CapTech Talks Oct 2024 Presenter Slides.pdf
CapitolTechU
99 views
47 slides
Oct 17, 2024
Slide 1 of 47
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
About This Presentation
Slides from a webinar presented by Capitol Technology University for its Women in Cyber Leadership Series. Features NIST scientist Dr. Michaela Iorga speaking about Cybersecurity Research, with a special focus on Cloud Computing.
Slide Content
Core Principles of Cybersecurity
Research Through the Outcome Lens
Dr. Michaela Iorga
NIST/ITL
Research Through the Outcome Lens
Dr. Michaela Iorga
NIST/ITL
About me
NIST Roles
qSupervisory Computer Engineer
q Chair Cloud Security Working Group
q Co-Chair Cloud Forensic Working Group
q Director, OSCAL Program
q ITL Director, SURF Program
EDUCATION
q PhD. Engineering Department, Duke University
q PhD. Naval Architecture, Galati University
2
NIST Roles
qSupervisory Computer Engineer
q Chair Cloud Security Working Group
q Co-Chair Cloud Forensic Working Group
q Director, OSCAL Program
q ITL Director, SURF Program
EDUCATION
q PhD. Engineering Department, Duke University
q PhD. Naval Architecture, Galati University
2
Outline
q NIST at a Glance
q Research areas I worked on
q Briefing on some projects & how the
topic surfaced
Ø Cloud computing R&D
Ø Fog computing
Ø Intelligent Digital Assistants
Ø Security Automation & Open Security
Controls Assessment Language (OSCAL)
NOTE: All presented projects have a lot more depth than what can be presented today. If interested to learn more,
please access the publications online (see NIST Research Library )
3
q NIST at a Glance
q Research areas I worked on
q Briefing on some projects & how the
topic surfaced
Ø Cloud computing R&D
Ø Fog computing
Ø Intelligent Digital Assistants
Ø Security Automation & Open Security
Controls Assessment Language (OSCAL)
NOTE: All presented projects have a lot more depth than what can be presented today. If interested to learn more,
please access the publications online (see NIST Research Library )
3
qNon-regulatory federal agency within U.S. Department of Commerce.
qFounded in 1901, known as the National Bureau of Standards (NBS) prior to 1988.
qOrigins in the Constitution: “Congress shall have power to …. fix the standard of weights and
measures…”
qHeadquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado.
qEmploys around 6,000 employees and associates.
q5 Nobel prizes
NIST at a Glance
Mission: To promote U.S. innovation and industrial
competitiveness by advancing measurement science,
standards, and technology in ways that enhance
economic security and improve our quality of life.
4
qFounded in 1901, known as the National Bureau of Standards (NBS) prior to 1988.
qOrigins in the Constitution: “Congress shall have power to …. fix the standard of weights and
measures…”
qHeadquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado.
qEmploys around 6,000 employees and associates.
q5 Nobel prizes
NIST at a Glance
Mission: To promote U.S. innovation and industrial
competitiveness by advancing measurement science,
standards, and technology in ways that enhance
economic security and improve our quality of life.
4
NIST Wide Critical and Emerging Technologies
5
5
Research Areas
qCryptography and Cryptographic modules’ security and
functionality requirements
qMulti-factor authentication and security for mobile
devices in ad-hoc mode of operation
qSmart vehicles secure communication
qPersonal Identity Verification (PIV) secure communication
qCloud Computing Security, Privacy and Forensics
qFog and Edge Computing
qIntelligent Digital Assistants
qSecurity Automation (cloud)
qBlockchain Assessment
6
“A robust cybersecurity culture is proactive rather than reactive. It entails constant risk assessments,
complex risk management frameworks, and ongoing education and training .”
-- Tom Vazdar, international banking security expert
qCryptography and Cryptographic modules’ security and
functionality requirements
qMulti-factor authentication and security for mobile
devices in ad-hoc mode of operation
qSmart vehicles secure communication
qPersonal Identity Verification (PIV) secure communication
qCloud Computing Security, Privacy and Forensics
qFog and Edge Computing
qIntelligent Digital Assistants
qSecurity Automation (cloud)
qBlockchain Assessment
6
“A robust cybersecurity culture is proactive rather than reactive. It entails constant risk assessments,
complex risk management frameworks, and ongoing education and training .”
-- Tom Vazdar, international banking security expert
Disclaimer
The views expressed in this presentation are mine alone. Reference to any
specific products, process, or service do not necessarily constitute or
imply endorsement, recommendation, or favoring by the United States
Government or the National Institute of Standards and Technology.
The presented material might contain information that has been changed
or updated by the service providers since the research concluded, as all
products and services discussed herein undergo rapid technological
updates.
7
The views expressed in this presentation are mine alone. Reference to any
specific products, process, or service do not necessarily constitute or
imply endorsement, recommendation, or favoring by the United States
Government or the National Institute of Standards and Technology.
The presented material might contain information that has been changed
or updated by the service providers since the research concluded, as all
products and services discussed herein undergo rapid technological
updates.
7
Federal Cloud Computing Timeline
2010: 25 Points Implementation Plan to Reform Federal IT
2011
: NIST Cloud
Definition (SP 800
-145)
Interagency Task Force & Public WG
2011
: Cloud Standards
Roadmap (SP 500
-291)
2012: Cloud Synopsys and Recommendations (SP 800
-146)
2011
: Cloud Reference
Architecture (SP 500
-
292) 2018: Cloud Service Metrics (SP 500
-307)
2018: Evaluation of Cloud Services Based on NIST SP 800
-145 (SP
500
-322)
2011
: USG Federal IT
Strategy2013: Cloud Security Reference Architecture R&D (SP 500
-299)
2019: Cloud Forensics Challenges (NISTIR 8006)2011
: OMB Established
FedRAMP
2014: Cloud Technology Roadmap (SP 500
-293)
Vol 1 & 22016: NIST
-FedRAMP
Cloud Security Automation Research Starts (OSCAL)
2015: FedRAMP Starts Rev 4 Transition (SP 800
-53 Rev4)
2021: Open Security Controls Assessment Language 1.0.0 Release
2022: FedRAMP Starts Rev 5 Transition (SP 800
-53 Rev 5)
2023: Cloud Forensic Reference Architecture (SP 800
-201
ipd
)
Cloud Service Providers Start submitting ATO package in OSCAL
8
2010: 25 Points Implementation Plan to Reform Federal IT
2011
: NIST Cloud
Definition (SP 800
-145)
Interagency Task Force & Public WG
2011
: Cloud Standards
Roadmap (SP 500
-291)
2012: Cloud Synopsys and Recommendations (SP 800
-146)
2011
: Cloud Reference
Architecture (SP 500
-
292) 2018: Cloud Service Metrics (SP 500
-307)
2018: Evaluation of Cloud Services Based on NIST SP 800
-145 (SP
500
-322)
2011
: USG Federal IT
Strategy2013: Cloud Security Reference Architecture R&D (SP 500
-299)
2019: Cloud Forensics Challenges (NISTIR 8006)2011
: OMB Established
FedRAMP
2014: Cloud Technology Roadmap (SP 500
-293)
Vol 1 & 22016: NIST
-FedRAMP
Cloud Security Automation Research Starts (OSCAL)
2015: FedRAMP Starts Rev 4 Transition (SP 800
-53 Rev4)
2021: Open Security Controls Assessment Language 1.0.0 Release
2022: FedRAMP Starts Rev 5 Transition (SP 800
-53 Rev 5)
2023: Cloud Forensic Reference Architecture (SP 800
-201
ipd
)
Cloud Service Providers Start submitting ATO package in OSCAL
8
USG Federal IT Strategies
Cloud First Policy:
“requiring agencies to evaluate safe,
secure cloud computing options before
making any new investments”
Goal:
“profound economic and technical shift
(with) great potential to reduce the cost of
federal Information Technology (IT)
systems while … improving IT capabilities
and stimulating innovation in IT solutions.”
Implementation: select services that can move to cloud, provision cloud services effectively, managing services
rather than assets
First Federal CIO, Vivek Kundra
2010- & 2011
9
Cloud First Policy:
“requiring agencies to evaluate safe,
secure cloud computing options before
making any new investments”
Goal:
“profound economic and technical shift
(with) great potential to reduce the cost of
federal Information Technology (IT)
systems while … improving IT capabilities
and stimulating innovation in IT solutions.”
Implementation: select services that can move to cloud, provision cloud services effectively, managing services
rather than assets
First Federal CIO, Vivek Kundra
2010- & 2011
9
NIST Cloud Computing Definition
(SP 800-145)
Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider interaction.
This cloud model is composed of five essential
characteristics, three service models, and four
deployment models.
2011
10
(SP 800-145)
Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider interaction.
This cloud model is composed of five essential
characteristics, three service models, and four
deployment models.
2011
10
The NIST Cloud Computing
Definition Visualized
Hybrid Clouds
Deployment
Models
Service
Models
Essential
Characteristics
Software as a Service
(SaaS)
Platform as a Service
(PaaS)
Infrastructure as a
Service (IaaS)
Resource Pooling
Broad Network AccessRapid Elasticity
Measured Service
On Demand Self-Service
Public
Cloud
Community
Cloud
Private
Cloud
11
Definition Visualized
Hybrid Clouds
Deployment
Models
Service
Models
Essential
Characteristics
Software as a Service
(SaaS)
Platform as a Service
(PaaS)
Infrastructure as a
Service (IaaS)
Resource Pooling
Broad Network AccessRapid Elasticity
Measured Service
On Demand Self-Service
Public
Cloud
Community
Cloud
Private
Cloud
11
NIST Cloud Computing Reference
Architecture
NIST SP 500-292
2011
12
Architecture
NIST SP 500-292
2011
12
Cloud Reference Architecture
Actors and Tasks at a Glance2011
13
Actors and Tasks at a Glance2011
13
Cloud Service Layer and Security
Considerations.
Physical Resource Layer
Hardware
Facility
Resource Abstraction and
Control Layer
Service Layer
IaaS
SaaS
PaaSSoftware as a Service
Platform as a Service
Infrastructure as a Service
Cloud Provider
IT Infrastructure/
Operation
Application
Development
Biz Process/
Operations
App/Svc
Usage
Scenarios
App/Svc
Usage
Scenarios
Develop, Test,
Deploy and Manage
Usage Scenarios
Create/Install,
Manage, Monitor
Usage Scenarios
Each Service Layer fulfills a different business need with different security considerations.
2011
14
Considerations.
Physical Resource Layer
Hardware
Facility
Resource Abstraction and
Control Layer
Service Layer
IaaS
SaaS
PaaSSoftware as a Service
Platform as a Service
Infrastructure as a Service
Cloud Provider
IT Infrastructure/
Operation
Application
Development
Biz Process/
Operations
App/Svc
Usage
Scenarios
App/Svc
Usage
Scenarios
Develop, Test,
Deploy and Manage
Usage Scenarios
Create/Install,
Manage, Monitor
Usage Scenarios
Each Service Layer fulfills a different business need with different security considerations.
2011
14
•NIST SP 800 – 145 (The NIST Definition of Cloud Computing)
•NIST SP 500 – 292 (NIST Cloud Computing Reference Architecture)
•ISO/IEC 17788:2014/ ITU-T Y.3500 (08/2014) (Cloud Computing
Overview and Vocabulary)
•ISO/IEC 17789:2014/ ITU-T Y.3502 (08/2014) (Cloud Computing
Reference Architecture)
The NIST Definition and Reference Architecture
Became the Foundation for the ISO/IEC Standards
Free copies of ISO/IEC standards are located at:
(http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html)
15
•NIST SP 500 – 292 (NIST Cloud Computing Reference Architecture)
•ISO/IEC 17788:2014/ ITU-T Y.3500 (08/2014) (Cloud Computing
Overview and Vocabulary)
•ISO/IEC 17789:2014/ ITU-T Y.3502 (08/2014) (Cloud Computing
Reference Architecture)
The NIST Definition and Reference Architecture
Became the Foundation for the ISO/IEC Standards
Free copies of ISO/IEC standards are located at:
(http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html)
15
Cloud Security Requirements
Process-oriented security requirements
•NIST SP 800-53 Security Controls for Cloud-Based
Information Systems
•Cloud Audit Assurance and Log Sensitivity
Management
•Certification and Accreditation
•Guidelines for Privacy and Electronic Discovery
•Trustworthiness of cloud operators
•Clarity on cloud actors security roles and
responsibilities
•Business Continuity and Disaster Recovery
•Continuous Assessment and Monitoring
Technically oriented
security requirements
•Visibility for consumers
•Control for consumers
•Data Security
•Risk of Account Compromise
•Identity Credential and Access
Management (ICAM) and
Authorization
•Multi-Tenancy Risks
•Cloud-based Denial of Service
•Incident Response
Cloud Computing Security R&D
2013, ongoing
16
Process-oriented security requirements
•NIST SP 800-53 Security Controls for Cloud-Based
Information Systems
•Cloud Audit Assurance and Log Sensitivity
Management
•Certification and Accreditation
•Guidelines for Privacy and Electronic Discovery
•Trustworthiness of cloud operators
•Clarity on cloud actors security roles and
responsibilities
•Business Continuity and Disaster Recovery
•Continuous Assessment and Monitoring
Technically oriented
security requirements
•Visibility for consumers
•Control for consumers
•Data Security
•Risk of Account Compromise
•Identity Credential and Access
Management (ICAM) and
Authorization
•Multi-Tenancy Risks
•Cloud-based Denial of Service
•Incident Response
Cloud Computing Security R&D
2013, ongoing
16
17
+
NIST Reference Architecture (SP 500-292) CSA’s TCI Reference Architecture
NIST Security Reference Architecture – formal modelNIST Security Reference Architecture – security components
Mapping components
to architecture
NIST CC Security Reference Architecture
(SP 500-299 > SP 800-200)
17
+
NIST Reference Architecture (SP 500-292) CSA’s TCI Reference Architecture
NIST Security Reference Architecture – formal modelNIST Security Reference Architecture – security components
Mapping components
to architecture
NIST CC Security Reference Architecture
(SP 500-299 > SP 800-200)
17
Cloud Forensic Reference
Architecture SP 800-201
•The SP 800-201 analyzes the impact of
each challenge reported in the NISTIR
8006 on performing a forensic
investigation if a specific functional
capability or process defined in the
Cloud Security Reference Architecture
were involved in an attack and breach or
were used during criminal exploitation.
•The analysis presumed fictive use case
scenarios that would exploit potential
weaknesses, vulnerabilities, exposures,
or cloud technology for criminal
activities.
18
Architecture SP 800-201
•The SP 800-201 analyzes the impact of
each challenge reported in the NISTIR
8006 on performing a forensic
investigation if a specific functional
capability or process defined in the
Cloud Security Reference Architecture
were involved in an attack and breach or
were used during criminal exploitation.
•The analysis presumed fictive use case
scenarios that would exploit potential
weaknesses, vulnerabilities, exposures,
or cloud technology for criminal
activities.
18
Layers Managedby Consumers
Layers Managedby Providers
AUTHORIZING OFFICIAL
CONTINUOUS UPWARDS REPORTING
CLOUD
PROVIDER
CLOUD
CONSUMER
19
Layers Managedby Providers
AUTHORIZING OFFICIAL
CONTINUOUS UPWARDS REPORTING
CLOUD
PROVIDER
CLOUD
CONSUMER
19
20
The Federal Government inefficiently spends hundreds of millions
of dollars a year on cybersecurity efforts.
Before FedRAMPDIFFERING INTERPRETATIONS
Agencies interpreted the NIST requirements
in different ways from agency to agency
INCOMPLETE WORK
Most agencies did not fully implement all of
the
FISMA requirements due to effort, time, and
money
LACK OF TRUST
Agencies didn’t trust security authorizations
from one agency to another due to the
differing interpretations and incomplete
packages
Federal Risk and Authorization Management Program (FedRAMP)
20
The Federal Government inefficiently spends hundreds of millions
of dollars a year on cybersecurity efforts.
Before FedRAMPDIFFERING INTERPRETATIONS
Agencies interpreted the NIST requirements
in different ways from agency to agency
INCOMPLETE WORK
Most agencies did not fully implement all of
the
FISMA requirements due to effort, time, and
money
LACK OF TRUST
Agencies didn’t trust security authorizations
from one agency to another due to the
differing interpretations and incomplete
packages
Federal Risk and Authorization Management Program (FedRAMP)
20
21
DO ONCE, USE MANY TIMES
Doing security authorizations right the first time
allows agencies to re-use work and eliminate duplicative
efforts
TRANSPARENCY
Increased collaboration and creation of a community across
the USG and vendors that did not exist before - FIRST
governmentwide FISMA program
VALIDATED WORK
FedRAMP validates security authorizations to ensure that
there is uniformity among security packages
CENTRAL SHARING
Centralized repository where agencies can request access to
security packages for expedient authorizations
FedRAMP standardizes the way the government does security
authorizations for cloud products and services
With
FedRAMP
21
DO ONCE, USE MANY TIMES
Doing security authorizations right the first time
allows agencies to re-use work and eliminate duplicative
efforts
TRANSPARENCY
Increased collaboration and creation of a community across
the USG and vendors that did not exist before - FIRST
governmentwide FISMA program
VALIDATED WORK
FedRAMP validates security authorizations to ensure that
there is uniformity among security packages
CENTRAL SHARING
Centralized repository where agencies can request access to
security packages for expedient authorizations
FedRAMP standardizes the way the government does security
authorizations for cloud products and services
With
FedRAMP
21
22
FedRAMP categorizes Cloud
Service Offerings (CSOs) into:
•Low, Moderate and High
Impact Level (IL)
and across:
•Confidentiality, Integrity and
Availability Security
Objectives (SO)
FedRAMP defines the 800-53
baselines for cloud services
FedRAMP leverages NIST guidance: applies NIST RMF and identifies and
tailors the 800-53 security controls to ensure FISMA requirements are met
22
FedRAMP categorizes Cloud
Service Offerings (CSOs) into:
•Low, Moderate and High
Impact Level (IL)
and across:
•Confidentiality, Integrity and
Availability Security
Objectives (SO)
FedRAMP defines the 800-53
baselines for cloud services
FedRAMP leverages NIST guidance: applies NIST RMF and identifies and
tailors the 800-53 security controls to ensure FISMA requirements are met
22
Fog Computing Conceptual Model
NIST Special Publication 500-325
23
NIST Special Publication 500-325
23
ØA layered model for enabling ubiquitous access to a shared continuum of scalable computing resources. The model
facilitates the deployment of distributed, latency-aware applications and services.
Fog Computing
24
facilitates the deployment of distributed, latency-aware applications and services.
Fog Computing
24
Fog Nodes: Service and Deployment Models
Fog Node
Deployment
Models
Fog Node
Service Models
Fog Node
Attributes
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
Manageability
Hierarchical clusteringProgrammability
AutonomyHeterogeneity
Fog Node
PrivateCommunity
Fog Node
Public Fog
Node
Hybrid Fog
Node
25
Fog Node
Deployment
Models
Fog Node
Service Models
Fog Node
Attributes
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
Manageability
Hierarchical clusteringProgrammability
AutonomyHeterogeneity
Fog Node
PrivateCommunity
Fog Node
Public Fog
Node
Hybrid Fog
Node
25
Intelligent Digital Assistant
Intelligent Digital (Virtual) Assistantsare
task-oriented artificial intelligence systems
engineered to emulate human interaction.
What is an Intelligent Digital Assistant?
26
Intelligent Digital (Virtual) Assistantsare
task-oriented artificial intelligence systems
engineered to emulate human interaction.
What is an Intelligent Digital Assistant?
26
From Eliza & Parry to Alexa, Google Assistant & IBM Watson
SIRI (APPLE) [NL Interface]
CORTANA (Microsoft)
GOOGLE ASSISTANT+ GOOGLE HOME Family
+ GOOGLE ALLO [2-way conversation]
GOOGLE NOW (GOOGLE) [Predictive analytics] + S Voice (Samsung)
20112012
2013
2016
AMAZON ALEXA [Cloud]+ ECHO Family (Plus, Dot, Show, etc.)
2014
19661972
ELIZA
PARRY
2017Few representative IVAs
IBM Watson
(Oncology Assistant), TJ Bot, Toys
SAMSUNG’s BIXBY Voice, Vision, Home
(refrigerator, Galaxy S8, TV)
2019 Too many to keep track of …27
SIRI (APPLE) [NL Interface]
CORTANA (Microsoft)
GOOGLE ASSISTANT+ GOOGLE HOME Family
+ GOOGLE ALLO [2-way conversation]
GOOGLE NOW (GOOGLE) [Predictive analytics] + S Voice (Samsung)
20112012
2013
2016
AMAZON ALEXA [Cloud]+ ECHO Family (Plus, Dot, Show, etc.)
2014
19661972
ELIZA
PARRY
2017Few representative IVAs
IBM Watson
(Oncology Assistant), TJ Bot, Toys
SAMSUNG’s BIXBY Voice, Vision, Home
(refrigerator, Galaxy S8, TV)
2019 Too many to keep track of …27
IDA– How They Work
Client’s Device
•Echo
•Google Assistant
•Bixby (Samsung)
•Others (TJ Bot …)
5. Request Proc.
>>3. Speech-to-Text conversion
2.IDA listens
>>4.Text
>>3.Speech collected
Cloud Intelligent Agent
>> 4. Speech –to-Text conversion
<<6.Text–to-Speech conversion
1.You talk
2 config: always ON
2 config: on REQUEST
<<6.Text<< 7. Text-to-Speech
<< 7. Speech returned
8. IDA
Speaks
•Siri
•Cortana
•Samsung Voice
•Google Now
Client’s Device
5. Request Processing
ON DEVICE TRANSCRIPTION
28
Client’s Device
•Echo
•Google Assistant
•Bixby (Samsung)
•Others (TJ Bot …)
5. Request Proc.
>>3. Speech-to-Text conversion
2.IDA listens
>>4.Text
>>3.Speech collected
Cloud Intelligent Agent
>> 4. Speech –to-Text conversion
<<6.Text–to-Speech conversion
1.You talk
2 config: always ON
2 config: on REQUEST
<<6.Text<< 7. Text-to-Speech
<< 7. Speech returned
8. IDA
Speaks
•Siri
•Cortana
•Samsung Voice
•Google Now
Client’s Device
5. Request Processing
ON DEVICE TRANSCRIPTION
28
Intelligent Virtual Assistants With On-device Transcription
SIRI is an offshoot of the DARPA-funded project, CALO (Cognitive Assistant that
Learns and Organizes), & it was part of DARPA's PAL initiative (Personalized
Assistant that Learns).
•When Siri is installed in the iPhone, it only downloads necessary data not
complete Database or any kind of Query Processing System.
•Once you ask any question to Siri, Siri converts voice into meaningful text and
sends the request to its server and then server finds the best most suitable
answer and reply back in text format and Siri process text into Voice.
•How is Machine Learning involved: When Siri is asked a very different question or
Siri server may not have knowledge about it then Siri server forwards this request
to one of the main servers. With time, Siri learns the answer and next time, when
same question is asked, Siri will reply back.
•Siri server use Graph database and Search Engine optimization for better result.
SIRI
29
SIRI is an offshoot of the DARPA-funded project, CALO (Cognitive Assistant that
Learns and Organizes), & it was part of DARPA's PAL initiative (Personalized
Assistant that Learns).
•When Siri is installed in the iPhone, it only downloads necessary data not
complete Database or any kind of Query Processing System.
•Once you ask any question to Siri, Siri converts voice into meaningful text and
sends the request to its server and then server finds the best most suitable
answer and reply back in text format and Siri process text into Voice.
•How is Machine Learning involved: When Siri is asked a very different question or
Siri server may not have knowledge about it then Siri server forwards this request
to one of the main servers. With time, Siri learns the answer and next time, when
same question is asked, Siri will reply back.
•Siri server use Graph database and Search Engine optimization for better result.
SIRI
29
Overview of Siri’s Technologies
SIRI (and CALO) involves: automatic speech recognition, natural language processing (NLP),
question analysis, data mashups, and machine learning.
1.Uses automatic speech recognition (ASR) to transcribe human speech into text.
2.Uses natural language processing (NLP) to translate transcribed text into "parsed text".
3.Uses question & intent analysis to analyze parsed text, detects user’s commands and
actions. ("Schedule a meeting", "Set my alarm", ...)
4.Uses data mashup technologies to interface with 3rd-party web services such as OpenTable,
WolframAlpha, to perform actions, search operations, and question answering (e.g. When Siri
has identified a question that it cannot directly answer, it will forward the question to more
general question-answering services such as WolframAlpha)
5.Transforms output of 3rd party web services back into natural language text (e.g. Today's
weather report -> "The weather will be sunny")
6.Uses text-to-speech (TTS) technologies to transform the natural language text from step 5
above into synthesized speech.
30
SIRI (and CALO) involves: automatic speech recognition, natural language processing (NLP),
question analysis, data mashups, and machine learning.
1.Uses automatic speech recognition (ASR) to transcribe human speech into text.
2.Uses natural language processing (NLP) to translate transcribed text into "parsed text".
3.Uses question & intent analysis to analyze parsed text, detects user’s commands and
actions. ("Schedule a meeting", "Set my alarm", ...)
4.Uses data mashup technologies to interface with 3rd-party web services such as OpenTable,
WolframAlpha, to perform actions, search operations, and question answering (e.g. When Siri
has identified a question that it cannot directly answer, it will forward the question to more
general question-answering services such as WolframAlpha)
5.Transforms output of 3rd party web services back into natural language text (e.g. Today's
weather report -> "The weather will be sunny")
6.Uses text-to-speech (TTS) technologies to transform the natural language text from step 5
above into synthesized speech.
30
Cortana
•Cortanais an OS-oriented voice assistant available on Windows devices & Xbox One console.
• Microsoft’s virtual assistant is constantly analyzing your interactions with the OS to learn more about you.
This info is stored in somethingMicrosoft calls the “Notebook,”whichincludes the places you like to go,
people you care about, your preferred quiet hours, and things you might be interested in, among other
things. You canevenedit the Notebook if you like.
•Cortana can:
•read your emails,
•track your location,
•watch your browsing history,
•check your contact list,
•keep an eye on your calendar
•play your favorite music
•Cortana can take voice and text as input.
•Cortana includes a new full screen mode that serves as both a screensaver and voice-assistant focused
mode when user is away or too far away to type.
BE AWARE: Cortana aggregates all this data and
mines it to suggest information considered useful
to user.
31
•Cortanais an OS-oriented voice assistant available on Windows devices & Xbox One console.
• Microsoft’s virtual assistant is constantly analyzing your interactions with the OS to learn more about you.
This info is stored in somethingMicrosoft calls the “Notebook,”whichincludes the places you like to go,
people you care about, your preferred quiet hours, and things you might be interested in, among other
things. You canevenedit the Notebook if you like.
•Cortana can:
•read your emails,
•track your location,
•watch your browsing history,
•check your contact list,
•keep an eye on your calendar
•play your favorite music
•Cortana can take voice and text as input.
•Cortana includes a new full screen mode that serves as both a screensaver and voice-assistant focused
mode when user is away or too far away to type.
BE AWARE: Cortana aggregates all this data and
mines it to suggest information considered useful
to user.
31
What Can Go Wrong When Everything Is Right…
•Convenience can turn into inconvenience when a IVA listens all
the time, including to your TV shows/videos/family
conversations and when it has the *power* to place calls or
text your contacts on your behalf;
•Our lives, our actions, our likes, dislikes, etc. are in the cloud,
or with third parties that implemented IDA interfaces.
•We give up, voluntarily or involuntarily, on our privacy.
•Your voice is in the cloud in 15-sec or 30-sec blocks.
•it is convenient but data can be misused.
32
•Convenience can turn into inconvenience when a IVA listens all
the time, including to your TV shows/videos/family
conversations and when it has the *power* to place calls or
text your contacts on your behalf;
•Our lives, our actions, our likes, dislikes, etc. are in the cloud,
or with third parties that implemented IDA interfaces.
•We give up, voluntarily or involuntarily, on our privacy.
•Your voice is in the cloud in 15-sec or 30-sec blocks.
•it is convenient but data can be misused.
32
“Hey, Google””Hey, Alexa”
Data format:
Compressed video
over TLS 1.2 -
uploads the audio
file to the servers for
processing
IDAs Listen When You Think They Do Not
& Answer When Not Asked Any Question!
33
Data format:
Compressed video
over TLS 1.2 -
uploads the audio
file to the servers for
processing
IDAs Listen When You Think They Do Not
& Answer When Not Asked Any Question!
33
IVAs Listen When You Think They Do Not & Answer
When Not Asked Any Question!
myactivity.google.com
34
When Not Asked Any Question!
myactivity.google.com
34
Some Test Results For Muted Devices
Google MiniGoogle HomeEcho DotEcho Plus
If the devices does not talk back it does not mean it is dormant or not communicating:
(pinging the network, kipping the heartbeat, getting updates, etc.)
35
Google MiniGoogle HomeEcho DotEcho Plus
If the devices does not talk back it does not mean it is dormant or not communicating:
(pinging the network, kipping the heartbeat, getting updates, etc.)
35
Some Test Results For Idled Devices
Google MiniGoogle HomeEcho DotEcho Plus
If the devices does not talk back it does not mean it is dormant or not
communicating: (pinging the network, kipping the heartbeat, getting updates,
trying to understand if called for duty, etc.)36
Google MiniGoogle HomeEcho DotEcho Plus
If the devices does not talk back it does not mean it is dormant or not
communicating: (pinging the network, kipping the heartbeat, getting updates,
trying to understand if called for duty, etc.)36
Some Test Results For Active Devices
Google MiniGoogle HomeEcho DotEcho Plus
37
Google MiniGoogle HomeEcho DotEcho Plus
37
What Can Go Wrong When You Are Hacked…
Wiretapping an IDA ecosystem (local network access)Compromised IDA-enabled devices (local network access)
Malicious voice commandsMalicious voice recording (via Dolphin Attack & variants)
”Alexa, can I trust you?”, published in IEEE Computer Magazine, Sept 2017
Malicious
voice recording
38
Wiretapping an IDA ecosystem (local network access)Compromised IDA-enabled devices (local network access)
Malicious voice commandsMalicious voice recording (via Dolphin Attack & variants)
”Alexa, can I trust you?”, published in IEEE Computer Magazine, Sept 2017
Malicious
voice recording
38
üAs virtual assistants become more
intelligent and the IDA ecosystem of
services and devices expands, there’s a
growing need to understand the security
and privacy threats from this emerging
technology.
üSeveral incidents highlight significant by
design dangerous zones, so enjoy this life-
changing technology wisely.
üMore research is needed to identify those
dangerous zones and to educate users how
to employ adequate security mitigations.
IDA Conclusions
“You can avoid reality,
but you cannot avoid the
consequences of avoiding
the reality.”
- Ayn Rand
39
intelligent and the IDA ecosystem of
services and devices expands, there’s a
growing need to understand the security
and privacy threats from this emerging
technology.
üSeveral incidents highlight significant by
design dangerous zones, so enjoy this life-
changing technology wisely.
üMore research is needed to identify those
dangerous zones and to educate users how
to employ adequate security mitigations.
IDA Conclusions
“You can avoid reality,
but you cannot avoid the
consequences of avoiding
the reality.”
- Ayn Rand
39
Compliance & Risk Management
Information technology is
complex
& calls for automation
Regulatory frameworks are
burdensome
& Need interop auto GRC tools
Paper-based A&A doesn’t
scale
& Calls for auto updates
Security vulnerabilities are
everywhere
& Calls for auto updates
Risk management is hard
& Experts need automation
DevOps & IaC is hard in
multi-clouds
& Calls for interoperability
& standardization
40
Information technology is
complex
& calls for automation
Regulatory frameworks are
burdensome
& Need interop auto GRC tools
Paper-based A&A doesn’t
scale
& Calls for auto updates
Security vulnerabilities are
everywhere
& Calls for auto updates
Risk management is hard
& Experts need automation
DevOps & IaC is hard in
multi-clouds
& Calls for interoperability
& standardization
40
Tools
OSCAL sets the foundation for automation and interoperability
A (Cyber) Machine-readable Esperanto that enables actors,
tools and organizations to exchange information via
automation:
What was needed?
Catalog
Authors
Baseline
Authors
Assessors
& Auditors
Security
Professionals
Tools to
Document
Assessment
Tools to Manage
IT Assets
Tools to Assess
IT Assets
Tools to
Report Status
Actors
41
OSCAL sets the foundation for automation and interoperability
A (Cyber) Machine-readable Esperanto that enables actors,
tools and organizations to exchange information via
automation:
What was needed?
Catalog
Authors
Baseline
Authors
Assessors
& Auditors
Security
Professionals
Tools to
Document
Assessment
Tools to Manage
IT Assets
Tools to Assess
IT Assets
Tools to
Report Status
Actors
41
ØOSCAL provides a common/single machine-readable language, expressed in XML, JSON and YAML for:
qmultiple compliance and risk management frameworks (e.g. SP 800-53, ISO/IEC 27001&2, COBIT 5)
qsoftware and service providers to express implementation guidance against security controls (Component definition)
qsharing how security controls are implemented (System Security Plans [SSPs])
qsharing security assessment plans (System Assessment Plans [SAPs] )
qsharing security assessment results/reports (System Assessment Results [SARs])
ØOSCAL enables automated traceability from selection of security controls through implementation and assessment
ß Traceability ß
OSCAL
Catalog ModelOSCAL
Profile Model
OSCAL SSP Model
Component
Definition Model
OSCAL Assessment
Plan Model
OSCAL Assessment
Results Model
OSCAL Plan of
Action and
Milestones Model
IMPORT CATALOGIMPORT PROFILE
ASSOCIATED PROFILES
IMPORT SSPIMPORT AP
OPEN RISKS
OPEN RISKS
What is OSCAL?
OSCAL is the result of NIST and FedRAMP collaboration
Controls LayerImplementation LayerAssessment Layer
Components
IMPORT SSP
à Information Flow à
42
qmultiple compliance and risk management frameworks (e.g. SP 800-53, ISO/IEC 27001&2, COBIT 5)
qsoftware and service providers to express implementation guidance against security controls (Component definition)
qsharing how security controls are implemented (System Security Plans [SSPs])
qsharing security assessment plans (System Assessment Plans [SAPs] )
qsharing security assessment results/reports (System Assessment Results [SARs])
ØOSCAL enables automated traceability from selection of security controls through implementation and assessment
ß Traceability ß
OSCAL
Catalog ModelOSCAL
Profile Model
OSCAL SSP Model
Component
Definition Model
OSCAL Assessment
Plan Model
OSCAL Assessment
Results Model
OSCAL Plan of
Action and
Milestones Model
IMPORT CATALOGIMPORT PROFILE
ASSOCIATED PROFILES
IMPORT SSPIMPORT AP
OPEN RISKS
OPEN RISKS
What is OSCAL?
OSCAL is the result of NIST and FedRAMP collaboration
Controls LayerImplementation LayerAssessment Layer
Components
IMPORT SSP
à Information Flow à
42
https://nist.gov/oscal
43
43
OSCAL Releases and News
OSCAL 1.0.0
RELEASED ON JUNE 7, 2021
LATEST: OSCAL 1.1.2
https://github.com/usnistgov/OSCAL/releases
“…First official, major release of OSCAL
provides a stable OSCAL 1.0.0 for wide-scale
implementation ...”
44
OSCAL 1.0.0
RELEASED ON JUNE 7, 2021
LATEST: OSCAL 1.1.2
https://github.com/usnistgov/OSCAL/releases
“…First official, major release of OSCAL
provides a stable OSCAL 1.0.0 for wide-scale
implementation ...”
44
Actors
Risk Management &
OSCAL content
RMF steps: PREPARECATEGORIZESELECTIMPLEMENTASSESSAUTHORIZECON-MON
SolutionEvaluatorCatalogCreatorsCatalogCreators
Component SupplierSystem ArchitectSystem EngineerSystemOwner System EngineerSystemOperatorProductEngineer SystemOwner
Authorizing
OfficialAssessorAuditorSystem Operator
Who Can Benefit & How ?
45
Risk Management &
OSCAL content
RMF steps: PREPARECATEGORIZESELECTIMPLEMENTASSESSAUTHORIZECON-MON
SolutionEvaluatorCatalogCreatorsCatalogCreators
Component SupplierSystem ArchitectSystem EngineerSystemOwner System EngineerSystemOperatorProductEngineer SystemOwner
Authorizing
OfficialAssessorAuditorSystem Operator
Who Can Benefit & How ?
45
Cloud Security - Conclusions
Cloud Security and forensic-readiness are
balancing acts that require:
•Robust standardization
•Unified assessment requirements
•3rd Party, independent assessment
process
•Clear communication and coordination
channels
46
Cloud Security and forensic-readiness are
balancing acts that require:
•Robust standardization
•Unified assessment requirements
•3rd Party, independent assessment
process
•Clear communication and coordination
channels
46
Thank you!
MY ADVICE:
ØDo not hesitate to explore wild, virgin domains.
ØNever give up: a wall you hit opens a door to a
new approach.
ØBe inquisitive and innovative.
ØMake it fun but meaningful to all.
ØEnjoy your research journey!
Contact: [email protected]
MY ADVICE:
ØDo not hesitate to explore wild, virgin domains.
ØNever give up: a wall you hit opens a door to a
new approach.
ØBe inquisitive and innovative.
ØMake it fun but meaningful to all.
ØEnjoy your research journey!
Contact: [email protected]
Download
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 99
- Slides 47
- Age 412 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
48 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views