As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in vulnerabilities, privacy, software architecture, digital engineering, container adoption efforts, ransomware, and the Solar Winds Hack.

These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Attacking COM via Word RTF
by Will Dormann

Do you remember Internet Explorer version 6 (IE6), and the fun we had with ActiveX? We've come a long way since then, right? Or have we? In this presentation, given at GRIMMCon 0x4, Will Dormann describes how Microsoft Word 2019 on Windows 10 is not too different from the dark old days of the IE6 ActiveX attack surface.
Download the presentation.

Amplifying Your Privacy Program: Strategies for Success
by Daniel L. Costa, Carrie Gardner

Privacy protection isn't just a compliance activity. It’s also a key area of organizational risk that requires enterprise-wide support and participation; careful planning; and forward-leaning, data-driven controls. This webcast highlights best practices for privacy program planning and implementation. It also presents strategies for leveraging existing capabilities within your organization to further advance privacy program building. In addition, it looks ahead to emerging research and operational needs for modernizing privacy programs.

The presenters discuss

• The state of the practice for privacy program planning and development
• How to align privacy program planning and development activities with related efforts within your organization
• Areas of ongoing and future research into privacy frameworks, privacy risk management, and privacy controls efficacy

View the webcast.

Modeling and Validating Security and Confidentiality in System Architectures
by Aaron Greenhouse, Jörgen Hansson (University of Skovde), Lutz Wrage

The importance of security in computer and information systems is increasing as network-connected computer systems become more ubiquitous. The objective of security is to verify that the computing platform is secured and that data and information are properly accessed and handled by users and applications, ensuring data confidentiality and integrity. To develop a framework for modeling and verifying security as a data quality attribute, designers need to identify parameters and variables with the expressive power to capture and represent security models and determine the type of analysis to enable. This report presents an approach for modeling and validating confidentiality based on the Bell–LaPadula security model using the Architecture Analysis and Design Language (AADL). The report describes the Bell–LaPadula security model and elaborates how security and Bell–LaPadula attributes are mapped to concepts and represented in AADL. It then describes modeling and validating security in AADL models, considering conditions that must be enforced for a system to ensure conformance to the Bell–LaPadula security policy. It also presents the analysis capabilities provided by AADL and examples modeled in AADL.
Download the report.

DevOps Enables Digital Engineering
by Hasan Yasar and David James Shepard

There is some confusion about how the paradigms of DevOps and Digital Engineering fit together. In the case of software-intensive systems, we believe DevOps practices are an enabler for Digital Engineering, in many forms. During this webcast, Hasan Yasar and David Shepard introduce the relatively new concept of Digital Engineering and how they believe DevOps actually complements/enables many of the goals of Digital Engineering.

View the webcast.
Listen to a podcast on digital engineering.

A 10-Step Framework for Managing Risk

Brett Tucker, a technical manager for cyber risk in the SEI CERT Division, discusses the Operationally Critical Threat, Asset, and Vulnerability Evaluation for the Enterprise (OCTAVE FORTE) Model. OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use principles of ERM to bridge the gap between executives and practitioners. In this SEI Podcast, Tucker outlines OCTAVE FORTE's 10-step framework to guide organizations in managing risk.

Listen to the podcast.

Artificial Intelligence (AI) and Machine Learning (ML) Acquisition and Policy Implications
by William E. Novak

In attempting to characterize the acquisition and policy implications of the application of AI & ML to a government context, instances of both actual and potential issues and consequences arising from such applications were researched and identified. In this context, implications are known current effects, as well as possible future effects of the use of these technologies across a number of different identified domains where those effects become manifest. Some of these implications are primary effects that occur as a direct result of the application of the technology (e.g., the need to review the ethics used in autonomous decision-making by AI & ML), while others are secondary effects that occur as a result of a primary effect (e.g., the need to access data that will then be used to train supervised ML).
Download the whitepaper.

7 Steps to Engineer Security into Ongoing and Future Container Adoption Efforts
by Tom Scanlon, Richard Laughlin

If organizations take more steps to address security-related activities now, they will be less likely to encounter security incidents in the future. When it comes to application containers, security is achieved through following and adopting a series of best practices and guidelines. In this SEI Podcast, Thomas Scanlon and Richard Laughlin discuss seven steps that developers can take to engineer security into ongoing and future container adoption efforts.
Listen to the podcast.

Ransomware: Evolution, Rise, and Response
by Marisa Midler and Timothy J. Shimeall

Ransomware, including ransomware-as-a-service threats, is a growing problem. Ransom payments from Quarter 3 of 2019 were on average $42,000, and in Quarter 1 of 2020, that average increased to $112,000. The volume of attacks also increased by 25 percent in Quarter 4 of 2019 and by another 25 percent in Quarter 1 of 2020. The sophistication of the attacks has increased alongside their severity. In this SEI Podcast, Marisa Midler and Tim Shimeall, analysts with the SEI's CERT Division, discuss steps and strategies that organizations can adopt to minimize their exposure to the risks and threats associated with ransomware.
Listen to the podcast.

SolarWinds Hack: Fallout, Recovery, and Prevention
by Matthew J. Butkovic and Art Manion

The recent SolarWinds incident demonstrated the challenges of securing systems when they are the product of complex supply chains. Responding effectively to breaches and hacks requires a cross-section of technical skills and process insights. This webcast explores the lifecycle of the SolarWinds activity and discuss both technical and risk assessment to prepare organizations to defend against this type of incident. The discussion covers

• technical details regarding the SolarWinds vulnerabilities and exploits
• supply chain risk management principles required to reduce the risk of future incidents
• advice on the core operational capabilities required to respond to and recover from the SolarWinds hack

View the webcast.