October 16, 2007
Paul Howell, Chief Security Officer, ITSS
Charles Antonelli, Ph.D., Assistant Research Scientist, UM
Welcome and Introductions
Dan Geer, Sc.D., Chief Scientist, Verdasys
Topic: Measuring Security
Mary Ann Davidson, Chief Security Officer, Oracle Corporation
Topic: The Case for Secure Coding
Dorothy Denning, Ph.D., Professor, Naval Postgraduate School
Topic: The Jihadi Cyberterror Threat
Lunch on your own
Mark Rasch, Managing Director - Technology, FTI Consulting
Topic: Information Privacy & Security within the Academic Setting
John Hurley, Ph.D., Security Policy Architect, Apple Inc.
Topic: Integrating Security into a Consumer-Oriented OS
Presentation Abstracts & Presenter Information
Paul Howell
Chief Security Officer, ITSS
Paul Howell (CISSP) is the Chief Information Technology Security Officer at the University of Michigan, and he directs the Information Technology Security Services office. He is a graduate of the University of Michigan in Computer Science, with a Master's degree in Information Security from Eastern Michigan University. Paul has over 20 years of computer and network security experience.
Charles Antonelli, Ph.D.
Assistant Research Scientist, Center for Information Technology Integration, School of Information
Charles Antonelli has created and teaches the popular ITS 101 Campus Computer Security training course at the University of Michigan, which covers Linux, Windows, and network fundamentals, U-M core infrastructure and services, threats and countermeasures, and security assessments. Students conduct experiments in an air-gapped security laboratory, and come to understand their systems as the
In his spare time, Dr. Antonelli teaches regular courses and graduate seminars in the College of Engineering and at the School of Information at U-M. His previous research efforts at CITI include the secure packet vault and a secure distributed network testing and performance tool based on Globus and GARA. He received his Ph.D. in Computer, Information, and Control Engineering from the University of Michigan, and has been a Member of Technical Staff at Bell Laboratories.
Dan Geer, Sc.D.
Chief Scientist, Verdasys
Dan Geer is a security researcher with a quantitative bent. His group at MIT produced Kerberos, and a number of startups later he is still at it -- today as Chief Scientist at Verdasys. He writes a lot, and sometimes it gets read, such as the semi-famous paper on whether a computing monoculture rises to the level of a national security risk. He's an electrical engineer, a statistician, and someone who thinks truth is best achieved by adversarial procedures. Mr. Geer received his S.B. from the Massachusetts Institute of Technology in EE & CS, and his Sc.D. from Harvard in Biostatistics.
Security is a means, not an end, and so you have to keep score of how play goes. We say that, but when will we mean it, i.e., when will we graduate from adjectives to numbers? This talk will discuss the areas where quantitative work can be productively done, and give one example of how such a path can be taken.
Mary Ann Davidson
Chief Security Officer, Oracle Corporation
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security's top five "Women of Vision" and is a 2004 Fed100 award recipient from Federal Computer Week. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
The IT industry is at a tipping point. The cost of poor security, according to NIST, is as great as $59 billion a year. Vendors spend millions of dollars fixing avoidable, preventable defects in software, and customers spend millions of dollars applying patches. At the same time, the "attack dynamic" has changed: it is increasingly organized crime going after large data sources, instead of the stereotypical 16-year-old hacker trawling an infiltrated network. What measures are development organizations taking to improve their security-worthiness across the board? Where has there been substantial progress, and where is there more to be done? What is needed to create a "security revolution" in the industry? How can academic institutions help change the development dynamic so that every developer "thinks like a hacker"?
Dorothy Denning, Ph.D.
Professor, Naval Postgraduate School
Dorothy Denning is a professor in the Department of Defense Analysis at the Naval Postgraduate School and has published four books and 140 articles. She was formerly at Georgetown University as a professor of computer science and director of the Georgetown Institute for Information Assurance. Ms. Denning has received several awards, including the Augusta Ada Lovelace Award, National Computer Systems Security Award, and the 2004 Harold F. Tipton Award "in recognition of her outstanding information security career." In 1995, she was inducted as a Fellow of the Association for Computing Machinery. Ms. Denning received her B.A. and M.A. from the University of Michigan.
Al-Qa'ida and the global Salafi jihadist movement increasingly use the Internet for "electronic jihad," to include cyber attacks against websites. While these attacks are generally not characterized as acts of cyberterrorism, the question arises whether the threat of cyberterrorism is or will be real. This talk will assess the threat of jihadi cyberterror by examining indicators of capability and intent in the jihadi movement. These indicators fall into five general areas: current jihadi use of cyber attacks; jihadi cyber weapons acquisition, development and training; jihadi statements about cyber attacks; jihadi education and training in computer science and information technology fields; and general use of cyberspace by jihadists.
Mark D. Rasch, J.D.
Managing Director - Technology, FTI Consulting
Mark D. Rasch joined FTI as managing director in the Technology practice in February 2007. He brings over 24 years of experience in the information security field, having served for nine years as the head of the United States Department of Justice computer crime unit, and having prosecuted key cases involving computer crime, hacking, computer fraud and computer viruses. As managing director at FTI, Mr. Rasch will be focused on helping clients in the areas of computer security, privacy and incident response.
Mr. Rasch will address the relevant federal and state laws regarding the privacy of student records, search and seizure law applied to the academic environment, rights to privacy and electronic privacy, and the liability of academic institutions for the copyright infringement of faculty, staff and students. He will also address the rights of the university to monitor the activities of faculty, staff and students using university owned or managed computer facilities. Finally, he will address relevant data privacy laws with respect to data breach notification and data security obligations.
John Hurley, Ph.D.
Security Policy Architect, Apple Inc.
As the Security Policy Architect for Apple, John Hurley works with diverse groups at Apple to define the security policies for the Mac OS X operating system. He frequently advises executives and IT professionals from enterprise, government and higher education. As a part of the Data Security team, he has worked on many of the security features in Mac OS X, such as the keychain, encrypted disk copy, cryptography, smartcards, and public key infrastructure. Before joining Apple, Dr. Hurley was a co-founder and Vice President of Aveo, Inc., a computer telephony and internet services corporation. Along with his work credits, Dr. Hurley holds three patents on e-commerce technologies. He received his Ph.D. in Mathematics from the State University of New York at Stony Brook.
Integrating security into a major consumer-oriented operating system is an interesting problem. How can this be done while remaining flexible enough and secure enough to satisfy the needs of the enterprise and government? This talk will start with an overview of security development and testing at Apple, and then consider some of our security design principles. On the practical side, some of the ways to harden Mac OS X will be examined.