Resume

• 2112648

  PMP

  Project Management Institute

• 26276

  CISSP

  (ISC)²

• 2017

  Citation: \nTannian

  M. F.

  Schweikert

  C.

  Liu

  Y.

  “A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles.” Journal of Interconnection Networks

  Vol. 17

  No. 1

  doi: 10.1142/S0219265917400035\n\nAbstract:\nThe use of biometrics to enhance identification has been explored and utilized to various extents. DNA is the most reliable and stable biometric that remains unchanged throughout an individual’s lifetime. Advancements in DNA analysis

  in terms of reduced cost and faster processing times

  make the use of DNA as a biometric more feasible over time. Since DNA data is of a sensitive nature

  privacy and ethical concerns would have to be carefully considered before large-scale adoption for use in identity documents. Birth certificates are a fundamental document used by a person for identification. However

  it does not contain any means of authentication beyond possession of the document. This paper examines the security measures that would be required if birth certificates were embedded with DNA profile information. The U.S. FBI CODIS approach is referred to

  being an established standard for human DNA profiling and identification. Effects on the issuance and verification network for birth certificate documents are explored

  in addition to the security threats.

  A Systems Security Analysis of Issuance and Verification of Birth Documents Enhanced with DNA Profiles.

  Citation:\nTannian

  M. F. “Initial Steps for IT Incident Visualization: Understanding Leadership Needs

  Design and Evaluation.” 2015 48th Hawaii International Conference on System Sciences

  pp. 1128-1137

  doi: 10.1109/HICSS.2015.137\n\nAbstract:\nIn today's technology dependent world

  business leaders within organizations must address information technology (IT) incident response needs. Yet

  piecemeal and inadequate incident response tools frequently stymie their engagement. This paper discusses a user-centered approach undertaken to design

  develop and evaluate an initial leader-centric IT incident response visualization that would facilitate effective and timely self-directed awareness. Two distinct groups of IT professionals were enlisted in this study. The methodology resulted in an initial development and evaluation of a visualization prototype. The paper introduces management of declared IT incidents as a viable problem domain for visualization. Second

  the paper presents the types of information sources for effective IT incident response. Lastly

  the paper proposes that leaders would welcome a visualization mechanism that facilitates their ability to observe

  understand

  synthesize and to adjust real-time actions based on their comprehension.

  Initial Steps for IT Incident Visualization: Understanding Leadership Needs

  Design and Evaluation

• 2012

  Citation:\nIdziorek

  J. and Tannian

  M. \"Security Analysis of Public Cloud Computing.\" International Journal of Communication Networks and Distributed Systems

  Vol. 9

  Nos. 1/2

  pp.4-20. doi: 10.1504/IJCNDS.2012.047893\n\nAbstract:\nCloud computing is in its infancy and continues to evolve. As this evolution proceeds

  there are a number of privacy and security concerns emerging from the cloud computing model that need to be addressed before broad acceptance occurs. This paper is an initial literature survey of cloud computing security

  which promises to be a challenging research area. Although cloud computing security research inherits previous research from its elemental technologies

  this paper will limit its focus on surveying cloud computing targeted research. By performing a systematic analysis of the security aspects of the cloud model

  this work seeks to succinctly clarify why security continues to be a significant impediment for cloud adoption.

  Security Analysis of Public Cloud Computing

  Citation: \nTannian

  M. F.

  Schweikert

  C.

  Liu

  Y.

  “Securing Birth Certificate Documents with DNA Profiles.” 2017 50th Hawaii International Conference on System Sciences

  pp. 2398-2407

  DOI http://hdl.handle.net/10125/41446 \n\nAbstract:\nThe birth certificate is a document used by a person to obtain identification and licensing documents throughout their lifetime. For identity verification

  the birth certificate provides limited information to support a person’s claim of identity. Authentication to the birth certificate is strictly a matter of possession. DNA profiling is becoming a commodity analysis that can be done accurately in under two hours with little human intervention. The DNA profile is a superior biometric to add to a birth record because it is stable throughout a person’s life and beyond. Acceptability of universal DNA profiling will depend heavily on privacy and safety concerns. This paper uses the U.S. FBI CODIS profile as a basis to discuss the effectiveness of DNA profiling and to provide a practical basis for a discussion of potential privacy and authenticity controls. As is discussed

  adopting DNA profiles to improve document security should be done cautiously.

  Securing Birth Certificate Documents with DNA Profiles

  Citation:\nIdziorek

  J.

  Tannian

  M. and Jacobson

  D. \"Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis.\" In Proceedings of the 2011 Winter Simulation Conference (WSC). Phoenix

  AZ. 11-14 December 2011. pp. 3318-3329

  doi: 10.1109/WSC.2011.6148028\n\nAbstract:\nEarly proponents of public cloud computing have come to identify cost savings a key factor for adoption. However

  the adoption and hosting of a web application in the cloud does not provide any such guarantees. This is in part due to the utility pricing model that dictates the cost of public cloud resources. In this work we seek to model and simulate data usage for a web application for the purpose of utility cost analysis. Although much research has been performed in the area of web usage mining

  previously proposed models are unable to accurately model web usage profiles for a specific web application. In this paper

  we present a simulation model and corresponding algorithm to model web usage based on empirical observations. The validation of the proposed model shows that the simulated output conforms to that of what was observed and is within acceptable tolerance limits.

  Modeling Web Usage Profiles of Cloud Services for Utility Cost Analysis

  Citation:\nIdziorek

  J. and Tannian

  M. \"Exploiting Cloud Utility Models for Profit and Ruin.\" In Proceedings of the 2011 IEEE 4th International Conference on Cloud Computing (CLOUD ’11). Washington

  DC. 4-9 July 2011. pp. 33-40

  doi: 10.1109/CLOUD.2011.45\n\nAbstract:\nThis paper discusses an attack on the cloud computing model by which an attacker subtly exploits a fundamental vulnerability of current utility compute models over a sustained period of time. Internet-accessible cloud services expose resources that are metered for billing purposes. These resources are subject to fraudulent resource consumption that is intended to run up the operating expenses for public cloud service customers. The details and significance of this attack are discussed as well as two detection methodologies and there respective experimental results. This work investigates a potentially significant vulnerability of the cloud computing model that could be exploited from any Internet connected host. Well-crafted transactions that only differ in intent but not in content are challenging to differentiate and thus this attack may be difficult to detect and prevent.

  Exploiting Cloud Utility Models for Profit and Ruin

  Citation:\nIdziorek

  J.

  Tannian

  M. and Jacobson

  D. \"Attribution of Fraudulent Resource Consumption in the Cloud.\" Proceedings of the 2012 IEEE 5th International Conference on Cloud Computing (CLOUD ’12). Honolulu

  HI. 24 June 2012. pp. 99-106

  doi: 10.1109/CLOUD.2012.23\n\nAbstracted:\nObligated by a utility pricing model

  Internet-facing web resources hosted in the public cloud are vulnerable to Fraudulent Resource Consumption (FRC) attacks. Unlike an application-layer DDoS attack that consumes resources with the goal of disrupting short-term availability

  an FRC attack is a considerably more subtle attack that instead seeks to disrupt the long-term financial viability of operating in the cloud by exploiting the utility pricing model over an extended time period. By fraudulently consuming web resources in sufficient volume (i.e. data transferred out of the cloud)

  an attacker (e.g. botnet) is able to incur significant fraudulent charges to the victim. This paper proposes an attribution methodology to identify malicious clients participating in an FRC attack. Experimental results demonstrate that the presented methodology achieves qualified success against challenging attack scenarios.

  Attribution of Fraudulent Resource Consumption in the Cloud

  Mark

  Tannian

  St. John's University

  Iowa State University

  e-Security Inc.

  BCG Platinion

  StayClear Dental LLC

  CA Technologies

  Network Associates Inc. (Formerly Trusted Information Systems)

  Rex Black Consulting Services

  SAFEOperations

  Inc.

  SRA International

  Queens

  New York

  Member of the Division of Computer Science

  Mathematics and Science within the College of Professional Studies. Specialization is in the area of Information and Cyber Security teaching and research.

  Assistant Professor

  St. John's University

  Rockville

  MD

  5/98 - 8/98 - Lead Systems Engineer\n8/97 - 5/98 - Engineering Lead\n7/97 - 5/98 - Senior Technical Advisor\n5/95 - 7/97 - Support Engineer

  Lead Systems Engineer (last position)

  Network Associates Inc. (Formerly Trusted Information Systems)

  New York

  New York

  Assisted with the completion of internal cybersecurity projects for the Platinion Cybersecurity practice.

  Program Manager (Consultant)

  BCG Platinion

  On-site contract senior security operations engineer for the U.S. Department of Health and Human Services' IT Service Center (ITSC). Lead various incident response teams addressing malware outbreaks

  compromised systems

  and investigation into potential malicious activities. Worked closely with CISO to select Vulnerability Remediation products and assisted with strategy development. Analyzed and investigated tickets issued by Department's managed IDS monitoring service. Extended IDS by performing analysis using Securify

  firewall logs and Anti Virus logs. Managed firewalls and analyzed risk associated with requested changes. Contributed to Security Policy and Security Program development efforts sponsored by the CISO.

  SRA International

  SAFEOperations

  Inc.

  Columbia

  MD

  1/01 – 5/01 Senior Engineer\nLead the design

  operational readiness and staffing efforts for a Security Operations Center along with fulfilling customers’ technical needs

  continued to administer corporate information technology and provided consulting services.\n\n8/98 – 12/00 Senior Engineer & Co-Founder of Risk Management Associates\nEstablished and managed the corporate information technology infrastructure. Information security projects ranged from leading a malicious insider investigation

  leading an incident response for a steamship company

  assisting with risk assessments of a large steamship company & pharmaceutical company

  contributing to an information security policy for a natural gas utility

  participating in an intellectual property theft investigation

  leading vulnerability assessments of an ASP and a local government contractor

  integrating a PGP pilot and NAI Gauntlet. Designed and implemented a SOC and offering for a managed security service.

  Senior Engineer

  Greater New York City Area

  Rex Black Consulting Services is a software and hardware-testing consultancy

  where I provide professional development services

  such as certification exam peer review

  certification exam development

  training

  and course development. Subject areas include software security testing

  performance testing and design thinking.

  Professional Development Provider (Contractor)

  Rex Black Consulting Services

  Vienna

  VA

  11/03 - 4/04\nManaged product strategy

  market requirements

  product delivery and marketing of features

  functionality and relevant product architecture in the areas of agents

  agent platform

  reporting

  correlation

  taxonomy

  semantic schema and product security. These areas provided much of the value of the e-Security product line for these areas encompass the extraction

  normalization and analysis of the information pertinent to Security Event Management and other security monitoring interests like regulatory compliance.\n5/01 - 11/03 - Professional Services Consultant\nDelivered e-Security solutions to e-Security’s Fortune 500 customers. Provided expert solution oriented enterprise architecture design

  solution delivery and training within the Banking

  Pharmaceutical

  Communications

  Petroleum

  US Government

  and Defense sectors. Designed

  developed

  and deployed a Fault Tolerance solution extension of the Sentinel V3.2 product. Trained in excess of 200 students worldwide in product usage

  agent development

  and system administration.

  Senior Technical Product Manager (last position)

  e-Security Inc.

  Technical pre-sales engineer supporting sales efforts with CA’s Security Management product line. Efforts were primarily focused on sales opportunities of CA’s Identity and Access Management products. Expertise was developed with CA Access Control

  CA Single Sign On and CA Security Command Center. Assisted with closing of several multi-million dollar deals. Responsible for technical presentations

  demonstrations

  proof of concepts

  solution requirements gathering and documentation

  technical assistance

  informal education and addressing customer satisfaction issues.

  CA Technologies

  Graduate Assistant

  8/08 - 5/13 - Research Assistant - Developing a visualization oriented to business leaders to improve incident awareness and decision evaluation based on impact or risk on their operations. Also investigated security issues within cloud computing.\n8/07 - 5/10 - Teaching Assistant\nFall '09 and Spring '10 - Taught a graduate Information Security Seminar course. \nSpring '09 - Summer ''09 - Designed lab infrastructure for Network Security and Information Warfare classes.\nSummer '08 - Fall '08 - Developed a mobile embedded learning-platform and laboratory assignment materials as part of a three-person team.\nFall '07 - Spring '08 - Laboratory instructor for introductory embedded systems class. Responsible for the development and documentation of new lab exercises as well as final projects.

  Iowa State University

  Iowa State University

  Ames

  Iowa

  Designing and developing curriculum and teaching materials for educating high-school students in the area of IT operations and cyber defense as part of the IT-Adventures outreach project

  continued research and publishing related to business impact visualization for information security and compliance events. This research is focused on aiding decision-makers in complex IT incident handling situations.

  Postdoctoral Research Associate

  Newark

  Delaware

  StayClear Dental has innovated a patented visionary dental mirror system

  where I provided design evaluation

  supported technical procurement decision-making (e.g. PCB manufacturing

  software engineering)

  developed manufacturing and quality system processes (e.g.

  FDA 21 CFR 820) and led safety and effectiveness assessment (e.g. IEC 60601) efforts.

  Development and Manufacturing Engineer (Consultant)

  StayClear Dental LLC

• 2007

  German

  Doctor of Philosophy (Ph.D.)

  Computer Engineering

  Iowa State University

• 1994

  Master's degree

  Electrical Engineering

  The George Washington University

• 1985

  Bachelor of Engineering (B.E.)

  Electrical Engineering

  University of Delaware

• Recruit and coordinate speakers for (ISC)2 chapter meetings.

  (ISC)2 NY Metro Chapter

  Management

  Firewalls

  Computer Security

  Risk Assessment

  IT Management

  Strategy

  Vulnerability Assessment

  Software Documentation

  Cloud Computing

  Software Lifecycle

  Security

  Consulting

  Information Security

  Product Management

  Network Security

  System Administration

  Information Technology

  IDS

  Risk Management

  Detecting Fraudulent Use of Cloud Resources

  Citation:\nIdziorek

  J.

  Tannian

  M. and Jacobson

  D. \"Detecting Fraudulent Use of Cloud Resources.\" In Proceedings of the 2011 ACM Workshop on Cloud Computing Security (CCSW) at CCS. Chicago

  IL. 21 October 2011. pp. 33-40

  doi: 10.1145/2046660.2046676\n\nAbstract:\nInitial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred

  processed

  and stored in the cloud. Little attention has been paid to the external threat sources that have the capability to affect the financial viability

  hence the long-term availability

  of services hosted in the public cloud. Similar to an application-layer DDoS attack

  a Fraudulent Resource Consumption (FRC) attack is a much more subtle attack carried out over a longer duration of time. The objective of the attacker is to exploit the utility pricing model which governs the resource usage in the cloud model by fraudulently consuming web content with the purpose of depriving the victim of their long-term economic availability of hosting publicly accessible web content in the cloud. In this paper

  we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes are not applicable to a more subtle attack. We propose three detection metrics that together form the criteria for identifying a FRC attack from that of normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has a difficult time mimicking the self-similar and consistent request semantics of normal web activity.

  Detecting Fraudulent Use of Cloud Resources

  Citation:\nTannian

  M. F. “Business impact visualization for information security and compliance events.” Ph.D.

  Iowa State University

  Iowa

  2013\n\nAbstract:\nBusiness leaders face significant challenges from IT incidents that interfere with or\npose imminent risk to more than one workgroup. Communication

  coordination and\nmonitoring are hindered by factors such as the IT incidents’ technical complexity and\nunfamiliarity

  distributed ad-hoc response teams

  competing demands for their time

  \nnuanced business dependencies

  the lack of reliable IT incident measures and a piecemeal\ntoolset to overcome these challenges. This research proposes a dynamic visual system as\na solution to overcome many of these challenges.\nStarting with a broad outline of improving the awareness and comprehension of se-\ncurity and compliance events for business leaders

  this effort enlisted the assistance of\nseven experienced IT professionals in the Des Moines metropolitan area. A user-centered\ndesign methodology was developed that enabled these individuals to influence the selec-\ntion of a problem space

  explore related challenges

  contribute to requirements definition\nand prioritization

  review designs and

  finally

  test a prototype. The group consisted\nof leaders and senior technical staff working in various industries. At the end of the\nmethodology

  a group of unrelated IT professionals

  with no prior knowledge

  of the re-\nsearch was asked to perform an objective evaluation of the prototype. That evaluation\nis reported in this document and forms the basis of conclusions regarding the research\nhypothesis.

  Business impact visualization for information security and compliance events

  Citation:\nIdziorek

  J.

  Tannian

  M.

  and Jacobson

  D.

  “Teaching Computer Security Literacy to Students from Non-Computing Disciplines.” In Proceedings of the 2011 ASEE Annual Conference

  Vancouver

  BC

  June 2011\n\nAbstract:\nGone are the days when cyber security education was only a concern for computer and Internet experts. In today's world of pervasive computing

  everyone is a target. The volume

  sophistication

  and effectiveness of cyber attacks continue to grow and show no signs of abating. At the center of this cyber epidemic are college students whom rely on their computing and communication devices and the Internet more than any previous generation for their educational

  social

  and entertainment needs. Yet these same students have little knowledge of the threats they face

  the potential short-term and long-term consequences of their actions and the context to make informed security decisions. The objective of this paper is to describe our approach to practical computer security education for students of non-computer disciplines at the university level. Our primary objective is not to delve into the technical workings of computer security

  but instead bring security context to the common computing actions that students already perform on a daily or weekly basis. In this paper

  we present our course in detail discussing topics of focus

  approaches to engage students and our assessment of student learning.

  Teaching Computer Security Literacy to Students from Non-Computing Disciplines

  Citation:\nIdziorek

  J.

  Tannian

  M. and Jacobson

  D. \"Insecurity of Cloud Utility Models.\" IEEE IT Professional. March-April 2013

  vol.15

  no.2

  pp. 22-27

  doi: 10.1109/MITP.2012.43\n\nAbstract:\nCloud-based services are vulnerable to attacks that seek to exploit the pay-as-you-go pricing model. A botnet could perform fraudulent resource consumption (FRC) by consuming the bandwidth of Web-based services

  thereby increasing the cloud consumer's financial burden.

  Insecurity of Cloud Utility Models