Date
Tuesday, October 16, 2007 - 8 a.m. to 5 p.m.
The 3rd annual Security at University of Michigan IT (SUMIT) was held on Tuesday, October 16, 2007. As the university's flagship event for National Cybersecurity Awareness Month, SUMIT is an exciting opportunity to hear nationally recognized experts discuss the latest technical, legal, and operational trends and threats in cyberspace.
Paul Howell
Chief Security Officer, ITSS
Paul Howell (CISSP) is the Chief Information Technology Security Officer at the University of Michigan, and he directs the Information Technology Security Services office. He is a graduate of the University of Michigan in Computer Science, with a Master's degree in Information Security from Eastern Michigan University. Paul has over 20 years of computer and network security experience.
Charles Antonelli, Ph.D.
Assistant Research Scientist, Center for Information Technology Integration, School of Information
Charles Antonelli has created and teaches the popular ITS 101 Campus Computer Security training course at the University of Michigan, which covers Linux, Windows, and network fundamentals, U-M core infrastructure and services, threats and countermeasures, and security assessments. Students conduct experiments in an air-gapped security laboratory, and come to understand their systems as the attackers do.
In his spare time, Dr. Antonelli teaches regular courses and graduate seminars in the College of Engineering and at the School of Information at U-M. His previous research efforts at CITI include the secure packet vault and a secure distributed network testing and performance tool based on Globus and GARA. He received his Ph.D in Computer, Information, and Control Engineering from the University of Michigan, and has been a Member of Technical staff at Bell Laboratories.
Dan Geer, Sc.D.
Chief Scientist, Verdasys
Measuring Security
Security is a means, not an end, and so you have to keep score of how play goes. We say that, but when will we mean it, i.e., when will we graduate from adjectives to numbers? This talk discussed the areas where quantitative work can be productively done, and gave one example of how such a path can be taken.
Dan Geer is a security researcher with a quantitative bent. His group at MIT produced Kerberos, and a number of startups later he is still at it—today as Chief Scientist at Verdasys. He writes a lot, and sometimes it gets read such as the semi-famous paper on whether a computing monoculture rises to the level of a national security risk. He's an electrical engineer, a statistician, and someone who thinks truth is best achieved by adversarial procedures. Mr. Geer received his S.B from the Massachusetts Institute of Technology in EE & CS, and his Sc.D. from Harvard in Biostatistics.
Mary Ann Davidson
Chief Security Officer, Oracle Corporation
This talk discussed the ways in which the IT industry is at a tipping point. The cost of poor security, according to NIST, is as great as $59 billion a year. Vendors spend millions of dollars fixing avoidable, preventable defects in software, and customers spend millions of dollars applying patches. At the same time, the "attack dynamic" has changed: it is increasingly organized crime going after large data sources, instead of the stereotypical 16-year-old hacker trawling an infiltrated network. The presentation sought to answer questions such as: What measures are development organizations taking to improve their security-worthiness across the board? Where has there been substantial progress, and where is the more to be done? What is needed to create a "security revolution" in the industry? How can academic institutions help change the development dynamic so that every developer "thinks like a hacker?"
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security’s top five “Women of Vision” and is 2004 Fed100 award recipient from Federal Computer Week. Ms. Davidson has a B.S.M.E. from the University of Virginia and a M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Dorothy Denning, Ph.D.
Professor, Naval Postgraduate School
The Jihadi Cyberterror Threat
Al-Qa'ida and the global Salafi jihadist movement increasingly use the Internet for "electronic jihad," to include cyber attacks against websites. While these attacks are generally not characterized as acts of cyberterrorism, the question arises whether the threat of cyberterrorism is or will be real. This talk assessed the threat of jihadi cyberterror by examining indicators of capability and intent in the jihadi movement. These indicators fall into five general areas: current jihadi use of cyber attacks; jihadi cyber weapons acquisition, development and training; jihadi statements about cyber attacks; jihadi education and training in computer science and information technology fields; and general use of cyberspace by jihadists.
Dorothy Denning is a professor in the Department of Defense Analysis at the Naval Postgraduate School and has published four books and 140 articles. She was formerly at Georgetown University as a professor of computer science and director of the Georgetown Institute for Information Assurance. Ms. Denning has received several awards, including the Augusta Ada Lovelace Award, National Computer Systems Security Award, and the 2004 Harold F. Tipton Award "in recognition of her outstanding information security career." In 1995, she was inducted as a Fellow of the Association for Computing Machinery. Ms. Denning received her B.A. and M.A. from the University of Michigan.
Mark D. Rasch, J.D.
Managing Director - Technology, FTI Consulting
Information Security for Educational Institutions
Mr. Rasch addressed the relevant federal and state laws regarding the privacy of student records, search and seizure law applied to the academic environment, rights to privacy and electronic privacy, and the liability of academic institutions for the copyright infringement of faculty, staff and students. He also addressed the rights of the university to monitor the activities of faculty, staff and students using university owned or managed computer facilities. Finally, he addressed relevant data privacy laws with respect to data breach notification and data security obligations.
Information Security for Educational Institutions - Presentation Materials
Mark D. Rasch joined FTI as managing director in the Technology practice in February 2007. He brings over 24 years of experience in the information security field, having served for nine years as the head of the United States Department of Justice computer crime unit, and having prosecuted key cases involving computer crime, hacking, computer fraud and computer viruses. As managing director at FTI, Mr. Rasch will be focused on helping clients in the areas of computer security, privacy and incident response.
John Hurley, Ph.D.
Security Policy Architect, Apple Inc.
Integrating security into a major consumer-oriented operating system is an interesting problem. How can this be done while remaining flexible enough and secure enough to satisfy the needs of the enterprise and government? This talk started with an overview of security development and testing at Apple, and then considered some of our security design principles. On the practical side, some of the ways to harden Mac OS X were examined.
As the Security Policy Architect for Apple, John Hurley works with diverse groups at Apple to define the security policies for the Mac OS X operating system. He frequently advises executives and IT professionals from enterprise, government and higher education. As a part of the Data Security team, he has worked on many of the security features in Mac OS X, such as the keychain, encrypted disk copy, cryptography, smartcards, and public key infrastructure. Before joining Apple, Dr. Hurley was a co-founder and Vice President of Aveo, Inc., a computer telephony and internet services corporation. Along with his work credits, Dr. Hurley holds three patents on e-commerce technologies. He received his Ph.D. in Mathematics from the State University of New York at Stony Brook.