We are proud to announce that
has been designated a
Center of Academic Excellence in Cyber Defense Education
By the Department of Homeland Security and the National Security Agency
for the curriculum path
MS in Computing with a specialization in Information Assurance and Cyber Defense
Here is a photo that was taken at the recognition ceremony that took place at the annual Executive Leadership Forum for the CAE Community. Dr. Kaczmarek, Director, Center for Cyber Security Awareness and Cyber Defense, Marquette University, is standing with Harry Coker Jr., Executive Director, NSA, and Bradford J. Willke, Director (acting), Stakeholder Engagement and Cyber Infrastructure Resilience, Cyber Security Division, US Department of Homeland Security.
ETHICS BELONGS in DATA GOVERNANCE - May 1, 2019
The 4th annual Ethics of Big Data symposium was sponsored by our Center for Cyber Security Awareness and Cyber Defense and this year hosted by the Northwestern Mutual Data Science Institute. This was probably the best effort yet in the series. There were several excellent presentations that addressed privacy and acceptable use of information.
What was striking about the meeting's content is the shift that has occurred in the ethical expectations of society regarding the collection, management, and use of data and the abiding need to consider the ethical use of data.
As background, last week a textbook under consideration for use in courses recounted a 1980 agreement on professional ethics. The agreement was developed by the international Organization for Economic Cooperation and Development (OECD). The five rules that were mentioned in the agreement held by 30 countries were as follows:
- Collect only what you need
- Do not share information
- Keep information up to date
- Use information only for the purpose for which it was collected
- Destroy information when it is no longer needed.
Clearly, that came from a different time. While researchers in academia may have lived by rules similar to those in the OECD agreement, the commercial organizations that hold that data clearly behave in a way that seems to reflect the following:
- Collect data that you can sell
- Monetize the data you have collected and sell access
- Provide instant access to data as it is collected
- Provide an API so that data can be used by others
- Keep information because you never know when you'll discover a future use to make better decisions
While the cybersecurity professionals are suggesting a strategy of "Zero Trust" for access control, organizations appear to be promoting "Just Trust Me" with their customers. There is a conflict between need-to-know for security and right-to-use for benefits.
At the symposium, there was some discussion about anonymizing data for privacy concerns, but anonymization has flaws: when the collection of attributes used to describe a sub-population effectively describes only one person, an outlier, that person is exposed. Moreover, anonymization falls short in a world where multiple data sources can be aggregated and aligned. Consider how someone can triangulate information about internet searches for a product, data found in anonymized credit records, and geo-location records obtained from a smart phone. If someone did a web search for a product, there is an anonymized credit card record showing that product was sold at a particular time at a particular store, and there is a record that the user doing the search was at the location of the store at the time of the credit record, it is a pretty good bet that we can identify who made the purchase. The integration of data sources can defeat protections built into any one data set and lead to a mathematical conclusion of certainty, in the same way that cryptography can be used to assign non-repudiation with certainty.
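As an added illustration of the triangulation argument above (example code, not from the original post), the audit below runs on constructed search, purchase and location data: the column names, the CATEGORY map and the 4-hour window are assumptions. It measures how many people each released purchase record could map to once the three sources are joined, flags the outlier record that only one person fits, and shows that generalizing the quasi-identifiers raises the minimum group size.

```python
"""Re-identification risk audit on constructed 'anonymized' data sets.
Added example; all records below are constructed, not real data."""
from collections import Counter

# Constructed anonymized credit-card records: card token, store, product,
# and the one-hour window [start, end) in which the sale happened.
CREDIT = [
    {"token": "c1", "store": "Store-A", "product": "espresso machine", "hours": (12, 13)},
    {"token": "c2", "store": "Store-A", "product": "coffee beans", "hours": (12, 13)},
    {"token": "c3", "store": "Store-A", "product": "coffee beans", "hours": (12, 13)},
    {"token": "c4", "store": "Store-B", "product": "coffee beans", "hours": (13, 14)},
    {"token": "c5", "store": "Store-B", "product": "coffee beans", "hours": (13, 14)},
]
# Constructed geo-location pings: pseudonymous device id, store, hour.
PINGS = [("d1", "Store-A", 12), ("d2", "Store-A", 12), ("d3", "Store-A", 12),
         ("d4", "Store-B", 13), ("d5", "Store-B", 13), ("d4", "Store-A", 9)]
# Constructed search log: the same pseudonymous device id, product searched.
SEARCHES = [("d1", "espresso machine"), ("d2", "coffee beans"),
            ("d3", "coffee beans"), ("d4", "coffee beans"), ("d5", "coffee beans")]
# Assumed product-to-category map used when generalizing a release.
CATEGORY = {"espresso machine": "kitchen", "coffee beans": "kitchen"}
QUASI_IDS = ("store", "product", "hours")  # attributes an outsider could also know

def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Size of each group of records that share the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def min_k(records, quasi_ids=QUASI_IDS):
    """k-anonymity level of the release: the smallest such group."""
    return min(equivalence_classes(records, quasi_ids).values())

def outliers(records, quasi_ids=QUASI_IDS):
    """Records whose attribute combination describes only one person (k == 1)."""
    sizes = equivalence_classes(records, quasi_ids)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1]

def linkage_candidates(record, pings=PINGS, searches=SEARCHES):
    """People one released purchase could belong to after aligning the sources:
    devices that searched the item (or its category) and were at the store
    during the record's time window. A single candidate means re-identification."""
    lo, hi = record["hours"]
    at_store = {dev for dev, store, hour in pings
                if store == record["store"] and lo <= hour < hi}
    searched = {dev for dev, item in searches
                if item == record["product"] or CATEGORY[item] == record["product"]}
    return at_store & searched

def generalize(records, hour_bucket=4):
    """Coarsen the release: exact product -> category, exact hour -> wider window.
    The store is kept, assuming the data consumer needs it."""
    out = []
    for r in records:
        start = (r["hours"][0] // hour_bucket) * hour_bucket
        out.append({**r, "product": CATEGORY[r["product"]],
                    "hours": (start, start + hour_bucket)})
    return out

if __name__ == "__main__":
    for label, data in (("raw release", CREDIT), ("generalized release", generalize(CREDIT))):
        print(label, "min k =", min_k(data), "outliers =", [r["token"] for r in outliers(data)])
        for r in data:
            print("  ", r["token"], "maps to", sorted(linkage_candidates(r)))
```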
The keynote speaker at the Ethics of Big Data suggested that we now have pervasive data which has benefited computational social scientists in conducting all sorts of analysis about human behavior. It was mentioned that the scientific method in social sciences has become obsolete. The scientific method begins with a hypothesis and proceeds to define an experiment and collect data. In computational social science, the creation of a hypothesis persists, but it is followed by consideration of where one might be able to access data to investigate the hypothesis. Twitter, Facebook, and customer reviews of products and services are popular sources of data. Public records published with a desire for transparency in government are another.
Because of Fear Of Missing Out (FOMO) we have pretty much given up the right to privacy. The greater good is served when computational social scientists are able to explain human behavior; users are better served when data about user location and behavior can be accessed by an app because, for example, smartphones are more useful when the Maps app can notify us that it found a nearby restaurant with cuisine we enjoy around our normal lunch time.
So, we have a choice: do we believe that the use of pervasive data contributes to the common good, or that data should only be collected and used for a specific purpose and destroyed afterwards? No matter what you believe, you should ask what you are going to do about it.
Regardless of the ethics you apply, you should be thinking about the ethical use of the data you manage. What are you going to do to build an ethical community, a culture of ethical data management? DAMA International, like many professional organizations, encourages an ethical culture and in their case, it is an Ethical Data Culture. In their body of knowledge, the DMBOK (Data Management Body of Knowledge), they focus on the risks of unethical data handling practices, but they leave an organization to define its own ethics.
In reflecting on where a data ethicist would fit into an IT organization, it appears that the data governance process is the best home if you are fortunate enough to have one. While the data governance team (or process) will typically focus on the accuracy, completeness, consistency, timeliness, validity, and uniqueness of data, the concerns need to expand. The traditional four pillars of data governance (stewardship, quality, master data management and use cases) need a foundation in ethics. Like DAMA International, the Center encourages data management professionals to take a stand. Whether or not there is a formal data governance organization or process, data management professionals must take a stand; they must move the organization to an ethical data culture.
January 28th passed mostly in silence - February 1, 2018
Why do I mention January 28th? It was Data Privacy Day. So, what's the big deal?
Data Privacy Day is an annual international event to remind everyone to be diligent about online privacy and online information. The National Cyber Security Alliance led efforts in the USA to call attention to the event. Part of the message is to “own your online presence.”
So, here's the deal.
Part of owning your online presence is understanding what information about you is available to others. Why does that matter?
A recent investigative report that aired on a local TV station, “Bogus background check could be costing you money,” revealed how incorrect cyber information can hurt you. In this case a gentleman had his insurance rates go up dramatically because a company that collects credit records and provides them to insurance companies supplied bad data.
Yes, I know this is a case of garbage in garbage out, but whose garbage is it?
In this case the negative factors in the “Bogus background check” came from the victim’s son, who had the same first and last names but was “the second.” The son’s history was erroneously mixed in with the father’s record. According to the news story, the company supplying the report responded that they do rigorous checks to maintain quality; but they didn’t in what they characterized as a “rare case.” The algorithms did not perform as intended.
What was the advice of the investigative reporter? Check the information that is available for accuracy. Sounds like “own your online presence.” I’ll be sure to pass this story and this advice along to people come next Data Privacy Day (January 28, 2019). Maybe more people will take notice and think more about their online presence.
The investigative news story mentioned the offending companies, but I have left them off. These kinds of mistakes are detrimental to corporate reputation. Sure, it was inadvertent, but was the company paying enough attention to the collection and use of data? What were they doing to avoid unintended consequences? One of the companies mentioned had a hugely embarrassing incident recently. It was credited to lax policy enforcement. What about you and your company?
I am proud to say that Marquette University is putting together a Symposium on the Ethics of Big Data III. This is the third in a series of meetings on privacy, data collection, and the consequences of Big Data technology. This year we will meet on April 27 in a discussion that is open to businesses, academics, students, and the public. Folks at Northwestern Mutual are demonstrating their recognition of the importance by joining us to sponsor and host the meeting at their new tower in downtown Milwaukee. See https://www.marquette.edu/ethics-of-big-data for information. Other companies have regularly made an appearance and supported this annual event.
Help make a difference; be cyber security and privacy aware.
(See https://staysafeonline.org/data-privacy-day/about/ for information about Data Privacy Day and https://www.tmj4.com/news/i-team/bogus-background-check-could-be-costing-you-money to see the full story about the bogus background check.)
Cyber Security Awareness Requires Leadership - October 20, 2017
Cyber security is a question of leadership and awareness is the responsibility of leaders.
Almost all successes are the result of a proper combination of People, Process, and Technology. The importance of these three items is apparent in the examination of the cyber security incidents that have gained national attention. It always starts with people. People can prevent breaches or people can cause them. Incidents can result from inadvertent behavior or from malicious intent. Cyber Security Awareness focuses on reducing the inadvertent behavior that leads to failure of the security system. Often someone with malicious intentions takes advantage of the inadvertent action, but that is not always the case. There is not always a bad guy trying to take advantage of others.
Safety in manufacturing plants is not the same as safe computing but safety awareness is remarkably similar to Cyber Security Awareness. During my career before academia, I had the privilege of observing a dramatic improvement in plant floor safety that resulted from leadership and awareness. General Motors went from having a mediocre safety record to being by far the safest manufacturing environment in the industry.
The journey from mediocrity to excellence started with recognition of the problem created by workplace injury. Leadership from the C-suite resulted in having all executives take safety training from the world leader in workplace safety, DuPont. Having been in the explosives business, it is clear why DuPont emphasized safety.
The manufacturing organization followed the leadership of the VP of Manufacturing, Joe Spielman, in supporting the theme "Safety is Our Overriding Priority." The corporation regularly heard the message that came from DuPont, "All incidents can be avoided." The term "incident" replaced "accident" in the conversation because accidents imply that they are somehow unavoidable.
Measurements were put in place; goals were set and clearly articulated. For example, the goal at one assembly plant in Oshawa was a 50% reduction in lost time injuries and “recordable” injuries every three years. This led to reducing lost work day cases per 100 employees from 13 in 1994 to under 1 before the close of 2001. In 2002, GM plants from around the world had achieved an industry leading 3.6 recordable incidents per 200,000 hours worked compared to an industry average of 20.3.
A practice that helped lead to the improvement was attention to "near-misses." These were recorded and analyzed at safety meetings, which were mandated to occur regularly. In our office environment, we held these meetings weekly. The clear goal was fool-proofing the system. In all plants, serious near-misses required the Plant Manager to tour and assess the situation within 24 hours. Supervisors and team leaders were required to investigate all actual incidents before the end of a shift.
There is a strong parallel between this example and the Stop. Think. Connect. campaign coming from the Department of Homeland Security. This is one of the primary concepts included in the DHS program in cyber security awareness.
I mentioned that there must be attention to People, Process, and Technology. The culture must change. An example from GM of the emphasis on balanced attention to People, Process, and Technology can be found in the 2004 announcement of a new safety device aimed at reducing railcar workplace injury. A joint union-management memo stated, "constant vigilance to the safety process and ongoing training to ensure compliance to safe operating practices is necessary to protect all employees."
All of this provides a nice story for safety management. Why don't we do that for cyber security? Who is providing leadership? Who is measuring the organization? What are the goals?
I am organizing a Colloquium on Cyber Security Awareness to start a conversation about how we improve security within populations such as the general public, which uses hundreds of apps and social computing; our customers, who use our IT infrastructure to communicate with us; our employees, who have access to the information we need to secure; and students, who are the future of computing. This event will come in October, National Cyber Security Month.
M. Rosen, General Motors: Achieving and Maintaining World-Class Leadership in Worker Health and Safety in the Automotive Industry, Safety Management Education, May 2008, available online at http://safetymanagementeducation.com/wp-content/uploads/2015/06/Case_Study_GM_Truck_Plant_Case_study.pdf, retrieved 22 July 2016.
NIST publishes NICE Cybersecurity Workforce framework
The National Initiative for Cybersecurity Education (NICE) released Special Publication 800-181, the NICE Cybersecurity Workforce Framework. The framework presents common terminology to be used to support a capable workforce. It provides a common, consistent lexicon that categorizes and describes cybersecurity work by Category, Specialty Area, and Work Role.
The Cybersecurity Jobs Heat Map has also been updated with new data and other features to align with the NICE workforce framework. The CyberSeek portal provides access to the heat map.
Do you need Geek-speak to be convinced?
If setting up automatic system updates sounds too simple to be effective in combating cyber-attacks, consider this description of the same step instead:
employing the auto-configurator to engage both server side and client side dissociated daemons in a distributed multi-tasking environment to update the hierarchically organized services directory and install executable specifications, processing abstractions and physical implementations of application program interfaces, peripheral drivers, communication protocols, dynamically linked libraries, interpretable kernels, and other service components and abstractions to their most immediate revision levels as prescribed by the service vendors.
STOP.THINK.CONNECT.™ - May 15, 2017
Over the weekend there was an international alert about ransomware. This attack was particularly troublesome, because it combined a worm (a kind of malware that looks for ways to spread itself) with a “payload” that was ransomware, asking for a ransom to free up locked files.
The shame of the situation was that simple measures, which we remind users about regularly, could have prevented the infectious spread of this incident. The malware is named “WannaCry,” and it makes you want to cry to realize that following advice about not clicking on suspicious items and updating your system to the latest releases of software could have stopped this massive intrusion on cyber lives.
We are living in a cyber world; we cannot afford this kind of problem. A few simple steps can help avoid disruption.
- Keep a clean machine—get the latest versions of software and consider automatic updates to services and apps including your operating system
- Be web wise – keep aware of threats, think before you act, back up valuable work, and do not install random malware removal tools from untrusted sites
These are simple things. Are they too obvious to be taken seriously? Are you looking for something more technically complex for the advice to be believable? Don’t. Leave that to the technical experts who are constantly providing the complex solutions to make it easy for you.
Just take those simple steps. Clean up your computers, tablets, and smart phones. Be wary of the threats that are posed. Follow the theme put forth by the National Cyber Security Alliance, Stop.Think.Connect™ and visit their website regularly for information and tips.
WORLD PASSWORD DAY - May 4, 2017
Thousands of people and hundreds of global organizations will support WORLD PASSWORD DAY on May 4, 2017. We ask students, faculty, and staff to consider using multi-factor authentication.
As more and more sensitive data is stored online, the effects of cybercrime grow more significant each year. In fact, identity theft is among the fastest growing crimes in America. Passwords are critical gatekeepers to our digital identities, allowing us to access online banking, email, and social media, yet the majority of passwords are vulnerable to hacking. Millions of Americans have had their digital accounts hacked because of stolen credentials or weak logins, but many are not using widely available, simple technologies to better secure their online accounts.
The Center for Cyber Security Awareness and Cyber Defense suggests that you join on May 4 to take a social media pledge to improve your password habits. Go to https://passwordday.org/ to find out more and take the pledge.
Speak Up - November 29, 2016
This week I am sponsoring a meeting on campus entitled "Stay Safe Shopping Online." It will be tomorrow evening and I hope people take the time to come to listen to the messages about reality, security, responsibility, and recovery.
Here on a campus, from an academic perspective, this is unremarkable, but I felt the need to do it. I was thinking of opening the session with the disclaimer that there is nothing in the presentation that is original. The only thing that is original is the thought to make the presentation. Indeed, all of the material comes from sources readily available. The lesson for students, beyond the cyber security ideas, is, "If you feel there is a need to address a topic, take action, and speak up."
I suppose I could claim something about the importance of establishing a culture of cyber security awareness. How many times have experts told us about the importance of the correct culture for organizations? This is not about establishing a culture; it is about facing the facts and starting the conversation. Establishing a culture for this, or a culture for that, is manipulative. I have watched numerous leaders who worked at establishing a culture; and I have followed others who took the lead. I have seen many who advocated walking the talk and been skeptical. Something I learned from a leader that I followed is to talk the walk; that always seemed more effective.
But stay realistic. My observation is, if you believe in something, act on it out of passion, and speak up, it will either change the culture or not. The organization will be the judge.
So, from where does the material for "Stay Safe Online Shopping" come? It comes from people who felt some passion about cyber security awareness. They saw the need and started the conversation. I guess having heard them, I have either "drunk the Kool-Aid" or become a part of the culture.
I hope students leave campus with an openness to ideas, a penchant for action, and an eagerness to speak up. The education is there to help them to know what they are seeing, to know where to seek knowledge when they don't have it, to know what to do, and to speak up in a way people understand.
That represents a kind of culture too.
We just finished providing advice about Cloudbleed and now we have another incident requiring comment, the CloudPets data breach.
The number of users impacted (800,000) in this case is less important than the nature of this attack. The internet of things is booming. Refrigerators, televisions, cars and toys are becoming targets. Toys used to be push toys, then they became motorized, then they made sounds, and now they are becoming smart. Consumers need to be smart. In the case of toys, information about your children may be getting into the wrong hands.
The National Cyber Security Alliance (the nation's leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness) used their blog to produce a statement about CloudPets™ that includes some good advice and an infographic. While much of this is a repeat of the messages from Cybersecurity Awareness Month, you ought to heed their warning. In summary you need to:
What to do about Cloudbleed?
The full impact of Cloudbleed is still unknown; however, it is "better to be safe than sorry." Cloudbleed provides an opportunity to remind everyone to be more diligent in managing their passwords. Given the millions of transactions performed by Cloudflare for numerous highly recognized websites, anyone's authentication or personal information may have been leaked. No one yet knows if Cloudbleed was exploited. We recommend doing a risk assessment and following the best practices. There are password creation tips provided by Stop Think Connect.
We have published a more complete explanation of "What to do about Cloudbleed" on the MSCS website. This includes:
- Understanding your risk.
- Using pass phrases that you can remember.
- Creating unique pass phrases for unique sites.
- Using multi-factor or two-factor authentication.
Other Resources for News and Views
There are many websites that provide access to news and views about information security.
These include the following:
While not exactly industry views, here are links to two videos that suggest the importance of cybersecurity technology: