Baijian “Justin” Yang is leading the IEEE Cybersecurity Initiative’s Try-CybSI project. He is an Associate Professor in the Department of Computer and Information Technology, Purdue University.
Question: What is the purpose of the Try-CybSI project and why is it important?
Yang: The IEEE Try-CybSI project is the IEEE Cybersecurity Initiative’s effort to provide cloud-based tools to cybersecurity professionals and students to gain hands-on experience with fundamental security concepts, proper implementation of cryptography, design flaws, exploits, state-of-art security research projects and other artifacts. We feel very strongly that cybersecurity practitioners need practical familiarity with these tools and how common cybersecurity attacks and other artifacts behave. Thus we’ve created a user-friendly, cloud-based, interactive platform to accomplish that goal.
Enormous resources are expended globally on a daily basis to combat cybersecurity attacks and correct flaws. We think that an integrated approach that combines the IEEE’s Center for Secure Design, reports such as “Avoiding the Top 10 Security Design Flaws” and “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” IEEE’s Symposium on Security and Privacy, and our Try-CybSI effort will assist practitioners in becoming more proactive about security in the design phase and more knowledgeable in dealing with issues that impact our increasingly digital society. Cybersecurity breaches are a drag on the economy and violate the privacy of real people.
Question: How does this platform work?
Yang: If you go the Try-CybSI page, you’ll see a variety of tools are available. Click on one and instructions tell you how to proceed, as in this YouTube video. The beauty of this approach is that these tools and artifacts are packaged in isolated, secure containers. In the real-world these artifacts tend to be short-lived and version-specific. It is difficult to reproduce either the attack or the effective defense in a currently operational system.
So we’ve developed generic examples that illustrate the characteristics and behaviors that need to be understood by practitioners. This approach relies on a very simple user interface. It doesn’t require a fast computer. As long as you have a physical keyboard, you can interact with the system.
Question: How will Try-CybSI evolve over time?
Yang: It’s important that users and prospective users understand that Try-CybSI is an ongoing process. We have fewer than a dozen containers available today. But we have others in development and more use cases are on their way. So the platform will constantly evolve.
I’d like to point out that, at this stage, this service is free of charge. It’s a good time to play around with it. Once the word gets out, we expect this service to become very popular with cybersecurity practitioners. At some point, it may become fee-for-service, because of the cost and effort involved.
Question: What differentiates Try-CybSI from similar efforts outside IEEE?
Yang: First, just looking at the service itself, there really isn’t anything like this on the market. There are no cloud-based, interactive tools for practical cybersecurity learning. These tools demonstrate current issues in today’s cybersecurity world and there’s a strong need for that among practitioners.
Second, IEEE is a market leader in computer security studies, publications and related standards. IEEE’s reputation for collaboration, transparency and impartiality means that these tools are technically sound and of great value to potential users.
With the uniqueness of this platform, backed by IEEE’s reputation for excellence, we plan to attract cybersecurity professionals who will share their knowledge and contribute their tools for interactive use by other practitioners.
Question: What has the Try-CybSI site’s use data revealed so far?
Yang: The site was made public on March 1, 2016. We are beginning to attract users, predominantly in the United States and China so far, but also from Russia, the United Kingdom, Pakistan, Saudi Arabia, Canada, Finland and Greece. Certain tools have been explored more than others.
Anecdotally, it appears that word-of-mouth across the cybersecurity community is a powerful means of getting the word out. So if you are a cybersecurity professional or student, please visit the site, explore a few tools and let your colleagues know about it. We also think that university instructors should be encouraged to use the Try-CybSI platform in the classroom.
Question: Are there a finite number of categories of cybersecurity tools, artifacts, flaws, and so forth? And can you give us an example of one that’s currently offered?
Yang: I’d say there are four categories. One is related to network security, like ARP [Address Resolution Protocol] spoofing, SLL stripping, HSTS [Http Strict Transport Security]. The second category includes state-of-the-art research tools or products like T-DNS [DNS over TCP and TLS], Longtail, etc. The third category covers secure coding and proper cryptography implementations, such as Padding Oracle Attack and CBC-MAC. A fourth category, if you will, covers exploits and ongoing security events, such as SQL injection and the Heartbleed attack that caused industry to spend hundreds of millions of dollars to fix it.
Question: What’s next for Try-CybSI?
Yang: Primarily, we want practitioners to use the website and its tools. We’re especially interested to hear from users on what works and what enhancements are needed. They can email us at trycybsi@gmail.com with suggestions and we will respond. We’re already aware that we’ll need to refine some of these containerized artifacts. And we’re thinking of sponsoring security challenges that will raise awareness of our efforts and, therefore, contribute to improvements in cybersecurity across the globe.
Meanwhile, we’ll attend IEEE’s Symposium on Security and Privacy in San Jose, May 23-25. I plan to spread the word on Try-CybSI there and enlist users and contributors. We’re offering a valuable resource and the cybersecurity world needs to know about it.