the list below is abstracts from the 2019 conference.
Hacking the U.S. National Security Through Financial Cybercrimes
Day - 1
Dr. Calvin Nobles
Cyber threat actors, in the form of nation states, terrorists, cybercriminals, and hacktivists aim to disrupt the U.S. bedrock (OFR, 2017) — the financial industry (Borghard, 2018). Degrading or disrupting the U.S. financial sector can lead to financial instability (Borghard. 2018); thus, making the U.S. militarily and economically vulnerable to domestic and international threats. Challenging the U.S. national security threatens the sovereignty and democracy of our nation. One internet service provider observes more than 80 billion malicious scans per day by cybercriminals searching for vulnerabilities in interconnected systems and devices (Lewis, 2018). Researchers indicate that approximately 300,000 malware variants are released every day targeting governments, businesses, organizations, and people around the world (Lewis, 2018). Cybercriminals have victimized Sixty-four percent of Americans and more than 2 billion people online had their personable identifiable information compromised (Lewis, 2018). An FBI official postulates that cybercriminals target the U.S. due to the amount of information stored on our systems, networks, clouds, and data centers (Palmore, 2019).
Dr. Nobles is cybersecurity and national security expert with over 25 years of experience. He currently works in the financial services industry as a cybersecurity professional. Dr. Nobles is an adjunct faculty member at several universities teaching the cybersecurity and MBA curriculums. He is a Cybersecurity Policy Fellow with New America Think Tank in Washington, DC. He serves as chairman of the Cybersecurity and Information Technology Advisory Board for the Maryland Center and Bowie State University and on the Cyber Council of the Intelligence National Security Alliance. He travels throughout the U.S. speaking on cybersecurity and national security topics. He is currently enrolled in the Executive Doctoral Program in Business Administration Program at Temple University.
Rise of Industrial 4.0: Crippling a Country Through Cyber Attacks in Manufacturing
Day - 2
Dr. Maurice Dawson, Illinois Institute of Technology
When we think of the breach of data, it could be the least of the industry’s problems. The “hyperconnectivity” between smart robots and the cloud could leave entire sectors vulnerable to large-scale attacks with catastrophic cascading effects. At worse, these could take out a significant chunk of a country’s GDP. Tampering with equipment in factories producing food, for instance, could lead to incorrect nutrient levels and unsafe items bypassing proper checks.
Argument for Improved Security in Local Governments within the Economic Community of West African States
Day - 2
Mr. Damon Walker, University of Missouri - Saint Louis
The Economic Community of West African States is an economic region located in West Africa. This region has a population of over 349 million and representation for approximately 15 countries. With the explosion of technological advances in agriculture, healthcare, and personal device use cybersecurity has become an important issue. Coupled with dictatorships, corrupt regimes, religious extremists, and other illicit activities it is imperative that cybersecurity is becoming a cornerstone in local governments to ensure the safety of citizens. This research paper reviews recent literature that surround West African states to present an argument on why cybersecurity must be considered essential for local governments. Observations and interviews were conducted at a government facility concerning its security posture as it relates to physical and cybersecurity. This activity included interviews with senior government officials and employees to understand the state of affairs at the organization. The Site Security Control Compliance Checklist was taken with minor modifications from the Department of Defense to serve as an instrument to use in measuring compliance to set standards. This checklist was done at three separate locations within the country of Senegal.
SheLeadsTech Panel: How Women are Making Their Mark in the Cybersecurity Landscape
Day - 1
A shortage of cyber security experts means flourishing career opportunities. So why is there a shortage of women? Just 11% of cyber security experts are women. This is despite the current under-supply of specialists in this area. Improving gender diversity needs more ‘role models’ and encouraging women to choose cyber security. Addressing this gender gulf is everyone’s responsibility – men, women, employers, educators and industry associations. Join us to find out what it takes to be a leader in an industry notorious for its lack of gender diversity.
Pamela Nigro, MBA, CRMA, CISA, CGEIT, CRISC, is a multifaceted, highly experienced IT Audit and IT Controls leader who brings unique experience with experience with external Big 4 auditing, and cost-effective management of corporate risk and regulatory compliance with the 4th largest health insurance company. Ms. Nigro is a subject matter expert in IT Controls, and is the Senior Director of Information Security focusing on the GRC practice at Heath Care Service Corporation (HCSC). She is responsible for IT risk and compliance testing for the five Blue Cross Blue Shield Plans comprising HCSC (Illinois, Texas, New Mexico Oklahoma, and Montana). Ms. Nigro is also an Adjunct Professor at Lewis University in Romeoville, IL where she teaches courses on Ethics, Risk, IT Governance and Compliance, and Information Security, in the MSIS and MBA programs.
Ms. Nigro is the current President of the ISACA Chicago Chapter, and the Chair of the ISACA Chicago Women’s Forum. She is also a Distinguished Toastmaster and a frequent speaker at IT Audit, IT Risk, and Cybersecurity industry conferences, as well as local ISACA and IIA Chapter Meetings.
The New PCI Software Security Standard: The New World of Credit Card Security
Day - 1
The Payment Card Industry Security Standards Council (PCI SSC) is in the process of implementing its new PCI Software Security Standard (S3) to enhance the security of credit card payment applications. S3 will be replacing the current Payment Application Data Security Standard (PA-DSS), which has been in place for a decade and will be retired next year in 2020.
The new S3 will be a radical shift in the way the SSC reviews payment applications. The assessments will be divided into two parts: the first part a review of the security of the software development process for payment application vendors, and the second part will be a review of the payment application itself, similar to the current PA-DSS review.
This presentation will discuss the new S3 standard, what it's all about, details about each of the two parts and how the new assessments will be conducted. Best practices for successful assessments will also be discussed. Any company currently involved with PA-DSS will want to learn about how they will need to adjust to the new S3 environment.
I have been a PCI Qualified Security Assessor (QSA) and PA-DSS QSA for almost a decade, and prior to that on the PCI review committee for a global bank, including overseeing the security of their credit card payment applications. I have reviewed payment application vendors from small mom-and-pop development shops to major global companies, and have conducted PA-DSS assessments in the U.S., Latin America, Europe and Middle East. I have also conducted PCI assessments and scoped architectures for PCI, PA-DSS applications and P2PE environments.
Password synthesizers vs. password managers
Day - 1
We are pushing people to use password managers so they can keep track of different passwords for different logins, but perhaps there is a better option. Password synthesizers generate passwords on the fly using a secure algorithm, without a need for secret storage that might be compromised. The presentation will be illustrated with examples using SynthPass, a new password synthesizer designed for ease of use.
Prof. Ruiz has a secret personality as hacker and designed of cybersecurity products, in addition to his official role as instructor and researcher in energy and transportation. His PassLok email encryption suite has won accolades in the press. The image steganography method built into PassLok and other apps is the current reigning champion in this field.
Post-Quantum Cryptography: A Survey
Day - 1
Once a sufficiently powerful quantum computer is developed, all of our current public key cryptography (e.g. RSA, DSA, ECC) will be obsolete. For this reason, the government has announced their transition to post-quantum cryptography, which is quantum-resistant cryptography that runs on our classical computers. NIST is holding a competition to standardize new public key cryptography algorithms, and recently the competition was narrowed down to 26 algorithms, most of which are based on lattices.
In this talk we introduce and demonstrate the forms of cryptography (lattice-based, code-based, and multivariate) that will become the new public key standard.
Emily Stamm is a security research engineer at Allstate specializing in cryptography and the program director of Chicago CyberSecurity. She graduated from Vassar College in 2018 with a degree in mathematics and minor in computer science, and has experience in number theory research.
Student Forensic & Cyber Competitions
Day - 1
There are several student cyber competitions as well as forensic competitions that apply the skills learned in the classroom to live real time scenarios. These competitions link the students with industry professionals and provides valuable critical thinking and time management skills.
Kevin Vaccaro has 25+ years’ experience working in the area of Information Technology. He has also been teaching various topics in IT ranging from service and repair to Cybersecurity for 20+ years. He is a full time faculty member at Moraine Valley Community College, adjunct Industry Professor at Illinois Institute of Technology and adjunct professor in CIS at Northwestern University. He has written several articles on digital forensics for eforensics magazine and holds a MS in Information Technology from Illinois Institute of Technology and several industry certifications including CISSP,and CEH, and also is an authorized trainer.
Deciphering the California Consumer Privacy Act (CCPA)
Day - 1
Data breaches, privacy abuses, and organized and state-sponsored cyber crime have finally lit a spark that has jolted legislators across the globe. In May of 2018, the General Data Protection Regulation (GDPR) went into effect enacting stricter privacy and data protection controls on behalf of EU citizens. In the U.S., California has taken a major step to protect consumer information by passing the California Consumer Privacy Act (CCPA). Although a win for consumers, these new regulations will have companies scrambling to become compliant. Join us for a discussion of CCPA and its impact.
Brian Liceaga, CISSP, is the founder of Nitra Security (https://www.nitrasecurity.com). Nitra is a cybersecurity products and services company focused on building security, risk, compliance, and privacy programs that have a lasting impact. Liceaga holds a Bachelor of Science and Master of Science from the Department of Computer Science at Loyola University Chicago.
Threat Intelligence in a Nutshell: From Intelligence to Exploitation
Day - 1
Abdel Sy Fane
Getting started with a threat intelligence program doesn’t have to be costly or time consuming, with some automation anyone can jump start their own threat program. Today, we see a lot of enterprises heavily investing in a threat intelligence program to gain informational advantage over their adversaries (bad-actors) in other to prevent threats their organizations faces but we don’t see the same trend for small organizations. Traditionally, starting a threat intel program not only requires a team of experts but also the technology to produce the data but today, that is no longer the case. With a little coding knowledge, anyone can join the OpenThreat community and consolidate a list of OpenSource threat intel tools to collect intelligence and take automated actions to remediate the threat. During this talk, we will go over how we can exploit systems from a single threat intelligence.
Abdel is a lead application security engineer at Allstate and president of the Chicago CyberSecurity (CCS) organization. With over five years of experience in security and ten years in the IT industry, Abdel is passionate about a wide range of security topics, including Threat Intelligence, DevSecOps, and Artificial Intelligence and security integration. He received his master’s in Cyber Forensics & Security from the Veteran’s Administration, PayNet and Allstate. As president of CCS, Abdel is dedicated to unifying the security community and promoting security education.
Information Assurance/Cybersecurity requirements for working with/for the US Government
Day - 1
Dr. David Anderson
Information Assurance/Cybersecurity personnel requirements for working with/having a full time, contractor or liaison position with a branch of the US Government in an Information Assurance/Cybersecurity role. I will discuss the current DoD Directives that provide the basis for the enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce.
These directives apply to the all U.S.A. Govt. departments as well as, contracts for personnel providing IA functional services for U.S.A. DoD information systems (IS) via appropriate Defense Federal Acquisition Regulation Supplement (DFARS) clauses.
Dr. David Anderson is the chair and a professor of the CIS Department at Triton College. He has earned the MCSE, CCNA, Cisco Cyber Security Specialist, CIW security Professional, CompTIA and other technical certifications.
Before retiring from the US Army, he earned the US Army's Airborne, Ranger, and NBC (nuclear, biological, chemical) warfare skill identifiers and served as the 2nd ACR Border Operations Officer on the East-West German border, as an instructor at the US Army Armor Center and School, Ft. Knox, KY., as the OIC, Operations and Security, US Army-Kuwait. He has also been a Senior Systems Engineer for Allstate Insurance, and as a training advisor for Raytheon.
His most recent IT qualification is Securing Cisco Networks with Threat Detection and Analysis (Cisco exam 600-199), approved as a Department of Defense (DoD) 8570.1-M Certification.
His most recent publication is: POST-SECONDARY EDUCATION NETWORK SECURITY: THE END USER CHALLENGE AND EVOLVING THREATS. K. Reimers, D. Anderson. ICERI2017: 10th annual International Conference of Education, Research and Innovation.
From Energy Efficient Driving to Secure Autonomous Driving
Day - 2
A large number of studies have dealt with eco-driving, have defined rules, and have provided eco-feedback to make drivers aware of energy efficiency. Current research found that human beings can hardly look at all necessary surroundings. In a digital world, cars connect to their surroundings and energy efficient driving can be done by an algorithm. An autonomous car can stick to the optimal route—overtaking the driver's response.
In addition, digitalization and the future electrification of cars is a disruptive change that opens new avenues of research in many fields. In practice, human beings need to consider this response conscious. On the one hand, crashes are made by cars and no longer by the human being. On the other hand, this technology has to be safe and secure. With all the benefits from the digitalization, security has to fulfill multiple aspects such as protection of the car from other cars and other connected devices.
Matthias Gottlieb holds a master of science in informatics at the Technical University of Munich (TUM). Currently, he is working as a scientific research assistant at the chair of information systems. As part of his position, he made several projects on Big Data, employer attractiveness, driving simulator. He is an expert in experimental design and supervised multiple student theses.
Besides, he holds the position of the teaching assistant of the chair and he has been the course coordinator for the bachelor’s degree in information systems of the department of informatics at the TUM for more than five years. He gathered teaching experiences by being the representative of several courses. In addition, he was joining the local arrangement chair of the International Conference on Information Systems (ICIS) 2019 in Munich. He is the Deputy Editor-in-Chief of the international Journal of Engineering Pedagogy (iJEP). Recently he is a visiting researcher at the Department of Information Technology and Management in the School of Applied Technology and at the Center for Cyber Security and Forensics Education at the Illinois Institute of Technology.
THE CASE FOR IT TRAINING WITHIN CONAKRY, GUINEA: USABILITY AND PERFORMANCE EVALUATION
Day - 2
DR.Maurice Dawson and Damon Walker, ILLINOIS INSTITUTE OF TECHNOLOGY
Waiting for content
Quantum Computing for Cracking Public Key Cryptography
Day - 1
Rebecca Hixson, Robert LeBeau, Craig Thompson, School of Applied Technology, IIT
Present methods of asymmetric (public key) encryption rely on the difficult nature of cracking their encryption algorithms due to the mathematical properties that they employ. These encryption algorithms take advantage of using very large semiprime integers to encode information. The process of cracking an encrypted message boils down to the ability of a program to find the factors of these large semiprime integers. Traditional computing is capable of such a feat, but the time it takes to compute the correct factors far exceeds the time during which the encrypted information is of value. A possible solution lies in the power of quantum computing to crack encryption within useable time frames.
This project investigated and then implemented semiprime factoring algorithms that we ran, first on quantum computer simulators, and then on real quantum computers. We report our experiences and results and discuss the future for public key encryption.
JPEG Steganography Using BPCS
Day - 1
Flavien Andrieux, Clément Deltel, School of Applied Technology, IIT
Bit Plane Complexity Segmentation (BPCS) steganography hides secret data within an innocent looking JPEG cover file. This project investigates and analyzes BPCS and then creates steganographic software that does this using BPCS techniques.
BPCS takes the advantage of eye limitation where a human cannot identify shape information in a complicated pattern. The main scheme behind BPCS steganography is to divide the bit-planes of the binary image into informative and noise-like regions. The noise-like regions in the bit-planes of the cover image can then be replaced with secret data without affecting the image quality. The secret data is hidden into noise-like regions of the cover image.
MP4 Steganography Using Motion Vectors
Day - 1
Raiven Johnson, Paul O’Brien, School of Applied Technology, IIT
This project developed a technique to covertly encode information within MP4 video files. An algorithm was developed to analyze all the motion vectors in an MP4 file and determine which motion vectors would be selected as candidates for hiding secret information. Once selected, the motion vectors were modified to carry our covert message. Motion vectors were selected by measuring the magnitude of each vector and determining a threshold for selection. Once motion vectors were selected the phase angle of the vector was analyzed to determine if the horizontal value would be modified or the vertical value would be modified, and the least significant bit for the appropriate portion of the motion vector modified to carry the message.
Big Data Crime Analysis : A Statistical Analysis of Chicago from 2008 to 2018
Day - 2
As the concept of the Internet of Things (IoT) progresses in a more accessible manner, the risk factors that users face while roaming the Cyberworld are becoming increased. The contemporary world of hyperconnectivity creates the necessity of developing strong systems and frameworks against nefarious users threatening the security of information and data. This study provides insights into the IoT information security (InfoSec), the security of data, as well as any risk factors that could potentially delay further development in the world of hyperconnectivity. In addition, we conducted a literature review to provide insight into existing frameworks and the importance of combating threat agents.
Analysis of the US Privacy Model – Implications of the GDPR in the US
Day - 2
Francisco García Martínez, Illinois Institute of Technology, USA
The creation of the General Data Protection Regulation (GDPR) constituted an enormous advance in data privacy, empowering the online consumers, who were doomed to the complete loss of control of their personal information. Although it may first seem that it only affects companies within the European Union, the regulation clearly states that every company who has businesses in the EU must be compliant with the GDPR. Other non-EU countries, like the United States, have seen the benefits of the GDPR and are already developing their own privacy laws.
In this paper, the most important updates introduced by the GDPR concerning US corporations will be discussed, as well as how American companies can become compliant with the regulation. Besides, a comparison between the GDPR and the state of art of privacy in the US will be presented, highlighting similarities and disparities at the national level and in states of particular interest.
Misuse of Data for Information Warfare
Day - 2
Francisco García Martínez, Illinois Institute of Technology, USA
Daily it appears that there are breaches causing millions of users to have their personal information taken, exposed, and sold on the Dark Web in exchanged for encrypted currencies. Recently, news has surfaced of major social media sites allowing emails to be read without user consent. These issues bring upon concern for the misuse of data and more importantly how can this be used for information warfare and the exploitation of targeted groups through the use of the Internet. It is essential that managers review current data policies to ensure that they do not become victims of information warfare.
Francisco García Martínez is a Double Diploma graduate student pursuing an M.Sc. in Computer Science at Polytechnic University of Madrid (UPM) and a Master of Information Technology & Management at Illinois Institute of Technology (IIT), specializing in Computer and Information Security. Besides, he has a master’s degree in Advisory and Consultancy of Information and Communications Technology with a primary focus on data protection. Francisco also holds a B.Eng. in Computer Engineering from Complutense University of Madrid (UCM). Granted with a TASSEP scholarship, he finalized his bachelor’s degree completing a research project in network intrusion detection systems at Queen’s University of Kingston (Ontario, Canada) that was awarded the second-best Final Degree Project of 2017 UCM promotion by Sopra Steria. Additionally, Francisco is certified in Information Security Foundation based on ISO/IEC 27001 and ITIL Foundation Certificate in IT Service Management.
Supply Chain Attacks (a 3rd party keys to the castle)
Day - 2
Louis F. McHugh IV, Educational Technology Leadership, Concordia University Chicago
Traditionally, a supply chain is how businesses get raw materials to build their goods or provide services. Today a supply chain can be anything from an order of chemicals to make a product to a software solution that allows users to download the latest release of your company’s software. Like all facets of life cybersecurity to becoming a major area of focus when it comes to these supply chains. In the past, few years we have seen these supply chain attacks take place in an increasingly alarming rate. One only has to look at Target, Merck, and CCleaner for examples.
In this talk, we will look at what these attacks are, how they happen, examples, the economic impact, and possible solutions to mitigate these risks. Without locking down all the ways into the castle, the gold is only a room away and the door in wide open in some cases.
Lung Cancer Detection Using Residual Networks
Day - 2
Tsega Weldu Araya, Computer Applied Technology, Illinois Institute of Technology
This research experiment develops and demonstrates a Computer Aided Diagnostics (CAD) system to help detect lung cancer nodules using Convolutional Neural Network (CNN) and Residual Network (ResNet) and help classify their malignancy or benign nature.
Here we demonstrate a CAD system for lung cancer classiﬁcation of CT scans with unmarked nodules, a dataset from the Huazhong university of science and technology lung cancer CT scans, Kaggle Data Science Bowl 2017 and LUNA (LUng Nodule Analysis) 16 ISBI. There were two segmentation methods we used, we started with Thresholding as an initial segmentation approach to segment out lung tissue from the rest of the CT scan. Thresholding produced a better result for segmentation for the processing time it took. The second segmentation method used was Watershed which on took nearly 2 weeks on a large data set to provide accurate output images.
The first approach we determined, was to directly feed in the segmented CT scans into 3D CNNs for classiﬁcation using Microsoft Cognitive Toolkit (CNTK) which includes ResNet, but this proved to be inadequate and produced high probability of error and misdiagnoses. Instead, I discovered that a modified U-Net trained on Luna16 data (CT scans with labeled nodules) was used to ﬁrst detect nodule candidates in the HUST data set provided. Upon training a slightly modified U-Net to detect nodules, it produced many false positives, so regions of CT scan images with segmented lungs where the most likely nodule candidates were located as determined by the U-Net output were fed into Deep ResNet provided by Microsoft Cognitive Toolkit (CNTK) to ultimately classify the CT scan as positive or negative for lung cancer.
This CAD system that was worked on and designed had three major phases (segmentation, nodule candidate detection, and malignancy classiﬁcation), allowing more efﬁcient training and detection and more general approach to encompass other forms of cancers.
Cyber-physical Systems Security
Day - 2
We outline topics in cyber-physical systems security. The goal is to enumerate Fundamental security primitives specific to cyber-physical systems and to apply them to a broad range of current and future security challenges. Various techniques used by to compromise computer systems or otherwise interfere with normal operations are explored including countermeasures.
A scheme of anomalous detection for load balancing using deep learning
Day - 2
Hye-Young Kim, Hongik University
The network anomalous detection using deep learning methods have been discussed with potential limitations and interests. There are used to define patterns of malicious network loads, while anomalous detections is more suitable for detecting normal and anomalous network loads on deep learning. The important goal of these issues is to recognize the anomalous detections for better preparation against future load balancing of networks. In this paper, we propose an agent Detectbot that processes anomalous detection for load balancing based on deep learning.
Event-Driven Attacks on Database Systems
Day - 2
Somendra Chaudhary and Vasanth Pranavan Selvam, Illinois Institute of Technology
Data is generated at a very fast speed in today's world and the final destination of such data is database. Data is stored in the database in order to manage these data easily and efficiently. All data manipulation and maintenance operations are performed using the Database Management System. Given the importance of data in the organization, securing the data present in the database is absolutely essential. The one that is safe from various possible database attacks is a secure database. The integrity of the databases is compromised due to these security attacks rendering the system incapable of performing the required functions. SQL Injection, Privilege-Abuse and Brute-force attacks are some of the ways in which the security of the database can be compromised. The number of the security issues increase if the database increases in complexity. In this paper, we discuss the major threats to database system like SQL Injection, Privilege-Abuse and Brute-force attacks under two events viz., Excessive Privileges and Weak Audit. We determine which events make the database vulnerable to which types of attacks.
Towards a Scenario-Based Approach for an Electronic Driving Management System Architecture: A Case STUDY
Day - 2
Martin Gottlieb-Schaflechner, Matthias Gottlieb and Harald Hagel
Electronic driving management systems are a suitable tool to control certain businesses’ mobility resources and to contribute to human resource management purposes. We investigate different scenarios for such a driving management in the context of electrified powertrains such as electromobility and digitization, with a regional focus on Germany. Therefore, a literature review has been conducted resulting in 50 driving scenarios that can be derived. The driving scenarios are divided into four dimensions splitting into two further categories. These driving scenarios shall build the foundation for an future electronic driving management architecture which is essential to meet the new requirements of electromobility. These requirements increase the complexity of the overall socio-technical system, making it challenging to manage electronical driving.
Managing third-party vendor security
Day - 2
Hannah Dawson, NCC Group
An organization’s throughout assessment of its position within the information security supply chain is a critical step to building a secure enterprise infrastructure. Questions like “Who has access to our data assets?”, “What type of data are they receiving from us or are we receiving from them?”, “How do they access our data assets?”, and “How do they handle, store, and process them?” need to be answered and evaluated to be able to accurately assess third-party risks and the impact it has on the organization. After examining three different breaches caused by third-party vendors this paper aims to outline the importance of third-party vendor security and the impact criticality it possesses on an organization’s business operations, as well as steps an organization should take to ensure third-party vendor security risks are reduced to acceptable risk levels. The methodology of this paper’s vendor security assessments and recommendations for best practices in managing third-party vendor security are based on the NIST CSF and ISO/IEC 270001 frameworks.
BUILDING A MOBILE APP PEN TESTING BLUEPRINT
Day - 1