Friday, October 5, 2012

GHC12: Cybersecurity: Are we there now and where do we need to be in 5 years?

Moderator: Minerva Rodriguez (Raytheon) Panelists: Meg Layton (Symantec), Carrie Gates (CA Labs), Michele Guel (Cisco),  Perri Nejib (Lockheed Martin)

Michele Guel has, amazingly, been in the industry for more than 30 years, starting out as a sysadmin - but then, November 2, 1988 happened... The Morris Worm! Suddenly her department saw the need for a security expert!

Meg Layton started out with a Political Science degree... only to find out later that there weren't any jobs for that degree. The first computer she used was the lighting board at her local theater, and she eventually found her way into IT. Her career later took her to Africa, where she realized that you haven't seen a security problem until you've seen the ones in a country that's just gone through a civil war. She switched into security on September 18, 2001, after the Nimda worm was launched.

Dr. Carrie Gates found computers by following music - their department had a nice stereo. While working as a sysadmin, she started working on a part-time PhD. The other sysadmins bragged about how much security knowledge they had, and wanting to have more, she focused her PhD on security :-)

Perri Nejib originally wanted to be a dentist! But, it turns out she wasn't a fan of biology, so she changed her focus to engineering - much more fun! Her first internship was with the government, so she was able to get a security clearance before she graduated - which led to her first job with the Army, working on circuits for nuclear projectiles. Security was important back then, and it is more important now.

Dr. Gates is not fond of the word "cyber" - but says it's good for getting funding! (ah, buzzwords) Most of the panelists agree - they just work on security. Some of the panelists are big focus folks, while others are working on research. Ms. Guel laments the great shortage of cyber security talent, encouraging everyone to go and learn more and come apply for security jobs.

Ms. Layton said we're still not "there" - too many teams are not keeping security in mind from the early design process. This is not something we can bolt on later (preaching to the choir, here :-)

Dr. Gates notes that as long as we have adversaries, our work will never be done.

Ms. Guel told us to go look at the Mitnick vs. Shimomura attack. That was 20 years ago. Machines are still vulnerable to that attack! Until everyone understands that information on the Internet is forever and that machines are long lived - we won't be there.

Ms. Guel recently started security classes at her office for non-security people, getting people to be responsible and to understand the repercussions. The teams Ms. Layton has encountered seem to suffer from a lack of security training as well. General goal over the next 5 years - just get people informed!

Ms. Layton encourages us to keep young women (and men) informed about computer security, but keep the message simple: Keep safe, keep telling.

All of these women love their jobs and have such passion; it's clear that there's a lot of work that needs to be done and lots of opportunities in this industry. I know I love working in computer security.

Unfortunately, some of the speakers were not good about staying on mic (they were very animated, so their heads kept turning away), so I couldn't hear all of them very well, but overall it was very interesting.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC12: Securing Our Borders - Are we there yet?

Pamela K. Arya, A-T Solutions, has been actively involved with securing our borders. Some of their biggest concerns are IEDs, which are very cheap to make and deploy but very difficult to detect. These were first seen regularly in Northern Ireland, much less sophisticated than what we're seeing today in Iraq. Old IEDs were triggered with pressure so were often buried in the ground - easier to detect and monitor for. Newer ones can be set on the ground in a busy area and easily remotely detonated. Blocking signals doesn't work, as cell phones will also stop working!
Unfortunately, IEDs have become a part of the war on drugs in Mexico, often in the form of vehicle-borne IEDs. A-T Solutions will analyze post-blast areas to help determine what type of device was used and will also train local law enforcement about these devices. One of the best defenses against these attacks is still a dog - it is very difficult to trick a dog that's been well trained.

These types of devices also turn up in booby-trapped homes, so there is special training for that as well. On the ground in Iraq, they've found that former farmers or other rural people can be better trained to find these IED devices. The theory is that, having had a rural upbringing, these people have not learned to tune out the noise and details that city dwellers must.

Her slides included images of post blast scenes and task forces that really bring home how real this problem is.

Laura McLay, Virginia Commonwealth University, has been working on aviation security and optimization, particularly focused on protecting nuclear material. Looking at aviation security, the first obvious thing we think of: hijackings! These have been a problem since the 1940s, with domestic hijackings peaking in the 1970s. In response to a possible terrorist-related plane crash (it ended up just being an accident), Al Gore sponsored a bill creating CAPPS: Computer-Aided Passenger Prescreening System. From 1998 to 2001, only selectees' baggage was scanned. This worked well.

The machines that scan checked luggage weigh tons, take years to make and were only made by two companies, so after September 11, 2001, when all bags needed to be scanned, airport lobby floors had to be reinforced and two companies were very busy for a while.

When a new device is being tested, it typically starts out in just four airports - and it's difficult (if not impossible) to keep those four airports a secret, so other methods need to be deployed.

Random screening doesn't seem to be an effective way to deter actual threats and thoroughly screening all passengers is not feasible, so more research needs to be done in this area to optimize this.

Susan Wilson, Cyber and DHS Solutions Operating Unit/Northrop Grumman Information Systems: Border Patrol Goals and Challenges. The Mexican border threats are well understood, but now we're having to watch the Canadian border more, and the old methods won't work with the layout of the land we have in the north.

If you're trying to protect with something obvious, like a wall, it's easier for people to come up with ways to work around it. The more hidden and subtle your border control is, the more effective it can be - but only combined with rapid response.  More agile solutions that can stay one step ahead are optimal.

One threat they actually see: balloons! So, watching the ground alone is not sufficient.

They would like to leverage open standards based components to integrate field-proven detection and assessment devices with a good user interface!

Questions for this panel ranged from how are environmental impacts considered (separate consulting firms all come together on the final solutions for border control), speed of screening at airports (focusing on doing this but maintaining security - not there, yet), agencies working together (there is just not enough funding for everyone to have all of this amazing equipment), to serving your country by protecting the borders.


Seniha Esen Yuksel, University of Florida, was unable to present today due to a family emergency, but her slides will be included on the Grace Hopper Wiki.

This panel was moderated by Wendy Rannenberg.



GHC12: Anita Borg Social Impact Award Winner: Cathi Rodgveller

This year's winner of the Anita Borg Social Impact Award is Cathi Rodgveller, founder of IGNITE (Inspiring Girls Now in Technology Evolution) Worldwide, who has impacted the lives of more than 18,000 women - and inspired many of us here today!

We had a wonderfully intimate session - a great way to spend some time with an amazing woman! Her presentation was short and sweet, giving us enough background to fuel the fire for questions - and I discovered that this entire room was full of interesting women doing great work to inspire and mentor young women in technology careers.

Ms. Rodgveller started IGNITE on a Sex Equity grant 14 years ago in Seattle. She makes sure that the group stays lively and accessible by holding an event at least once a week. There are over 30 active chapters in Washington alone - and more across the globe! Ghana opened a chapter 5 years ago, and Lagos, Nigeria has over 20 chapters - some of them the first programs in the area for girls.

She is tired of hearing schools say that this outreach is not a priority, so if anyone can help set up this program for a middle school or high school near you, she knows that the teachers would appreciate it. Ms. Rodgveller has been running this program herself for 14 years, and is willing to mentor anyone who can help start a chapter. As a woman in industry, you can volunteer as little as 90 minutes for one event once a year.

We were fortunate to have one of the very first girls that went through the program at Nathan Hale High School in Seattle. This girl, now a woman, said she originally wanted to be a veterinarian and considered herself totally technically unskilled. That long-ago workshop inspired her to learn more and take a few computer science classes in college, and now she's about to finish her PhD at USC! It's amazing what an impact a few events can have on a young woman's life. Truly inspiring!

She encourages these events to be about stories, not lectures. Her book covers how to do this for each age and is geared towards teachers, using teaching models they are already familiar with. The program can be very inexpensive - merely the cost of a bus and a substitute teacher. It's designed to be cheap and easy.

If you're a woman in industry who wants to help, you can meet with a representative from the school to help get them started and get them connected with IGNITE.

Ms. Rodgveller needs you - can you help start up a local branch? You can learn how to do this yourself with the IGNITE Toolkit.


GHC12: The Internet Enables All the Worlds Hackers to Attack Your Computers 24/7. Are we secure enough yet?

Susan Lincke (University of Wisconsin) starts out with the question: Are we secure enough, yet? Looking at all of the attack reports on the news - NO! If the big companies can't get it right, what are the chances of the little companies doing it correctly?

Dr. Lincke got a grant from the NSF to create a security workbook: a security how-to written so that non-professionals can easily use it. It covers things like a code of ethics, risk assessment and how to protect this data. It's a workbook, so a lot of the items are skeletons that you need to fill in for your specific needs, and it gives you a method for calculating the expected loss for each of these risks.

The workbook also introduces concepts like recovery time (interruption window, service delivery objective, and maximum tolerable outage) and terms (recovery point objective and recovery time objective).
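To make the two workbook ideas above concrete, here is an added example (my own illustration, not material from Dr. Lincke's workbook): a tiny risk register that computes annual loss expectancy as single-loss expectancy times annual rate of occurrence, weighs a proposed control's cost against the loss it avoids, and checks that a service's recovery time objective and recovery point objective are consistent with its maximum tolerable outage and its actual backup cadence. All names, dollar figures and hours are constructed for a hypothetical small dental office.

```python
from dataclasses import dataclass

# Added example, not from the workbook itself. All figures below are constructed
# for a hypothetical small dental office, the kind of organization the post has in mind.


@dataclass
class Risk:
    """One row of a risk register: a threat and its estimated loss figures."""
    name: str
    single_loss_expectancy: float     # SLE: dollars lost each time it happens
    annual_rate_of_occurrence: float  # ARO: expected occurrences per year

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE x ARO, the expected yearly loss from this risk."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass
class Control:
    """A safeguard, its yearly cost, and the fraction of ALE it is estimated to remove."""
    name: str
    annual_cost: float
    ale_reduction: float  # 0.0 (useless) .. 1.0 (eliminates the loss entirely)


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Yearly loss avoided minus yearly cost; negative means the control costs more than it saves."""
    avoided = risk.annual_loss_expectancy() * control.ale_reduction
    return avoided - control.annual_cost


@dataclass
class RecoveryTargets:
    """Recovery terms from the workbook, in hours, plus the backup cadence actually in place."""
    service: str
    maximum_tolerable_outage: float  # MTO: longest outage the business survives
    recovery_time_objective: float   # RTO: how fast we plan to restore the service
    recovery_point_objective: float  # RPO: how much data (measured in time) we may lose
    backup_interval: float           # how often backups are really taken


def recovery_gaps(t: RecoveryTargets) -> list[str]:
    """Flag plans that are internally inconsistent: an RTO beyond the MTO,
    or backups too infrequent to ever meet the RPO."""
    gaps = []
    if t.recovery_time_objective > t.maximum_tolerable_outage:
        gaps.append(f"{t.service}: RTO {t.recovery_time_objective}h exceeds "
                    f"MTO {t.maximum_tolerable_outage}h")
    if t.backup_interval > t.recovery_point_objective:
        gaps.append(f"{t.service}: backups every {t.backup_interval}h cannot meet "
                    f"RPO {t.recovery_point_objective}h")
    return gaps


# Constructed sample register for the hypothetical dental office.
RISKS = {
    "ransomware on practice server": Risk("ransomware on practice server", 40_000, 0.2),
    "lost laptop with patient data": Risk("lost laptop with patient data", 15_000, 0.5),
}
CONTROLS = {
    "ransomware on practice server": Control("offline nightly backups", 1_200, 0.75),
    "lost laptop with patient data": Control("full-disk encryption", 300, 0.9),
}
RECOVERY = RecoveryTargets("patient records", maximum_tolerable_outage=24,
                           recovery_time_objective=8, recovery_point_objective=4,
                           backup_interval=24)


def risk_report() -> dict[str, float]:
    """Net yearly benefit of each proposed control, keyed by risk name."""
    return {name: control_net_benefit(risk, CONTROLS[name]) for name, risk in RISKS.items()}


if __name__ == "__main__":
    for name, net in risk_report().items():
        ale = RISKS[name].annual_loss_expectancy()
        print(f"{name}: ALE ${ale:,.0f}, control net benefit ${net:,.0f}/yr")
    for gap in recovery_gaps(RECOVERY):
        print("GAP:", gap)
```

The point of the last check is the one the workbook's terminology is meant to surface: writing "RPO: 4 hours" into a plan means nothing if the office only backs up nightly, and an RTO longer than the MTO is a plan to go out of business.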

It also helps with security classification guidelines for the data, like what type of information should be confidential? In a medical office, that would be data covered by HIPAA, for example.

The workbook covers concepts like network security and helps people define which services and data can leave the local network. The same concepts can then be applied to the physical security map - like, which rooms can a patient walk around unmonitored?

All of this requires an incident response plan - what do you do if you get a virus? What lessons can you apply going forward to prevent future infections or attacks?

I think this is a great idea - I think about a small dental office, which does need to protect patient data, but probably hasn't considered this because the concepts are foreign to them and seem too difficult to begin to approach.


GHC12: Security and the Cloud

Susan B. Cole, Exceptional Software Strategies, Inc. started out with a great explanation of what exactly the cloud is and what goes into it (data, mostly). Advantages of the cloud? On demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

Cloud is important - you're probably using it even if you don't realize it. Things like Dropbox and Google Docs are all cloud services. (note: I LOVE Google Docs! Being able to have multiple people modify a spreadsheet without emailing large files back and forth and constantly changing the name to add versioning is so nice!)

The problem, though, is that a lot of people end up creating their own clouds out of necessity but do not consider security - so it's good to use large providers who have this built into their solutions already.

A big benefit of cloud: money savings. For example, the city of LA saved $1.1 Million per year by switching to Google Mail and Google Docs.

But, before you move to the cloud, make sure security and confidentiality are covered, and get this in writing! Service level agreements and contracts are required. You will no longer be in control of your data. Look out for different tenants using the same instance of a service while unaware of the strength of the other tenants' security controls; most SLAs do not have security guarantees; and once you're on the cloud, you are open to the world's hackers.

Ask where your data is. If your company is in Maryland but your data ends up in California, you need to be aware of California's laws on data protection, as your local state laws are unlikely to apply.

Can you get auditing from your cloud provider? HIPAA and PCI help with medical and financial cloud providers, but you still need to check even those to make sure they are in compliance.

While you can do penetration testing on your own network, you can't do this against your cloud provider - the provider won't be able to distinguish your test from a real attack and... what if it works and you take down another tenant? You need to get your provider to do regular security assessments, and you'll have to ask for the reports.

If the provider cannot or will not provide this data? You shouldn't use them!

Does your cloud provider encrypt the data between their network and yours?

You need to be in charge of asking these questions to protect your data - meet with your cloud provider regularly!


GHC12: Leadership Workshop: Office Politics for People Who Don’t Like Politics

I love every single workshop by Jo Miller (Women's Leadership Coaching), so I was thrilled when I heard she was coming back to the Grace Hopper Celebration of Women in Computing again this year!

The emerging leader's quandary: How do you get to that higher-level position that requires more leadership experience than you have - when you can't get the leadership experience without the position? A challenging question many of us have faced in the past - and not just with leadership, either! Jo hopes to give us all skills that will help us become better leaders without necessarily leading a team.

Office politics - nobody likes playing this game, at least nobody in this room. But, would you be willing to join the game if it would get you the promotions and projects that you want to work on? Could this be a skill, and not just an annoyance? "Avoiding (office) politics altogether can be deadly for your career" - Erin Burt

Jo proposes that there is a way to navigate office politics in a way that is both ethical and advantageous for your teams.

Hard work alone won't get you recognized. So, work less :-) Not exactly, but if you're always heads down working and never let anyone know what you're doing, that hard work goes unnoticed.

"Get out of your in-box!" - Barbara Gee. Get out and talk to people! Step away from the terminal.

Let's stop calling it office politics - such negative connotations. What about Organizational Awareness? What does that mean? Being a savvy observer of the communication and relationships that surround you in your organization.

This isn't just about looking at the org chart - it doesn't tell you everything, like who the thought leaders are, who gets things done, or who has been over-promoted and is actually ineffective. You need to find people that can happily help you get things done - the Shadow Organization. This isn't what HR knows, it's what you know.

Jo had us put together a chart of the people we work with most frequently, adding solid lines between people that work well together and dashed lines between those that don't, with arrows to show how influence flows. Once that was done, we drew circles around coalitions - groups of people that work well together. Once this was all on paper, we could think better about things like: how did those coalitions form? Is one person excluded from all coalitions, and perhaps from everything? Doing this will help you gain perspective on your team.

The final piece of this shadow organization is the verticals: people who are being mentored and sponsored by their manager and who pass this up the chain in turn. Like a ladder.

Doing this myself, I realized that my "shadow organization" includes many people that are not in my direct org.

Highlights of the Shadow Organization:
  • Relationships
  • Influence
  • Coalitions
  • Key Influences
  • Verticals
After a group discussion, a couple of questions came up about people in their organizations who are separated from everyone due to something they did many years ago. Jo recommended really focusing over the next few months on rebranding themselves - keeping all work and communications positive to help overcome past mistakes.

How can we gather information to help map the shadow organization? Can you do this via face-to-face interactions? What about virtual teams? A few audience suggestions included organizing "friendship lunches" where you just reach out to people in your organization and field of influence on a casual basis, not opening your laptop in a meeting - connect instead, inviting people to coffee (and seeing who else is having coffee together), and never missing a happy hour :-) For virtual teams, site visits and video calls, even if only occasional, should be done in addition to talking on the phone.

Sophie Vandebroek, CTO of Xerox, once told Jo: "It's not enough to have a bright technical idea. I have seen too many projects led by great, passionate people fail because they tried to be the lone influencer." Can we have stronger teams and more successful projects by building more relationships and coalitions? It sounds like it!

Every organization and every team has unwritten, unspoken "Rules of the Game". It's unlikely that anyone is going to tell you about them - but you can probably ask. For example, in some teams no work should start until consensus is reached, while in others "act now and ask questions later" is the rule. To be successful - learn these rules in your org.

There are five ways to generate quick wins in office politics:
  • In every organization, there is someone who is great at navigating office politics - find them and ask them how they do it!
    • They navigate well at all levels
    • They are the keeper of the "institutional memory"
    • They are good at reading people
  • Build an influential coalition
    • It can be quicker and easier to get great things done from the grass-roots
    • Be an advocate for others, support stuff that's important to them
  • Don't like the unwritten, unspoken "rules of the game"? Become a game changer!
    • If you don't like them, you're probably not alone! This is where you can get those other like-minded individuals to help you change them.
      • For example, if you can't make the late-night "happy hours" in bars because you have to pick up your kids or have other obligations - can you create a new social event that happens during normal work hours?
  • Manage Upward
    • Leading your leaders is easier than you think... 
      • Think and act like an executive
      • Understand their most important goals, their challenges, and how they make decisions.
      • Remember - you're the expert in what you do, don't be deferential.
      • Always have a talking point ready
        • Executives have to make decisions quickly, be prepared to talk to them if you see them in the hall, in between meetings etc.
  • Enlist senior-level sponsors and advocates
    • These aren't mentors, but sponsors - someone who is going to promote you and be an advocate for you. Someone who will argue your case behind closed doors.
Again, sponsorship has come up. This seems to be so important. When looking for a sponsor, you want to find someone who is a senior leader with influence, well-respected and credible, familiar with your strengths, has a track record of developing talent, provides exposure and provides cover when you're under attack. Getting sponsors outside of your immediate organization is a good thing, too!

How do you get a sponsor? Turns out, you don't just go out and get one - you have to earn one and cultivate it. You can do this by outperforming, making your value visible, observing the protocols, and networking across your organization. You can do a lot of these things by looking for projects and exposure opportunities working with or for senior leaders.

None of this will work, though, if you don't have clarity about your own career goals! You have to know what you want to do or where you want to go, and make sure that the senior-level people in your shadow organization are aware of those goals.

You can find the full slides on Jo's site.


GHC12: Keynote, Anita Jones, Another Perspective

Anita K. Jones is a University Professor Emerita at the University of Virginia and a Professor of Computer Science in the School of Engineering and Applied Science, and was sworn in as the Director of Defense Research and Engineering for the U.S. Department of Defense in June 1993.

Dr. Jones was the keynote speaker at the very first Grace Hopper Celebration in 1994! I wasn't at that first event, so how cool to get to see her now - a woman who has a seamount in the ocean named after her!

Dr. Jones starts by looking at the conference theme: Are we there yet?

Analyzing this phrase, we need to think about the "we" - many great things are done together, so it's important who you associate yourself with.

Today, there are 2 times more jobs in IT than all other engineering disciplines combined. In the near future, there will be 4 times as many - an ever growing field, more people to surround yourself with :-)

Electrification of rural America in the 50s, better sanitation practice and better access to water revolutionized America and nearly doubled our life expectancies. Can there be a software revolution with that much impact?

Dr. Jones believes it's happening. The spread of the Internet, the ability to visualize organisms and galaxies, all the way to just-in-time delivery enabled by RFID tracking devices.

We're now connecting with one another in ways we never thought imaginable: there are 5 billion cellphones in the world, and only 7 billion people! We have Facebook, Twitter, Google+ (and Google in general), LinkedIn, etc. - where we can connect with each other, keep in touch, and meet new people. Something unheard of just 20 years ago.

Yes, I did make new friends on a BBS nearly 20 years ago, and I'm sure some of you met folks through your MUD or CompuServe chat room - but we were the very few, the Internet elite.

If you want to revolutionize the world, do research - but pick a new topic, look for new ways to help the world. It's always easier to write the first thesis on a topic, as opposed to the 20th. Dr. Jones jokingly said she'd like us to do research into making it possible to order really nice shoes that fit your feet perfectly.

This year's revolution? Massive open online courses. While not the same as a university-offered curriculum, it's getting there. Harvard and other big universities are funding these courses.

These can't be really successful until there is automated grading, individualized assistance and a way to motivate the students to finish. Let's do research in these areas - we can revolutionize education!

Revolutions can be hard: For example, the Air Force was against pilotless planes, because who are the top guys in the Air Force? Why, pilots of course - they didn't like the idea of these drones because it took pilots out of the picture. But these drones can do things pilots can't - fly for 40+ hours, no need for a cockpit, loaded with sensors and cameras, and without risking the lives of pilots. The Air Force still wasn't interested, until the Army tried to order some. The air, though, is the domain of the Air Force - and they didn't want to give that up to the Army :-)

Technology can revolutionize all sorts of industries. Being a computer scientist and information technologist means you can steer the revolution. We can make the difference!
