Inaugural Maryland Cybersecurity Council Meeting

On Tuesday, November 10, UMUC hosted the inaugural meeting of the Maryland Cybersecurity Council, which was created by Governor Larry Hogan and is chaired by Attorney General Brian Frosh. The mission of the council is to assist and advise the state on strengthening its critical cyber infrastructure. UMUC is proud to have hosted the first meeting and to be designated to staff and support the council as it conducts its work. It was also a great privilege to welcome the council on behalf of President Miyares and to discuss UMUC’s efforts in building the critical cyber talent needed to protect our state and national information infrastructure.

As the council begins its important work, I believe it is important that the Council not only take into consideration the technical aspects but also consider equally important human, legal, policy and ethical aspects associated with cybersecurity. UMUC is also playing an important role in this effort. In response to the critical shortage of cybersecurity professionals that our state and nation face, UMUC has developed seven different cybersecurity related programs—including policy and technical-related programs—at the undergraduate and graduate levels. And since 2010, more than 4,000 new cyber professionals have graduated from UMUC and more than 8,000 students are currently enrolled.

We are proud of our efforts in this critical area and look forward to producing graduates with the skills to handle the latest and most complex cybersecurity issues facing Maryland and threatening our regional, national and global economy, as well as our national security.

Staying Protected While Connected to Social Communities

This week’s theme for National Cyber Security Awareness Month is about connected communities. Social media sites such as Facebook, LinkedIn, Twitter and Instagram allow users to communicate and share information and events with friends, family, co-workers and others. As you connect to these types of sites it is critical to be aware of the potential privacy and security issues that could surface without proper safeguards and knowledge of application privacy settings, encryption, strong passwords, two-factor authentication, and phishing schemes.

Most popular social media sites provide the ability for a user to modify their privacy settings. These privacy settings are the key to who is allowed to see the information, pictures and events posted on the site. For example, in Facebook, the privacy settings are found in the upper right corner of the interface by selecting “settings” and then privacy. Here you can determine who will see your posts along with the timeline for viewing those posts. You can also control photos that may have been tagged by someone. Before you start posting and using the social media sites, be sure you understand and set the privacy settings appropriately.

Don’t share private information on social media sites. Many hackers use social engineering techniques to gather information from you from multiple social media sites. Private information such as birth dates, social security numbers, children’s names, banking locations, and even pet names can be used to guess passwords and other information to gain access to financial or other sensitive accounts.

When logging on to any account, be sure you are using strong passwords or two-factor authentication. Strong passwords consist of numbers, symbols and mix of upper and lower case letters. Longer passwords are also more difficult to guess than shorter passwords. Two-factor authentication adds an additional layer of security by requiring two-forms of identification to access the system. For example, if you participate in Google’s two-step verification process you will be asked for your password and then for an additional piece information such as a code sent to you via text. Also, be sure the data being sent between your computer or mobile device and the web site or server is secure. HTTPS should be the default connection when accessing any accounts on remote machines.

Finally, be sure you carefully review hyperlinks provided to you in an email before you click on the link. Phishing schemes attempt to steal your account information by pretending to be your bank or another vendor and request you to login or reset a password. These emails can be quite convincing so have your IT or security expert review the email before you provide any information. These schemes have been around for quite some time and some people still fall victim to this scam.

In summary, use computer security best practices when connecting to any sites. Hackers love easy targets who share all of their private information on social web sites and use simple passwords. Don’t make their job easy. Always work to protect yourself while you are connected.

jrphoto2 Dr. James Robertson is a collegiate professor and Chair for Computer Science and the Software Development and Security programs in the undergraduate school at UMUC. Prior to joining UMUC, he worked as a Principle consultant for the Oracle corporation. Dr. Robertson has more than 20 years of technical, engineering, and information systems experience with progressively increasing responsibilities in the areas of education administration, software development, application security testing, database design and development, modeling and simulation, and data mining. He has designed and developed secure software, algorithms, and techniques for image and signal processing in federal, health and commercial industries within all phases of software life cycle.

Embracing Cybersecurity Awareness

We’re about halfway through National Cyber Security Awareness Month. I wanted to talk about the importance of securing your perimeter of online and network usage. Users tend to assume that security is an on-off switch that can be controlled or activated when and as often as needed. Experts in the cybersecurity industry are aware of this misconception. It is not sufficient to activate anti-malware and anti-virus software updates; it is also eminent to update the underlying operating system — especially when working with cloud and big data-based enterprises, both private and public.

Additional awareness should be embraced and adopted not only on wired but also wireless infrastructure. It is not as easy, but care must be exercised when accessing sites which do not begin with “https” on their URL.

The most important element is self-discipline and caution when browsing sites, downloading files, and accessing unknown or unsure sources of email. Also, training and education should be routinely and continuously conducted to educate users, managers, and IT and system administrators to follow certain password guidelines and schemes.

System recovery, backup, and updates must be routinely performed. Also, additional security algorithms must be used and devised always to combat, lessen, or deter attacks. Users must be aware of pop ups, ads, adware, malware, spyware, social engineering, and shoulder surfing, a way in which people can look over a user’s shoulder to obtain passwords or information they are inputting on their devices.

Always be leery of where you are sending and downloading your private data, especially when using the cloud. As a cloud security expert, I promote awareness of using the cloud as a convenience– but always exercise care and be alert. It is the price we pay for technological civilization. A byproduct of technological civilization and advancement is cybercrime. As we advance our technologies, we must also be prepared to secure these technologies. As such, we must also be prepared to sacrifice convenience. This is a fact.

unnamedDr. Ihssan Alkadi is an adjunct professor at UMUC and is on the faculty at Southeastern Louisiana University in the Computer Science Department. Dr. Alkadi received his B.S. in Computer Science at SLU and went on to earn his M.S. in Systems Science and his Doctoral degree in Computer Science from Louisiana State University (LSU). His areas of expertise include software engineering, and Internet, HTML, and operating systems testing. His research interests include testing in object oriented systems, systems validation, and system verification. His current research is in cloud computing security and cybersecurity.

Creating a Culture of Cybersecurity at Work

With it being National Cyber Security Awareness Month, one of the most important things to think about is whether or not you are practicing good cybersecurity habits at work. Here’s a top ten list of ideas that can help foster a culture of cybersecurity in the workplace:

  1. Institute quality cybersecurity training. Teach employees cybersecurity policies, procedures and best practices such as managing passwords, how to recognize a breach or attack and respond accordingly, and proper web browsing procedures. If there is a breach, they should know what actions to be taken such as who to contact. Training should be provided for new employees and refresher training should be conducted at least annually for regular employees. Include self-assessment security quizzes to test their knowledge of cybersecurity threats, vulnerabilities and countermeasures.
  2. Create a dynamic cybersecurity awareness program. These could include cybersecurity posters, newsletters, email reminders, token gifts with security reminders and computer log-on displays. Messages should change at least monthly to keep the information fresh. Include fun and informative events such as cybersecurity fairs, guest speakers and brown bag lunches.
  3. Gain managerial support. The CEO, other executives and managers need to announce their support and full commitment toward cybersecurity. They should also participate in cybersecurity activities. Employees will recognize that they mean business when it comes to cybersecurity.
  4. Establish sound cybersecurity policies, procedures, controls and practices. This is a basic requirement for any organization that wants to establish a culture of cybersecurity. If these policies, procedures and controls are weak, outdated and/or impractical, employees will not see the importance of cybersecurity.
  5. Ensure cybersecurity employee performance. Due to its criticality, the need for cybersecurity should be considered for inclusion in the employee’s performance appraisal to ensure that it will be addressed.
  6. Certify employee accountability. Require employees sign “acceptable use policy” statements that address requirements for cybersecurity and outline penalties for not complying with these requirements.
  7. Relate to the employee. Employees often think that they will never be victims of a breach. Share recent cybersecurity breaches that occurred in similar environments so employees can relate to possible attacks. This information can be conveyed through email or newsletters.
  8. Tie cybersecurity to every business process. Every new and existing standard operating procedure for each business process should be reviewed for possible security breaches and appropriate adjustments be made in a timely manner.
  9. Establish a cybersecurity community of interest. Have a team of employees who are well versed and/or interested in cybersecurity share information and experiences with each other and the rest of the organization. This can be accomplished through social media if there are adequate security measures.
  10. Conduct informal security checks on employees. For example, have an outside third party perform social engineering attacks to see how many employees give up their passwords.   These will certainly grab the attention of your employees. Of course, employees should not be disciplined for these actions since the security check is meant as an educational experience.

Have anything to add? Post it in the comments and keep the conversation going!


pangDr. Les Pang, CISSP, is a Program Chair and Associate Vice Dean in the UMUC Graduate School.  Besides several technical classes, he teaches Cyberspace and Cybersecurity (CSEC 610), the first course in the Master of Science in Cybersecurity Degree Program.  He is a former professor at the National Defense University where he taught both information security and technology courses. He was the 2004 recipient of the Drazek Teaching Excellence Award, the 2011 United States Distance Learning (USDLA) Faculty Teaching Excellence Award – Platinum, and the 2012 University System of Maryland (USM) Board of Regents Teaching Award.

Cyber Catch Up 10/5/15

Here’s what you missed last week…

It’s bad enough to have to worry about your data getting stolen. Now officials are concerned about the next front in malicious cyber activity: efforts to deliberately manipulate data. As data theft continues, banks are now looking to retailers to bear the losses. News of the VW scandal continues, and one story indicates that “the faster we upgrade our roads and autos with better capabilities to detect and analyze what’s going on in the transportation system, the better we’ll be able to find hackers, cheaters and others looking to create havoc on the highways.”

Microsoft reported that the highly suspicious Windows update that was “delivered to customers around the world was the result of a test that wasn’t correctly implemented”– but this isn’t the first time a Windows update has been compromised. As cybercriminals move from online banking to the industrial supply chain, they find the Dyreza computer trojan a useful tool. On Thursday, T-Mobile announced that about 15 million of its U.S. customers may have been exposed in a data breach at one of its vendors. Also on Thursday, it was reported that newly discovered vulnerabilities in Android’s media file processing may lead attackers to compromise devices by tricking users into visiting maliciously crafted Web pages.

Apple’s new privacy policy was announced and has been given kudos in its design and simplicity, promising personalization without sacrificing privacy. In the meantime, privacy advocates increase efforts to beat back cybersecurity information-sharing legislation. Recently, Edward Snowden and a number of his supporters put forward a proposal to curb mass state surveillance. Could this be doomed?

With National Cyber Security Awareness Month in full swing, it’s time for millennials to step up their slacking security habits— according to a recent survey, they are least likely to protect their data, despite being the most concerned with cybersecurity. According to another survey, even though IT professionals often warn their superiors about pending IT security disasters, almost half of respondents report that executive management fails to take action.

Researchers have created an AI system to detect malware in shortened Twitter links, exposing a security flaw in Twitter’s site. Speaking of malware, are you searching for celebs in your spare time? Be careful who you search for– a study shows that celebrity searches are loaded with malware. Steer clear of getting the scoop on Kelly Brook, Nick Grimshaw, Kate Middleton, Idris Elba, Frank Lampard, Jeremy Clarkson and Tom Hardy, among others.

Screen Shot 2015-09-30 at 12.36.23 PMRebecca Foss is the Director of Social Media at the University of Maryland University College (UMUC). In her current role, she is working with stakeholders across the university to develop the overall strategic approach in using social media platforms and tools globally for UMUC. She has over 15 years of marketing and communications experience and has been involved with championing social media initiatives since the early stages of the medium’s existence in 2007. Rebecca specializes in content management, creation, and curation and serves as co-editor of the Cyber Connections blog. 

October is National Cyber Security Awareness Month

We live in a digital era and are more connected than ever before. The increased reliance on the use of Internet in our daily lives comes with increased cybersecurity risks. Today, no one is immune to the cyber risks. As a nation, we face rapidly evolving cyber threats against our cyberspace, a critical domain of our national security. As individuals, our finances, identity, and privacy can be threatened by online theft, fraud and abuse.

Recognizing the importance of cybersecurity to our nation, President Obama designated October as National Cyber Security Awareness Month. The purpose of National Cyber Security Awareness Month is to enhance cybsercurity awareness among organizations and individuals of all ages and segments of the community.

UMUC has joined with the Department of Homeland Security in the promotion of Stop.Think.Connect, a national public awareness effort aimed at enhancing cybersecurtiy awareness and empowering Americans to be safer and more secure online. As part of the Stop.Think.Connect Campaign, UMUC offers a variety of cybersecurity awareness and educational activities during the month of October to its community – students, alumni, faculty, staff and beyond. We encourage you to actively participate in these activities as cybersecurity is a shared responsibility and we each have a role to play in promoting and protecting the cyberspace.

Thank you for all your efforts in promoting cybersecurity awareness during October and beyond. Together we can meet the cybersecurity challenges of today and tomorrow.

Dr. Amjad Ali serves as associate vice president and cybersecurity advisor to the president of University of Maryland University College (UMUC). In addition, he is professor of cybersecurity at the Graduate School. He made significant contributions to the development and launch of UMUC’s cybersecurity programs and initiatives, and has served as director of the UMUC’s Center for Security Studies of the Cybersecurity. Before joining UMUC, Amjad worked as manager of Continuing Education at the American Council of Engineering Companies in Washington, DC.  He has also served as the Dean of Keller Graduate School of Management-New York Region. Amjad has presented at major conferences and seminars on cutting-edge topics in cybersecurity, and he has a strong portfolio of scholarly publications. He holds a doctorate in Engineering Management from the George Washington University. He is UMUC’s staff to the Maryland Cybersecurity Council and serves on the advisory board of the Center for Strategic Cyberspace & Security Science and AFCEA International Cyber Committee.


Cyber Catch Up

Here’s a recap of what you missed last week in cyber.

The charge that Beijing was behind the theft of the personal data of more than 20 million federal workers could become a primary topic for an important visit from China’s President Xi with hacking to shadow the China summit. At the start of President Xi’s visit, he sought to reassure American companies that his government was committed to protecting the interests of foreign companies and fighting cybercrime. But was it all double talk? Speaking of stolen personal data, it is reported that OPM underestimated the number of fingerprints stolen by approximately 4 million. The government now estimates this number to be 5.6 million.

Big news this week was Apple’s confirmation of the the discovery of malicious code in some App Store products. The Washington Post reported that the Obama administration has been exploring ways to bypass smartphone encryption to allow access to law enforcement. Also this week, a campaign was launched by a group of privacy advocates including former NSA whistleblower Edward Snowden for a new global treaty against government mass surveillance. Business advisory firm Grant Thornton International, released a report that indicates that global cybercrime has cost $315 billion over the past 12 months.

In policy news, cyber crime laws are showing their age and some are badly outdated, including the Computer Fraud and Abuse Act (CFAA) of 1986. Senator Ron Wyden of Oregon announced this week that the Section 603 provision on terrorist activity was removed from the 2016 Intelligence Authorization Act. Finally, a federal judge ruled this week that forcing suspects to give up their cell phone passwords is a violation of the constitutional right against self-incrimination.

Screen Shot 2015-09-30 at 12.36.23 PMRebecca Foss is the Director of Social Media at the University of Maryland University College (UMUC). In her current role, she is working with stakeholders across the university to develop the overall strategic approach in using social media platforms and tools globally for UMUC. She has over 15 years of marketing and communications experience and has been involved with championing social media initiatives since the early stages of the medium’s existence in 2007. Rebecca specializes in content management, creation, and curation and serves as co-editor of the Cyber Connections blog. 

Student View: The App store has been attacked. Should you worry ?

Palo Alto Networks, a security firm based in Santa Clara, California, announced on Sunday September 21, 2015 that Apple’s App Store has been compromised and more than 80 malicious apps have been inserted to the store by hackers. This is a big deal since according to multiple sources, only 5 malicious apps have been found in the store since its first launch in July of 2008.  As of today, this major security breach affects the Chinese version of the App Store. Cybersecurity experts agree that this is a game changer for the trusted App Store.

What is the App Store ?

The App Store is the one-stop-shop for applications (apps) use on iPhone, iPad and iPod Touch. The store allows users to buy or download apps. It is in the same place where iOS devices receive updates. It is worth noting that the users may chose to apply these updates or ignore them.

How do apps get into App Store ?

iOS, the operating system that runs iPhone, iPad and iPod Touch does have some native applications (apps) such as Maps, Calendar, iBook and the App Store itself. Additional apps enhance the usability of the these devices for users. This is where app developers come into play. According to Palo Alto and Apple, some developers in China downloaded a fake version of Xcode, called XcodeGhost. Xcode is the apps development platform distributed by Apple.

Xcode helps developers in the process of building new apps and allows the developers to submit their app to Apple for the review process. If the app is approved, it is published in the App Store and available to iOS device owners. For the record, there is nothing worse for an application than the code being compromised. XcodeGhost injects malicious code in Apps developed from the rogue platform.

How developers downloaded XcodeGhost instead of Xcode is unclear, but there are several scenarios that may have happened:

  1. Search engine poisoning: This attack takes advantage of the fact that a group of people may be searching for the same thing, in this case developers. The attackers may setup a rogue website that indicates that clicking on the link will allow the developer to download Xcode, but the link actually takes the developer to the Xcode Ghost download.
  2. Rogue ftp website: In the developers community, downloading Xcode takes a great deal of time. The developers may chose to go with an easy to download alternative site and get tricked into downloading XcodeGhost.
  3. Spear Phishing Attack: The attackers may target a specific list of known developers and provide information about Apple products and regularly update these developers through email until they receive the fake link.

What now?

The affected apps are able to collect a great deal of information including phone location, device name, network type, and more. Apple has managed to remove the known apps from the App Store. You should always keep all your apps updated to avoid attackers exploiting known vulnerabilities. If you worry about this particular attack, you can always check out the list of the affected apps.

FullSizeRender (1)Tapoko Honore is a world class IT Support Analyst for UMUC where he started as student worker. Tapoko studied computer science for 3 years in Cameroon before arriving in the United States in 2008.  He is currently ITIL  V3, Security +, SSCP and HDI certified. He received B.S. in Computer Information Technology at UMUC in 2014 and is a current UMUC student studying to complete his M.S. in Cybersecurity. He decided to continue his education because it was a logical evolution in his career and he also aspires to teach Information Systems and Cybersecurity.