Projects & Presentations
A menagerie of things I've been up to lately.
Cyber-Hygiene for All: An Introduction to the CIS Controls
RSA, 2020 (Slides)
Co-authors: Phyllis Lee
The CIS Controls are one of the most popular cybersecurity standards in the world, used by auditors, CISOs and security professionals like you. This session will explore the CIS Controls and highlight the free tools, techniques and guidance CIS provides to overcome pitfalls and barriers to adoption in your organization.
CIS Telework and Small Office Network Security Guide
CIS, 2019 (Document)
Editor: Joshua Franklin
Contributors: Alan B. Watkins (ABW Consulting LLC), Stephen Campbell (Non-State Threat Intelligence LLC), Uros Trnjakov (Oxfam GB), Maurice Turner (Center for Democracy & Technology), [Aaron Piper, Michael K. Wicks, Robin Regnier, Aaron Wilson, Phil Langlois] (CIS)
Prioritizing ATT&CK Informed Defenses the CIS Way
ATT&CK-con 2.0, 2019 (Slides)
Co-authors: Phillipe Langlois
In a world of limited resources, organizations have to be strategic and meticulous in their planning and selection of security controls and the MITRE ATT&CK model has become an important piece for categorizing and understanding adversary techniques and contextualizing our own defenses. However, there still underlies a difficult question, where should organizations start and how should they prioritize their cybersecurity efforts? Join CIS as we explore our attempt to tackle this problem through the use of our community, content and real-world threat data collected as part of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Participants should look forward to learning how to prioritize their security efforts and leverage the process for their own data and threats.
CIS Controls IoT Companion Guide
CIS, 2019 (Document)
Editors: Mary C. Yang (MITRE) & Joshua M. Franklin (CIS)
Contributors: Vytautas Kuliesius (NRD Cyber Security), Staffan Huslid (Knowit Secure), Tony Krzyzewski (SAM for Compliance Ltd.), Karen Scarfone (Scarfone Cybersecurity), Emilio Grande-Garcia, Joseph M. DiPipi (Zoetis), Stephanie Domas (MedSec), Brian Russell (Cloud Security Alliance), [Robin Regnier, Philippe Langlois (CIS)]
Internet of Things (IoT) devices aren't just invading our homes; these smart, connected machines are in the workplace and virtually every other public and private location we visit daily. To help secure this new frontier, CIS released the free CIS Controls® Internet of Things Companion Guide to help organizations apply the CIS Controls to the IoT. The CIS Controls are internationally-recognized cybersecurity best practices for defense against common cybersecurity threats. They are used within a variety of industry sectors, and throughout local, state, and federal governments.
Prioritizing the CIS Controls: An Introduction to CIS Implementation Groups
MS-ISAC Conference, 2019 (Slides)
This presentation was given to state, local, and tribal authorities at the 2019 Multi-State Information Sharing and Analysis Center (MS-ISAC) conference. It was the first public presentation on the CIS Controls Implementation Groups.
CIS Controls Mobile Companion Guide
CIS, 2019 (Document)
Editors: Sean Frazier (Duo) & Joshua M. Franklin (CIS)
Contributors: Tim LeMaster (Lookout), Angelos Stavrou (Kryptowire), Paul Campbell (Whitepages), Tyler Desjardins, CISSP (Blackberry), Stephen Campbell (Non-State Threat Intelligence, LLC), Joseph Martella (American Airlines), Jenifer Bauer (Now Secure), [Phil Langlois, Jordan Rakoske, Robin Regnier (CIS)]
The CIS Controls team has released a new companion guide to help organizations break down and map the applicable CIS Controls and their implementation in mobile environments. This new resource helps organizations implement the consensus-developed best practices using CIS Controls Version 7 for phones, tablets, and mobile applications. For the mobile companion guide, we focused on a consistent approach on how to apply the CIS Controls security recommendations to Google Android and Apple iOS environments. Factors such as “Who owns the data?” and “Who owns the device?” all affect how the device can be secured, and against what threats. The guide explores various ways that organizations purchase, provision, and provide devices to employees. Styles include bring your own device (BYOD), corporate-owned, personally-enabled (COPE), fully managed, and unmanaged.
Defending the 2018 Midterm Elections From Foreign Adversaries
DEF CON, 2018 (Slides)
Co-authors: Kevin Franklin, Ian Weinstock, Eli Franklin
Election Buster is an open source tool created in 2014 to identify malicious domains masquerading as candidate webpages and voter registration systems. During 2016, fake domains were used to compromise credentials of a Democratic National Committee (DNC) IT services company, and foreign adversaries probed voter registration systems. The tool now cross-checks domain information against open source threat intelligence feeds, and uses a semi-autonomous scheme for identifying phundraising and false flag sites via ensembled data mining and deep learning techniques. We identified Russian nationals registering fake campaign sites, candidates deploying defensive—and offensive—measures against their opponents, and candidates unintentionally exposing sensitive PII to the public. This talk provides an analysis of our 2016 Presidential Election data, and all data recently collected during the 2018 midterm elections. The talk also details technological and procedural measures that government offices and campaigns can use to defend themselves.
NIST SP 800-163 Revision 1: Vetting the Security of Mobile Apps
NIST, 2018 (Slides)
Co-authors: Michael Ogata, Stephen Quirolgico, Vincent Sritapan, Jeffrey Voas
Mobile applications have become an integral part of our everyday personal and professional lives. As both public and private organizations rely more on mobile applications, securing these mobile applications from vulnerabilities and defects becomes more important. This paper outlines and details a mobile application vetting process. This process can be used to ensure that mobile applications conform to an organization’s security requirements and are reasonably free from vulnerabilities.
Marginal Remarks on Voting System Security
US Election Assistance Commission TGDC, Sept 2017 (Slides)
This presentation presents the current state of voting system security to a US federal advisory board and provides recommendations to improve security.
The State of US Voting System Security
DEF CON Voting Village, 2017 (Slides)
This presentation chronicles the current state of voting system security and describes additions to federal guidelines to address new threats in the election landscape.
Building Threat Models for the Mobile Ecosystem
Android Security Symposium, 2017 (Slides)
Co-authors: Michael Peck, Christopher Brown, Spike Dog
This presentation will provide an in-depth discussion and analysis of NIST's National Cybersecurity Center of Excellence's (NCCoE) efforts to enumerate and model these threats, resulting in our Mobile Threat Catalogue and a mobile profile of MITRE's ATT&CK model. NCCoE's mobile security efforts are dedicated to solving enterprise mobile security challenges. In talking with mobile security stakeholders, we realized there was a need for a comprehensive catalog of threats posed to mobile devices. The resulting Catalogue outlines a taxonomy of threats, including those faced by a mobile device itself as well as the broader mobile ecosystem upon which the device depends. Each Catalogue entry includes a title, exploit examples, countermeasures, and references. The Catalogue resides on GitHub, enabling public collaboration and continuous development.
Mobile Data & Application Isolation - Project Update
Public Safety Communications Research, 2016 (Slides)
The NPSBN will enable first responders to use modern mobile devices for interoperable public safety operations. While this fundamentally changes how first responders will communicate and access public safety resources, the mobile devices, and the data and applications residing on them, need to be secured against mobile malware and other threats. Protection mechanisms will need to include methods to isolate commercial applications from mission critical ones, while providing management and reporting capabilities to determine if a device is compromised. Note: This slide deck focuses on discussing preliminary research.
NISTIR 8071: LTE Architecture Overview and Security Analysis (Draft)
NIST, 2016 (Report)
Co-authors: Michael Bartock, Jeffrey Cichonski
Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations.
NISTIR 8080: Usability and Security Considerations for Public Safety Mobile Authentication (Draft)
NIST, 2016 (Report)
Co-authors: Dr. Yee-Yin Choong, Dr. Kristen K Greene
There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN). However, cybersecurity requirements should not compromise the ability of first responders to complete their missions. In addition, the diversity of public safety disciplines means that one solution may not meet the usability needs of different disciplines. Understanding how public safety users operate in their different environments will allow for usable cybersecurity capabilities and features to be deployed and used. Although first responders work in a variety of disciplines, this report is focused on fire service, emergency medical, and law enforcement. This report describes the constraints presented by the personal protective equipment, specialized gear, and unique operating environments and how such constraints may interact with mobile authentication requirements. The overarching goal of this work is analyzing mobile authentication technologies to explore which may be more appropriate and usable for first responders in a given environment.
NIST SP 1800-4: Mobile Device Security - Cloud & Hybrid Builds
NIST, 2015 (Report)
Co-authors: Christopher Brown, Kevin Bowler, Sallie Edwards, Neil McNab, Matthew Steele
This NIST Cybersecurity Practice Guide demonstrates how commercially available technologies can meet an organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices. In our lab at the NCCoE, part of the National Institute of Standards and Technology (NIST), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution. We demonstrate how security can be supported throughout the mobile device lifecycle.
Defending Election Campaigns from Cyberspace
BSides DC 2015 (Slides) (Code)
Co-authors: Kevin Franklin
Electoral candidates from both sides of the aisle increasingly rely on the internet to promote their brands and to focus the message of their political platforms. Yet cyberspace isn’t safespace. How do voters know they’re viewing a candidate’s real website? How can voters ensure their online donations are actually going to a specific candidate or cause? Election cybercrime is a burgeoning area, but little data exists on the size and scope of these unscrupulous activities. We wrote our own open source suite of tools to begin to measure the scope of this problem and used it to scan every single candidate running for the House and Senate (1000+ candidates) in the 2014 General Elections. In this session we’ll discuss the results of our scans and explore how candidates and voters can defend themselves online.
LTE Security - How Good Is It?
RSA 2015 (Slides)
Co-authors: Jeff Cichonski
LTE standards purport to provide strong security. However, many security protections are optional, with all the carrier variations that implies. We present an overview of the LTE standards, technology, and security architecture. We also describe the threats to LTE networks (rogue towers, eavesdropping, renegotiation attacks, etc.) and their mitigations, and contrast these with the security mechanisms the standards actually require.
Considerations for Identity Management in Public Safety Mobile Networks
NIST, March 2015 (Paper)
Co-authors: Nelson Hastings
NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks, analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.
Tap on, tap off: Onscreen keyboards and mobile password entry
Shmoocon 2015 (Slides)
Co-authors: Dr. Kristen K. Greene, John Kelsey
Password entry on mobile devices significantly impacts both usability and security, but there is a dearth of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. A primary accomplishment of this work is our method of optimizing the input of randomly generated passwords on mobile devices via password permutation. This is done by grouping character classes (i.e., uppercase, lowercase, digit, symbol) together to minimize the total number of required keystrokes and decrease cognitive load. We propose a measurement method for quantifying effects on entropy resulting from this password permutation. Additionally, we created and are releasing python scripts, and make use of an existing publicly available NIST data visualization tool to facilitate comparison between usability and security metrics.
Exploring Usability and Security Metrics for Passwords on Mobile Platforms
ACSAC 2014 Poster Session (Poster)
Co-authors: Dr. Kristen K. Greene
This poster discusses work in progress. We are exploring the current state of both usability and security metrics applicable to passwords, and discussing our experiences in attempting to use these metrics in a real world situation.
LTE Security - Facts & Fictions
Common Vulnerability Scoring System Implementation Guidance
NIST, April 2014 (Paper)
Co-authors: Harold Booth, Charles Wergin
This Interagency Report provides guidance to individuals scoring vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. CVSS defines a vulnerability as a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability. The guidance in this document is the result of applying the CVSS specification to over 50 000 vulnerabilities scored by analysts at the National Vulnerability Database (NVD). This document is intended to serve as an extension to the CVSS Version 2.0 specification, providing additional guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.
Malicious Online Activities Related to the 2012 U.S. General Election
ShmooCon 2014 (Slides)
Co-authors: Matthew Jablonski, Robert Tarlecki
This presentation looks back at the number of ways that the 2012 Presidential election was bought, sold, and manipulated through malicious online activities. We identify activities that could be classified as manipulative, mischievous, or downright illegal, such as fake campaign donation sites, political spam, attempts to sell ballots, privacy violations, and rogue Super PACs. For each of these activities we provide examples of sources that demonstrate their online presence during the 2012 election and include additional information. We also include examples of malicious election activity in recent elections. Finally, we attempt to examine and discuss the motivations and methods behind these malicious activities.
An Introduction to Cellular Security
Open Security Training, 2014 (Class Page) (Slides)
This 8 hour Open Security Training class is intended to demonstrate the core concepts of cellular network security. Although the course discusses GSM, UMTS, and LTE - it is heavily focused on LTE.
NIST SP 800-164: Guidelines on Hardware Rooted Security in Mobile Devices (Draft)
NIST, 2012 (Report)
Co-authors: Lily Chen, Andrew Regenscheid
Many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts. This document focuses on defining the fundamental security primitives and capabilities needed to enable more secure mobile device use. This document is intended to accelerate industry efforts to implement these primitives and capabilities. The guidelines in this document are intended to provide a baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD).
Common Software Weaknesses Reported in Evoting Systems
Software Assurance Forum, September 2012 (Slides)
Co-authors: Michael Kass
This presentation discusses the architectures of electronic voting systems typically used in the U.S. today, and the kinds of software security weaknesses and vulnerabilities identified in independent security assessments of those systems. In particular, reported security vulnerability information is presented from the 2007 state-sponsored California Top to Bottom Review (TTBR) and Ohio EVEREST independent security assessments of electronic voting systems used in those states.
Interpreting Babel: Classifying Electronic Voting Systems
EVOTE 2012 (Slides) (Paper)
Co-authors: Jessica Myers
Generalized Protocol for Certifying E-Voting Systems
State Certification Testing of Voting Systems National Conference, June 2012 (Slides)
Co-authors: Dr. Jay Bagga, Jessica Myers
The certification of voting systems is both an art and a science, drawing from a variety of scientific fields while requiring astute political and sociological knowledge. This work attempts to abstract from all the layers and complexities of voting system certification and propose a protocol to be used as a guide when certifying voting systems. It represents current best practices, and incorporates ideas from both the federal and state certification programs. Although the protocol is generalized, it is intended to be extremely practical. This work applies to certification at all levels in the United States, including federal, state, and local. It attempts to aggregate best practices and knowledge of certification processes at these levels to produce a certification protocol that can be continually revised. In the author's opinion, the certification authority granting or denying certification possibly plays the largest role in the certification process, in that the skill, personnel, and resources of that entity are used to assess a voting system against the certification requirements. As a best practice, the certification authority should work closely with the local election officials running elections, and incorporate this perspective into the certification process.
Checking the List Twice
State Certification Testing of Voting Systems National Conference, June 2012 (Slides)
Co-authors: Matthew Masterson, Danielle Sellars
This presentation documents our experiences in verifying the physical, software, and setup configuration of the voting systems in Ohio's 88 counties.
A Survey of Internet Voting
Election Assistance Commission, August 2011 (Paper)
Co-authors: Jessica Myers
The EAC's Survey of Internet Voting is a comprehensive review of Internet voting systems used in elections worldwide between 2000 and 2011. EAC staff conducted the study to assist in the development of electronic absentee voting guidelines, specifically to assist the Commission's efforts to identify technologies that could improve services for military and overseas voters and voters with disabilities.