Biblio

This article discusses how a system of Identification: Friend or Foe (IFF) can be implemented in email to make users less susceptible to phishing attacks.

CyberIR@MIT is a dynamic, interactive ontology-based knowledge system focused on the evolving, diverse & complex interconnections of cyberspace & international relations.

Explorations in Cyber International Relations (ECIR) is a collaborative research program of Massachusetts Institute of Technology and Harvard University designed to create multi-disciplinary approaches to the emergence of cyberspace in international relations. The purpose is to support policy analysis by combining leading-edge methods in computer science and technology with international law and long-range political and economic inquiry. ECIR is based in MIT Department of Political Science, with participation from Computer Science and Artificial Intelligence Laboratory (CSAIL) and Sloan School of Management. At Harvard, ECIR is based in the Kennedy School Belfer Center for Science and International Affairs, with participation of Berkman Klein Center for Internet & Society at Harvard Law School.

GSSD is an evolving knowledge networking system dedicated to sustainable development. Designed to help identify and extend innovative approaches toward sustainability—including enabling technologies, policies, and strategies—it tracks diverse aspects of challenges, problems, and emergent solutions to date. Specifically, it is a computer-assisted, organized system linking discrete actors with a knowledge producing capacity that is, (b) combined via common organizing principles, and (c) based on individual autonomy; such that (d) the value of networked knowledge is enhanced, and (e) the stock of knowledge is expanded further.

Minimal adversarial perturbations added to inputs have been shown to be effective at fooling deep neural networks. In this paper, we introduce several innovations that make white-box targeted attacks follow the intuition of the attacker's goal: to trick the model to assign a higher probability to the target class than to any other, while staying within a specified distance from the original input. First, we propose a new loss function that explicitly captures the goal of targeted attacks, in particular, by using the logits of all classes instead of just a subset, as is common. We show that Auto-PGD with this loss function finds more adversarial examples than it does with other commonly used loss functions. Second, we propose a new attack method that uses a further developed version of our loss function capturing both the misclassification objective and the L∞ distance limit ϵ. This new attack method is relatively 1.5--4.2% more successful on the CIFAR10 dataset and relatively 8.2--14.9% more successful on the ImageNet dataset, than the next best state-of-the-art attack. We confirm using statistical tests that our attack outperforms state-of-the-art attacks on different datasets and values of ϵ and against different defenses.

The purpose of this workshop is to review with participants, sponsors, and key interested parties the findings and lessons learned from a two-year long NIST and GSA-sponsored Cyber Risk Analytics project. A team composed of professionals from the University of Maryland (UMD), Zurich Insurance, and Beecher Carlson completed the following activities:

• Developed and field tested, with collaboration of NIST, a secure, online self-assessment tool, based on the Cybersecurity Framework; 
• Created a breach database for survey participants by integrating the breach datasets from Advisen, RBS , the Identity Theft Resource Center, and the Center for Business and Ethics at the University of Maryland; 
• Conducted a rigorous statistical analysis to search for significant relationships between performance results in different areas of the self-assessment tool and frequency of breaches (disaggregated by breach type). The objective was to determine specific actions initiated by the survey participants were directly associated with a reduced frequency of breach occurrence during the study period.

Cyber security is generally thought of as various types of security devices like firewalls, Web Application Firewall (WAF), IDS/IPS, SIEM, DLP etc. to safeguard network, applications and data. But what if, for example, the deployed security solutions have a bug inside? The latest example of this is exposing of a vulnerability in Lenovo notebooks. Lenovo notebooks are shipped with a program named “Superfish-Visual Discovery”, and recently a vulnerability known as Man-in-the-Middle (MITM) has been discovered in this software, so all the security controls installed in the notebooks like antivirus etc. cannot catch it, because it is the default shipped in the software. This is an example as to how important is to take not only networks but also each component of a supply chain into consideration.

Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

Deception technology is an outside-the-box cybersecurity approach that aims to turn the current paradigm on its head – from reactionary to proactive defense.Traditional, signature-based security measures continue to fall prey to sophisticated zero-day attacks and advanced persistent threats, despite the fact that companies are spending upwards of $3 million per year on information security. It’s time for organizations to get proactive, and use deception technology to enhance the way they architect a comprehensive security strategy. The article presents 4 Things Every CISO Must Know About Deception Cybersecurity.

The effective deployment of deception technology still requires the fundamentals foundations of cybersecurity to be in place. Without network segmentation, proper access control, security systems and reporting – deception technology alone will add little value.

A proactive approach to security can be adopted by organizations through the use of deception technology. The application of deception technology allows organization to reduce dwell time, quickly detect attackers, and lessen false positives.  Modern deception platforms use machine learning and AI to be scalable and easy to manage. 

Organizations are encouraged to embrace deception technology in order to safely study cyber adversaries. The use of deception technology could allow security teams to further understand the motives of attackers and improve upon their defense methods.  This technology could also reduce dwell time, which is the amount of time attackers go undetected in a system or the time it takes for an organization to become aware of an incident.

This is GAO’s 18th annual assessment of DOD acquisition programs. GAO’s prior assessments covered major defense acquisition programs. This year’s assessment expands to include selected major IT systems and rapid prototyping and rapid fielding programs, in response to a provision in the National Defense Authorization Act for Fiscal Year 2019.

This report (1) summarizes the characteristics of 121 weapon and IT programs, (2) examines cost and schedule measures and other topics for these same programs, and (3) summarizes selected organizational and legislative changes. GAO identified the 121 programs for review based on their cost and acquisition status. GAO selected organizational and legislative changes that it determined related to the execution and oversight of the 121 programs.

GAO reviewed relevant legislation and DOD reports, collected data from program offices through a questionnaire, and interviewed DOD officials.
Additional analyses and assessments of major IT programs are included in a companion report to be issued later this year.

The Department of Defense (DOD) currently plans to invest over $1.8 trillion to acquire new major weapon systems such as aircraft, ships, and satellites. At the same time, the department is investing billions more in information technology (IT) systems and capabilities that it expects to either prototype or field rapidly through a new middle-tier acquisition pathway. (See table.)

The Hardening Development Toolchains Against Emergent Execution Engines (HARDEN) program seeks to give developers a way to understand emergent behaviors and thereby create opportunity to choose abstractions and implementations that limit an attacker’s ability to reuse them for malicious purposes, thus stopping the unintentional creation of weird machines. HARDEN will explore novel theories and approaches and develop practical tools to anticipate, isolate, and mitigate emergent behaviors in computing systems throughout the entire software development lifecycle (SDLC).

In a recently published document addressing supply chain risk, the Office of the Director of National Intelligence warns against “foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector.”

Attacks on the supply chain represent “a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure,” the agency notes. Foreign adversaries are attacking key supply chains at multiple points: From concept to design, manufacture, integration, deployment and maintenance.

GovCon leaders say the government does well to take the risks seriously, and they point to ways in which the contracting community can work hand-in-glove with federal officials to mitigate the threat.

It must be said that not all deception technology is equal. There are many different approaches to the steps required to identify threat actors, and through the use of deception, prevent a breach by moving them out of the production environment and into the deception platform

Deception has mainly been used by attackers to deceive victims into sharing their personal information or downloading malware. However, deception has become the key to tricking adversaries into revealing their attack strategies and vulnerabilities.  In order for defensive cyber deception to be effective, a deception decoy fabric must be generated throughout a network. 

This paper proposes a new defense called $n$-ML against adversarial examples, i.e., inputs crafted by perturbing benign inputs by small amounts to induce misclassifications by classifiers. Inspired by $n$-version programming, $n$-ML trains an ensemble of $n$ classifiers, and inputs are classified by a vote of the classifiers in the ensemble. Unlike prior such approaches, however, the classifiers in the ensemble are trained specifically to classify adversarial examples differently, rendering it very difficult for an adversarial example to obtain enough votes to be misclassified. We show that $n$-ML roughly retains the benign classification accuracies of state-of-the-art models on the MNIST, CIFAR10, and GTSRB datasets, while simultaneously defending against adversarial examples with better resilience than the best defenses known to date and, in most cases, with lower classification-time overhead.

While much of the discussion around supply chain security has focused on the parts, components and gear that make up an organization's physical IT assets, a growing number of experts are making the case that vulnerabilities in the software supply chain may represent the larger cybersecurity threat over the long haul.

In his Executive Order (EO) on Improving the Nation’s Cybersecurity, President Biden identified the prevention, detection, assessment and remediation of cyber incidents as a top priority of his Administration. The Commerce Department and NTIA were directed by the EO to publish the minimum elements for a Software Bill of Materials (SBOM), a key tool to help create a more transparent and secure software supply chain. As the President notes, “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.”

Motivated by the transformative impact of deep neural networks (DNNs) on different areas (e.g., image and speech recognition), researchers and anti-virus vendors are proposing end-to-end DNNs for malware detection from raw bytes that do not require manual feature engineering. Given the security sensitivity of the task that these DNNs aim to solve, it is important to assess their susceptibility to evasion.
In this work, we propose an attack that guides binary-diversification tools via optimization to mislead DNNs for malware detection while preserving the functionality of binaries. Unlike previous attacks on such DNNs, ours manipulates instructions that are a functional part of the binary, which makes it particularly challenging to defend against. We evaluated our attack against three DNNs in white-box and black-box settings, and found that it can often achieve success rates near 100%. Moreover, we found that our attack can fool some commercial anti-viruses, in certain cases with a success rate of 85%. We explored several defenses, both new and old, and identified some that can successfully prevent over 80% of our evasion attempts. However, these defenses may still be susceptible to evasion by adaptive attackers, and so we advocate for augmenting malware-detection systems with methods that do not rely on machine learning.

CISA, in coordination with the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G.

The ESF 5G Threat Model Working Panel, a subgroup within the ESF, examined three major threat vectors in 5G­—standards, the supply chain, and threats to systems architecture—to develop a summary and technical review of types of threats posed by 5G adoption in the United States and sample scenarios of 5G risks.

Please note, this paper represents the beginning of the ESF’s research and not the culmination of it. It is not an exhaustive risk summary or technical review of attack methodologies and includes public and private research and analysis.

Publishing guidance that outlines security measures for critical software use – including applying practices of least privilege, network segmentation, and proper configuration – is one of NIST’s assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028).”