‘BSides’ Las Vegas Offers Fresh Cybersecurity Insights from Industry Leaders

By James R. Lint
Faculty Member, School of Business, American Military University

Overview: On August 2nd and 3rd, BSides Las Vegas held its eighth annual information security conference at the Tuscany Suites in Las Vegas. BSides is a community event organized and run by volunteers. The following is a survey of some of the many strategies, insights and experts that enriched the entire two-day experience for cybersecurity professionals.

BSides Keynote Speaker Dr. Lorrie Cranor Discusses Misconceptions in Password Security

The conference kicked off with an outstanding keynote speaker, Dr. Lorrie Cranor, Chief Technologist of the U.S. Federal Trade Commission. Having written over 150 research papers, she’s also a professor in the School of Computer Science and the Engineering and Public Policy Department at Carnegie Mellon University, and Director of the Carnegie Mellon Usable Privacy and Security Laboratory.

A thought leader in the information security industry, Dr. Cranor puts forth revolutionary ideas—especially in changing conventional security practices such as the mandatory password changes conducted in many organizations. Her research data shows that changing passwords is not as effective as one might think. Keylogger software programs detect password changes and can instantly compromise the new password.

She discussed a report by the University of North Carolina that studied 10,000 defunct accounts. The study found that people apply changes in predictable ways, making it easier for UNC to determine future passwords using an algorithm.

The UNC study discovered that users who are annoyed when they must frequently change passwords were statistically shown to create weaker passwords. Consequently, the weaker security choices of some users endangered cybersecurity for all users in an organization.

Dr. Cranor addressed misconceptions on password strength, noting that using keyboard patterns on any mobile device, including diagonal patterns, does not provide security for users. She discredited the infamous belief that an exclamation point at the end of a password offers greater security. To increase information security for passwords, Dr. Cranor recommended that users avoid common words or names and add digits and symbols to increase a password’s strength.

Dr. Cranor also presented an interesting bit of research that asked people to decide which password was more secure: “ILoveYou88” or “IEatKale88”? The password “IEatKale88” is 4 trillion times more secure than “ILoveYou88”. It’s interesting to note how extremely common “ILoveYou” is as a password.

Expert Haydn Johnson Talks about Organizational Confusion with Information Security

Network penetration tester and vulnerability assessment expert Haydn Johnson of KPMG Canada spoke about his concerns regarding commonly used information security terms, such as penetration testing, vulnerability assessments and red teams. Managers who contract security testing and assessment services often confuse these terms and have unrealistic expectations about system and network security, he noted.

Johnson described concerns about how to modify scanning tools to keep up with new security vulnerabilities. He advised that information security companies should differentiate themselves from their competition in the future by providing much-needed education to customers about business risks and the impact of security vulnerabilities.

Cybersecurity Research Expert Keren Elazari Calls for Better Computer Software Content Identification

Another thought-provoking speaker was Keren Elazari, a senior cybersecurity researcher and computer security expert from the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University in Israel. Elazari facilitates hacker/security researcher conferences in Israel and spoke during I Am The Cavalry’s track at the BSides conference.

Elazari discussed why security research matters for the coming decades and emphasized that third-party computer software needs to be better identified to determine potential vulnerabilities. She drew a startling comparison—while candy bar labels are required to list all of their ingredients, software has no labels that explain elements of the software code.

There’s danger in buying unfamiliar software. Large, multimillion-dollar companies may purchase smaller software companies, yet not have intimate knowledge of their acquisitions’ third-party software, which could contain harmful viruses.

Other noteworthy topics by Elazari included how “Hacker Heroes” wield their skills for the greater good. They have the knowledge to report on vulnerabilities and assist in the software patch to repair the problem.

BSides Conference Showcases Information Security Nonprofits

One of the interesting tables on display at BSides was The Open Web Application Security Project (OWASP), a nonprofit focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations are able to make informed decisions.

OWASP is in a unique position to provide impartial, practical information about application security to individuals, corporations, universities, government agencies and other worldwide organizations. Operating as a worldwide community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

OWASP will hold a conference in Washington, DC in October 2016, and another conference in Belfast, Ireland, in 2017. Additionally, OWASP has programs to attract women into the application security career field. They also have projects working with military veterans to boost awareness of the critical need for the application security career field.

Similarly, I Am The Cavalry is a grassroots organization that is focused on issues where computer security intersects with public safety and human lives. I Am The Cavalry’s primary concerns are medical devices, automobiles, home electronics and public infrastructure.

During the conference, I Am The Cavalry offered a choice of speakers, including Keren Elazari, for the “I Am The Cavalry” track of discussion sessions. The entire track was excellently managed and facilitated by Joshua Corman and Beau Woods.

With such a diverse choice of speakers and presentations at BSides, it’s hard to see everything. However, this conference offers something for everyone and is well worth attending.

Story was originally published at: http://inhomelandsecurity.com/bsides-las-vegas-offers-fresh-cybersecurity-insights-from-industry-leaders/

The Evolution of Navy Cryptology

BY U.S. NAVY – MARCH 11, 2016
By Vice Adm. Jan E. Tighe
Commander, Fleet Cyber Command, U.S. 10th Fleet

Eighty-one years ago today, the first unified organization coordinating Navy Cryptology, the Communications Security Group, was established. From Station HYPO, OP-20-G and the On the Roof Gang, to the present day, our community has continued to evolve to meet and defeat the threats we face.

The transition of the Information Dominance Corps to the Information Warfare Community in concert with the CNO’s Design for Maritime Superiority has given us another opportunity to formalize our evolution, and to deliberately examine our community identity. A great deal of our heritage can be traced to the Naval Security Group, and our collective identification as Navy cryptologists.

To that end, and based on thoughtful input from the affected members of our community, the name of some of our officer designators (181X, 681X, 781X) will be changing to cryptologic warfare officer. This choice honors our cryptologic heritage, reflects what we do, recognizes the military effects we deliver in the converged domain and more closely ties our officer corps with our enlisted and civilian force counterparts. Cryptologic warfare officers, together with cyber warfare engineers, cyber warrant officers, cryptologic technicians (interpretive, maintenance, networks, collection and technical) and civilians engaged in cryptologic missions, are a unified community—unified through understanding, unified in action and unified by name.

We are Navy cryptologists.

Whether we are executing mission under joint commanders, fleet commanders, Director of the National Security Agency (DIRNSA), or the Commander, United States Cyber Command (USCYBERCOM); and whether significant portions of our missions are organized under Communications Security Group, Naval Security Group, Naval Network Warfare Command or today’s Fleet Cyber Command/10th Fleet, we have our own enduring identity, culture and ethos.

We are the Navy cryptologic community.

On behalf of maritime and joint commanders, we execute cryptologic warfare, which encompasses signals intelligence (SIGINT), cyberspace operations and electronic warfare (EW) operations in order to deliver effects through sea, air, land, space and cyber domains at all levels of war.

As a symbol of what we do, I would also like to share with you our new Navy cryptologic community seal. While not representative of a Navy organization or command in the traditional sense, this seal represents our own rich heritage, who we are and where we are going. It represents us.

The Naval officer crest and our cryptologic technician insignia, with its lightning bolt and quill, represent and respect our long history. These symbols have stood from the earliest days of our community to the present day.

The binary background overlaid on the globe represents our part in the larger information warfare community, whose seal shares the same symbolism, as well as our core expertise in cyber, along with our global reach.

The skeleton key reminds us that we are relied upon to unlock and solve puzzles, and in many cases find missing pieces to paint a complete picture of our Nation’s adversaries. The key is engraved with the date symbolic of our collective establishment as a naval profession: March 11, 1935.

The chain binds us all together — officer, enlisted, and civilian — and binds our core missions — SIGINT, Cyber, and EW — to us, and us to them. The three stars also symbolize these three core missions. Through the converged domain, we enable and deliver effects to the commander and fellow warfighters. Our Community Vision, an update to our 2012 Foundational Principles, is also under construction and I will share it with you as soon as it is complete.

Please join me in embracing this next evolution of our community, which has stood on the shoulders of giants, both seen and unseen. Today, you who serve in the Navy cryptologic community will be those giants upon whom future generations of Navy cryptologists stand.
