NOVEMBER 2014 A SUPPLEMENT TO

Cyber Report 2014


THE DAILY RECORD

11 East Saratoga Street
Baltimore, Maryland 21202

Main Number: 443.524.8100
Main Fax: 410.752.2894

TABLE OF CONTENTS

HOW BUSINESSES CAN PROTECT AGAINST HACKING
IS YOUR PASSWORD SECURE?
DEMAND SPURS GROWTH IN CYBERSECURITY TRAINING PROGRAMS
SURVEY: COMPANIES SEEK TO MANAGE CYBER RISKS
NAVIGATING THE “BRAVE NEW WORLD” OF INTERNET LAW

Suzanne E. Fischer-Huettner, Publisher
Thomas Baden Jr., Editor
Erin Cunningham, Special Products Editor
Maria Kelly, Comptroller
Tracy Bumba, Audience Development Director
Morgan Cook, Advertising and Events Coordinator
Darice Dixon, Account Manager
Natasha Foster, Account Manager
Matthew Standerfer, Digital Manager
Maximilian Franz, Senior Photographer
Lauren Gurny, Graphic Designer

To order additional copies of this publication, please contact Clare Sheehan at 443.524.8101 [email protected]


How businesses can protect against hacking

Maryland firms on alert after high-profile data breaches

BY MARGIE HYSLOP

Special to the Daily Record

A raft of data breaches at banks, hospitals, health agencies, restaurants, retailers and universities has put hacking in the headlines and raised awareness of the need to secure sensitive information stored on computers.

With so much data stored or relayed through computer networks, those who would steal valuable information don’t need to break into offices; they only need to find a way to gain digital access.

When William Huber, managing director of CohnReznick LLP, is called in to advise businesses on how to use technology, he often hears executives say they want the best security possible.

But the “best security,” strictly speaking, may not be the best solution or even be practical, said Huber, who works from the international firm’s Baltimore office.

First, businesses need to make sure they are getting the most out of everything they have and make sure they train staff how to protect what needs protecting, he said.

Businesses also need to “make sure that policies aren’t so onerous that people ignore” or work around the policies; they also need to “make people see that they are a critical link in the chain,” Huber said.

Those principles apply to all organizations that harbor sensitive information, said Greg Kushto, who directs security practice for Crofton-based Force 3. Force 3 partners with manufacturers to configure, install, deploy and service data security systems for many government agencies.

Establishing a written policy, agreed to and accessible by all, is a key component for protecting data, Kushto said.

“You want to make sure there’s not a fight about who is supposed to get things done” or what is to be done in certain circumstances, Kushto said.

Although setting a cybersecurity policy is sometimes difficult politically, technically the hardest thing to do is “codify what data is in your environment and how much you care about it,” Kushto said.

Most risk comes from well-intentioned employees who, for example, accidentally delete something or carelessly share sensitive information, Huber said. Establishing separate accounts for routine use and for high-level access can avoid some of that risk, he said.

With laws mandating standards to ensure that patient health records and personal financial information are protected even as they are transmitted electronically, many businesses and organizations face regulation and enforcement if their cybersecurity measures fail. So do firms that access or store legally protected data records for them.

When sensitive data is at issue, regulators expect reasonable protections.

“These days, you really have a large burden to prove why you didn’t encrypt,” Kushto said.

The Federal Trade Commission has made clear that sensitive data must be encrypted when it is transmitted over public or wireless networks and has recommended that it be encrypted when it is stored, noted Bret Cohen, a lawyer who specializes in privacy and information management law.

The FTC has also indicated that, in addition to vigorous password and authentication measures, it expects companies to maintain and monitor network perimeter controls to guard against unauthorized access and misuse of sensitive data.

“You can’t just throw up your hands anymore and say, ‘I’ll leave it up to my IT team to do what’s best’ — all it takes is one stolen [or unsecured] laptop,” said Cohen, an attorney with Hogan Lovells in Washington.

Companies and agencies hit by cyberattacks or threats need to go beyond fixing the problem and investigate to figure out what might be the attackers’ plans and objectives, Shannon N. Booker, a spokeswoman for Lockheed Martin’s cybersecurity business, wrote in an emailed response.

Lockheed Martin uses its own “security intelligence framework developed to detect, mitigate and effectively adapt to advanced cyber threats,” Booker wrote.

Not every company can buy or develop systems such as Lockheed Martin provides to protect national secrets.

Few companies have enough expertise under one roof, so providing data security has grown into a large industry, Cohen and Huber said.

Companies can bring in data security consultants to do the job for them or outsource it by moving data storage and processing to a company that handles it off-site.

“The move to the cloud is very extensive, and that’s particularly true in mid-market,” Huber said.

The decision whether and what data to move to cloud service providers depends on a company’s strengths and data risks.

In most cases, moving something routine such as email to the cloud can improve data security, but it also establishes additional points that can be compromised, Huber said.

Details of proprietary information, processes or prototypes should not be stored on the cloud.

“Most companies who have a data loss are not aware of the fact, and if they don’t know, they aren’t able to respond,” Huber said.

Too often, business people don’t think that their company is an attractive target, but it might be, Huber warned.

In Baltimore, for example, a number of family-owned manufacturing firms want to do work internationally, Huber said. However, working in some countries could put them at risk because there, reverse engineering — the practice of making knockoff products for economic or military benefit — is a tolerated industry.

Photo: William Huber, managing director of CohnReznick LLP in Baltimore, often advises businesses on how to use technology. (Maximilian Franz)

Is your password secure?

Go to work. Log onto your computer. Check your personal email. Pay a bill online. Check your bank balance.

It’s likely you just used four different logins and passwords. It can be difficult to keep track of the letter and number combinations and even more difficult to make sure they are secure.

To help, The Daily Record asked Greg Kushto, director of security practice at Force 3 in Crofton, to share his tips for selecting secure passwords.

Greg Kushto joined Force 3 in 2014 and is the director of Force 3’s security practice. In this role, he is responsible for creating comprehensive security solutions for Force 3’s client base within both the public and private sectors and ensuring that customers properly align their security profile to meet the needs of an increasingly complex security environment. Kushto is responsible for architecting security solutions that combine multiple products and approaches to not only address security needs, but that also provide information and ROI to external stakeholders. These solutions include network security, vulnerability management, anti-malware, intrusion detection and prevention, security event management and all other security disciplines.

He suggests:

• Generally, when it comes to passwords, the longer the better. There is almost never a maximum on the amount of characters that you can use for your password. Consider making your password a simple sentence. Something as simple as “I love my fluffy dog!” can actually be an incredibly strong password compared to a password such as lovedog1.

• Always use a special character (such as an exclamation point, question mark or asterisk) and a number. By doing so, you increase the total solution set for your password. With special characters and numbers, you’re going from 26 characters in the alphabet that could make up your password to closer to 50 possibilities for each character. This makes your password exponentially more difficult to crack.

• Never use the same password for every website. Consider using a base password and then adding a couple of different characters to that base password for every website you use. If someone gets your password, they are going to try it everywhere. If it doesn’t work, they’ll likely move on. Most hackers don’t have time to crack a different password for every website. It’s like fishing — they are trying to catch any fish, not one specific fish.

• Use a secure online site or app to keep track of your passwords. Use one very secure password for this site, and then it’s the only one you have to remember. That way, you can use stronger, better passwords without having to remember every single one. There are many of these types of services out there. Do your research and make sure it’s reputable before you choose one.

• Be smart. Don’t write your password down. Don’t leave your password on a sticky note under your keyboard. Make sure that your password is something secure, not something that everyone would know about you.


Demand spurs growth in cybersecurity training programs

Md. universities react to needs of corporate, military and intelligence employers

BY MARGIE HYSLOP

Special to the Daily Record

There is huge demand for trained and experienced cybersecurity workers, particularly from the U.S. Department of Defense, said Homer Minnick III, who is in charge of cybersecurity professional development at the University of Maryland, Baltimore County Training Centers.

Evidence of that demand can be seen at UMBC Training Centers’ Cybersecurity Academy, where, Minnick said, the number of clients has grown by 15 percent or more since it opened in 2010.

And a professional master’s degree program in cybersecurity at UMBC “has experienced near parabolic growth,” said Rick Forno, who directs the graduate program there.

Corporate, military and intelligence employers are eager to hire workers who can assess security postures in organizations, that is, those who can answer the question: “Are we in a good position to catch the majority of attacks?” Minnick said.

Employers are looking for workers who are good at mitigating security breaches, he said.

Also in high demand are those who can develop and implement policies — particularly those who “understand the bridge,” Minnick said, between technical work and managing it to fulfill an objective or mission.

According to the National Initiative for Cybersecurity Careers and Studies, an arm of the U.S. Department of Homeland Security, jobs are “abundant” in the public and private sector for cyber forensics experts, security architects, cryptographers and source code auditors.

Nearly one in 10 information technology jobs posted online last year was in cybersecurity, according to a report that Boston-based Burning Glass Technologies issued in March.

The company, which uses technology to help clients match people with jobs, also found that cybersecurity jobs took 24 percent more time to fill than IT jobs generally.

According to their analysis, Maryland ranked sixth among states with 10,627 cybersecurity jobs posted, and the Washington and Baltimore metropolitan areas together accounted for 28,000 cybersecurity job openings.

Those numbers put UMBC Training Centers in Columbia at the middle of the action.

And UMBC’s Minnick says that among the most sought after cybersecurity workers now are network intrusion analysts, penetration testers, people who analyze vulnerabilities and specialists who detect, isolate and disable malware.

The Burning Glass report also showed that cybersecurity job openings increased sharply across several sectors from 2010 to 2013.

Professional services accounted for 38 percent of all cybersecurity jobs posted online in 2013, but the steepest growth in cybersecurity job postings was in retail trade — up 94 percent over three years to account for 5 percent of cyber jobs.

Finance and insurance cybersecurity jobs rose 89 percent over the same period to account for 12 percent of cyber jobs in 2013, according to the report.

UMBC is a leader, but not alone, in working to fill the shortage of workers with the training and experience needed to fill cybersecurity jobs. The National Security Agency and the U.S. Department of Homeland Security have designated 16 Maryland colleges and universities as National Centers of Academic Excellence in information assurance and cybersecurity. That’s more than any other state or territory in the nation, except Texas, with which Maryland is tied.

Among them are eight four-year colleges or universities, including highly ranked national and regional schools and the U.S. Naval Academy, as well as eight community colleges.

All eight of those community colleges, plus six more, are among the two-year schools that will share an almost $15 million U.S. Department of Labor grant to develop programs that prepare students for cyber technology jobs that need to be filled in information technology, science, education and various other sectors.

Called the Cyber Technology Pathways Across Maryland Consortium, the schools will collaborate with major employers — including Lockheed Martin, IBM, Raytheon, MedStar, Booz Allen and Rockwell Collins — to assess and train low-income workers for much better-paying cyber technology and cybersecurity jobs.

The 14 community colleges in the consortium plan to graduate nearly 2,000 students in the next three years. Employers working with the consortium have agreed to interview qualified graduates from the program, according to officials at Montgomery College, which is leading development of the program.

That’s one of the latest of several efforts by higher education institutions in Maryland to fill the cyber workforce gap as well as expand the diversity of students — by gender, ethnicity and field of study — who are preparing for the possibility of entering cyber jobs.

The University of Maryland, College Park and UMBC each recently began programs with those aims. Both offer students a “live, learn” environment where they reside in the same dormitory and can meet to study or collaborate in the building where they live.

And they are having success recruiting students from beyond traditional majors such as computer science and engineering.

Almost 4 percent of those in the selective Advanced Cybersecurity Experience for Students (ACES), a program in the selective Honors College at the University of Maryland, College Park, are mathematics majors.

Calculus is required, but almost 10 percent of ACES students come from a range of majors that includes criminology, psychology, business and government and politics, said program director Michel Cukier.

“It’s really exciting to be building something from scratch in this field,” Cukier said.

Photo: Homer Minnick III, the director of the University of Maryland, Baltimore County Training Centers Cybersecurity Academy, addresses students during their commencement ceremony Nov. 6. (Submitted)

16 colleges receive cybersecurity designation

The National Security Agency and the U.S. Department of Homeland Security have designated 16 Maryland colleges and universities as National Centers of Academic Excellence:

• Anne Arundel Community College
• Bowie State University
• Capitol College
• College of Southern Maryland
• Johns Hopkins University
• Hagerstown Community College
• Harford Community College
• Howard Community College
• Montgomery College
• Prince George’s Community College
• The Community College of Baltimore County
• Towson University
• United States Naval Academy
• University of Maryland, Baltimore County
• University of Maryland, College Park
• University of Maryland University College

Survey: Companies seek to manage cyber risks

52 percent of firms carry cybersecurity insurance coverage

There was an increase this year in the perception of cyber risk as a significant threat by boards of directors and C-Suites, according to a recent national survey. But while the perception of the seriousness of the risks is increasing, it is clear that businesses continue to struggle with how to address their cyber risk management needs, according to the results of the Zurich Insurance and Advisen Ltd. 2014 Information Security and Cyber Liability Risk Management survey released last month.

Consistent with the 2013 survey, the majority of respondents (80 percent) claim that information security risks are a specific risk management focus within their organization, but only 62 percent of survey respondents were certain that their companies had a breach plan in place — down 10 percentage points from last year, according to a press release. And while 92 percent of larger companies do have a focus on risk management, the survey found that only 52 percent of respondents have a multi-departmental information security risk management team, which is down nine percentage points from two years ago.

Because some data security breaches cannot be avoided and may not be covered under commercial general liability insurance, some companies should consider separate cyber-insurance policies, said Bret Cohen, an attorney at Hogan Lovells in Washington, D.C.

Aside from costs for damages incurred, the cost of simply notifying customers or clients that their data has been breached can be high for some companies to sustain.

The number of businesses in the survey that have purchased cyber liability insurance appears to have leveled off with 52 percent of respondents carrying cybersecurity coverage, according to a press release. However, of those who have not purchased coverage, 54 percent said they were considering buying in the next year.

The survey also highlighted some emerging risk issues with social media, cloud services and mobile devices.

• Use of cloud services has increased 20 points in two years, indicating the benefits of using cloud services continue to outweigh the security concerns, according to respondents. Currently, 51 percent of those using cloud services are assessing its vulnerabilities.

• The use of personal devices for business purposes is increasingly allowed by employers. These non-company-controlled devices, however, are accessing proprietary corporate information and potentially exposing organizations to a higher degree of risk. Seventy-four percent of respondents have a mobile device security policy, and 47 percent have implemented a “bring your own device” policy.

• Seventy-four percent of respondents have a written social media policy in place to protect against exposures like reputational damage, privacy issues and data breaches.

Margie Hyslop contributed to this report.

Navigating the ‘brave new world’ of Internet law

Experts say gray areas exist with statutes currently on the books

BY PETE PICHASKE

Special to The Daily Record

Confused by how much of somebody else’s blog you can use for your own? Worried that the intimate photo you sent your boyfriend could end up all over the Internet now that he’s your ex-boyfriend? Wondering if you should take that stunning photo off someone’s Facebook page and use it in an ad campaign for your business?

If so, join the crowd.

The dizzying increase in legal questions spawned by the equally dizzying increase in Internet use and social media websites has even lawyers who specialize in the subject a little confused, worried and wondering.

“It’s very complicated,” said Anne McKenna, chairwoman of the Internet and Privacy Practice Group that is part of the Baltimore law firm of Silverman Thompson Slutkin & White. “We’re dealing with an unusual intersection of multiple kinds of law.

“… It’s kind of this brave new world and frontier out there in terms of having the citizens understand how to respond and deal with social media.”

How complex are these legal issues? An American Bar Association website lists more than 130 blogs on Internet law.

What is and is not fair game in the Digital Age is governed by laws in an array of fields, including fraud, wiretapping, privacy, data breaches and copyright, to name a few. To compound the confusion, both federal and state laws apply. And to compound it even further, the laws are constantly changing.

Maryland, for example, which McKenna said is one of the better states at staying on top of Internet-related issues, has passed at least two major laws on the subject in the past two years, one to protect the privacy of passwords and social media accounts, the other a “revenge porn law” that makes it illegal to pass on without consent intimate digital images that someone — typically a girlfriend or boyfriend — gave you.

But while Maryland has done a decent job of wrestling with the challenge of patrolling the Internet, the state — like everyone else — has a long way to go.

“We’re still in the process of catching up,” said Sarah Lacey, an attorney in the Baltimore law firm of Levin & Curlett who has handled Internet crimes. “By no means would anyone say the law has caught up with the uses of the Internet.”

Some acts, of course, are clearly illegal. Dr. Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland, College Park, said that hacking into someone’s phone or computer, for example, is illegal under unauthorized access statutes. Using a bank account number you found there would be illegal under fraud law, he said. And using a photo you found for an ad campaign would be illegal misuse of private data.

But, Katz added, there are plenty of gray areas. For example, for a study he is working on that involves monitoring people’s behavior on public Wi-Fi networks, he checked with university lawyers to make sure such monitoring would be legal. Turns out that it is in Maryland — although not in some states.

“Where exactly you draw the line and what exactly is illegal … is still evolving,” Katz said. “People hadn’t thought about this previously, so now they’re sort of catching up and trying to write laws that will address all these things.”

One of the grayer areas is hacking. While most hacking is illegal, some hacking is done for the public good: Testing websites to see how vulnerable they are, for example.

McKenna said lawmakers nationwide are still wrestling with the question of how to make it legal for “good hackers” to do their work and at the same time protect against “bad hackers” with malicious intent.

“Our concepts of privacy … were created in a pre-Internet era, and they have not really evolved in a way that provides the consumer with protection,” McKenna said.

It’s being talked about, she said, “but we’re not there yet.”

So how does the average person deal with all the complexities?

For those worried about their privacy, the lawyers’ advice is perhaps obvious: Think twice before posting something on the Internet, because you never know who will see it or how it will be used.

“Whatever you put up is perpetually there,” Lacey noted. “It’s gone beyond your control.”

For those who want to take something from another site or source, the advice is also simple: Do your best to make sure it’s allowed. For re-using certain images, you can find good advice on the Internet (“Maybe that’s ironic,” Lacey said).

For lifting photos or words from someone’s private site or blog, get permission from that person or at least attribute the source.

What’s important to keep in mind, the experts said, is that your First Amendment right to use Internet information is not boundless.

“There are limits,” Lacey said. “And when your right infringes on other people’s rights and causes them damage, and they have the resources to track you down and the motivation, then they will do that.”