CERT: addressing software threats and challenges
Carnegie Mellon SEI’s CERT
division experts develop and share cyber solutions. One engineer asks, “How do you defend against something only a hacker knows about?”
By Laurel A. McKee Ranger
The Carnegie Mellon University (Pittsburgh, PA) Software Engineering Institute (SEI) was founded in 1984, chartered by the Department of Defense to improve the state of software and advanced research and development. It’s considered a trusted third party and an objective organization, and performs research to explore solutions to software engineering problems.
Most of SEI’s clients are government organizations. Its areas of expertise include software engineering and research, cybersecurity, emerging software technologies, and acquisition solutions.
“The scope of work performed by the SEI ranges from theoretical to operational. Examples include analyzing the way teams work to develop software and eliminate errors and problems, providing direct support to clients, and developing technology and tools,” says Rita Creel, a principal engineer in SEI’s CERT division.
CERT: improving security
CERT was launched in 1988 in response to an early computer worm incident, and was originally known as the Computer Emergency Response Team. Its original role was to coordinate communications during cyber emergencies, but it’s now also charged with proactively improving software security. Its stated mission is to “study internet vulnerabilities, research long-term changes in networked systems, and develop information and training to help improve security.”
Creel has a BSCS and MSCS from California State University-Long Beach, and will finish an MA program in organizational leadership at Gonzaga University (WA) in 2014. She joined SEI in 2005. Previously she worked for twenty years in the aerospace industry designing, building and evaluating software for satellite systems.
Creel reports to the CERT director’s office. She works across CERT and collaborates with other SEI divisions to develop cross-discipline responses to customer challenges and needs. Most recently, she led a cross-discipline team at SEI that developed a cybersecurity risk management strategy.
Cybersecurity is a moving target
“You can’t ensure one hundred percent against threats. When you work in cybersecurity you’re dealing with a moving target. Systems and the networks connecting them are complex and always changing; at the same time, new threats are emerging. The way we build systems now, as soon as you remediate one set of vulnerabilities, you discover more. And there are always some that escape detection,” admits Creel.
Her career in aerospace gave her a good background for her work at CERT. “It’s an incredible way to start. Space is an unforgiving environment; we couldn’t risk losing a spacecraft because of a software bug. So quality issues, such as security and reliability, have always been key interests for me. I wanted to expand that interest and the expertise I’d developed into other software environments,” she says.
When Creel first came to SEI, she worked in the acquisition area. “Our job was to help organizations improve how they acquired software-reliant systems. But as time went on and systems became more interconnected, there were more and more cyber attacks. All our critical infrastructure systems are subject to cyber incidents.
“I moved to CERT because of my interest in mitigating the risks of compromise through the full lifecycle, starting from system definition and construction and moving through operations and maintenance.”
Cyber work is not just about technology, she adds. “There are behavioral implications. You’re looking for intentional and unintentional threats, and implementing policies to deal with them. You’re finding ways to build, test, deploy and sustain software that reduce vulnerability to attack. So you’re dealing with organizations and asking people to change their behavior, whether it’s how they design and write code, or what they are allowed to do on their systems. This can be difficult. For a security policy to be successful, impacts on usability and workflows must be considered,” she says.
Creel finds working at CERT both challenging and rewarding. “It’s interesting work, and given our increasing reliance on networked systems and software, it’s quite a responsibility. Our trusted agent role offers unique opportunities to collaborate across government, industry and academia. We also work closely with Carnegie Mellon. This is an organization like no other!” she says enthusiastically.
Kelwyn Pender: a journey to CERT
Kelwyn Pender is a member of CERT’s technical staff. He joined the division in 2010, and works as a security solutions engineer, engineering solutions for specific security problems.
Pender has a bachelors degree in computer science and computer engineering and a masters degree in systems architecture and engineering, both from the University of Southern California (Los Angeles). He spent eight years working in the high-tech industry, including time at Intel supporting IP-based products.
After Intel he moved into the financial industry, working for Fannie Mae on network architecture and network security. At Fannie Mae, his last job before he came to CERT, he was involved in financial network security, systems engineering and integration.
Sharing knowledge to defend against breaches
Pender explains that CERT makes its findings widely available through training courses and publications. “We sponsor conferences and host cyber exercises, bringing people in to do simulated incident response for clients,” he says.
Pender finds the diverse technical work and challenges fascinating. “We deal with talented people from around the world. We hear about the latest advances. Here we can look at all the aspects of problems and implement the best solutions. We see problems from both the macro and micro perspectives and everything in between. We see nationwide and system-specific threats,” he says.
But in cybersecurity, the challenges come on a daily, hourly and millisecond basis. “Sometimes the first time you hear about a problem is when you’ve already been breached. For example, in a successful zero-day attack your first indication of a security problem happens after an adversary has already successfully breached your system, by exploiting a previously unknown vulnerability.
“How do you defend against something that maybe only a hacker knows about? The scale is tremendous. It involves not just computer network systems, but public infrastructure, mobile devices, medical devices, home connectivity; those all are possible targets for attack,” he says.
“The world of CERT is very dynamic and exciting. We’re on the leading edge of applied security research and cyber threat analysis. It’s always a challenge.”
Back to Top