October 2008 Archives

Eric Cole


I write this week about a famous person in the field of information security.  Eric Cole completed his undergraduate and master's degrees at the New York Institute of Technology.  He went on to George Mason University, where he completed his coursework, but not his dissertation.  He later received his Ph.D. from Pace University.  After graduation, Dr. Cole went to work for the Central Intelligence Agency, where he was the Internet Program Manager and a computer engineer in the Office of Security.

Dr. Cole has written and co-authored many books including:

Hackers Beware

Hiding in Plain Sight: Steganography and the Art of Covert Communication

Network Security Bible

Insider Threat

Cyber Spying: Tracking Your Family's (Sometimes) Secret Online Lives

Network Security Fundamentals

SANS Security Essentials

He is also the inventor of over 20 patents.

So, his publications are not in the peer-reviewed academic press, but his books are certainly on the bookshelves of more people than the number of people who will read the articles that many of us will ever publish.

What I admire about Dr. Cole is that while he was doing all of this work, he realized that none of it meant anything unless people were able to take action on what he knew.  He helped to found the SANS Institute, an organization that teaches a security curriculum to computer professionals.  When academia moved slowly into the world of Information Science, Cole and others moved quickly.

They realized that professional education in actionable methods was important.  However, the companies in industry weren't doing the job.  Companies like Cisco and Microsoft had their professional certifications on their own products, and there were some low-level vendor-agnostic programs for technician certification (CompTIA's A+), but there was a large gap at the professional level, especially in security.

So, at the risk of irritating both the vendors and the academics, Cole and others started teaching their own curriculum.  They developed it, rolled it out and started teaching seminar-style with week-long classes.  Sure, they were paid well - the average SANS class costs $5,000 per person to attend for the week and SANS now has estimated annual sales of $30M - but face it... it's hard to pull together a good class with solid resources and get people to come back again and again.

Today, Cole is a senior scientist with Lockheed Martin Information Technology (LMIT) and a Lockheed Martin (LM) Fellow.  He is also the founder and CTO of Secure Anchor Consulting, which is basically his consulting and outreach mechanism.  So, between Lockheed, SANS and Secure Anchor, Eric Cole lives the life of teaching, research and outreach - the three functions that a tenure-track professor at any university performs.

Oh, and how old is he?  I can't seem to locate solid information about his age.  I guess he learned a thing or two about keeping some information private when he worked at the CIA.

So, I'm into podcasts.  I find that they are a great use of my 20 minute commute between Pleasant Gap and State College.  Lately, I've been coming back to campus at night after my "family time" for dinner and bedtime routine at home - and spending 9pm to midnight back in my office or in group project meetings, etc.  So, my commute effectively doubles when I do that.

Anyway, I have this great stereo in my car that has a USB port where I can plug in a USB thumbdrive.  It plays the MP3s on the thumb drive. Oh, did I mention it has an iPod cord (like charges the iPod and everything) and a place to plug in a stereo input for any other kind of MP3 player?  Yeah, cool.

What's REALLY COOL about this Sony is that it REMEMBERS where I left off last time.  Here's a link to the CNet review of the stereo - but they really do leave out the most important feature - the remembering where you left off.  See, a lot of stereos that have USB interfaces "forget" where you left off when you turn off the car.  That's really annoying if you have a one hour podcast and only a 20 minute drive.

So, I downloaded Mark Seiden's talk from the last Usenix Security Symposium.  I found it to be wonderful.  Well, it wasn't chock full of the stuff I had hoped for - like a list of where we need to have specific standards - but it did have a number of humorous anecdotes about things like physical security and other funny things like locks that don't work, and crawling through raised floors to get under and past the biometric access devices.

I have a feeling that I'm going to "attend" conferences like this more often.

Journals...

In my last blog post, I commented on the conferences and symposiums that I would like to be a part of.  That shows one side of the academic publishing picture.  In this post, I'll focus on the printed journals that I'd like to publish in.  Together, these two venue types outline the academic community that I'd like to see myself working in.

First is Computers and Security. This journal consistently publishes articles that I am likely to cite.  There is a good mix of articles covering specific technologies, legal aspects, as well as usability concerns.  For instance, in this quarter's issue there's an article about "Interpreting the legal aspects" of security, another one about a specific protocol recommendation for SMS (short message service), one about neural networks used for intrusion detection, another about intrusion detection using attack graphs to correlate individual alerts, and two articles about user authentication from a high level.


Computer Fraud and Security is another Elsevier journal that I like.  They focus on, obviously, the use of computers in fraud - anything from case studies and reports of important and timely fraud cases to metasystems of how to deal with such stuff.  What I really like about this journal is the high-level discussions - like "should open source software be used."  This is a monthly publication, so its focus is on the news of the time, as well as the up-and-coming research that shows the most promise.



Apparently, the top journal in the field is the Journal of Computer Security.  This journal focuses on the research that will have lasting impact.  What is interesting about this journal is its assumption that its readers have a solid understanding of computer security.  So, the background information required in many other journal publications is not necessarily required.  The articles are succinct, dense and direct.  That's kinda scary, but I hope that I can be one of the people in the world who can 1) understand what's in this journal and 2) one day publish in it.



Guofei Gu's Computer Security Conference Ranking and Statistics page gives a good outline of the conferences and workshops in the computer security field.  Just a quick look gives one an idea of the breadth of the field of computer security.  There's so much out there, from authentication to cryptography to secure software development to malware and intrusion detection.  It's no wonder we don't have a good handle on computer security as end-users - the academics are all over the place, too.  Maybe that's just an indicator of how difficult a problem computer security is.

So, there are parts of this community that I am not as interested in, from a research perspective.  For instance, I'm no cryptographic researcher.  Heck, those guys are like real math geeks.  I think cryptography is cool, and I have a lot of interest in USING cryptography.  I may have an academic interest in the usability of cryptography in organizations and in complex, interconnected systems - but as far as the cryptographic algorithms go - I'm leaving that to the math geeks.  So, that knocks out 2 of Gu's top 6 conferences for me.



The ACM Conference on Computer and Communications Security looks very interesting.  This year (in just a couple of weeks) the conference will be in Alexandria, VA. Dr. Patrick McDaniel, from CSE, is one of the technical program chairs.  He also has two students presenting a paper this year, "Rootkit-Resistant Disks," presented by Kevin Butler and Stephen McLaughlin.  So, just taking a look at who is presenting at this conference has already given me some insight into a community that I want to be involved in.  I might even see if I can break away to attend this conference - since it is relatively nearby.


The Usenix Security Symposium also looks interesting. The technical sessions last year ranged from in-depth concepts like cold-boot attacks on encryption keys to more widely generalized topics.  Check out this lead-in:  "In a field with few design principles ("defense in depth"? separate duties?), few rules of thumb, no laws named after people more influential than Murphy, no Plancks or Avogadros to hold Constant, and little quantification of any sort (we count only bad things), it appears the best we can do right now is to tell stories." See Mark Seiden's talk for more.  I know I'll be listening to the MP3 or watching the video later.  OMG!  This is great stuff.  Someone actually acknowledges where we really are in terms of policy, process and the industry (in terms of application and implementation) as a whole. Last year's symposium had a number of co-located events - like the Security Metrics 3.0 Conference and the Workshop on Hot Topics in Security '08.  Both of these conferences have wonderful topic sessions - like topics in authentication, security, use of encryption, password usage, and lots of other cool stuff.  Oh, and guess who from Penn State presented there last year?  You guessed it - Patrick McDaniel!  Hmm... maybe the community (or at least a part of it) is closer than I thought.


Finally, the last conference community I'd like to be a part of, eventually, is the IEEE Computer Society Technical Committee on Security and Privacy.  This is a more high-level, conceptual group.  Although last year's program included a number of "in the trenches" kinds of papers, the focus is on the future directions of these topics, not on the nuts and bolts.  So, trust and privacy in Web 2.0 was a common theme from last year's conference.  I'm sure I'll get to this conference eventually, but because it is focused on the higher level rather than the mechanical, I'm probably not going to be publishing here anytime soon.

So, that's the long and short of it.  I'll have to use Gu's list to check out the conferences that are lower rated.  There's probably lots of interesting stuff there, too!

I interviewed Ben Hellar.  Ben is a 4th year Ph.D. student who is also advised by David Hall.

Ben wasn't in the inaugural class as an undergrad at the School of IST at Penn State, but he was in the very next class.  He was in the first recruited class at IST.  Ben has seen the College grow from its infancy, move into its new building and create its undergrad program from scratch.  If you ripped into the walls of the IST building - you'd find his signature on an I-beam somewhere inside - literally!

Ben was a Schreyer Honors College undergraduate.  He completed an honors thesis and took many honors courses while an undergrad.  He even pursued the combined Bachelor's/Master's program for a time, but found that his interests were more aligned with the Ph.D. program than the Master's, so he graduated with his B.S. and entered the Ph.D. program.  His original adviser was Dr. John Bagby.

Ben spent his first two years of graduate life finding his topic and interests.  He has now found a home with Dr. Hall and Dr. McNeese where he looks at Human Performance Simulation, especially in crisis management, military situations and those that require formalized C3 (Command, Control and Communications).

Ben is currently working on the NeoCities simulation project.  This project simulates Police, Fire and HazMat crisis management dispatch and resource allocation.  He's studying team decision making and collaboration, especially of dispatchers and decision makers who would manage crises.  While the tasks are oversimplified, they are done that way to specifically study the interactions of the people involved.  The output of his research would fit into models for Homeland Security, the military, and crisis management organizations.  Ben's dissertation will be focused on the overload problem in regards to the pace of events that occur.

Ben has published three conference papers.  Two were born out of his literature review.  He has presented twice at the National Symposium on Data Fusion and Sensing and once at the Cyber Situational Awareness conference at GMU.  The second conference had a "tougher audience".  These attendees were more technical and entrenched in the "T" part of the ITP triangle.  Ben's research was along the lines of the T-P part of the triangle, and it was hard for them to get the idea that you needed to understand the people side of things - or that there even was a people-technology component to consider.

Ben is very different from me in many ways.  First off, he is a more traditional student - going to graduate school immediately after (or, technically during) his undergrad experience.  He's considering going out into the world to get more experience after he graduates.  However, I guess we're really similar in that we both value that real-world, hands-on experience.  I think that this will help Ben to focus his future research and make it more applicable by adding the realistic perspective.  The order that I have done things is very different, but it really does point to the same thing - we need to combine academics with a reality perspective.  Because Ben and I are both Penn State graduates, it will be interesting to see where we land later in life.

So, you've all heard people talk about a computer crashing.  I want to describe to you what happens when a server crashes at a medium-sized organization.

This particular crash was interesting because the server wasn't completely dead.  Sure, we've all had power supplies die, hard drives crap out, BSODs and other kinds of issues happen.  Those are usually complete either-or propositions.  Either the machine works or it doesn't.  Very seldom do we have the situation where the system works - sorta-kinda.  Well, that's exactly what happened in this situation.

The server in question is four years old, with a three-year-old Dell Powervault PV-220 RAID-5 enclosure.  It has 1.5 TB of data on this array, storing user files and research data.  Of the 8 hard drives in the array, one is a hot spare.  Because it is RAID-5, any one of the drives can fail; the hot spare comes online automatically and the array rebuilds onto it.  Well, that's what is supposed to happen.

I did have a drive indicate possible failure, but it didn't swap out.  The server started serving a number of corrupted files from this array and from a normal (non-RAID) drive.  Upon reboot, the drive system showed six of the eight drives as having completely failed.  That's not supposed to happen either.
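To make concrete what the paragraphs above describe (a single failed drive is covered by parity and rebuilt onto the hot spare; several drives failing at once is not), here is an added toy model of RAID-5 striping with rotating XOR parity. It is not code from this post or from any Dell tool; the seven-active-disk layout (eight drives minus the hot spare) and the four-byte chunk size are assumptions made for illustration.

```python
"""Toy RAID-5 model: striping with rotating XOR parity, single-disk rebuild
into a hot spare, and the double-failure case that parity cannot cover.
Constructed illustration, not the blog's or any vendor's code."""
from functools import reduce
from typing import List, Optional


def xor_bytes(blocks: List[bytes]) -> bytes:
    """Column-wise XOR of equal-length byte strings (the RAID-5 parity op)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def raid5_write(data: bytes, n_disks: int, chunk: int) -> List[List[bytes]]:
    """Return disks[d][stripe] -> chunk.  Each stripe holds n_disks-1 data
    chunks plus one parity chunk; the parity slot rotates across disks."""
    data_per_stripe = chunk * (n_disks - 1)
    data = data + b"\x00" * ((-len(data)) % data_per_stripe)  # pad last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        stripe = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_bytes(chunks) if d == parity_disk else next(it))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every chunk of one missing disk by XORing the survivors.
    With one parity chunk per stripe, two missing disks cannot be rebuilt."""
    survivors = [d for d in disks if d is not None]
    if len(survivors) != len(disks) - 1:
        raise RuntimeError(f"{len(disks) - len(survivors)} disks lost; RAID-5 tolerates 1")
    return [xor_bytes([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Read the data chunks back in order, skipping each stripe's parity slot."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n - 1 - s) % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def simulate(data: bytes, n_disks: int = 7, chunk: int = 4, failed=(2,)):
    """Write, fail the listed disks, rebuild each onto a hot spare, read back.
    Returns the recovered data, or None when parity cannot cover the loss."""
    disks = raid5_write(data, n_disks, chunk)
    degraded: List[Optional[List[bytes]]] = [None if i in failed else d
                                             for i, d in enumerate(disks)]
    try:
        for f in failed:
            degraded[f] = rebuild_disk(degraded, f)  # hot spare takes the slot
    except RuntimeError:
        return None
    return raid5_read(degraded, len(data))
```

With the default single failure the data survives intact; with two drives failed at once, as in the six-of-eight case above, the rebuild refuses because the stripe no longer carries enough information.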

I was able to force the drives back into an online mode and bring the array back online, but the NTFS file structure was corrupted.  The server needed about 72 hours to rebuild the NTFS structure.  Unfortunately, we needed the server to be back online within 12 hours, so we forced it back up the day after the crash.  The data on the RAID array looked like it was completely rebuilt, with some files lost to corruption, but halfway through the next day we realized that the array wasn't rebuilt correctly and wasn't stable... users were losing files and directories throughout the day.

So, back to square 1 - and we brought a new server online with the backup data.  However, guess what - the backup wasn't completely up-to-date.  Some files were 2-3 weeks old, while others were completely current.  So, 2 days later and we bring up the backups that are not current - yeah, people were just short of screaming at me.

That's all fine in my mind - because people should be making their own backups of their own data.  That's what I tell them to do, but not everyone listens to what I tell them.

I was able to bring up the old server with the suspect drive the next week - ran the rebuild over the weekend.  While there was file corruption on individual files, I was able to bring back some files that people had lost.  Others recovered lost work within a day or two of re-doing what they had done in the past couple of weeks.

The crash has taught me a couple of things:

  • Most users will not do their own backups. They rely on systems too much and make assumptions that nothing will ever go wrong. While this is a bad assumption on the user's part, it *IS* the base assumption that most users have.

  • IT Managers must live up to the user's expectation, regardless of how unrealistic that expectation is.

  • There is a middle-ground between a system working and a system failing. That middle ground sucks.

  • Disaster Recovery Planning needs more attention in small-to-medium sized organizations. Something as simple as a single server crash can highlight faulty backup processes, required services and end-user expectations.

  • Oh, and Murphy's Law applies to IT. The server crashed 30 minutes before my IST511 class where I was supposed to do a class presentation and could not miss.


So, maybe you're laughing right now.  Maybe you're thinking, "Gee, so what's new?"  Maybe you're thinking, "I'm glad it's not me!"  Whichever your reaction - I hope this blog post has made you think about how you back up your important data.  Having a solid, reliable, reproducible, transparent and easy-to-use backup system for things that are important to you is a key ingredient in your ability to survive even the most complicated failure.  Maybe I should post my philosophy on how to back up your data for your own protection... watch for that blog posting later.


David Hall - My advisor!


My advisor is Dr. David Hall.

Dr. Hall didn't start his career as an academic, although I am pretty sure that he wanted to be a professor all along.  He just ended up taking the long way around before finally ending up in academics.  His early career was dictated by the needs of the country.  He enlisted (yes, enlisted) in the Air Force.  Apparently that choice offered him the ability to complete his Masters degree, whereas getting a commission as an officer would have sent him right to OCS and off to Vietnam much quicker.  He then ended up in a program in the Air Force tracking satellites, as they needed enlisted men with academic backgrounds in Astronomy.  As one could imagine, there probably weren't many enlisted men qualified for this position.

After some time in the Air Force, Dave returned to complete a Ph.D. in Astronomy. He returned to the corporate sector afterwards, working for MIT Lincoln Labs, Computer Sciences Corporation and then finally, HRB Systems, where he moved to management roles as a Principal Engineer, Manager and Director.  After a downsizing at HRB, he moved to Penn State, as the Associate Director of the Applied Research Lab.  In 2001, Dr. Hall realized his dream of an academic life, and joined the new School of IST as a professor and Associate Dean for Research.

What is interesting about Dr. Hall's story is how unconventional his entry into the academy was.  I appreciate his pursuit of his goals and definitely understand his desire to combine teaching, research and outreach.  He has an appreciation for others who bring value to the graduate education process but who, for a variety of reasons, didn't necessarily hop from high school to college to graduate school.  There is a lot of value in professional experience that isn't necessarily reflected in one's CV or resume.

Most of Dr. Hall's early research work is probably classified.  Look at the companies that he worked for to see why - they're all defense contractors.  However, Dr. Hall did manage to stake his claim on multi-sensor data fusion.  He literally wrote the book on the topic.  Today, his interests are related to multi-sensor data fusion and he is currently working on a new book, related to sensors, people as sensors and soft sensors of all sorts.  It's really interesting stuff!  As far as publications other than the books, Dave does attend the data fusion conference and publishes there regularly.  He also publishes in a variety of IEEE journals and conferences.  Here are a couple of links to conferences he has attended/attends:

http://www.vistg.net/

http://datamining.it.uts.edu.au/conferences/iat08/

http://ieeexplore.ieee.org/xpl/RecentCon.jsp?punumber=4106198

http://cihsps.dti.unimi.it/

http://www.ececs.uc.edu/~cdmc/mass/

As far as courses, Dr. Hall has taught several while at Penn State, even though his primary responsibilities over the last many years have been administrative.  This doesn't keep him from the classroom completely.  For instance, he has taught:

IST440W - IST Integration - which I completely missed!

IST497 - Information Systems Project Management

IST597/998 - Information Fusion (go figure!)

IST590 - The IST Graduate Colloquium

On a personal note, Dr. Hall is a fraternal twin.  He is proud to claim that he shared a womb with a girl.  The way I first met Dr. Hall is because of our twin connection - as I'm the father of identical twins.  We "ran into" each other because of this and our connections to Grace Lutheran Church.