s Biometrics Center, and one of the four scientists of the Office of the Director of National Intelligence Center of Academic Excellence in S&T in Identity Sciences, delivered a report on his team's "Multi-Biometrics Research Effort."

Savvides' compelling presentation showcased how his research is tackling some of the field's most urgent and vital challenges, from Long Range Iris Recognition on the Move to Soft Biometrics to Automatic Landmarking Frontal Faces to 3-D Face Reconstruction from Single Images.

In his summary, Savvides outlined his Center's current status and goals, including:

-- Developed several key technologies of HIGHEST interest to the USG.

-- Already transitioning one technology to the USG (FBI’s Universal Face Workstation).

-- Working with MIT-LL to develop Government Owned Face Recognition (GOTS-FR).

-- Working on refining and developing Iris acquisition and other technology for the USG for two more successful transition stories.

"We collaborate and bridge across many USG agencies," Savvides concluded. "Our goal is to support the USG in developing key enabling technologies to deter terrorism and aid the war fighter."

The three presentations briefly cited here offer only a few glimpses into the scope of the sessions stretching over the two-and-a-half-day conference.

NOTE: A full archive of presentations, student posters, photo gallery and videos is accessible to CyLab Partners only from the Partners Portal.

Conference Coverage

A Report from the 18th USENIX Security Symposium: Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More!

A Report from BlackHat Briefings (Las Vegas 2009): From Parking Meters to the Cloud, from SMS to Smart Grids, “Everything is Broken …”

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts

CyLab MRC's Martin Griss Declares, "I Do Not Want Us to be Just Another Big Consortium, I Want Us to Do Something"

NOTE: Full texts of my reports from USENIX, Black Hat and the Sixth Annual CyLab Partners Conference are available to CyLab corporate partners via the Partners Portal.