Mark F. Tannian

Biography

St. John's University - Computer Science


Resume

  • PMP (2112648), Project Management Institute

  • CISSP (26276), (ISC)²

  • A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles

    Citation: Tannian, M. F., Schweikert, C., Liu, Y. “A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles.” Journal of Interconnection Networks, Vol. 17, No. 1, 2017. doi: 10.1142/S0219265917400035

    Abstract: The use of biometrics to enhance identification has been explored and utilized to various extents. DNA is the most reliable and stable biometric that remains unchanged throughout an individual’s lifetime. Advancements in DNA analysis, in terms of reduced cost and faster processing times, make the use of DNA as a biometric more feasible over time. Since DNA data is of a sensitive nature, privacy and ethical concerns would have to be carefully considered before large-scale adoption for use in identity documents. Birth certificates are a fundamental document used by a person for identification. However, they do not contain any means of authentication beyond possession of the document. This paper examines the security measures that would be required if birth certificates were embedded with DNA profile information. The U.S. FBI CODIS approach is referred to, being an established standard for human DNA profiling and identification. Effects on the issuance and verification network for birth certificate documents are explored, in addition to the security threats.

  • Initial Steps for IT Incident Visualization: Understanding Leadership Needs, Design and Evaluation

    Citation: Tannian, M. F. “Initial Steps for IT Incident Visualization: Understanding Leadership Needs, Design and Evaluation.” 2015 48th Hawaii International Conference on System Sciences, pp. 1128-1137. doi: 10.1109/HICSS.2015.137

    Abstract: In today's technology-dependent world, business leaders within organizations must address information technology (IT) incident response needs. Yet, piecemeal and inadequate incident response tools frequently stymie their engagement. This paper discusses a user-centered approach undertaken to design, develop and evaluate an initial leader-centric IT incident response visualization that would facilitate effective and timely self-directed awareness. Two distinct groups of IT professionals were enlisted in this study. The methodology resulted in an initial development and evaluation of a visualization prototype. The paper introduces management of declared IT incidents as a viable problem domain for visualization. Second, the paper presents the types of information sources for effective IT incident response. Lastly, the paper proposes that leaders would welcome a visualization mechanism that facilitates their ability to observe, understand, synthesize and to adjust real-time actions based on their comprehension.

  • Security Analysis of Public Cloud Computing

    Citation: Idziorek, J. and Tannian, M. "Security Analysis of Public Cloud Computing." International Journal of Communication Networks and Distributed Systems, Vol. 9, Nos. 1/2, pp. 4-20. doi: 10.1504/IJCNDS.2012.047893

    Abstract: Cloud computing is in its infancy and continues to evolve. As this evolution proceeds, there are a number of privacy and security concerns emerging from the cloud computing model that need to be addressed before broad acceptance occurs. This paper is an initial literature survey of cloud computing security, which promises to be a challenging research area. Although cloud computing security research inherits previous research from its elemental technologies, this paper will limit its focus to surveying cloud computing targeted research. By performing a systematic analysis of the security aspects of the cloud model, this work seeks to succinctly clarify why security continues to be a significant impediment for cloud adoption.

  • Securing Birth Certificate Documents with DNA Profiles

    Citation: Tannian, M. F., Schweikert, C., Liu, Y. “Securing Birth Certificate Documents with DNA Profiles.” 2017 50th Hawaii International Conference on System Sciences, pp. 2398-2407. DOI http://hdl.handle.net/10125/41446

    Abstract: The birth certificate is a document used by a person to obtain identification and licensing documents throughout their lifetime. For identity verification, the birth certificate provides limited information to support a person’s claim of identity. Authentication to the birth certificate is strictly a matter of possession. DNA profiling is becoming a commodity analysis that can be done accurately in under two hours with little human intervention. The DNA profile is a superior biometric to add to a birth record because it is stable throughout a person’s life and beyond. Acceptability of universal DNA profiling will depend heavily on privacy and safety concerns. This paper uses the U.S. FBI CODIS profile as a basis to discuss the effectiveness of DNA profiling and to provide a practical basis for a discussion of potential privacy and authenticity controls. As is discussed, adopting DNA profiles to improve document security should be done cautiously.

  • Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis

    Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis." In Proceedings of the 2011 Winter Simulation Conference (WSC). Phoenix, AZ. 11-14 December 2011. pp. 3318-3329. doi: 10.1109/WSC.2011.6148028

    Abstract: Early proponents of public cloud computing have come to identify cost savings as a key factor for adoption. However, the adoption and hosting of a web application in the cloud does not provide any such guarantees. This is in part due to the utility pricing model that dictates the cost of public cloud resources. In this work we seek to model and simulate data usage for a web application for the purpose of utility cost analysis. Although much research has been performed in the area of web usage mining, previously proposed models are unable to accurately model web usage profiles for a specific web application. In this paper, we present a simulation model and corresponding algorithm to model web usage based on empirical observations. The validation of the proposed model shows that the simulated output conforms to that of what was observed and is within acceptable tolerance limits.

  • Exploiting Cloud Utility Models for Profit and Ruin

    Citation: Idziorek, J. and Tannian, M. "Exploiting Cloud Utility Models for Profit and Ruin." In Proceedings of the 2011 IEEE 4th International Conference on Cloud Computing (CLOUD ’11). Washington, DC. 4-9 July 2011. pp. 33-40. doi: 10.1109/CLOUD.2011.45

    Abstract: This paper discusses an attack on the cloud computing model by which an attacker subtly exploits a fundamental vulnerability of current utility compute models over a sustained period of time. Internet-accessible cloud services expose resources that are metered for billing purposes. These resources are subject to fraudulent resource consumption that is intended to run up the operating expenses for public cloud service customers. The details and significance of this attack are discussed as well as two detection methodologies and their respective experimental results. This work investigates a potentially significant vulnerability of the cloud computing model that could be exploited from any Internet-connected host. Well-crafted transactions that only differ in intent but not in content are challenging to differentiate, and thus this attack may be difficult to detect and prevent.

  • Attribution of Fraudulent Resource Consumption in the Cloud

    Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Attribution of Fraudulent Resource Consumption in the Cloud." Proceedings of the 2012 IEEE 5th International Conference on Cloud Computing (CLOUD ’12). Honolulu, HI. 24 June 2012. pp. 99-106. doi: 10.1109/CLOUD.2012.23

    Abstract: Obligated by a utility pricing model, Internet-facing web resources hosted in the public cloud are vulnerable to Fraudulent Resource Consumption (FRC) attacks. Unlike an application-layer DDoS attack that consumes resources with the goal of disrupting short-term availability, an FRC attack is a considerably more subtle attack that instead seeks to disrupt the long-term financial viability of operating in the cloud by exploiting the utility pricing model over an extended time period. By fraudulently consuming web resources in sufficient volume (i.e. data transferred out of the cloud), an attacker (e.g. botnet) is able to incur significant fraudulent charges to the victim. This paper proposes an attribution methodology to identify malicious clients participating in an FRC attack. Experimental results demonstrate that the presented methodology achieves qualified success against challenging attack scenarios.

  • Assistant Professor, St. John's University, Queens, New York

    Member of the Division of Computer Science, Mathematics and Science within the College of Professional Studies. Specialization is in the area of Information and Cyber Security teaching and research.

  • Lead Systems Engineer (last position), Network Associates Inc. (Formerly Trusted Information Systems), Rockville, MD

    5/98 - 8/98 - Lead Systems Engineer
    8/97 - 5/98 - Engineering Lead
    7/97 - 5/98 - Senior Technical Advisor
    5/95 - 7/97 - Support Engineer

  • Program Manager (Consultant), BCG Platinion, New York, New York

    Assisted with the completion of internal cybersecurity projects for the Platinion Cybersecurity practice.

  • SRA International

    On-site contract senior security operations engineer for the U.S. Department of Health and Human Services' IT Service Center (ITSC). Led various incident response teams addressing malware outbreaks, compromised systems, and investigation into potential malicious activities. Worked closely with the CISO to select Vulnerability Remediation products and assisted with strategy development. Analyzed and investigated tickets issued by the Department's managed IDS monitoring service. Extended IDS by performing analysis using Securify, firewall logs and antivirus logs. Managed firewalls and analyzed risk associated with requested changes. Contributed to Security Policy and Security Program development efforts sponsored by the CISO.

  • Senior Engineer, SAFEOperations, Inc., Columbia, MD

    1/01 – 5/01 - Senior Engineer
    Led the design, operational readiness and staffing efforts for a Security Operations Center along with fulfilling customers’ technical needs, continued to administer corporate information technology and provided consulting services.

    8/98 – 12/00 - Senior Engineer & Co-Founder of Risk Management Associates
    Established and managed the corporate information technology infrastructure. Information security projects ranged from leading a malicious insider investigation, leading an incident response for a steamship company, assisting with risk assessments of a large steamship company & pharmaceutical company, contributing to an information security policy for a natural gas utility, participating in an intellectual property theft investigation, leading vulnerability assessments of an ASP and a local government contractor, to integrating a PGP pilot and NAI Gauntlet. Designed and implemented a SOC and offering for a managed security service.

  • Professional Development Provider (Contractor), Rex Black Consulting Services, Greater New York City Area

    Rex Black Consulting Services is a software and hardware-testing consultancy, where I provide professional development services, such as certification exam peer review, certification exam development, training, and course development. Subject areas include software security testing, performance testing and design thinking.

  • Senior Technical Product Manager (last position), e-Security Inc., Vienna, VA

    11/03 - 4/04 - Senior Technical Product Manager
    Managed product strategy, market requirements, product delivery and marketing of features, functionality and relevant product architecture in the areas of agents, agent platform, reporting, correlation, taxonomy, semantic schema and product security. These areas provided much of the value of the e-Security product line, for they encompass the extraction, normalization and analysis of the information pertinent to Security Event Management and other security monitoring interests like regulatory compliance.

    5/01 - 11/03 - Professional Services Consultant
    Delivered e-Security solutions to e-Security’s Fortune 500 customers. Provided expert solution-oriented enterprise architecture design, solution delivery and training within the Banking, Pharmaceutical, Communications, Petroleum, US Government, and Defense sectors. Designed, developed, and deployed a Fault Tolerance solution extension of the Sentinel V3.2 product. Trained in excess of 200 students worldwide in product usage, agent development, and system administration.

  • CA Technologies

    Technical pre-sales engineer supporting sales efforts with CA’s Security Management product line. Efforts were primarily focused on sales opportunities of CA’s Identity and Access Management products. Expertise was developed with CA Access Control, CA Single Sign On and CA Security Command Center. Assisted with closing of several multi-million dollar deals. Responsible for technical presentations, demonstrations, proof of concepts, solution requirements gathering and documentation, technical assistance, informal education and addressing customer satisfaction issues.

  • Graduate Assistant, Iowa State University

    8/08 - 5/13 - Research Assistant - Developing a visualization oriented to business leaders to improve incident awareness and decision evaluation based on impact or risk on their operations. Also investigated security issues within cloud computing.
    8/07 - 5/10 - Teaching Assistant
    Fall '09 and Spring '10 - Taught a graduate Information Security Seminar course.
    Spring '09 - Summer '09 - Designed lab infrastructure for Network Security and Information Warfare classes.
    Summer '08 - Fall '08 - Developed a mobile embedded learning-platform and laboratory assignment materials as part of a three-person team.
    Fall '07 - Spring '08 - Laboratory instructor for introductory embedded systems class. Responsible for the development and documentation of new lab exercises as well as final projects.

  • Postdoctoral Research Associate, Iowa State University, Ames, Iowa

    Designing and developing curriculum and teaching materials for educating high-school students in the area of IT operations and cyber defense as part of the IT-Adventures outreach project; continued research and publishing related to business impact visualization for information security and compliance events. This research is focused on aiding decision-makers in complex IT incident handling situations.

  • Development and Manufacturing Engineer (Consultant), StayClear Dental LLC, Newark, Delaware

    StayClear Dental has innovated a patented visionary dental mirror system, where I provided design evaluation, supported technical procurement decision-making (e.g. PCB manufacturing, software engineering), developed manufacturing and quality system processes (e.g. FDA 21 CFR 820) and led safety and effectiveness assessment (e.g. IEC 60601) efforts.

  • 2007 - Doctor of Philosophy (Ph.D.), Computer Engineering, Iowa State University

  • 1994 - Master's degree, Electrical Engineering, The George Washington University

  • 1985 - Bachelor of Engineering (B.E.), Electrical Engineering, University of Delaware

    German

  • (ISC)2 NY Metro Chapter - Recruit and coordinate speakers for (ISC)2 chapter meetings.

    Skills: Management, Firewalls, Computer Security, Risk Assessment, IT Management, Strategy, Vulnerability Assessment, Software Documentation, Cloud Computing, Software Lifecycle, Security, Consulting, Information Security, Product Management, Network Security, System Administration, Information Technology, IDS, Risk Management

  • Detecting Fraudulent Use of Cloud Resources

    Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Detecting Fraudulent Use of Cloud Resources." In Proceedings of the 2011 ACM Workshop on Cloud Computing Security (CCSW) at CCS. Chicago, IL. 21 October 2011. pp. 33-40. doi: 10.1145/2046660.2046676

    Abstract: Initial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred, processed, and stored in the cloud. Little attention has been paid to the external threat sources that have the capability to affect the financial viability, hence the long-term availability, of services hosted in the public cloud. Similar to an application-layer DDoS attack, a Fraudulent Resource Consumption (FRC) attack is a much more subtle attack carried out over a longer duration of time. The objective of the attacker is to exploit the utility pricing model which governs the resource usage in the cloud model by fraudulently consuming web content with the purpose of depriving the victim of their long-term economic availability of hosting publicly accessible web content in the cloud. In this paper, we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes are not applicable to a more subtle attack. We propose three detection metrics that together form the criteria for identifying an FRC attack from that of normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has a difficult time mimicking the self-similar and consistent request semantics of normal web activity.

  • Business impact visualization for information security and compliance events

    Citation: Tannian, M. F. “Business impact visualization for information security and compliance events.” Ph.D. dissertation, Iowa State University, Iowa, 2013.

    Abstract: Business leaders face significant challenges from IT incidents that interfere with or pose imminent risk to more than one workgroup. Communication, coordination and monitoring are hindered by factors such as the IT incidents’ technical complexity and unfamiliarity, distributed ad-hoc response teams, competing demands for their time, nuanced business dependencies, the lack of reliable IT incident measures and a piecemeal toolset to overcome these challenges. This research proposes a dynamic visual system as a solution to overcome many of these challenges. Starting with a broad outline of improving the awareness and comprehension of security and compliance events for business leaders, this effort enlisted the assistance of seven experienced IT professionals in the Des Moines metropolitan area. A user-centered design methodology was developed that enabled these individuals to influence the selection of a problem space, explore related challenges, contribute to requirements definition and prioritization, review designs and, finally, test a prototype. The group consisted of leaders and senior technical staff working in various industries. At the end of the methodology, a group of unrelated IT professionals, with no prior knowledge of the research, was asked to perform an objective evaluation of the prototype. That evaluation is reported in this document and forms the basis of conclusions regarding the research hypothesis.

  • Teaching Computer Security Literacy to Students from Non-Computing Disciplines

    Citation: Idziorek, J., Tannian, M., and Jacobson, D. “Teaching Computer Security Literacy to Students from Non-Computing Disciplines.” In Proceedings of the 2011 ASEE Annual Conference, Vancouver, BC, June 2011.

    Abstract: Gone are the days when cyber security education was only a concern for computer and Internet experts. In today's world of pervasive computing, everyone is a target. The volume, sophistication, and effectiveness of cyber attacks continue to grow and show no signs of abating. At the center of this cyber epidemic are college students who rely on their computing and communication devices and the Internet more than any previous generation for their educational, social, and entertainment needs. Yet these same students have little knowledge of the threats they face, the potential short-term and long-term consequences of their actions and the context to make informed security decisions. The objective of this paper is to describe our approach to practical computer security education for students of non-computer disciplines at the university level. Our primary objective is not to delve into the technical workings of computer security, but instead to bring security context to the common computing actions that students already perform on a daily or weekly basis. In this paper, we present our course in detail, discussing topics of focus, approaches to engage students and our assessment of student learning.

  • Insecurity of Cloud Utility Models

    Citation: Idziorek, J., Tannian, M. and Jacobson, D. "Insecurity of Cloud Utility Models." IEEE IT Professional. March-April 2013, vol. 15, no. 2, pp. 22-27. doi: 10.1109/MITP.2012.43

    Abstract: Cloud-based services are vulnerable to attacks that seek to exploit the pay-as-you-go pricing model. A botnet could perform fraudulent resource consumption (FRC) by consuming the bandwidth of Web-based services, thereby increasing the cloud consumer's financial burden.

CUS 1115: 1.3 (2)

CUS 1185: 3.1 (7)