The Center for Education and Research in Information Assurance and Security (CERIAS)


CERIAS Blog


Own Your Own Space


I have been friends with Linda McCarthy for many years. As a security strategist she has occupied a number of roles -- running research groups, managing corporate security, writing professional books, serving as a senior consultant, conducting professional training ... and more. That she isn't widely known is more a function of her not seeking it by having a blog or gaining publicity by publishing derivative hacks to software than it is anything else. There are many in the field who are highly competent and who practice out of the spotlight most of the time.

One of Linda's passions over the last few years has been in reaching out to kids -- especially teens -- to make them aware of how to be safe when online. Her most recent effort is an update to her book for the youngest computer users. The book is now published under the Creative Commons license. The terms allow free use of the book for personal use. That's a great deal for a valuable resource!

I'm enclosing the recent press release on the book to provide all the information on how to get the book (or selected chapters).

If you're an experienced computer user, this will all seem fairly basic. But that's the point -- the basics require special care to present to new users, and in terms they understand. (And yes, this is targeted mostly to residents of the U.S.A. and maybe Canada, but the material should be useful for everyone, including parents.)

Industry-Leading Internet Security Book for Kids, Teens, Adults Available Now as Free Download

Own Your Space® teams with Teens, Experts, Corporate Sponsors for Kids' Online Safety

SAN FRANCISCO, June 17 -- As unstructured summertime looms, kids and teens across the nation are likely to be spending more time on the Internet and texting.

Now, a free download is available to help them keep themselves safer both online and while using a cell phone.

Own Your Space®, the industry-leading Internet security book for youth, parents, and adults, was first written by Linda McCarthy, a 20-year network and Internet-security expert.

This all-new free edition -- by McCarthy, security pros, and dedicated teenagers -- teaches youths and even their parents how to keep themselves "and their stuff" safer online.

A collaboration between network-security experts, teenagers, and artists, the flexible licensing of Creative Commons, and industry-leading corporate sponsors, together have made it possible for everyone on the Internet to access Own Your Space for free via myspace.com/ownyourspace, facebook.com/ownyourspace.net, and www.ownyourspace.net.

"With the rise of high-technology communications within the teen population, this is the obvious solution to an increasingly ubiquitous problem: how to deliver solid, easy-to-understand Internet security information into their hands? By putting it on the Internet and their hard drives, for free," said Linda McCarthy, former Senior Director of Internet Safety at Symantec.

Besides the contributors' own industry experience, Own Your Space also boasts the "street cred" important to the book's target audience; this new edition has been overseen by a cadre of teens who range in age from 13 to 17.

"In this age of unsafe-Internet and risky-texting practices that have led to the deaths and the jailing of minors, I'm thankful for everyone who works toward and sponsors our advocacy to keep more youth safe while online and on cell phones," McCarthy said.

Everyone interested in downloading Own Your Space® for free can visit myspace.com/ownyourspace, facebook.com/ownyourspace.net, and www.ownyourspace.net. Corporations who would like to increase the availability of the book and promote child safety online through their hardware and Web properties can contact Linda McCarthy at lmccarthy@ownyourspace.net.

McCarthy is releasing the book in June to celebrate Internet Safety Month.

“Game Change” Request for comments


I am posting the following at the request of someone associated with this effort at NITRD:

On May 19 the White House announced a new effort to enlist public involvement in defining new areas to "change the game" for cybersecurity. Three areas for research were proposed:

  1. Moving Target – Systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
  2. Tailored Trustworthy Spaces – Security tailored to the needs of a particular transaction rather than the other way around.
  3. Cyber Economic Incentives – A landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

For the next few weeks (until June 18), the public is being invited to make comments. As readers of this blog tend to be well-informed about security issues and research needs, I'd like to encourage you to review the details of the research areas and add your thoughts to the discussion at http://cybersecurity.nitrd.gov. As this effort will impact the Federal funding of research for FY2012 and beyond, adding your thoughts is not only beneficial to the government, but also beneficial to those of us in the research community, to ensure that research topics are both useful and feasible.

As I've noted before I believe that referring to this as "game change" has the potential to create the wrong attitudes towards the problems. However, at least this isn't an attempt to solve everything in 60-90 days!

Panel #3: The Evolution of Research Funding and Projects (Symposium Summary)


Wednesday, March 31, 2010

Panel Members:

  • David Bell, Retired, Co-author Bell-La Padula Security Model
  • Joe Pekny, Purdue University
  • Kenneth Brancik, Northrop Grumman
  • Petros Mouchtaris, Telcordia

Summary by Utsav Mittal

The panel was started by Petros Mouchtaris. He said that applying for funding is not that bad: although the researcher gets a lot of rejections, once the funding comes through it gives the researcher a lot of control over the areas he wants to work in. He said that in the last 10 years most of their funding came from DARPA, and that initially the funding was for long-term small projects. He said that a smaller, long-term project gives more time to foster basic research about abstract ideas.

Joe Pekny, who has worked in Discovery Park for about 10 years, said that the fundamental principle of generating funding is that "Research follows impact." He said that the difference between getting and not getting funding lies in the ability of the researcher to relate his potential and ability to provide impact. He also talked about the research opportunities in electronic medical records and about privacy issues in the video surveillance that is now widely used.

He mentioned some tactics that help in monetizing research impact:

  1. Leverage: He mentioned that everyone wants a big grant which runs long, but that is not always possible, so the researcher should leverage whatever opportunities he has to gain the biggest advantage.

  2. Interdisciplinary: He said that this is important, as many problems that we face today are of a complex nature and no single idea can crack the problem, so different smart minds from different areas should work on it.

  3. Minimalistic: Joe said that a minimalistic team should be assembled in order to crack the problem; there should not be too many people working on the project.

  4. Relationships: Joe stressed the importance of fostering long-standing relationships for generating funding.

  5. Entrepreneurship: Joe mentioned that money never comes in the form that a person wants it to, so a researcher should have the spirit of entrepreneurship.

  6. Operations v. Philanthropy: He meant that if an organization thinks that the researcher has the potential to solve an operations problem, then it would shell out billions and fund it. On the other hand, if they do not believe in the potential, then they may give money as philanthropy.

  7. Vision: Joe said that an enduring, fundamental, overarching vision is needed for a researcher to be successful. A researcher should have creativity and innovation in every situation.

Kenneth Brancik shared his experiences with research funding over the last 30 years. He related his life experience and how it helped in increasing his "situational awareness." He said that technology is an enabler for business. He said we should think outside the box and be aware of the "situational awareness" related to cyber security. He said that a researcher, in order to understand complex cyber security problems, should:

  1. Think outside the box.
  2. Understand the business impact related to the problem.
  3. Use a wide-angle lens to look at the whole picture.

David Bell started his talk by quoting Mark Twain and talking about people being lost in the "PowerPoint Age," which cracked the audience up. David shared the experiences he had working with ARPA and other federal agencies. He also mentioned various projects such as "Blacker." He mentioned that the earlier research was "tethered research": people were not very sure what they were working on; all they knew was that they were working on some advanced technology. His current take on federal funding was that it has dropped from 1.3% to 1%, and that a lot needs to be done in the area of cyber security.

CERIAS Seminar Presentation: David Bell (Symposium Summary)


Wednesday, March 31, 2010

Summary by Robert Winkworth

“Everything I Needed to Know About Security I Learned in 1974”

Security luminary David Bell concluded this year’s Information Security Symposium with a lecture in which he argued that while the speed and size of computers has changed greatly across the decades, the principles underlying the issue of security have been remarkably constant.

With the exception of one noted MULTICS covert channel hack, the speaker asserted that no fundamentally new innovation in computer security appeared from 1974 until 2005 (when he retired). Dr. Bell had done a great deal of conceptual modeling, particularly near the beginning of his career. This, he explained, influenced his later work in security. In 1971, Bell, having read many classic MULTICS papers, felt even then that "all the good stuff" had already been done and made public. He recalled, with some amusement, that government facilities did not always share his awareness of these facts. Material freely available in research libraries, when cited in military security reports, often became classified, as though somehow it might be made secret anew.

Commenting on the 1972 Anderson Report, Dr. Bell noted that a core collection of only about a dozen critical infiltration tactics proved successful in almost every documented penetration test. Clearly, by better abstracting these procedures into general categories of attack, we could better understand and predict them. So Bell was called upon to produce a mathematical model of computer security, but no other details of his assignment were specified. This, he explained, turns the technical process of testing and setting conditions in the machine into a cultural process of negotiating policies. "Security" is not meaningful until defined. Likewise, threats to security must be discussed before we can discuss their remedies. General principles of a security model are not useful until somehow applied, and Bell prefers to see concrete examples before signing off on a policy, however academically sound it may seem.

Along with Len La Padula, David Bell is probably most widely recognized for his contribution to the Bell-La Padula Model of secure systems. This widely influential set of conceptual tools appears frequently in the fundamentals of IA curricula at Purdue and probably throughout the world.

Our host was critical of those who see security as a personnel problem, noting that this approach fails to recognize the technical weaknesses that remain regardless of the people involved. And coordinating the technology is possible: Bell showed us computer systems that have never suffered a documented breach and never required a security patch. Unfortunately, the process of replacing an existing infrastructure is difficult, particularly for an entrenched bureaucracy, so the challenge facing many security modelers is producing a plan that outlines not only the destination but all the intermediary steps necessary to transform an existing system into one that approaches the level of security desired.

Many evaluators are assigned to networks the technology of which they cannot explain. Since they cannot articulate an effective policy for interactions between such a network and its trusted neighbors, a common reaction to this is to simply isolate them. As internetworking becomes pervasive, however, this cannot remain a practical strategy. Networks must be connected, but such connections introduce weaknesses if they are not thoroughly documented and regulated. How we can possibly manage the explosive complexity of internetworks remains a daunting question.

“We are not safe and secure today,” concludes our eminent guest. Those that claim otherwise are “either misinformed or lying.” Bell called upon us to implement more of the sound ideas in information assurance that hitherto have existed only as concept, and to fully acknowledge the extent to which models such as BLP have not been fully embodied.

Gene Spafford was on hand for today's session, and asked for Dr. Bell's comments on the software solutions of Rogers and Green Hills (two of the best-rated security platforms). Bell found both quite sound. He was concerned, however, that neither had achieved the market "traction" that he would like to see. He provided some examples of how each could be more effectively introduced to companies that might use them in live networks.

As of March 31, 2010, the media presented in this lecture is available.

Morning Keynote Address: DHS Undersecretary Rand Beers (Symposium Summary)


Wednesday, March 31, 2010

Summary by Gaspar Modelo-Howard

Day two opened with a keynote from Under Secretary Beers, who has had a long and interesting career of over 34 years, including military service and working as staff member for the National Security Council, under four U.S. Presidents. During his talk, he provided an introduction of the National Protection and Programs Directorate (NPPD) and DHS, discussed the importance and role of cyber security to protect the overall security of the United States, how DHS is continually evolving to meet the changing landscape and its mission, and current challenges and problems faced by NPPD.

Under Secretary Beers began with a discussion of the responsibilities of DHS and NPPD in particular. DHS has five goals or missions, listed here in no particular order: (1) counterterrorism, (2) securing U.S. borders, (3) immigration, (4) response to disasters, and (5) cyber security. This last goal refers to protecting cyberspace for the civilian side of government and working with the private sector to achieve physical Critical Information Infrastructure Protection (CIIP).

DHS is a pretty new department, formed in late 2002, so it is currently embarking on the transformation of its workforce. The main reason is that a number of professional disciplines were brought together to start the Department, but at the time there were very few professionals available to start DHS. So it is an evolving organization. Currently, NPPD has an equal number of private contractors and federal employees working in the Directorate, but there are several initiatives to fill more permanent positions. In terms of cyber security, the Department is looking to hire 1,000 people in cyber security in the next 3 years. They also expect to increase the NPPD cyber security workforce to 260 by the end of FY 2010.

Under Secretary Beers mentioned that the difficulty faced when hiring cyber security specialists is that academic institutions do not currently produce enough graduates to meet the federal demand. This statement takes into account that not all of the needs are for purely technical positions. Much to the surprise and amusement of the audience, the Under Secretary mentioned there are not enough lawyers in DHS. It takes a long time for DHS leaders to get legal advice on some topics because there are more questions than the lawyers can answer. Some of this would also be rectified by having better laws relating to cyber security.

Generally speaking, DHS, and NPPD in particular, are looking to draw knowledge and experience from the math, science and cyber security communities to build a strong federal department. The DHS objective is to forge stronger links with educational institutions such as Purdue University, to better prepare itself to deal with cyber security matters.

During his presentation, Under Secretary Beers made an important point that helps define the national cyber security strategy: 85% of cyberspace in the U.S. exists outside the government. That is why the Directorate works closely with the private sector. For example, the Office of Infrastructure Protection (IP) takes 18 critical sectors of the American economy (water, power, finance, etc.) and works with them to develop security plans (standards, strategies, best practices) and improve preparedness to respond to emergencies. Mr. Beers also stressed the role cyber security plays within DHS, as it is part of every other part. Cyber security works as a cross-cutting sector, for example between the communication and information sectors.

The Under Secretary noted that cyber threats are increasing on a daily basis and that they also include physical attacks, because of the potential impact those can have in cyberspace. He shared two examples: (1) a bond trading company which had to evacuate during the first World Trade Center attack of 1993, and (2) the train derailment and fire in Baltimore in 2001. In the first story, the investment company had to evacuate the World Trade Center but did not have backup systems off-site. It took a presidential order to allow them to re-enter the building, since the fire marshal had prohibited anyone from doing so. In the train story, the fire disrupted communication links going through the same tunnel where the disaster occurred. Those cables were major Internet links, and their loss slowed down service around the US.

NPPD cyber security daily operations include monitoring of attacks, protecting the .gov domain and monitoring Internet connections from/to government networks. US-CERT, the cyber security operational arm within NPPD, uses the Einstein intrusion detection program to carry out these responsibilities. (I think it was cool that he mentioned Einstein, as usually high-ranking U.S. Government officials avoid such topics.) Mr. Beers also noted that under President Obama's cyber security 60-day review, DHS had to create a Computer Emergency Response Team (CERT) plan to deal with cyber security threats and crises. It has been done and involved government at different levels (federal, state, local) and the private sector. Also, last October DHS opened the National Cybersecurity and Communications Integration Center to improve national efforts to address threats and incidents affecting U.S. critical cyber infrastructure.

To finish his presentation, the Under Secretary talked about several of the current and future cyber security challenges faced by DHS. First, they are currently working on developing systems that make it possible for different cyber security players to share information. This is a common problem when requesting or managing information from different sources, for example the private sector, because such information is highly sensitive to its owner. Second, DHS is also increasingly responsible for cyber security awareness and outreach initiatives. They are working with academic institutions to foster and identify potential government employees. Third, in terms of global involvement, US-CERT is partnering with similar institutions in other countries to work on international incidents and to create stronger ties. DHS is fully aware of the interconnectivity of networks, regardless of physical location. It actively participates in the annual Meridian Conference for international CIIP collaboration and invites representatives of foreign countries to its biennial Cyber Storm exercises.

In the Q&A session, a member of the audience asked Mr. Beers if he could prioritize DHS cyber security needs in terms of human capital. This is important, as cyber security is an interdisciplinary field and there is a need for professionals with technical and non-technical backgrounds. Mr. Beers listed three needs: (1) people with a computer science background to operate the cyber security centers; (2) people with system design and administration skills; (3) people with a business background to deal with contracting issues and with the proficiency to understand technical requirements. This last group is important, as government has a responsibility to define requirements and objectives as clearly and specifically as possible so that other sectors can determine how to comply. He then mentioned that government might have to start training centers, as there are not enough graduates coming from college.

As a follow-up question to his comment on cyber-security-savvy lawyers, he was asked if the real problem is that the U.S. does not have the appropriate laws to protect its cyber infrastructure, and also if DHS is advocating for new legal frameworks. Mr. Beers agreed that a better legal framework is required and that DHS is indeed advocating for this to happen. In a later question, he also pointed out that the legal and cyber security communities need to further discuss issues affecting both sides, and that such exchanges should also happen outside the government (because of restrictions a federal employee might have by law).

The next two questions were about international efforts taken by DHS, citing that the United Nations is working on developing cyber security laws and best practices. The Under Secretary mentioned that DHS cannot work at the international level and that the time has come for the State Department to step up.

A question was then asked regarding the difficulties that arise when the physical and cyber security communities interact. Mr. Beers noted it is a recurring but expected problem when working with entities from the public and private sectors. Sometimes they find cases where both exist under one directorate, but in general this is not the case, and it is part of the evolution of security.

A member of the audience asked about briefing on current and future strategies with U.S. Cyber Command and the NSA. The Under Secretary mentioned that major elements of collaboration are still under development. There are discussions on having DHS deputies and employees at Cyber Command and the NSA, and vice versa.

A final question was asked comparing the costs of training employees in cyber security with the costs of scholarships, suggesting the second option might be cheaper. Therefore there might be an incentive to increase the number of scholarships. Mr. Beers agreed with the suggestion and said DHS is looking into additional opportunities to fund students and institutions, but was also quick to point out that not every cyber security professional has to come from an academic setting.

Overall, it was an interesting talk by the Honorable Beers, providing an overview of the structure, mission and challenges faced by NPPD and DHS. He stressed the importance of cyber security as part of the primary mission of the Department and the relevance of working with different partners to successfully achieve that mission.