State Governments Under Siege From Cyber Thieves

A new report from Deloitte and the National Association of State Chief Information Officers (NASCIO) points to state governments facing serious risk of pilfered electronic records.

The survey of state chief information security officers named a variety of risks facing state officials, including hackers attempting financial fraud, “hacktivism” (hacking aimed at making a political statement), stolen laptops, and foreign state-sponsored espionage. The study found that less than a quarter of state CIOs (24 percent) are “very confident” that their state assets are protected against external threats, while only about a third (32 percent) report that their staff have the required cyber security competency.

Deloitte says that government agencies have lost more than 94 million citizen records since 2009. The average cost per lost or breached record is $194. “The states have the most comprehensive information about citizens from birth to death, from doctor visits to tax information and benefits information,” said Srini Subramanian, leader of Deloitte’s security and privacy practice to state governments, and one of the report’s authors. “States have the most comprehensive information compared to any private sector organization.”

To read more, visit Report: States Face Growing Cybersecurity Threats.

 


2014 Cyber Boot Camp: pictures from the front line

High school students from the top three teams in the 2014 Mayors’ Cyber Cup spent this week at Cyber Boot Camp, hosted in the ESET building in Little Italy (the tall dark blue one with the ESET logo on top).


The Cyber Boot Camp format combines classroom presentations and discussions with hands-on work in the custom-built computer lab, seen here:

[Photo: Cyber Boot Camp lab]

This year’s lab consists of 20 workstations running Linux and/or Windows, a big Cisco switch, various servers, and a variety of wireless access points, all of which become potential targets and a test of cyber defense skills. While the servers and networking infrastructure were put together by ESET researchers using gear supplied by the company as part of its sponsorship of the event, the workstations were loaned by Computers 2 San Diego Kids, to which they will be returned after the boot camp. (Every city should have an organization like C2SDK, a wonderful non-profit organization that recycles computers into the community.)

The lecturers include security experts from around the San Diego area, including several members of the FBI’s cyber task force. We can’t show their pictures for security reasons, but here is Andrew Lee, CEO of ESET North America, discussing careers in cyber security with students.

[Photo: Andrew Lee at Cyber Boot Camp]

The event would not be possible without the support of volunteers from the community. This year we got some great help from UCSD graduate students, all experienced “Capture the Flag” participants who clearly found that lending a hand at the boot camp was a very rewarding experience.


One of the great joys of this year’s boot camp was seeing students from different high schools working together to solve security problems, with these grad students offering suggestions and guidance as needed, acting as a form of learning accelerant. For next year’s boot camp we will be looking for more students from area colleges and universities to assist with the program.

The boot camp is such an intense experience that documenting it in real time is a real challenge. However, we did make sure that plenty of photos were taken and more will be posted here as time permits. The event was also documented by local and national media. For those who speak the language of Marketing and PR here is a number you might find interesting: combined national reach of the boot camp coverage is currently nearly 195 million unique monthly site visitors. Here are just some of the reports:


Mayors’ Cyber Cup Winners Head to Cyber Boot Camp

[Photo: war room, 2014]

Today, this space will be filled with 20 high school students from the greater San Diego area. The students are taking part in something we call Cyber Boot Camp, five days of hands-on education in the art of cyber offense and defense, hosted by ESET North America and Securing Our eCity.

The classes will be led by ESET security researchers Cameron Camp and Lysa Myers, supported by other members of the ESET research team including Stephen Cobb and Aryeh Goretsky. In addition to the lab sessions, the students will meet experts from ESET and other organizations in the local community, such as Bridgepoint Education, San Diego Gas & Electric, San Diego Police Department, Verizon, C.A.T.C.H., the FBI and more.

New for Cyber Boot Camp this year is a field trip to Federal Court to hear from a judge and former cybercrime prosecutor. These experiences enable students to consider the skills they are developing and where they want to apply them in the future. And it seems to work. One boot camp alumnus, Vineel Adusumilli, a Westview High graduate now studying at MIT, was recently quoted in the UT San Diego as saying “Cyber Boot Camp was a terrific learning experience, combining lab work using the latest tools with insights from experienced security professionals.”

The goal of the boot camp, attendance of which was offered to the top three teams in the fifth annual Mayors’ Cyber Cup, is to provide the right learning environment to interest more students in cyber security as a career. As ESET security researcher Lysa Myers has pointed out: America needs to do a lot more to promote STEM education in general. At Securing Our eCity we think that cyber security is one of the coolest ways to apply Science, Technology, Engineering, and Mathematics in the real world.

As we reported previously, the 2014 winners were, in first place, Canyon Crest Academy. In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.


Cyber Boot Camp lead instructor Cameron Camp, a security researcher with ESET, describes the week ahead to students before they head to the lab.

Of course, the Cyber Boot Camp would not be possible without the support of the community, so a big hat tip to the sponsors who made this year’s event possible, including ESET, SDG&E, California Coast Credit Union, Higgs Fletcher & Mack LLP, Hughes Marino and Mendez Strategy Group. A special thanks is due to Computers 2 San Diego Kids or C2SDK, who provided those racks of machines for the week, and do a great job supplying schools and families in San Diego with recycled computer gear.


The Winners of the 5th Annual Mayors’ Cyber Cup

The winners will be announced in just a moment, but first the news…

That’s right, the fifth annual running of the San Diego Mayor’s Cyber Cup was covered on television by Channel 10 ABC News, who really seem to get how important this event is as a motivator for young people to consider a career in cyber security, one of the hottest job markets today and into the foreseeable future.

For those not yet familiar with the San Diego Mayor’s Cyber Cup, this annual competition, established in 2010, seeks to find and encourage the best cyber security talent in California’s high schools. The competition starts with a practice round, which this year took place in late January. There were over 50 teams participating from more than a dozen schools! The practice round was quickly followed by qualification rounds in February, all conducted over the Internet. Then the top seven qualifying teams came together on March 15 in San Diego for live, head-to-head competition.

And the winners of the 2014 San Diego Mayor’s Cyber Cup are: Canyon Crest Academy!


Well Done Canyon Crest!

The top team received a check for $2,500, presented by former Interim Mayor and City Council Member Todd Gloria, accompanied by fellow City Council Member, Sherri Lightner. Canyon Crest Academy is part of the San Dieguito Union High School District.

And well done to the runners up! In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.

Winners ALL!

The winning team not only won the title and a year of hosting the very impressive cup that goes with that title, there was also a check. And there were checks for second and third place as well ($1,500 and $1,000 respectively).

But wait, there’s more… The top three teams this year will also be treated to a week of Cyber Boot Camp! Hosted in San Diego by the Internet security company ESET, the Cyber Boot Camp is a lively mix of practical, instructor-led cyber security exercises, plus classroom presentations by experts in a wide range of related fields, from law enforcement to computer forensics, malware research, and career advice. The event will take place during summer recess. Here’s a peek at a past session of Cyber Boot Camp:

[Photo: a past session of Cyber Boot Camp]

Beyond winning great prizes in the Mayor’s Cup, there is a sense in which we all win from this competition. Right now, our country faces a critical shortage of cyber security expertise. One of the main goals of the project is to address that problem. Through the event and the publicity surrounding it we hope to encourage students of all ages, from all schools, to learn more about information assurance and computer security. Hopefully this will lead many more students to consider these and related STEM fields as possible career paths or courses of study in higher education.

Thanks to All!

This year’s competition would not have been possible without the volunteer work and financial support of many organizations. We will mention some here, but this list is by no means exhaustive. Thanks to Leidos for the use of CyberNEXS, the competition engine used in the event. The Mayor’s Cup is sponsored by the National Defense Industrial Association (NDIA), in cooperation with the University of California, San Diego (UCSD). With additional support from National University, SDG&E, DTI, TSG Solutions, Blue Pyramid, Minuteman Press, ISSA, TechFlow, DCS Corp, La Jolla Logic, Major Motion Pixels, Bridgepoint Education. Additional sponsors and supporters include Securing Our eCity Foundation, Computers 2 San Diego Kids, ESET, and The Ranger Group. With further assistance from Mr. & Mrs. Kurt Worden and Mr. & Mrs. Dwayne Junker.

We leave you with a photo of the very happy, and decidedly cool, third place finishers, Mira Mesa High School:

[Photo: Mira Mesa High School team]


Cyber security and electronic voting: SOeC at EVN 2014

Educating people about the challenges of cyber security is at the heart of what Securing Our eCity is all about, so it was only natural that, when the Electronic Verification Network held its tenth annual meeting in San Diego last week, SOeC would be involved. For ten years now, the folks at EVN have been dedicated to making sure that every vote cast in U.S. elections counts, and they are particularly concerned with electronic voting, where verification can be challenging. The SOeC foundation was happy to assist with sponsorship and speakers.

Using digital technology to process votes might sound like a good idea, but it raises a lot of security questions. These were addressed in several sessions over the two-day conference, starting with the “Fireside (Firewall) Chat” with SOeC board member Howard Schmidt, who was White House Chief Advisor on Cyber Security to Presidents George H.W. Bush and Barack Obama. Mr. Schmidt is now a principal of Ridge Schmidt Cyber, LLC. Although on a tight schedule with a plane to catch, he graciously found time for a quick snapshot with myself and SOeC executive director, Liz Fraumann.


Mr. Schmidt set the scene for later discussions by reviewing the current cyber security threatscape in conversation with Jeremy Epstein, Senior Computer Scientist, SRI International, and a member of the EVN Coordinating Committee.

Later in the day, I was privileged to participate in a panel titled “Cyber Security Crossover: Leveraging Cyber Security Best Practices in the Realm of Elections”. Fellow panelists included David Dill, Professor of Computer Science at Stanford University, and Gary Hayslip, the CISO of the City of San Diego. The moderator was Pamela Smith, President of Verified Voting Foundation.

Two points became clear to me during these two days of great content and conversation. First, America is very lucky to have EVN keeping an eye on electronic voting. Second, as one expert put it, when it comes to Internet voting, “there is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology.” Not now and not in the foreseeable future.

The recent discovery of longstanding flaws in Internet encryption protocols like SSL and TLS is a stark reminder of the practical impossibility of ensuring secure Internet interactions of the type required for a secret ballot, not to mention the widespread distribution of state-sponsored malware.

In 2008, Verified Voting founder and co-panelist, David Dill, organized the creation of a document that spells out the unique nature of secure voting: the Computer Technologists’ Statement on Internet Voting. The document warns against “pilot” Internet voting projects, which already exist in some states in the form of email ballot submissions, and describes “the severe challenges that must be met if an Internet voting system is to justify public confidence.”

I was very grateful to have the chance to participate in this tenth anniversary meeting of EVN, and proud that my employer, ESET, was a sponsor. It’s not every day that you get to hang out with esteemed experts such as David Jefferson, the author of the one paper on Internet voting that everyone should read: If I Can Shop and Bank Online, Why Can’t I Vote Online? David is a Computer Scientist at Lawrence Livermore National Laboratory, a member of the Verified Voting Foundation Board, and serves on the board of the California Voter Foundation.

If you are still wondering “what could possibly go wrong?” when it comes to Internet voting, consider the following slide. It comes from the very interesting presentation on Internet voting experiences outside the U.S. by former Technical University of Denmark professor Joseph Kiniry, now Principal Investigator at Galois. He highlighted actual code from an Internet voting program that was used in national elections in one European country.

[Photo: slide showing code from an Internet voting program]

If you are familiar with computer programming, this slide speaks for itself, and apparently it speaks volumes. When I tweeted the above photo it was re-tweeted almost 200 times, reaching over 220,000 Twitter accounts!

In this year of mid-term elections in the U.S. there will be renewed interest in electronic voting and Internet voting in particular. Hopefully the warnings from technology and cyber security experts will be heeded.


San Diego as a nationally recognized center for cyber security

Did you know that San Diego, the birthplace of Securing Our eCity, is seeking recognition as a nationally recognized center for cyber security excellence? This move has widespread backing from multiple sectors, from the cities, county and chamber of commerce to defense agencies, contractors and security companies.

One example of the enthusiasm behind this initiative is the terrific call to action from San Diego Security.

Getting San Diego nationally recognized as a center for cyber security presents some terrific opportunities for investment and jobs because right now, and well into the foreseeable future, cyber security is a major concern for most Americans. Says who? Says the average American, as recently polled by the highly respected Pew Research Center, which found “cyber attacks from other countries” were second only to “Islamic extremist groups like al Qaeda” in a table of answers to “what do you think is the greatest threat to the U.S.?”

Maybe this is not surprising after 2013, the year that saw Snowden’s revelations about NSA cyber-surveillance and an unprecedented breach of payment card data from one of the country’s largest and best known retailers. Cyber security has gone from an esoteric subject, studied and discussed mainly by computer geeks, to a serious concern for 70% of Americans.

At Securing Our eCity, we are proud of the work we have done so far to raise public awareness of cyber security threats and to help people deal with them. We are adding our voice to the calls for national recognition of San Diego’s unique role in tackling cyber threats, and look forward to helping even more people enjoy and employ cyber technology more safely than ever in 2014.


Just released are four of the top winners for 2013.

With the growth of powerful new threats to the security of the online experience, more and more Americans are discovering that their digital experience must be conducted with a newfound awareness of safety and caution. We are pleased to help lead a charge to help expand awareness of the importance of being smart online. On October 10 at CyberFest, the SOeC will be presenting the CyberFest2013 awards to some of the best and brightest in San Diego, visionaries who are helping ensure the web is a safer place to work and play.

Just released are four of the top winners for 2013 – Lifetime Achievement to Andrew Lee, CEO of ESET North America; Community Leadership to Jessie J. Knight, Jr., SDG&E chairman and CEO; Exemplary Service to the Honorable Mitchell D. Dembin; and Volunteer of the Year to Roger Fraumann of PBResilience. Award finalists for Thursday’s ceremony include San Diego’s law enforcement, educational, corporate, military, infosec and emergency responder communities.

You can still register to join the award ceremony and the day long event, CyberFest2013, focused on “The Truth About Cyber security” at: http://www.securingourecity.org/cyberfest2013


San Diego Mayor’s Cup Winners Enjoy a Week of Cyber Boot Camp

It is widely acknowledged that our country needs more computer security experts, and that requires more young people taking a greater interest in computer security. Enter the San Diego Mayor’s Cyber Cup, a competition in which teams from dozens of high schools all over San Diego County compete in tests of cyber-defense, protecting computer systems from attackers.

After several rounds of competition, the winning team emerges, and this year it was Westview High School, pictured here with their coach, Ms. Tammie Neuhaus, and the check they earned for their school, thanks to generous sponsors like SAIC, Bridgepoint Education, NDIA, ESET, SOeC, and many others.
[Photo: Westview High School team with their coach and check]

In addition to that check, the winning team got to attend Cyber Boot Camp at the offices of Securing Our eCity in Little Italy, spending five days in a custom computer lab where they expanded their knowledge of cyber attacks and defenses under the guidance of ESET security researcher Cameron Camp, a Certified Information System Security Professional, seen on the left below.

[Photo: Cameron Camp]

Below is another shot of students exploring the network in the lab, where they were able to hone their cyber-defense skills by becoming familiar with attack strategies and tools used by cyber criminals and white hat hackers alike.

[Photo: students in the lab]

In addition to lab time, the boot camp provides context and guidance to students through a series of lectures in ESET’s San Diego conference room, many by leading experts in the area, such as U.S. Magistrate Judge, the Hon. Mitchell Dembin, who has been successfully prosecuting computer crime cases since 1991.

Students were also introduced to the many educational and career opportunities available in the field of information security. Dr. Gordon Romney, Professor of Security at National University, impressed students with war stories from the early days of computing as well as his recent installation of Kali on Raspberry Pi (if you know what that means, you’ll know it’s very cool). The huge demand for skilled security professionals in both the government and private sectors was made clear by several presenters.

This is the third time that ESET has hosted Cyber Boot Camp for the Mayor’s Cup winners and this year’s event attracted considerable media attention, reflecting increased public awareness of cybercrime and the growing need for computer security education. Reporters from NBC, U-T San Diego, and NPR spent time with the students, instructors, and guest speakers (although some of the material presented by the three computer security specialists from the FBI was off limits to the press). Here’s a link to the NBC coverage and video.

By the end of the week, students professed themselves well-pleased with the event, which included a points-based competition among students administered by lead instructor Cameron Camp. According to Camp, who tailors the content and pace of the sessions to each year’s participants, all of the Westview students made significant advances in their security knowledge over the five days of intense learning.

The Mayor’s Cyber Cup will start up again in the Fall semester and, according to Liz Fraumann, Executive Director of the Securing Our eCity Foundation, attendance at Cyber Boot Camp will again be among the prizes awarded to the winning team.


Cyber Boot Camp 2013: Mayor’s Cyber Cup winners put to the test

The winners of the 2013 San Diego Mayor’s Cyber Cup received part of their prize this week, participation in Cyber Boot Camp, orchestrated by SOeC at the North America headquarters of global cyber security company ESET, sponsored by ESET and Bridgepoint Education. Cyber boot camp is five days of intense cyber security education that combines hands-on experience in a computer lab with presentations from subject matter experts, including a U.S. magistrate judge and members of the FBI’s cyber squad.

At the heart of boot camp is a computer lab affectionately known as “The War Room”. The lab enables students to practice both computer defense and system penetration in a safe environment and was created by ESET Security Researcher, Cameron Camp, CISSP. But defending computer systems is not just about digital strategies. Here we see students from Westview High School engaged in a mock investigation of a security breach.

[Photo: students in the boot camp lab]

By the end of the week the students professed themselves greatly enriched by the whole experience, enjoying both the practical exercises and the guest speakers.

While some of the students have now graduated and are on their way to college in the Fall, some of the younger students will participate in the Mayor’s Cup competition next year and are likely to be formidable opponents.

This year was notable for the high level of media interest in the event, which was covered this week by NBC7 and U-T San Diego. We expect further coverage next week from Marketplace on NPR and others.


National University achieves NSA/DHS National Center of Academic Excellence in Information Assurance Education status

This week, Securing Our eCity stakeholder National University became the first school in San Diego, and only the eighth in California, to achieve the coveted National Security Agency and the Department of Homeland Security designation of “National Center of Academic Excellence in Information Assurance Education”.


The San Diego university’s cyber security program is somewhat unique in that it teaches both theory and the hands-on skills needed to identify and defend against threats. The program uses an innovative Virtual Education Lab (VEL) where professors create scenarios on multiple machine platforms for students to assess and defend in role-playing exercises.

“This national recognition provides tremendous validation for what we are doing at National University,” said Dr. John Cicero, dean of National University’s School of Engineering, Technology and Media in the announcement.

“Nearly every aspect of our lives is susceptible to Cyber Attack and our students are the future Cyber Warriors who will be defending the integrity and security of our national, business and infrastructure data online.”

According to Program Lead, Dr. Ron Gonzales, “MSCSIA students completing this unique and specialized area of professional training are well prepared with both counter defense, and penetration measures associated with computing security”.

We applaud National for its great work and commend all of those who worked so hard to achieve this elite designation.