When you think of Baltimore, Maryland, you might immediately think of The Ravens, Edgar Allan Poe, or Old Bay Seasoning. Moving forward, I will always associate "BMore" (as the locals call it) with improved security across the public and private sectors, thanks to participating in the 18th International Conference on Cyber Warfare and Security, ICCWS, which happened March 9th and 10th, 2023, at Towson University, in the heart of Baltimore county.
This unique event brings together academics, military professionals, government agencies, and professionals from all around the security world to discuss their research findings and the state of cybersecurity. All the sessions I attended were very informative, and I will be summarizing a few in this post, but the best part of this event was the lively hallway conversations and connections that were made. It is hard to imagine another event where Ph.D. candidates, developer advocates, and intelligence agency officers would get to share thoughts on the future of cyber threats while sharing a meal.
While there were a lot of different subjects covered in the 2 days of sessions, there were some themes that popped up across multiple talks.
Most everyone working in security and DevOps by now is familiar with the notion of Zero Trust, the approach that denies all access by default. We apply this in practice by implementing "the principle of least privilege," granting only enough access to let people and non-human entities get their work done and no more. In his talk "Can Zero Trust Restore Our Ailing Trust?" Justin Fanelli, Technical Director, Dept of Navy PEO Digital and Georgetown University, argues that for a lot of the industry, Zero Trust is just a buzzword at the moment, albeit the "Beatles of our current jargon."
He argued that the public sector is lagging behind in adopting Zero Trust. In the private sector, teams have done a better job aligning the business value of Zero Trust to improved performance, which has really driven adoption. He shared that his efforts to get the first Zero Trust architecture adopted in his agency required the coordination of the Dept of the Navy, the White House, and the Department of Defense input. The slower nature of bureaucracies means that the value of a new approach can easily be overshadowed by the effort required to make change happen.
In his story, what made it work was the persistent story he was able to tell about performance improvements, which the private sector easily demonstrates. He stressed the importance of events like ICCWS, which connects us all to drive these narratives.
He also said there is a real opportunity right now to move the conversation from cybersecurity being the defender of legacy systems to the creator of new future-looking systems, to be the "heroes" tech needs. But this requires us to strive for better outcomes and not underestimate the power storytelling has to change the world.
While everyone I talked to at the conference agreed that Zero Trust is part of the path forward, John Hurley from the Office of the Director of National Intelligence, ODNI, laid out the argument that more is needed in his talk "Zero Trust is not Enough: Mitigating Data Repository Breaches." He started out agreeing that the move from a 'trust, but verify' model to a 'verify, then trust' model has been an important step in national cybersecurity but went on to state that for a lot of applications, there has not been adequate thought given to areas like edge computing and the hybrid models of on-prem + cloud, especially while migrations are ongoing.
He laid out the benefits of leveraging a pull-based model for architecture, similar to the model we use for git-based workflows. In a software development workflow, there are multiple opportunities to reauthenticate as the code moves through the pull request flow and CI/CD pipelines. It is straightforward to ensure that only truly authorized people can do certain actions in such a stepped system. The issue right now, for some applications, is the pattern has been to authorize and authenticate once and then allow full, or greater than intended, access rights once the user or service is trusted within the system. Thinking in terms of 'per request' authentication can help us go a step further in making sure our systems are secure throughout.
One of the ways that academia and government take the lead in the cybersecurity world is by defining terms and standards. When we think of how to categorize threats, we often refer to NIST standards, for example. Multiple talks at ICCWS brought the idea of definitions and standards to the foreground. Here are highlights from just a few of those sessions.
What Does Cyber Resilience Mean Exactly?
When we write or say a word related to cybersecurity, how do we know what we really mean? Given the relative newness of cybersecurity compared to other industries, we are still very much in the process of writing our industry's dictionary. In his talk "Towards a Scientific Definition of Cyber Resilience," Sidney C. Smith from the DEVCOM Army Research Laboratory talked about his deep dive into defining what we mean when we use the term 'cyber resilience.'
Historically, resilience has meant to 'jump back' or 'spring back' and has been applied to a wide variety of topics. From metalworking to psychology, it has morphed over time to mean quite a few different things, including stability and the ability to 'function through trauma.' In order for the military, government, and industry to be able to apply the term 'cyber resilience' in a meaningful way, we need a new standard definition.
Based on his research, he is proposing the following standard:
"Cyber resilience is the ability of a cyber system to recover from the stress that causes a reduction of performance. This may be measured by the degradation of key performance parameters caused by the stress."
Picking the best Encryption
If you are developing applications that must ensure end-to-end encryption that must protect the user, how do you begin to evaluate options? We have all heard the rule "never roll your own encryption," but what are the specific data points you should consider when shopping for existing solutions? This is the exact subject Vijay Bhuse from Grand Valley State University researched and presented in his session "Review of End-to-End Encryption for Social Media."
He and his team did an in-depth examination of the encryption used by the largest social media platforms. Their criteria examined the throughput of the various systems as well as the effectiveness of the algorithms used. This research and evaluation framework can be applied to any application where encrypted communication is key.
His team had concluded that the Signal protocol, currently in use by Meta products like Facebook and Instagram, is the best trade of functionality and performance. There are certain considerations to keep in mind, such as the double ratchet mechanism that prevents backward decryption can be a double-edged sword that does not allow inter-device operation. There is also the potential criminal abuse of fully encrypted communication tools.
The Right Architecture For The Right Application
When we think about deploying our applications, there are many things to consider, but everyone wants to have the highest performance at the lowest cost. Finding a consistent model for evaluating the trade-offs for various applications is at the heart of the research that John Hurley from ODNI presented in his session "Managing Large-Scale Heterogeneous Deployments for Cybersecurity"
He is actively working with a large private hardware manufacturer to build a model for evaluating application performance and costs when deployed to either on-premise hardware, cloud computing platforms, or edge computing. While edge computing is generally thought of as part of cloud computing, it stands out as a separate category defined by the proximity of the computing power to the data it is processing. If you are transporting data from one system to another for analysis, that is not edge computing in his definition.
Data is very much at the heart of his research. The amount of data we need to process continues to grow at an exponential rate. Unless we find a way to determine the optimal architecture for dealing with this increasing volume, we are going to end up wasting a lot of time and money.
Blockchain and CyberScams
Cyber warfare is not just being waged between state actors in military server rooms requiring a security clearance. It is being carried out against all of us in the form of cybercrime. One recurring technology that came up in multiple talks about cybercriminals was blockchain.
In his session "An Analysis of Crypto Scams during the Covid-19 Pandemic: 2020-2022," researcher Johnny Botha from the University of South Africa walked the attendees through several of the most common scams involving cryptocurrency in the last couple of years. He shared real-world examples while explaining the nature of each scam and what signs to be on the lookout for.
The top scams uncovered by his team's research included:
1. Giveaway scams - Someone impersonating a rich celebrity offering 'send me 1 Bitcoin and I will send you back 5 coins'.
2. Rug Pull scams - Criminals make fake websites and initial coin offerings, ICOs, attracting investors, then simply running away with the money. Sometimes this process can take months, referred to as a "slow rug pull/" Here, things might seem like they just went wrong on their own, leaving the victim to feel like it was just bad timing rather than that a crime has occurred.
3. Phishing scams - Targeted emails and fake websites lure victims into giving up their crypto wallet logins.
4. Ponzi schemes - Everyone is told if they can add just a few more members below them in the investment, then everyone will get paid. Only the originators of these scams make any money, and these scams are illegal throughout the world.
5. Pump and Dump - Criminal gangs use private channels like Telegraph to manipulate the prices of specific crypto coins, cashing in when the rush happens and leaving the investors with worthless assets.
Unfortunately, cyber scams are big business, raking in over $62 billion in 2022 alone. While it is unlikely that cybercriminals will make fewer attempts to steal moving ahead, we can do a lot by helping people stay aware of the dangers. We can keep ourselves safe by staying skeptical of anything that seems too good to be true and remembering, as Johnny put it, "there is no such thing as free money"
While the state of crypto scams might seem dour, there is some good news on the law enforcement front. For years most cybercriminals have acted under the belief that cryptocurrency is virtually untraceable. The truth is, according to Saminu Salisu, founder of Bilic, blockchain might be the most traceable currency out there.
In his session "Blockchain Forensics: A Modern Approach to Investigating CyberCrime in the Age of Decentralisation," he presented the finding of his joint research with the Vienna University of Technology. They were able to successfully deanonymize transactions for 47 different cryptocurrencies, even if the coins were passed through 'tumblers', systems designed to obfuscate the origins or destinations of the transitions.
This is very good news as the world continues to embrace blockchain-based currency at an ever-growing rate. The stakes are very high, as Saminu shared that about $18 Trillion USD is transferred annually through cryptocurrency. To put that in perspective, the global annual transactions processed through Visa total $14 Trillion, and Mastercard totals $7 Trillion, both of which have rigorous policies and security in place to protect your assets. Hopefully, similar research in law enforcement means we can all stay a little safer in the future, no matter how we choose to store and transfer our funds.
A True Global Community experience
Talking with the participants, it became clear this is a very special event that is looked forward to by folks in academia, as well as government agencies and security folks from the private sector. I had not experienced an event that cut across so many industry verticals before. The level of sharing was amazing, with every presenter fully engaged and very open to feedback.
I was even able to give some feedback that directly impacted the work of a Ph.D. student who is researching the security of health records. Part of her future research involved creating and maintaining honeypots, but she was worried about the costs and finding a healthcare partner that would grant her the needed network access to implement one. I was able to explain that this lighter-weight approach of honeytokens would still serve her needs but not require near the overhead, expense, or network access. Honeytokens are a great way to detect unwanted access to all manner of systems. Hopefully, her research will lead to safer healthcare records for us all.
I was very honored to be a speaker at the event myself. I was able to share my love of DevSecOps and knowledge of navigating OWASP offerings through 2 different presentations. In my newest talk, "Scaling Security: What Shifting Left Was Supposed To Mean," I was able to show that the core lessons of DevOps, such as testing earlier, dividing work into more management chunks, and enabling continual tight feedback loops, are ideals security teams need to embrace so they can be involved earlier in the software development lifecycle.
Next year's event will be in person in Johannesburg, South Africa. I might not get to make it that far to attend, but fortunately, there will be a virtual track as well, so everyone around the world can attend this truly unique event!