St. John's University - Computer Science

Certifications:
PMP - Project Management Institute
CISSP - (ISC)²
A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles

Citation: Tannian, M. F., Schweikert, C., Liu, Y. “A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles.” Journal of Interconnection Networks, Vol. 17, No. 1, doi: 10.1142/S0219265917400035

Abstract: The use of biometrics to enhance identification has been explored and utilized to various extents. DNA is the most reliable and stable biometric that remains unchanged throughout an individual’s lifetime. Advancements in DNA analysis, in terms of reduced cost and faster processing times, make the use of DNA as a biometric more feasible over time. Since DNA data is of a sensitive nature, privacy and ethical concerns would have to be carefully considered before large-scale adoption for use in identity documents. Birth certificates are a fundamental document used by a person for identification. However, they do not contain any means of authentication beyond possession of the document. This paper examines the security measures that would be required if birth certificates were embedded with DNA profile information. The U.S. FBI CODIS approach is referred to, being an established standard for human DNA profiling and identification. Effects on the issuance and verification network for birth certificate documents are explored, in addition to the security threats.
Initial Steps for IT Incident Visualization: Understanding Leadership Needs, Design and Evaluation

Citation: Tannian, M. F. “Initial Steps for IT Incident Visualization: Understanding Leadership Needs, Design and Evaluation.” 2015 48th Hawaii International Conference on System Sciences, pp. 1128-1137, doi: 10.1109/HICSS.2015.137

Abstract: In today's technology-dependent world, business leaders within organizations must address information technology (IT) incident response needs. Yet, piecemeal and inadequate incident response tools frequently stymie their engagement. This paper discusses a user-centered approach undertaken to design, develop and evaluate an initial leader-centric IT incident response visualization that would facilitate effective and timely self-directed awareness. Two distinct groups of IT professionals were enlisted in this study. The methodology resulted in an initial development and evaluation of a visualization prototype. The paper introduces management of declared IT incidents as a viable problem domain for visualization. Second, the paper presents the types of information sources for effective IT incident response. Lastly, the paper proposes that leaders would welcome a visualization mechanism that facilitates their ability to observe, understand, synthesize and to adjust real-time actions based on their comprehension.
Security Analysis of Public Cloud Computing

Citation: Idziorek, J. and Tannian, M. "Security Analysis of Public Cloud Computing." International Journal of Communication Networks and Distributed Systems, Vol. 9, Nos. 1/2, pp. 4-20. doi: 10.1504/IJCNDS.2012.047893

Abstract: Cloud computing is in its infancy and continues to evolve. As this evolution proceeds, there are a number of privacy and security concerns emerging from the cloud computing model that need to be addressed before broad acceptance occurs. This paper is an initial literature survey of cloud computing security, which promises to be a challenging research area. Although cloud computing security research inherits previous research from its elemental technologies, this paper will limit its focus on surveying cloud computing targeted research. By performing a systematic analysis of the security aspects of the cloud model, this work seeks to succinctly clarify why security continues to be a significant impediment for cloud adoption.
Securing Birth Certificate Documents with DNA Profiles

Citation: Tannian, M. F., Schweikert, C., Liu, Y. “Securing Birth Certificate Documents with DNA Profiles.” 2017 50th Hawaii International Conference on System Sciences, pp. 2398-2407, DOI http://hdl.handle.net/10125/41446

Abstract: The birth certificate is a document used by a person to obtain identification and licensing documents throughout their lifetime. For identity verification, the birth certificate provides limited information to support a person’s claim of identity. Authentication to the birth certificate is strictly a matter of possession. DNA profiling is becoming a commodity analysis that can be done accurately in under two hours with little human intervention. The DNA profile is a superior biometric to add to a birth record because it is stable throughout a person’s life and beyond. Acceptability of universal DNA profiling will depend heavily on privacy and safety concerns. This paper uses the U.S. FBI CODIS profile as a basis to discuss the effectiveness of DNA profiling and to provide a practical basis for a discussion of potential privacy and authenticity controls. As is discussed, adopting DNA profiles to improve document security should be done cautiously.
Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis

Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis." In Proceedings of the 2011 Winter Simulation Conference (WSC). Phoenix, AZ. 11-14 December 2011. pp. 3318-3329, doi: 10.1109/WSC.2011.6148028

Abstract: Early proponents of public cloud computing have come to identify cost savings as a key factor for adoption. However, the adoption and hosting of a web application in the cloud does not provide any such guarantees. This is in part due to the utility pricing model that dictates the cost of public cloud resources. In this work we seek to model and simulate data usage for a web application for the purpose of utility cost analysis. Although much research has been performed in the area of web usage mining, previously proposed models are unable to accurately model web usage profiles for a specific web application. In this paper, we present a simulation model and corresponding algorithm to model web usage based on empirical observations. The validation of the proposed model shows that the simulated output conforms to that of what was observed and is within acceptable tolerance limits.
Exploiting Cloud Utility Models for Profit and Ruin

Citation: Idziorek, J. and Tannian, M. "Exploiting Cloud Utility Models for Profit and Ruin." In Proceedings of the 2011 IEEE 4th International Conference on Cloud Computing (CLOUD ’11). Washington, DC. 4-9 July 2011. pp. 33-40, doi: 10.1109/CLOUD.2011.45

Abstract: This paper discusses an attack on the cloud computing model by which an attacker subtly exploits a fundamental vulnerability of current utility compute models over a sustained period of time. Internet-accessible cloud services expose resources that are metered for billing purposes. These resources are subject to fraudulent resource consumption that is intended to run up the operating expenses for public cloud service customers. The details and significance of this attack are discussed as well as two detection methodologies and their respective experimental results. This work investigates a potentially significant vulnerability of the cloud computing model that could be exploited from any Internet-connected host. Well-crafted transactions that only differ in intent but not in content are challenging to differentiate and thus this attack may be difficult to detect and prevent.
Attribution of Fraudulent Resource Consumption in the Cloud

Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Attribution of Fraudulent Resource Consumption in the Cloud." Proceedings of the 2012 IEEE 5th International Conference on Cloud Computing (CLOUD ’12). Honolulu, HI. 24 June 2012. pp. 99-106, doi: 10.1109/CLOUD.2012.23

Abstract: Obligated by a utility pricing model, Internet-facing web resources hosted in the public cloud are vulnerable to Fraudulent Resource Consumption (FRC) attacks. Unlike an application-layer DDoS attack that consumes resources with the goal of disrupting short-term availability, an FRC attack is a considerably more subtle attack that instead seeks to disrupt the long-term financial viability of operating in the cloud by exploiting the utility pricing model over an extended time period. By fraudulently consuming web resources in sufficient volume (i.e. data transferred out of the cloud), an attacker (e.g. botnet) is able to incur significant fraudulent charges to the victim. This paper proposes an attribution methodology to identify malicious clients participating in an FRC attack. Experimental results demonstrate that the presented methodology achieves qualified success against challenging attack scenarios.
Mark Tannian

Experience: St. John's University; Iowa State University; e-Security Inc.; BCG Platinion; StayClear Dental LLC; CA Technologies; Network Associates Inc. (Formerly Trusted Information Systems); Rex Black Consulting Services; SAFEOperations, Inc.; SRA International
Assistant Professor, St. John's University, Queens, New York
Member of the Division of Computer Science, Mathematics and Science within the College of Professional Studies. Specialization is in the area of Information and Cyber Security teaching and research.
Lead Systems Engineer (last position), Network Associates Inc. (Formerly Trusted Information Systems), Rockville, MD
5/98 - 8/98 - Lead Systems Engineer
8/97 - 5/98 - Engineering Lead
7/97 - 5/98 - Senior Technical Advisor
5/95 - 7/97 - Support Engineer
Program Manager (Consultant), BCG Platinion, New York, New York
Assisted with the completion of internal cybersecurity projects for the Platinion Cybersecurity practice.
SRA International
On-site contract senior security operations engineer for the U.S. Department of Health and Human Services' IT Service Center (ITSC). Led various incident response teams addressing malware outbreaks, compromised systems, and investigation into potential malicious activities. Worked closely with the CISO to select Vulnerability Remediation products and assisted with strategy development. Analyzed and investigated tickets issued by the Department's managed IDS monitoring service. Extended IDS by performing analysis using Securify, firewall logs and anti-virus logs. Managed firewalls and analyzed risk associated with requested changes. Contributed to Security Policy and Security Program development efforts sponsored by the CISO.
Senior Engineer, SAFEOperations, Inc., Columbia, MD

1/01 – 5/01 Senior Engineer
Led the design, operational readiness and staffing efforts for a Security Operations Center along with fulfilling customers’ technical needs, continued to administer corporate information technology and provided consulting services.

8/98 – 12/00 Senior Engineer & Co-Founder of Risk Management Associates
Established and managed the corporate information technology infrastructure. Information security projects ranged from leading a malicious insider investigation, leading an incident response for a steamship company, assisting with risk assessments of a large steamship company & pharmaceutical company, contributing to an information security policy for a natural gas utility, participating in an intellectual property theft investigation, leading vulnerability assessments of an ASP and a local government contractor, to integrating a PGP pilot and NAI Gauntlet. Designed and implemented a SOC and offering for a managed security service.
Professional Development Provider (Contractor), Rex Black Consulting Services, Greater New York City Area
Rex Black Consulting Services is a software and hardware-testing consultancy, where I provide professional development services, such as certification exam peer review, certification exam development, training, and course development. Subject areas include software security testing, performance testing and design thinking.
Senior Technical Product Manager (last position), e-Security Inc., Vienna, VA

11/03 - 4/04
Managed product strategy, market requirements, product delivery and marketing of features, functionality and relevant product architecture in the areas of agents, agent platform, reporting, correlation, taxonomy, semantic schema and product security. These areas provided much of the value of the e-Security product line, for these areas encompass the extraction, normalization and analysis of the information pertinent to Security Event Management and other security monitoring interests like regulatory compliance.

5/01 - 11/03 - Professional Services Consultant
Delivered e-Security solutions to e-Security’s Fortune 500 customers. Provided expert solution-oriented enterprise architecture design, solution delivery and training within the Banking, Pharmaceutical, Communications, Petroleum, US Government, and Defense sectors. Designed, developed, and deployed a Fault Tolerance solution extension of the Sentinel V3.2 product. Trained in excess of 200 students worldwide in product usage, agent development, and system administration.
CA Technologies
Technical pre-sales engineer supporting sales efforts with CA’s Security Management product line. Efforts were primarily focused on sales opportunities of CA’s Identity and Access Management products. Expertise was developed with CA Access Control, CA Single Sign On and CA Security Command Center. Assisted with closing of several multi-million dollar deals. Responsible for technical presentations, demonstrations, proof of concepts, solution requirements gathering and documentation, technical assistance, informal education and addressing customer satisfaction issues.
Graduate Assistant, Iowa State University
8/08 - 5/13 - Research Assistant - Developing a visualization oriented to business leaders to improve incident awareness and decision evaluation based on impact or risk on their operations. Also investigated security issues within cloud computing.
8/07 - 5/10 - Teaching Assistant
Fall '09 and Spring '10 - Taught a graduate Information Security Seminar course.
Spring '09 - Summer '09 - Designed lab infrastructure for Network Security and Information Warfare classes.
Summer '08 - Fall '08 - Developed a mobile embedded learning platform and laboratory assignment materials as part of a three-person team.
Fall '07 - Spring '08 - Laboratory instructor for introductory embedded systems class. Responsible for the development and documentation of new lab exercises as well as final projects.
Postdoctoral Research Associate, Iowa State University, Ames, Iowa
Designing and developing curriculum and teaching materials for educating high-school students in the area of IT operations and cyber defense as part of the IT-Adventures outreach project; continued research and publishing related to business impact visualization for information security and compliance events. This research is focused on aiding decision-makers in complex IT incident handling situations.
Development and Manufacturing Engineer (Consultant), StayClear Dental LLC, Newark, Delaware
StayClear Dental has innovated a patented visionary dental mirror system, where I provided design evaluation, supported technical procurement decision-making (e.g. PCB manufacturing, software engineering), developed manufacturing and quality system processes (e.g. FDA 21 CFR 820) and led safety and effectiveness assessment (e.g. IEC 60601) efforts.
Languages: German
Education:
Doctor of Philosophy (Ph.D.), Computer Engineering, Iowa State University
Master's degree, Electrical Engineering, The George Washington University
Bachelor of Engineering (B.E.), Electrical Engineering, University of Delaware
(ISC)2 NY Metro Chapter: Recruit and coordinate speakers for (ISC)2 chapter meetings.
Skills: Management, Firewalls, Computer Security, Risk Assessment, IT Management, Strategy, Vulnerability Assessment, Software Documentation, Cloud Computing, Software Lifecycle, Security, Consulting, Information Security, Product Management, Network Security, System Administration, Information Technology, IDS, Risk Management
Detecting Fraudulent Use of Cloud Resources

Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Detecting Fraudulent Use of Cloud Resources." In Proceedings of the 2011 ACM Workshop on Cloud Computing Security (CCSW) at CCS. Chicago, IL. 21 October 2011. pp. 33-40, doi: 10.1145/2046660.2046676

Abstract: Initial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred, processed, and stored in the cloud. Little attention has been paid to the external threat sources that have the capability to affect the financial viability, hence the long-term availability, of services hosted in the public cloud. Similar to an application-layer DDoS attack, a Fraudulent Resource Consumption (FRC) attack is a much more subtle attack carried out over a longer duration of time. The objective of the attacker is to exploit the utility pricing model which governs the resource usage in the cloud model by fraudulently consuming web content with the purpose of depriving the victim of their long-term economic availability of hosting publicly accessible web content in the cloud. In this paper, we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes are not applicable to a more subtle attack. We propose three detection metrics that together form the criteria for identifying an FRC attack from that of normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has a difficult time mimicking the self-similar and consistent request semantics of normal web activity.
Business impact visualization for information security and compliance events

Citation: Tannian, M. F. “Business impact visualization for information security and compliance events.” Ph.D., Iowa State University, Iowa, 2013

Abstract: Business leaders face significant challenges from IT incidents that interfere with or pose imminent risk to more than one workgroup. Communication, coordination and monitoring are hindered by factors such as the IT incidents’ technical complexity and unfamiliarity, distributed ad-hoc response teams, competing demands for their time, nuanced business dependencies, the lack of reliable IT incident measures and a piecemeal toolset to overcome these challenges. This research proposes a dynamic visual system as a solution to overcome many of these challenges.

Starting with a broad outline of improving the awareness and comprehension of security and compliance events for business leaders, this effort enlisted the assistance of seven experienced IT professionals in the Des Moines metropolitan area. A user-centered design methodology was developed that enabled these individuals to influence the selection of a problem space, explore related challenges, contribute to requirements definition and prioritization, review designs and, finally, test a prototype. The group consisted of leaders and senior technical staff working in various industries. At the end of the methodology, a group of unrelated IT professionals, with no prior knowledge of the research, was asked to perform an objective evaluation of the prototype. That evaluation is reported in this document and forms the basis of conclusions regarding the research hypothesis.
Teaching Computer Security Literacy to Students from Non-Computing Disciplines

Citation: Idziorek, J., Tannian, M., and Jacobson, D. “Teaching Computer Security Literacy to Students from Non-Computing Disciplines.” In Proceedings of the 2011 ASEE Annual Conference, Vancouver, BC, June 2011

Abstract: Gone are the days when cyber security education was only a concern for computer and Internet experts. In today's world of pervasive computing, everyone is a target. The volume, sophistication, and effectiveness of cyber attacks continue to grow and show no signs of abating. At the center of this cyber epidemic are college students who rely on their computing and communication devices and the Internet more than any previous generation for their educational, social, and entertainment needs. Yet these same students have little knowledge of the threats they face, the potential short-term and long-term consequences of their actions and the context to make informed security decisions. The objective of this paper is to describe our approach to practical computer security education for students of non-computer disciplines at the university level. Our primary objective is not to delve into the technical workings of computer security, but instead bring security context to the common computing actions that students already perform on a daily or weekly basis. In this paper, we present our course in detail, discussing topics of focus, approaches to engage students and our assessment of student learning.
Insecurity of Cloud Utility Models

Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Insecurity of Cloud Utility Models." IEEE IT Professional. March-April 2013, vol. 15, no. 2, pp. 22-27, doi: 10.1109/MITP.2012.43

Abstract: Cloud-based services are vulnerable to attacks that seek to exploit the pay-as-you-go pricing model. A botnet could perform fraudulent resource consumption (FRC) by consuming the bandwidth of Web-based services, thereby increasing the cloud consumer's financial burden.