SUMIT_2010

Date

The 6th annual Security at University of Michigan IT (SUMIT) was held on Thursday, October 14, 2010. As the university's flagship event for National Cybersecurity Awareness Month, SUMIT is an exciting opportunity to hear nationally recognized experts discuss the latest technical, legal, and operational trends and threats in cyberspace. 

Speakers

Christopher Hoff

Christopher Hoff

Cisco Systems

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity

This event covered the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.

Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scalable capabilities. This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.

The fundamental re-architecture of the info-structure, meta-structure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place.

The problem is that we're unprepared for what this means and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in disintermediated and distributed sets of automated, loosely-coupled resources. 

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity - Presentation Recording

Christofer Hoff is Director of Cloud & Virtualization Solutions at Cisco Systems where he focuses on virtualization and cloud computing security, spending most of his time interacting with global enterprises and service providers, governments and the defense and intelligence communities. Previously, he was Unisys Corporation's Chief Security Architect, served as Crossbeam Systems' chief security strategist, was the CISO and director of enterprise security at WesCorp, a $25 billion financial services company and was founder/CTO of a national security consultancy amongst other startup endeavors. Hoff specializes in emerging and disruptive innovation and what it means to security, is technical advisor to the Cloud Security Alliance, founder of the CloudAudit project and blogs at http://www.rationalsurvivability.com/blog.


Gordon Snow

Gordon M. Snow

Assistant Director, FBI

Cyber Threats in the 21st Century

Mr. Snow entered on duty as a special agent with the FBI on March 8, 1992. Upon completion of training at the FBI Academy in Quantico, Virginia, he was assigned to the Birmingham Division's Huntsville Resident Agency. While there, he investigated violent crime, drug, civil rights, public corruption, and white-collar crime matters.

In April 1996, he was assigned to the Critical Incident Response Group as a member of the Hostage Rescue Team. During that time, he took part in several sensitive rendition missions; conducted terrorism assessments overseas with the Department of State; and was assigned to assessment, protection, and investigative support missions after the bombing of the USS Cole in Aden, Yemen, and the embassy bombings in Nairobi, Kenya.

Mr. Snow was promoted to supervisory special agent in the Counterintelligence Division's Middle East Unit in January 2001. Two years later, in January 2003, he was assigned to the Detroit Division, where he supervised the foreign counterintelligence program and served as the SWAT program coordinator. In April 2005, Mr. Snow was appointed chief of the Weapons of Mass Destruction and Acquisition of U.S. Nuclear & Missile Technology Unit at FBI Headquarters.

In May 2006, Mr. Snow was selected as the assistant special agent in charge of the San Francisco Division's San Jose Resident Agency. In that role, he had operational responsibility for the counterterrorism, cyber, white-collar crime, and violent crime squads; the San Jose members of the Joint Terrorism Task Force; the High-Value Computer Crimes Task Force; the Silicon Valley Regional Computer Forensics Lab; and the Monterey Bay Resident Agency. He also served as the SWAT program manager.

Mr. Snow was assigned to the Afghanistan theatre of operations as the FBI's on-scene commander for the Counterterrorism Division in June 2007. Following his return to the U.S., he was appointed section chief in the Cyber Division in January 2008 and detailed to the Office of the Director of National Intelligence, National Counterintelligence Executive. During that assignment, he and his staff led the effort in drafting the government-wide Cyber Counterintelligence Plan under Homeland Security Presidential Directive-23/National Security Presidential Directive-54, the Comprehensive National Cyber Initiative.

In January 2009, Mr. Snow was appointed as chief of the Cyber Division's Cyber National Security Section and the director of the National Cyber Investigative Joint Task Force. In November 2009, he was named deputy assistant director of the Cyber Division. In April 2010, he was named assistant director of the Cyber Division.

Mr. Snow is a native of Detroit, Michigan. He graduated from the University of Michigan, Ann Arbor, with a B.A. in English. He received an M.B.A. with an emphasis in finance from Virginia Tech in 2001 and a J.D. from Catholic University's Columbus School of Law in 2006. Prior to joining the FBI, Mr. Snow served in the United States Marine Corps for more than 10 years, as both an enlisted Marine and as an officer.


Deviant Ollam

Deviant Ollam

The CORE Group

The Four Types of Lock

Physical security is an oft-overlooked component of data and system security in the technology world. You can have the most hardened servers and network but that doesn't make the slightest difference if someone can gain direct access to a console keyboard or, worse yet, march your hardware right out the door. While numerous ratings and standards exist in order classify specific security hardware, many of these standards are ill-defined and poorly-understood. Do you know what makes a "hardened" or "contractor grade" lock special? What does the phrase "high security" signify on hardware packaging?

As it turns out, many of these terms are just for show... but Deviant walked audience members step-by-step through some distinct and easy-to-follow examples of how low-grade locks can fail as well as how to clearly identify quality equipment. Additionally, the presentation covered the more difficult matter of hardware purchase decisions at the highest levels... fine distinctions such as which locks belong on the CEO's office versus which ones to use on your server rooms. Every situation calls for something a bit different, and those differences add up when you're spending $100 or more per lock. Deviant urged viewers to make their money count and keep their budget, and their data, secure.

The Four Types of Lock - Presentation Recording

While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant is also member of the Board of Directors of the US division of TOOOL, The Open Organization of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point.


Melissa Hathaway

Melissa Hathaway

Belfer Center for Science and International Affairs | John F. Kennedy School of Government | Harvard University

Cybersecurity: A National Imperative

Melissa Hathaway is President of Hathaway Global Strategies, LLC and a Senior Advisor at Harvard Kennedy School's Belfer Center. Having served in two Presidential administrations, Hathaway brings a multi-disciplinary and multi-institutional perspective to strategic consulting and strategy formulation for public and private sector clients. She is raising public awareness by writing and speaking publicly about current real-world problems and is building information and research bridges among academic, industrial and government stakeholders.

From February 2009 to August 2009, Hathaway served in the Obama Administration as Acting Senior Director for Cyberspace in the National Security Council. In that capacity she assembled a team of experienced government cyber experts to conduct the 60-Day Cyberspace Policy Review. In May 2009, the President presented the elegant blueprint of the Cyberspace Policy Review, announced cybersecurity as one of his Administration's priorities, and recognized Hathaway's leadership in conducting the review. In the ensuing months, Hathaway stood-up the Cybersecurity Office within the National Security Staff to commence the work called for in that blueprint.

During the last two years of administration of President George W. Bush, Hathaway served as Cyber Coordination Executive and Director of the Joint Interagency Cyber Task Force in the Office of the Director of National Intelligence. She built a broad coalition from within the Executive Branch and established an unprecedented partnership with Congress to obtain bipartisan support for addressing cybersecurity priorities. She developed and created a unified cross-agency budget submission for FY 2008 and for 2009-13, assembling disparate funding sources into a coherent, integrated program. One of the single largest intelligence programs of the Bush administration, the Comprehensive National Cybersecurity Initiative has been carried forward by the Obama administration. At the conclusion of her government service she received the National Intelligence Reform Medal in recognition of her achievements.

Previously, Hathaway was a Principal with Booz Allen & Hamilton, Inc., where she led two primary business units: information operations and long range strategy and policy support, supporting key offices within the Department of Defense and Intelligence Community. Earlier in her career she worked with Evidence Based Research, Inc. and the American Foreign Service Association. Hathaway is a frequent keynote speaker on cybersecurity matters, and regularly publishes papers and commentary in this field. 


Charles Miller

Charles Miller

Independent Security Evaluators

The Past, Present, and Future of Smartphone Security

Miller discussed smartphone security from a historical perspective, beginning by outlining the threats posed by smartphones and what makes smartphone payloads unique. He discussed the security architectures of a few platforms and demonstrate attacks which have been successful in the past and how they worked. Finally, he ended by making wild speculations about the future of smartphone security.

Charlie Miller is Principal Analyst at Independent Security Evaluators, a Baltimore based consulting company. He was the first with public exploits against Apple's iPhone and the G1 phone, which was the first phone running Google's Android operating system. He won the CanSecWest Pwn2Own competition in 2008, 2009. He was one of the top 10 computer hackers of 2008 according to Popular Mechanics. Miller is a former researcher for the NSA and holds a PhD from the University of Notre Dame.


Marcus Ranum

Marcus J. Ranum

Tenable Security, Inc.

Scenes from the 2010 Cyberwar between China and the US

Marcus J. Ranum is Chief Security Officer of Tenable Security, Inc. and is a world-renowned expert on security system design and implementation. Since the late 1980's, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.


Whitfield Diffie

Whitfield Diffie

Vice President for Information Security at ICANN (Internet Corporation for Assigned Names and Numbers) | Visiting Scholar in the Center for International Security and Cooperation at Stanford University

An Historical Look at Cloud Computing

The history of information security is one of repeated confrontations with resources too valuable to be ignored which bypass our existing security mechanism. The presentation followed this process from radio through shared computing and networking to cloud computing and speculate on what form the solution of this latest challenge will take.

An Historical Look at Cloud Computing - Presentation Recording

Diffie began his career in security as the inventor of the concept of public key cryptography, which underlies the security of internet commerce. He has made fundamental contributions to many aspects of secure communications and was instrumental in the rise of a public cryptographic research community. In the 1990s he turned his attention to public policy and played a key role in opposing government key-escrow proposals and restrictive regulations on the export of products incorporating cryptography. Diffie recently retired from his position as Chief Security Officer at Sun Microsystems and is now studying the impact of web services and grid computing on security and intelligence.

Prior to assuming his position at Sun, Diffie was Manager of Secure Systems research at Northern Telecom throughout the 1980s.

Diffie is a fellow of the Marconi Foundation. He is the recipient of the National Computer Systems Security Award given jointly by the National Institute of Standards and Technology and the National Security Agency, the Levy prize of the Franklin institute, and other awards. His work and career are treated at length in the book Crypto by Steven Levy.