Academy on Security and Dependability
On December 14th and 15th, 2009, more than 20 Portuguese professionals from several companies attended the first Carnegie Mellon | Portugal Program Academy on Security and Dependability. The event was organized by the Large-Scale Informatics Systems Laboratory at Faculdade de Ciências da Universidade de Lisboa.
The academy provided computer science and engineering professionals with the opportunity to interface with the experts involved in the Carnegie Mellon University | Faculdade de Ciências da Universidade de Lisboa dual Professional Master of Science in Information Technology–Information Security (MSIT-IS).
Miguel Correia, from Faculdade de Ciências da Universidade de Lisboa (FCUL), and Rajeev Gandhi from Information Networking Institute (INI), Carnegie Mellon University, gave a presentation about the MSIT-IS program and its achievements. Since the program’s inception, the number of participating students has increased every year.
Miguel Correia gave another presentation, titled “Six Billion Crash Test Dummies or Why Software Security Matters.” His main conclusions were that “software security is very interesting, but difficult because new vulnerabilities appear every day, and we need to be prepared to find new solutions every day.”
Paulo Sousa, from FCUL, spoke about “Surviving Non-Detectable Intrusions While Fighting Them Back.” For him, “intrusion tolerance added to Proactive Resilience is an effective way to survive on detectable and non-detectable intrusions.”
“Can Cost-Benefit Analysis Help Investment in Security?” asked Pedro Ferreira.
Pedro Ferreira, from Instituto Superior Técnico (IST), gave the presentation “Can Cost-Benefit Analysis Help Investment in Security?” He encouraged listeners to view security as an investment and to approach it with the underlying thought, “You are ok with some intrusions/attacks in your system,” with the goal of reaching the strategic point: the balance between cost and benefit.
José Rufino, from FCUL, in his presentation “Building Robustness, Safety and Security for the Next Generation of Aerospace Systems,” gave examples of current trends in the design of the future generation of aerospace systems and discussed the paradigms, models and tools currently being developed to provide high levels of safety, security and timeliness guarantees.
Paulo Veríssimo, from FCUL, added that “it is possible to estimate the hacker attack cost, and based on this value elevate the cost level to dissuade the hacker attack.” For Veríssimo, the academy “model and setting was to make it a teaser of what happens in the MSIT-IS program and a discussion forum on Security and Dependability.” The academy participants gave “wonderful feedback and got out of there with their minds set on applying,” he said.
At the end of the academy, the participants were invited to take part in the "Penetration Testing Trophy": each received an IP (Internet Protocol) address and was asked to imagine a gold bar inside the computer, which they then had to go and get. The challenge was won by two participants from Portugal Telecom, “who already trained several other people in our program,” explained Veríssimo.
Over the two days, the participants attended lectures and workshops such as:
- Evolution of Security: from Ad-hoc Prevention to Automatic Protection;
- Six Billion Crash Test Dummies or Why Software Security Matters;
- MSIT-IS - A Carnegie Mellon University and University of Lisbon Masters;
- Hands-on 1 - Securing Installation is harder than it looks;
- Hands-on 2 - Attack Injection: Assess your Software Before Hackers do it;
- Are They Out There? How Many and How Smart?;
- The Delicate Balance between Distributing and Losing Control;
- Surviving Non-Detectable Intrusions While Fighting Them Back;
- Can Cost-Benefit Analysis Help Investment in Security?;
- Building Robustness, Safety and Security for the Next Generation of Aerospace Systems;
- Hands-on 3 - Honey pots: Watching Hackers at Work.
Participants in the event: PORTUGAL TELECOM; UNISYS; LOGICA; BLUE PHOENIX; EFACEC; INST. DEFESA NACIONAL; INST. POLITÉCNICO BEJA; ESPÍRITO SANTO INFORMÁTICA; KPMG; STREAMLINE; CRITICAL SOFTWARE.