Category Archives: Engineering
Prioritization of the Detection Engineering Backlog – Security Boulevard
Written by Joshua Prager and EmilyLeidy
Strategically maturing a detection engineering function requires us to divide the overall function into smaller discrete problems. One such seemingly innocuous area of detection engineering is the technique backlog (a.k.a. the detection engineering backlog, attack technique backlog, or detection backlog).
The concept of incorporating a backlog into the detection engineering function as a medium for receiving and storing attack techniques for detection generation is not a novel concept for most organizations. However, very few security organizations consider how best to prioritize these attack techniques found within this backlog. By combining input-based prioritization and the Center for Threat Informed Defenses Top Ten Technique Calculator, detection engineers can confidently select target techniques with some sense of direction.
The detection engineering backlog is the starting point from which a mature detection engineering function should begin. This backlog is essentially an input chokepoint for other functions within a security organizations detection and response program to provide techniques for detection generation. These inputs may come from other functions where the detection engineering function is a stakeholder in the other functions research and output. An example of the type of function mentioned is cyber threat intelligence (CTI). Another function that can act as an input into the detection engineering backlog is the threat hunting function. This function can provide hypotheses, research, and queries to the detection engineering backlog, servicing a critical need for cross-functional collaboration.
Most functions within a security organizations detection and response program may leverage backlogs within its development process. However, many of these functions do not require input to drive their functional operation. The detection engineering function, specifically, requires the direction of cross-functional input to avoid making ad-hoc decisions for resource utilization. In other words, detection engineering must be steered by the detection and response program or resources could be devoted in the wrong direction at the wrongtime.
An example, we often utilize when describing the differences between the threat hunting function and the detection engineering function; is to highlight the expected operation of each function as a mature process. The threat hunting function requires very little input from any other function. Most threat hunting functions will be a stakeholder to CTI, at a minimum. However, the concept of proactive hunting leverages the assumption that there are no external stimuli needed to develop a hypothesis, research, and develop proactive huntingqueries.
In contrast, the detection engineering function requires the external stimuli of other detection and response inputs to accurately prioritize detection generation. Inputs into the detection engineering backlog can be of multiple types such as a gap in a defensive posture, a historical look-back query from threat hunting, or a research-centric goal of generating detections along a specific technique type. Regardless of the input type, the detection engineering function requires the inputs of other functions to know which detections to generate.
Consulting SpecterOps clients have afforded our detection services team the benefit of exposure to a wide array of strategic methods for capturing the required input for detection engineering. For each of our clients, SpecterOps avoids putting an emphasis on a particular tool or solution for providing input opportunities to the detection and response program. Instead, we provide the minimum criteria of what is needed for mature detection engineering functions to receive quality inputs as well as define the methodology by which to organize and prioritize thisbacklog.
Most of our clients utilize a ticketing platform of some kind to offer a portal for the other functions of detection and response to interact with detection engineering. These ticketing platforms, regardless of the actual software, should inquire about the same details as those that provide the input. The minimum requirements for use of a ticketing system as an input into the detection backlog are asfollows:
Most of the above criteria are common-sense requirements for any ticketing platform, however, there are quite a few organizations that rely upon methods such as email or chat platforms as an official method of requesting new detections. When consulting organizations tell us, Direct messages or email is the approved method of requesting the generation of a detection; in general, this creates concerns for us around the following twoareas:
2. The detection engineering backlog does not exist or it is utilizedad-hoc.
Ideally, we want a large list of techniques and methods of execution within the backlog from which to develop detections. Additionally, you may have noticed that we did not list the need for attaching documents or reports to the list of minimum requirements. This detail ties into the problem of the input from other functions being non-operational. Many CTI functions will provide input to the detection engineering backlog in the form of an intelligence report or a spreadsheet of Indicators-of-Compromise (IOC)s. Mature cross-functional communication between CTI and detection engineering should involve the necessary metadata to accomplish the goal of generating a detection. For example, CTI can provide a list of all known methods of Kerberoasting via links to blogs and open-source proofs-of-concept (POC)s, instead of an attached intelligence report PDF of 15 high-level explanations of Tactics, Techniques, and Procedures (TTP)s. The former of the above example provides useful information that detection engineers can use to gauge the completeness of technique coverage, and the latter provides very little actionable information for a detection engineer.
Detection engineering teams that have cross-functional communication providing inputs into their detection backlog, generally, select target techniques to research sequentially. This method sometimes assumes that the backlog is prioritized already; however, the backlog is simply listed via the creation timestamp.
We at SpecterOps have aimed to solve this problem for multiple clients, and what we have settled on is a priority based on input, with priority 0 as the highest priority and priority 4 as the lowest priority. When asked to explain this methodology to clients, we usually provide the following analogy.
When living within a house, or in a community, which of these is the greater concern? A stranger knocking on our shut and locked front door or our front porch window that is open without any screen or glass protection? If you thought, The window, because the stranger at the front door can just come through it, then you would be correct. Though the stranger knocking at our door is an attention-grabbing concern, the front door is locked and preventing, securing, and detecting that which it is designed to. However, the open window is cause for immediate concern because the window is a known vulnerability or gap in our ability to prevent, secure, ordetect.
The same can be applied to detection engineering where the input comes from gap analysis, purple team assessments, and defensive capability assessments. The highest priority of generating net new detections is to focus on known target techniques for which the organization has the least amount of coverage.
Following up with the house scenario, which of these two is the greater concern? A stranger knocking on the shut and locked front door or a community post about intruders knocking on your neighbors doors and attempting to barge in? Though the community post is definitely a frightening scenario, it doesnt directly affect us at this time. Our immediate concern is the stranger knocking on our front door. Luckily, our front doors lock is stopping any possible intrusion by preventing and detecting the possible intruder. This method of identifying the techniques used against our organization is a form of internal intelligence. Examples of internal intelligence are techniques derived from identified phishing attempts, incidents, and honeynets.
Internal intelligence can provide a wealth of opportunities to justify the prioritization of one group of TTPs over another. An example of mature organizations is those that aim to automate this input by way of forwarding prevented phishing attempt samples to cloud-hosted sandboxes. Next, the samples are cataloged and TTPs are disseminated to the detection engineering backlog via quantitative analysis of the TTPs. The detection engineers prioritize these TTPs provided from internal intelligence of prevented phishing attempts to design detections around the TTPs utilized against our organization in the case that the prevention fails and the execution of the phishing attempt is successful.
Continuing with our analogy of prioritization, we see the issue of the community post stating intruders are knocking on doors and barging in. This scenario is not ideal, however, we have not directly been attacked with this issue yet. As homeowners, we do have similarities with our neighbors and we should heed their warnings, but we should not prioritize this information over the current concerns that are at our doorstep (the open window and the stranger at our door). This part of the analogy represents external intelligence, and the techniques selected from this type of intelligence must be held against a stricter standard before acting as an input into the detection backlog.
Aligning with another organizations business vertical is not enough to filter out that which may not pertain to our organization and that which does not belong in our backlog. Instead, TTPs from this input should match pre-defined criteria that are unique to each organization. The attributes of the organizations threat landscape make for a great starting point for filters to dismiss unusable techniques and procedures requested from external intelligence. By prioritizing the detection backlog with internal intelligence before external intelligence, detection engineering can more accurately assign resources first to threats that are actively testing the defenses.
Let us progress a bit in our analogy. In the same community post above, there is a sub-comment where another person states, Sometimes the intruders knock on the door, but other times they break the glass window on the front door to unlock the deadbolt. Here, the analogy is representing new tradecraft discovered while generating a detection for a similar technique. Jared Atkinson explains that by aiming abstraction at maximizing the representation of the possible variations we may discover procedurally unique instances that are sub-technical synonyms [1]. In this case, the methods by which the intruders are gaining access to the homes differ; however they are sub-technical synonyms.
As defenders research and validate each hypothesis, procedurally unique instances of tradecraft can be discovered for which control may not yet be implemented. When these newly discovered forms of tradecraft are an input into the detection engineer backlog, they can often be somewhat theoretical and further testing and validation are often needed to determine if the new tradecraft poses a legitimate threat to the organizations environment.
Finalizing our analogy, we received a phone notification from our local police department that there has been a severe 5% increase in break-ins in our area of the city. The final part of the analogy represents the generation of metric-based queries and a threshold of alerts for non-threat detection-based concerns.
Operational metrics and key performance indicators are desired across the purview of detection and response. The requests for this type of alert often make their way to the detection backlog due to the expertise in query development and data aggregation that most detection engineers have. These metrics are focused on situational awareness and provide very little operational impact to Defense in Depth, thus they should be held at the lowest priority.
Below is a flow chart that SpecterOps has developed in an attempt to visualize this methodology based on input into the detection backlog. The flow chart provides questions that should enable the detection engineers to approve or disapprove additions to the backlog based on the context. This flow chart is a generalized starting point, and organizations that utilize this methodology should be prepared to operationalize this knowledge by clipping it on the unique structure of their organization.
There are several important considerations when implementing this methodology into your organization.
The process of determining the prioritization is subjective and may contain overlap. For example, detection engineering may receive an external intelligence report that identifies a critical TTP for which your organization is vulnerable. In this scenario, the original input (external intelligence) would indicate a level of priority 2, but the information contained in the report would be a level of priority 0. If this pertinent information is known upon prioritization; always default to the higher-priority level.
Detection prioritization requires industry and organizational context, which aids the prioritization lead in minimizing errors. These errors could lead to unidentified and un-remediated vulnerabilities sitting in the backlog. Especially, if the input is from a less mature function and does not contain needed operational information. The input may take a less experienced engineer more resources to analyze the input and prioritize correctly. Regardless of who is prioritizing, visibility bias should be considered. When the prioritizer has researched a particular high-priority attack, other unknown or unfamiliar critical inputs may be incorrectly demoted.
Finally, as mentioned before, non-operational input from other less mature functions may make this process difficult or time-consuming. Feedback loops should be implemented to streamline this process and reduce the amount of time spent dissecting theinput.
For some organizations the above methodology is sufficient as their teams are somewhat small and their inputs into the backlog are in a manageable state; however, for other organizations, the above methodology is a good starting point but may still leave those wondering how to drill down even further to have a sense of micro-control in the prioritization structure. For that, we recommend combining the Input-Based Priority structure above with the Center for Threat Informed Defenses (The Center) Top 10 Technique Calculator to prioritize the target techniques for each of the Input-Based Priority structures [2].
The Top 10 Technique Calculator has a spreadsheet version found on GitHub that represents the backend of the web-based version [3]. This spreadsheet can be tuned and customized to match the techniques within the detection backlog per priority area. The user can then further customize this spreadsheet to represent a high-level example of coverage for specific data sources. Based on The Centers methodology, the techniques selected, the coverage for data sources, and specific prevention controls; the calculator will format a list of the top ten most critical techniques.
For example, if the detection engineering function has 15 Priority 0 techniques within the detection engineering backlog, we can utilize the Top 10 Calculator to prioritize that list of 15 detection requests to select the most critical for detection generation, first.
The centers methodology for scoring the 500 techniques and sub-techniques found within MITREs knowledge base is derived from combining prevalence, chokepoints, and actionability [4]. To gain deeper insight into the methodology, The Center recently released a blog focused on the methodology and the actionability of the Top 10 Technique Calculator [5].
To summarize, The Center has collected metrics on the prevalence of an attack technique as it relates to adversaries and its frequency of use over historical evidence. By determining how prevalent an attack technique is found within intelligence reports related to specific adversaries, The Center can grade techniques in a way that highlights which techniques have the highest frequency ofuse.
The Center defines chokepoints as the convergence of different techniques to one specific technique were preventing the execution of that technique would inhibit or degrade the ability of the adversary to continue the attack chain. The Center grades this chokepoint based on the mitigations that the user has selected to mitigate this chokepoint, and thus degrade the adversarys ability to execute the attackchain.
Finally, The Center utilizes metrics to determine the actionability of a targeted technique. By quantitatively identifying the number of publicly available methods that a defender can use to mitigate or detect the target technique, an empirical weight is then attributed to the technique. The combined metrics are then utilized to grade the target technique with a score of priority.
The detection engineering backlog is a vital starting point for every detection engineering function. By providing an area of input into the detection engineering backlog, cross-functional efficiency can enhance the capability of the detection engineering function.
The prioritization methods provided are a combination of strategic guidance from SpecterOps and the use of The Centers Top Ten Techniques project. Utilizing these two methods can enhance the prioritization structure of your organizations detection engineering backlog, however, these methods are not perfect. MITREs knowledge base of techniques was never designed to be empirically scored[6].
These methods combined are not a bolt-on method for prioritization and there are limitations and logic gaps with both; however, they provide a stable platform from which to begin prioritizing the detection engineering backlog first and generate more confidence in selecting the most critical of attack techniques.
Prioritization of the Detection Engineering Backlog was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Posts By SpecterOps Team Members - Medium authored by Joshua Prager. Read the original post at: https://posts.specterops.io/prioritization-of-the-detection-engineering-backlog-dcb18a896981?source=rss----f05f8696e3cc---4
Go here to see the original:
Prioritization of the Detection Engineering Backlog - Security Boulevard
College of Engineering Presents 2022 Tang Lecture – UMass News and Media Relations
The Shirley and Ting-Wei Tang Endowment Lecture Series, founded in 1999, brings engineering leaders to campus to present a major talk to the University. This years Tang Lecturetitled From Concept to Market: Bringing a Medical Device to Lifewill be presented by Joseph Hidler 94, Founder and CEO of Aretech, LLC.
Aretech is an industry leader in developing advanced rehabilitation technologies, with a focus on robotic body-weight support systems. Aretechs feature product, ZeroG, is designed to provide patients who have experienced a stroke, traumatic brain injury, or other neurological disorders the opportunity to practice walking safely and effectively.
Hidlers lecture will take the audience on the journey of the birth and evolution of a medical device that is now being used by thousands of patients across the world. Discussions of the engineering challenges, economic considerations, regulatory requirements, and business pitfalls will be presented, and a roadmap for aspiring medical device entrepreneurs will be outlined.
Joseph Hidler earned a bachelors degree in mechanical engineering from the University of Massachusetts Amherst in 1994, and his masters degree and Ph.D. in biomedical engineering from Northwestern University. Prior to founding Aretech, he was the director of the Center for Applied Biomechanics and Rehabilitation Research (CABRR) at the National Rehabilitation Hospital in Washington, D.C.
As the University recognizes Disability Awareness Month, this lecture may be of particular interest to students and advocacy groups in support of disabled communities.
The Tang Lecture will be delivered on Thursday, Oct. 13 at 4 p.m. in the Old Chapel. The event is free and open to the public.
More information: https://engineering.umass.edu/tang-lecture
UMass event page: https://www.umass.edu/events/2022-shirley-and-ting-wei-tang-lecture
More here:
College of Engineering Presents 2022 Tang Lecture - UMass News and Media Relations
Engineering Researcher Part of USDA Project Quantifying ‘Climate-Smart’ Rice Production – University of Arkansas Newswire
Mary Hightower, UA Division of Agriculture
From left: Kabiraj Khatiwada, Riasad Bin Mahbub, Beatriz Moreno-Garcia, Will Richardson, Elahe Tajfar, U.S. Secretary of Agriculture Tom Vilsack, Benjamin Runkle, Bonan Li, Angelia Seyfferth and Frank Linam. Others are part of Runkle's research team, while Seyfferth and Linam are collaborators from the University of Delaware.
Associate professor Benjamin Runkle is part of a group that received a five-year, $80 million U.S. Department of Agriculture award aimed at reducing greenhouse gas emission associated with rice production.
The USDA Climate Smart Agriculture Initiative project is led by USA Rice and Ducks Unlimited, which will coordinate the development and implementation. Runkle's team will receive approximately $1 million to oversee measurement, monitoring, reporting and verification to help ensure that project goals are met and wellquantified.
"This project is ambitious. It aims to impact approximately one-fifth of all rice acreage in the United States," said Runkle, who teaches in the Department of Biological and Agricultural Engineering. "Farmers will receive incentives to carry out conservation practices that save water and reduce greenhouse gas emissions while maintaining large harvests."
The project is also unique in its focus on involving historically underserved farmers through partnership with the National Black Growers Council and others. The program will also fund infrastructure development for underserved farmers to create the enabling conditions for eventual implementation of conservation practices at their farms.
This grant was one of 70 announced in September comprising a $2.8 billion investment in the creation of Partnerships for Climate Smart Commodities by the USDA. U.S. Secretary of Agriculture Tom Vilsack visited the central Arkansas rice farm of Mark Isbell on Sept. 16 to highlight the project. Vilsack noted that the USA Rice-Ducks Unlimited proposal scored the highest of all applicants.
Vilsack hosted a panel discussion that included representatives from Ducks Unlimited, the National Black Growers Council, Tyson Foods, the Winrock Foundationand U of A System Vice President of Agriculture Deacue Fields III. Both Tyson and Winrock received other awards under the program. The panelists indicated the need to develop trusted labeling of goods as climate-smart that are grounded in good science and supported throughout the supply chain.
Runkle's award will allow him to hire scientific personnel to guide project data collection, document the performance of the proposaland report findings to the USDA and to the broader scientific community. He believes that if the grant team is successful in its implementation, the project could spur spin-off activities to ensure a broader, lasting reduction of the climate impact of rice production through relatively small changes in field management practices.
Because the project will be active in all six U.S. rice producing states, the data collected will also help understanding of how to make effective changes to rice production under different management, soil and climate conditions.
Runkle noted that the project will build on his group's ongoing sustainability research at the Isbell family farm, and it will also use some of the expertise gained from his current projects funded by NASA and the National Science Foundation.
Read coverage of Vilsack's visit in the Stuttgart Daily Leader.
Go here to read the rest:
Microsoft Salaries: See What It Pays Engineers, Analysts, and More – Business Insider
Microsoft Microsoft
Computer Hardware Engineers
Hardware Engineer: $115,000 to $239,591Senior Design Verification Engineer: $160,000 to $173,000Senior Product Engineer: $165,000 to $190,000Silicon Design Engineer: $104,112 to $175,000Silicon Engineer: $94,000 to $239,292
Computer Systems Engineers/Architects
Cloud Solution Architect: $84,500 to $201,014Digital Cloud Solution Architecture: $120,170 to $160,160Escalation Engineer: $124,388 to $147,450Partner Technical Advisor: $92,700 to $123,500Senior Service Engineer: $134,500 to $196,865Service Engineer: $110,000 to $170,000Site Reliability Engineer: $112,500 to $207,959Solution Architecture: $121,256 to $210,000Support Engineer: $77,000 to $135,000Support Escalation Engineer: $94,372Technical Advisor: $128,440 to $151,199Technical Support Advisory: $92,000 to $138,495Technical Support Engineer: $77,900 to $175,000Technology Consulting: $98,600 to $153,420
Electrical Engineers
Digital Signal Processing: $131,250 to $171,480Electrical Engineer: $102,700 to $229,890
Industrial Engineers
Fulfillment and Logistics: $121,000 to $168,180Sourcing Engineer: $121,100 to $171,300
Mechanical Engineers
Mechanical Engineer: $112,500 to $191,205
Network Engineers
Cloud Network Engineer: $109,400 to $208,123Network Engineer: $150,000 to $151,160Senior Cloud Network Engineer: $160,000 to $172,000
Photonics Engineers
Optical Engineer: $143,700 to $198,000
Sales Engineers
Account Technology: $133,570 to $220,000Customer Engineer: $84,500 to $192,600Customer Solutions Architecture: $131,250 to $189,791Premier Field Engineer: $130,000 to $179,000Senior Customer Engineer: $134,100 to $171,000
Validation Engineers
Reliability Engineer: $137,000 to $160,130Software Test Engineer: $113,940 to $154,580
Read more here:
Microsoft Salaries: See What It Pays Engineers, Analysts, and More - Business Insider
World’s first fusion reactor will be open in UK by 2040 – Interesting Engineering
The announcement comes after the UK's Business secretary Jacob Rees Mogg disclosed the location at the UK Conservative Party Conference on Monday.
"The plant will be the first of its kind, built by 2040 and capable of putting energy on the grid, he announced.
In doing so, it will prove the commercial viability of fusion energy to the world," he added.
Approximate location of the new reactor.
For the STEP (Spherical Tokamak for Energy Production) program to deliver the fusion energy plant, the government has pledged more than 220 million (252 million). What's more, it will also not be constructed on the virgin ground and instead be built on the site of a to-be-decommissioned coal-fired power station.
Once completed, the project is projected to cost somewhere in the order of 10 billion ($11.42 billion). But, as anyone knows about publically-funded projects of this scale, they rarely come in below budget.
According to the government, the development of the program should also bring more high-tech firms to the UK and generate thousands of high-skilled jobs throughout building and operation.
With a tender anticipated for December, the government started looking for a construction partner for the project in August. Atkins has already been identified as the engineering partner for the project too.
Nuclear fusion is the "Holy Grail" of energy production.
Researchers, however, claim that significant obstacles must be addressed before the technology can be used.
Theoretically, nuclear fusion could produce approximately four million times as much energy as coal, oil, or gas while producing no carbon emissions.
But a functional commercial plant will need to overcome several logistical challenges, not the least of which is heating significant amounts of gas to a temperature of 180 million degrees Fahrenheit (100 million degrees Celsius).
Read more here:
World's first fusion reactor will be open in UK by 2040 - Interesting Engineering
Fracturing bones and traditional views of civil engineering – ASU News Now
October 3, 2022
When most people think of civil engineering, images of construction sites, bridges and tunnels will likely come to mind. However, a recent collaboration between Arizona State University and Mayo Clinic is placing civil engineers in a new light.
There is a huge world out there where engineers can use their skills in areas that are traditionally not associated with civil engineering, says Subramaniam Subby Rajan, a civil engineering professor in the Ira A. Fulton Schools of Engineering at ASU.
Putting that concept to the test, Rajan has spearheaded a number of projects in the School of Sustainable Engineering and the Built Environment, part of the Fulton Schools, with private companies such as Honeywell and Raytheon and government organizations such as the Federal Aviation Administration and NASA. He has aided in the materials testing of everything from jet engines to bulletproof vests efforts that have not only expanded his knowledge of civil engineering, but also that of his students and research assistants who get to participate in the studies as well.
If you ask a person on the street or even a practicing civil engineer whether civil engineering skills can be used in answering questions dealing with bone fractures, the answer will inevitably be 'no'; there is not a connection between the two. However, there are a lot of connections, Rajan says.
In his latest research project, Rajan is using his civil engineering expertise to help forensic researchers draw more accurate conclusions about the impact of trauma made on the human body.
Video by Steve Filmer/ASU Media Relations
Subramaniam Subby Rajan
With a long track record of applying civil engineering mechanics to diverse research projects, Rajan was contacted by researchers at Mayo Clinic in Arizona. The team is actively working on a project that could redefine the process for identifying trauma made to human remains. More specifically, the research could allow forensic anthropologists to determine the time at which blunt-force trauma may have occurred to a human body with greater precision and, ultimately, if the trauma played a role in a person's death.
This work is important to forensic scientists because knowing whether a fracture occurred perimortem at or around the time of death versus postmortem can give us important information about the cause and manner of death with crime scene investigations, says Natalie Langley, a consultant in the Department of Laboratory Medicine and Pathology at Mayo Clinic in Arizona and president of the American Board of Forensic Anthropology.
The collaborative team at Mayo Clinic also includes researchers from the Center for Regenerative Medicine in Arizona, the Biomaterials and Histomorphometry Core Laboratory at Mayo Clinic Rochester, Mayo Clinic postdoctoral research fellow Jessica Skinner and ASU's Barrett, The Honors College graduate intern Yuktha Shanavas.
Langley explains that femur bones are sourced from males between the ages of 50 and 80 who donated their bodies to scientific research. Those demographic variables were chosen to control for sex- and age-related compositional differences in bone. The bones are then heated at controlled temperature and humidity for varying amounts of time to simulate the loss of elasticity that bones experience during the postmortem interval.
Bone is an elastic material, and it maintains elasticity for some time after death, Langley says. By heating the bone, we are able to replicate longer periods of time after death that commonly lead to a bone losing some elasticity, leaving different fracture patterns than if it were broken while still elastic.
A layer of spray paint is also applied to the surface of the bones so high-speed cameras can detect deformation and surface strain that occur during the impact testing.
Donated femur bones are coated in a black-and-white speckled spray paint that allows high-speed cameras to capture the deformations on the surface of the sample during fracture testing. Photo by Monica Williams/ASU
Langley says her team needed help minimizing the unknowns in their research.
I contacted ASU initially because we needed an impact tester to induce fractures in a controlled manner, she says.
Rajans team and Mayo Clinic researchers created a special apparatus to hold a fragment of femur bone to allow for an impactor to drop at a controlled and monitored rate.
These are impacts that are strong enough to break a bone, but they are not as high velocity as a gunshot wound, Langley says. We even take it one step further and use high-speed photography to measure, or track, the movement of the bone during the fracture process.
This allows her team to consider what forces are being distributed across the bone.
Once the bone is fractured, it is handed back over to Langley and her team for a thorough review and documentation of the fracture characteristics.
One of the things we look at is the pattern of the fracture, Langley says. Fractures that occur at or around the time of death have a certain appearance; and those that occur much longer after death, when the bone is not as elastic, have a different appearance.
We captured 5,000 frames per second and were able to tell where the weight struck the bone and where the cracks were propagating in the bone, says Ashutosh Maurya, a graduate research associate who volunteered to participate in the bone testing.
Maurya is completing his doctorate in civil, sustainable and environmental engineering in the Fulton Schools. Despite the bone testing research having a different focus from his dissertation work, he felt it was a great opportunity to expand his skills as he explores impact dynamics problems connected to aircraft structures.
If you look at almost any research, you will see people from different areas working together, Maurya says. This will definitely help me in my future career as I collaborate with non-engineering background professionals and manage projects across disciplines.
Ashutosh Maurya, a doctoral student of civil, sustainable and environmental engineering, volunteered to participate in the collaboration with Mayo Clinic in hopes of expanding his experience working with individuals in different research fields. Photo by Monica Williams/ASU
It is a philosophy Mauryas mentor Rajan has tried to instill in all of the students that pass through his classroom.
It's only when you start looking at the fundamental tools that are used across all these different problems, that you find there are a lot of commonalities, Rajan says. For this specific project, we are able to make an impact beyond what is commonly expected of civil engineers.
In the coming months, Langley and her team will be compiling data from the fracture testing, tracking formations and markings left in the bones at different intervals of drying. The results will then be used to create a new standard for determining when trauma was inflicted on a crime victim.
Working with Rajan and his team allowed us to think outside of the box of our own work, Langley says. Their knowledge in controlling the variables with forcefully creating fractures gives validity to our work, ultimately changing the process for solving crimes and giving closure to families.
Top photo:Natalie Langley, a consultant in the Department of Laboratory Medicine and Pathology at Mayo Clinic in Arizona, applies fingerprint powder to a fractured bone to help see fracture surface markings left by an impact. These markings are then documented to help create a new set of criteria for determining the timing of fracture events (e.g., perimortem versus postmortem). Photo by Monica Williams/ASU
See more here:
Fracturing bones and traditional views of civil engineering - ASU News Now
McDonough to lead SwRI’s Chemistry and Chemical Engineering Division – Business Wire
SAN ANTONIO--(BUSINESS WIRE)--Dr. Joe McDonough has been named vice president of Southwest Research Institutes Chemistry and Chemical Engineering Division. McDonough previously served as director of the divisions Pharmaceuticals and Bioengineering Department.
I am privileged to step into this role to lead SwRIs Chemistry and Chemical Engineering Division, McDonough said. The Institute has a longstanding legacy as pioneers and visionaries in the chemistry field. We have an exceptional staff working to advance technologies in multiple disciplines.
The Chemistry and Chemical Engineering Division is one of SwRIs longest-running organizations, with chemistry and related technologies being a research focus since its founding in 1947. As vice president, McDonough will oversee a staff of more than 200, working in five departments: Analytical and Environmental Chemistry, Chemical Engineering, Fire Technology, Geosciences and Engineering, and Pharmaceuticals and Bioengineering.
Our staff continues to innovate and expand capabilities to meet changing clients needs, McDonough said. In keeping with SwRIs mission, we will continue to innovate and expand our research programs and transition technologies to the marketplace. We will remain at the forefront for our clients, providing new discoveries, high-impact advanced development and critical analyses.
McDonough joined the Institute in 2000 and was appointed director of SwRIs Pharmaceuticals and Bioengineering Department in 2008. Under McDonoughs leadership, the department has grown its microencapsulation, formulation and clinical supply of pharmaceuticals and vaccine development programs, integrating Good Manufacturing Practices and ISO quality measures. McDonough leads a chemical weapons medical countermeasures program, developing a cyanide antidote licensed for clinical development as well as a vaccine for tularemia, a potential biothreat. His team is developing treatments for filovirus, type 1 diabetes, COVID-19 and other emerging threats as well as a controlled-release steroid formulation that has been licensed for commercialization.
For more information, visit https://www.swri.org/technical-divisions/chemistry-chemical-engineering.
About SwRI:
SwRI is an independent, nonprofit, applied research and development organization based in San Antonio, Texas, with more than 3,000 employees and an annual research volume of nearly $726 million. Southwest Research Institute and SwRI are registered marks in the U.S. Patent and Trademark Office. For more information, please visit http://www.swri.org.
https://www.swri.org/press-release/mcdonough-lead-swri-chemistry-chemical-engineering-division
View post:
McDonough to lead SwRI's Chemistry and Chemical Engineering Division - Business Wire
Twelve dramatic skybridges that push the limits of engineering – Dezeen
After Foster + Partners completed a pair of skyscrapers connected by a suspension bridge, Dezeen rounds up a dozen buildings that feature various types of skybridges.
Bridge structures that span buildings high up in mid-air are now a common trick for architects to show off in skyscraper projects.
Among the earliest examples is the famous Bridge of Sighs in Venice, which was completed in 1600, but skybridges have become increasingly common and ambitious in recent years thanks to advances in engineering technology.
Below are 12 of the most arresting contemporary skybridges around the world:
DJI Sky City, China, by Foster + Partners , 2022
British studio Foster + Partners's Shenzhen headquarters for drone manufacturer DJI consists of two 200-metre-tall skyscrapers linked by an open-air suspension bridge.
The bridge itself, which is a dizzying 105 metres above the ground and 90 metres long, is attached to the vertically slatted cores of its guardian towers.
Find out more about DJI Sky City
Petronas Towers, Malaysia, by Csar Pelli, 1998
Designed by lateArgentine-American architect Csar Pelli, the Petronas Towers in Kuala Lumpur arguably kicked off the wave of skybridges that have sprung up in the 21st century.
The towers were the tallest in the world between 1998 and 2004 at 451 metres, and remain the tallest twin towers on the globe.
Find out more about Petronas Towers
Tencent Global Headquarters, China, by NBBJ, 2018
Three large bridges clad in copper-coloured aluminium louvres connect the towers of the Tencent Global Headquarters in Shenzhen, designed by NBBJ.
They were designed to encourage the tech company's workers not to become siloed in their individual departments. Between them, the bridges house a health centre, a library, a running track and a full-sized basketball court.
Find out more about Tencent Global Headquarters
Marina Bay Sands, Singapore, by Safdie Architects, 2011
Israeli-Canadian architect Moshe Safdie is the king of the skybridge, with his Marina Bay Sands resort now widely recognised as an architectural icon in Singapore.
The complex's three 57-storey towers are topped by a sky garden that cantilevers out for 65 metres on one side. In an interview with Dezeen, Safdie said the project represented "a new kind of public realm".
Find out more about Marina Bay Sands
Sky Habitat, Singapore, by Safdie Architects, 2016
Another Singapore project by Safdie Architects, Sky Habitats consists of a pair of balcony-covered apartment towers linked by three aerial walkways.
The white truss bridges are intended to provide communal outdoor space for residents in the form of sky gardens and include a vertiginous swimming pool on the highest bridge.
Find out more about Sky Habitat
The Crystal, China, by Safdie Architects, 2020
At the Raffles City complex in Chongqing, The Crystal skybridge connects four 250-metre-tall skyscrapers.
Described by Safdie Architects as a "horizontal skyscraper", The Crystal is a 300-metre-long glass-and-steel tube containing gardens, bars, restaurants, a clubhouse and a hotel lobby, with a transparent-bottomed viewing deck at one end.
Find out more about The Crystal
CCTV Headquarters, China, by OMA, 2012
Dutch architect Rem Koolhaas sought to redefine the traditional form of skyscrapers with the deconstructivist CCTV Headquarters in Beijing.
The 234-metre-tall building's two towers are connected on their upper floors by a 75-metre-long cantilevered linking element. This produces its distinctive overall shape, described as a "three-dimensional cranked loop".
Find out more about CCTV Headquarters
American Copper Buildings, USA, by SHoP Architects, 2017
Floors 27 to 29 of these bent Manhattan skyscrapers designed by SHoP Architects are connected by a skybridge that is 30 metres long and sits 91 metres above the ground.
The three-storey bridge contains an indoor lap pool, a hot tub and a bar and lounge for residents of the luxury apartment complex.
Find out more about the American Copper Buildings
Sky Pool, UK, by HAL, 2021
The controversial Sky Pool is a transparent swimming pool bridge suspended 35 metres in the air between two buildings at the Embassy Gardens development in south-west London.
"It's the transparency, the lightness of touch and the fact that it's straddling two buildings that makes it unique and it captures the imagination, the fact that swimmers can see the ground and people below can see the sky," said HAL founder Hal Currey.
Find out more about the Sky Pool
ME Dubai, UAE, by Zaha Hadid Architects, 2020
Seen from the front, the ME Dubai hotel by Zaha Hadid Architects appears to be a giant cube with a large hole at its centre.
But the reverse view reveals it is in fact a pair of towers connected at the bottom and top, with a three-storey bridge suspended 71 metres in the air above the lower atrium.
Find out more about ME Dubai
Collins Arch, Australia, by Woods Bagot and SHoP Architects (2020)
The tapered 164-metre-tall towers of Collins Arch, a mixed-use skyscraper in Melbourne designed by Woods BagotandSHoP Architects, are linked at the top by an eight-story skybridge.
"The skybridge connecting the two buildings is not simply decorative," said SHoP Architects founding principal Bill Sharples. "It maximizes views and sunlight for office, hotel and residential occupants of the two buildings that, on the ground, meet public space and commercial requirements."
Find out more about Collins Arch
Bundang Doosan Tower, South Korea, by Kohn Pedersen Fox (2021)
US firm Kohn Pedersen Fox designed the Bundang Doosan Tower to mimic Seoul's historic city gates, with the two blocks topped by a 100-metre-high skybridge forming an open rectangle.
The "gateway" office building stands beside the Gyeongbu Expressway, a major arterial road leading into the city that is used by around 1.2 million drivers a day.
Find out more about Bundang Doosan Tower
Read more:
Twelve dramatic skybridges that push the limits of engineering - Dezeen
The pitfalls of trust: all you need to know about social engineering – Raconteur
The natural inclination to trust is a fundamental part of life and business. You would not be able to form business relationships, secure investment, serve customers and keep staff without it. But, there are increasing instances where our human instinct to trust something can lead to us being taken advantage of, and social engineering is a prime example ofthis.
Richard De Vere is the founder of The Antisocial Engineer and head of social engineering for business solution company Ultima. He has spent his career highlighting the many ways that trusting strangers can make a business vulnerable to threats both physically andonline.
Social engineering is a professional name for scams and crime where there is an element of human manipulation, De Vereexplains.
In cases where social engineering is used, fraudsters turn our most human instincts against us to access information, physical spaces or systems for financial gain. To do this, they might present themselves as a trusted - or trustworthy - individual and source of information.
De Vere illustrates this with a standard example from outside the business world. A parent gets a text message from a phone number they dont recognise. The text reads Mum/Dad, Ive just been mugged so Im borrowing my friends phone. Could you send some money to their online bank so I can gethome?
That particular scam works on peoples desire to care for their offspring, says De Vere. Its very human. And, he says, it is an impulse which all of us have to use social cues and our understanding of people to influence others behaviour.
By understanding how people build trust, you can then learn to dress and speak appropriately. You can start to orchestrate trust
In a business setting, a social engineer could be the slick salesperson who has learned to talk with a smile and turns up to meetings in an expensive suit with a polished pitch deck of slides. A lot of people probably dont know this form of manipulation is called social engineering, theyre just sick of sending out emails which dont get through to people and theyve started to think about the psychology behindit.
This situation can be classed as social engineering, rather than simply good sales technique, if the person is explicitly looking to trick you for their own nefarious purposes and to line their ownpockets.
The rise in levels of cybercrime is well documented and no business can afford to ignore the severe threats posed by hackers. But social engineering can be just as effective in person as it can online, and it takes much more than a bouncer to stopit.
To illustrate this, De Vere describes the occasion when he used a bunch of flowers to get past the receptionists of a large office complex and gain unaccompanied access to the boardroom to plant abug.
We trust people because we need tosurvive
In the scam, De Vere arrived at reception with a large bouquet from an expensive local florist and told the women behind the desk that he was there to deliver them to an employee who he secretly knew wasnt working that day. Flowers will only get you so far, though, he says, and the secret to success was in his manner. First of all - I was careful not to be scary! Im quite a big chap, so I could come across as intimidating. So I was very apologetic, embarrassed, flustered.
And that was it, he says. In his embarrassment he suggests the women keep the flowers and excuses himself, ostensibly to call the intended recipient to let her know what has happened. This provides exactly the right amount of time to slip into the conference room and plant thebug.
Its exploiting human nature. You have two receptionists who would love a bunch of flowers, then you have me acting like Hugh Grant - Oh God, Im such an idiot! - and it all falls intoplace.
This is how social engineers work: they study how people interact and use that to build personas which seem trustworthy. Youve got to look at how humans define trust on the fly. We do this through what we wear, how we speak, and through accents and mannerisms. By understanding how genuine people build trust, you can then learn to dress and speak appropriately. You can start to orchestrate trust.
So, how can businesses protect themselves from attacks such as these? Is it as simple as encouraging a dont trust anyone attitude among staff? Absolutely not, says De Vere. We trust people because we need to survive, he explains. If we question everything, we never get anything done. And it could have the counterintuitive outcome of filtering into relationships between colleagues, leadership and clients. Trust is crucial for successful businesses, but there are things you can do to make organisations less vulnerable to fraudsters.
1
For too long, weve said that people are the weakest link in the chain, says De Vere. The best way to scam-proof your organisation is to challenge this assumption. Empower staff to recognise and safeguard against attacks by training them and educating them to spot the risks. How many people do you think get training on psychological manipulation when they start working in a bank? Notmany!
2
Social engineering is no longer a niche area of the business. It very much should be in the forefront. You should be discussing it with your security teams. Much like cybersecurity, organisations who wish to protect themselves need to take threats like this seriously and factor them into risk management systems and business continuity plans.
3
The truth is, says De Vere, were all very much human. And I dont think that gets factored into any stage of the business until it becomes a problem and theres a reason to start to make processes. Designing your business around people means understanding that anyone can be scammed and that human behaviour is, to a certain extent, predictable. Mitigate for this by establishing set processes to combat risk, rather than simply holding people accountable once something has gone wrong. In the case of the receptionists and the flowers, had the business had a strict policy in place stating that visitors dont pass a certain point unaccompanied, it would have been far harder for De Vere to make it into the conference room.
Social engineering is a professional name for scams and crime where there is an element of human manipulation
Finally, says De Vere, there is one way to recognise that normal levels of human interaction might be tipping into the sphere of social engineering. Social engineering makes you feel stuff that isnt real, he explains. Potential victims should keep a keen eye out for when a radical change of emotion happens quickly. Its about spotting the triggers that this person is making me upset or elated all of a sudden. But why? From an emotional perspective its about being aware of the feeling of being strungalong.
By training everyone in your organisation to recognise this feeling, making security a top priority and establishing processes which assume natural levels of human fallibility, you can keep trust for the people who deserve it. And keep your business safer from those who donot.
See original here:
The pitfalls of trust: all you need to know about social engineering - Raconteur
In Case You Missed It: From the U.S. Army Corps of Engineers – Governor Ron DeSantis
For Immediate Release: October 3, 2022
Contact:Jim Yocum or Shelly Roberts,904-232-3914 or 904-232-1004,publicmail.cesaj-cc@usace.army.mil
USACE announces start of Blue Roof Program in response to Hurricane Ian
The U.S. Army Corps of Engineers has been tasked by the Federal Emergency Management Agency (FEMA) to assist eligible homeowners with temporary roof repairs. The Operation Blue Roof program will begin on Oct. 3 to provide a temporary blue covering with fiber-reinforced sheeting to help reduce further damage to property until permanent repairs can be made.
Operation Blue Roof is a free service to homeowners. The counties that have been identified are Charlotte and Lee. The initial sign up period is set for 21 days and will end onOct. 23.
Residents impacted by Hurricane Ian can sign up at Blueroof.us. Here, you can sign up for Blue Roof assistance using a Right of Entry (ROE) form, which gathers information about your residence. The ROE is a legal document that allows Corps workers to access your property and assess your homes damage. The ROE also allows contracted crews to work on your roof.
Operation Blue Roof is a priority mission managed by the U.S. Army Corps Engineers. It protects property, reduces temporary housing costs, and allows residents to remain in their homes while recovering from the storm. This program is for primary residences or a permanently occupied rental property with less than 50 percent structural damage. Vacation rental properties are not eligible for this program.
After the blue roof is installed, the structure is declared habitable. Not all roof types qualify for the program. Roofs that are flat or made of metal or clay, slate, or asbestos tile do not qualify. All storm debris must be removed for the roof to qualify.
Residents can also call toll free 1-888-ROOF-BLU (1-888-766-3258) for more information.
-30-
Link:
In Case You Missed It: From the U.S. Army Corps of Engineers - Governor Ron DeSantis