Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.



The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.


Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at juniors and seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a one-year scholarship that grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Wednesday, November 20, 2024 - 14:02
CISOs can now obtain professional liability insurance

Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies typically cover CEOs, CFOs, and board members, but frequently do not extend to CISOs.

New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 

Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 

“CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional insurance policies.”

The policies, which can be obtained on behalf of a company or through a CISO themselves, can cover consulting done for the organization and subsidiaries, as well as moonlighting or pro bono IT security work.

“We find that it’s not unusual for CISOs to be doing consulting, either on a pro-bono basis or for a fee,” Economidis said. “That creates an exposure as well, and the policy will also cover that.” 

The CISO role is one that is under increasing legal scrutiny, especially after high-profile security incidents. In October 2023, the Securities and Exchange Commission sued SolarWinds and its chief information security officer for failing to disclose poor cybersecurity defenses in the wake of Russian-government-linked hackers breaching its systems. A judge dismissed most of that lawsuit earlier this year.

The plan offers zero deductible defense costs for immediate and effective protection, along with broad claims coverage, even in criminal proceedings, ensuring CISOs have robust protection against personal liabilities. It also includes targeted regulatory protection to comply with SEC cyber disclosure rules, helping CISOs limit exposure to civil and criminal liabilities.

Economidis says policyholders can typically expect costs to range from $3,000 to $5,000 per insured person, depending on factors such as coverage limits and deductibles. Additional variables, including whether the company is public or private and the company’s years of experience, can also influence the pricing.

The post CISOs can now obtain professional liability insurance appeared first on CyberScoop.

Wednesday, November 20, 2024 - 13:19
US charges five men linked to ‘Scattered Spider’ with wire fraud

Federal authorities unsealed charges Wednesday against five individuals with links to the “Scattered Spider” cybercrime syndicate, accusing them of conducting an extensive phishing scheme that compromised companies nationwide, enabling the theft of non-public data and millions in cryptocurrency. 

Ahmed Hossam Eldin Elbadawy, 23, of Texas; Noah Michael Urban, 20, of Florida; Evans Onyeaka Osiebo, 20, of Texas; and Joel Martin Evans, 25, of North Carolina, have been charged with conspiracy to commit wire fraud, for allegedly sending phishing messages to various technical employees to capture login credentials, which were then illicitly used to access and exploit corporate and individual accounts. 

A separate complaint was filed against Tyler Robert Buchanan, 22, from the United Kingdom, for similar crimes.

Evans was arrested Tuesday by the FBI in North Carolina and is expected to make his initial court appearance Wednesday. Urban was arrested in January in Florida after being indicted on separate federal wire fraud and aggravated identity theft charges. Buchanan was arrested in June by Spanish police for being “responsible for the computer attack on 45 companies in the United States.”  

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the assistant director in charge of the FBI’s Los Angeles field office. “These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse.”

Scattered Spider emanates from an online community known as “the Com,” an aggressive, nebulous ring of approximately 1,000 young cybercriminals that are mainly organized on online platforms. The group, also tracked by cybersecurity firms as “0ktapus,” Octo Tempest, or UNC3944, has been known to target big-name companies, including the casino giant MGM Resorts and Clorox.

Court documents reveal that between September 2021 and April 2023, the defendants disseminated mass SMS phishing messages to employees of various target companies. These messages deceptively indicated account deactivation warnings, directing users to phishing sites mirroring genuine business service providers. When employees entered their credentials, these were harvested to gain unauthorized access to corporate systems, resulting in the theft of intellectual property and personal identifiers. The group also used stolen information to break into many cryptocurrency accounts and steal millions of dollars.

The FBI had faced criticism for limited progress in bringing members of the Com to justice. However, law enforcement actions targeting Scattered Spider and the wider Com network have become more frequent over the past few months.

Aside from the arrests mentioned above, British police arrested a 17-year-old who is believed to be behind last year’s ransomware attack on MGM Resorts. Earlier this month, Canadian authorities arrested Alexander “Connor” Moucka, an alleged Com member suspected of orchestrating a series of data exfiltration attacks targeting customers of the data storage firm Snowflake. 

The post US charges five men linked to ‘Scattered Spider’ with wire fraud appeared first on CyberScoop.

Wednesday, November 20, 2024 - 11:47
Vulnerability disclosure policy bill for federal contractors clears Senate panel

A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.

The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”

Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.

The legislation was previously touted by cyber firms including Palo Alto Networks and HackerOne. In a statement provided to CyberScoop on Wednesday, Ilona Cohen, HackerOne’s chief legal and policy officer, said “the overwhelming bipartisan support in both the Senate and House” of the bill “provides additional momentum for enacting this legislation as part of this year’s” National Defense Authorization Act.

The bill was written in part as a response to the 2015 Office of Personnel Management data breach, in which vulnerabilities in systems used by two contractors that stored data on federal employee background checks were exploited. 

“Federal agencies have made significant progress in implementing vulnerability disclosure policies,” Cohen said. “This legislation will address a gap in our nation’s cybersecurity defenses by requiring contractors to adopt this best practice to protect government information and personal data.”

Other cyber bills move forward

Days after Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced legislation to strengthen oversight powers of an interagency federal council charged with securing the government’s IT supply chain, the bill cleared HSGAC and now awaits a full Senate vote.

The Federal Acquisition Security Council Improvement Act of 2024 (S. 5310) from Peters, who chairs HSGAC, and Rounds, a member of the Senate Intelligence Committee, seeks to combat security threats posed by technology products made by companies with ties to foreign adversaries, particularly China. 

The legislation, a companion to a House bill introduced in September, would give the Office of the National Cyber Director leadership authorities over the Federal Acquisition Security Council, which is currently overseen by the Office of Management and Budget.

The bill also aims to push the FASC to pursue orders to block the use of technologies that may threaten national security — something the council hasn’t done in its six years of existence. The legislation would establish a process to allow Congress to initiate investigations into potentially risky tech, with the FASC then ordering a ban on government purchases of that product or a ban on products from the company in question. 

Two pieces of cybersecurity workforce legislation also cleared the Senate panel Wednesday: the DHS Cybersecurity On-the-Job Training Program Act (H.R. 3208) and the DHS Cybersecurity Internship Program Act (S. 5321). Both bills would amend the Homeland Security Act of 2002. 

The first bill, introduced last year by Rep. Sheila Jackson Lee, D-Texas, directs DHS to develop a program to train agency workers on cyber-related matters at the department. The second bill, from Peters and Rep. Yvette Clarke, D-N.Y., would create a paid cybersecurity internship program within DHS.

The post Vulnerability disclosure policy bill for federal contractors clears Senate panel appeared first on CyberScoop.

Tuesday, November 19, 2024 - 15:39
Sen. Blumenthal wants FCC to get busy on telecom wiretap security rules

A top senator on Tuesday urged the Federal Communications Commission to begin writing rules that would create mandatory security standards for wiretapping systems embedded in the networks of telecommunications carriers.

The suggestion to act immediately from Sen. Richard Blumenthal, D-Conn., comes in response to Chinese hackers known as Salt Typhoon targeting the phones of both 2024 presidential campaigns via the so-called “lawful access” program, which mandates that telecoms assist the U.S. government in its surveillance efforts. The hacking campaign has spurred considerable congressional interest.

It also comes after the election of Donald Trump for president and as his administration prepares to take over in January. But at a hearing of his Senate Judiciary Subcommittee on Privacy, Technology and the Law, Blumenthal said the issue is bipartisan and any rulemaking should continue into next year.

“Think of it for a moment: A foreign adversary attempted to wiretap both presidential campaigns during this past election,” he said at the hearing. “We’re still learning each week about how sprawling and catastrophic this hacking campaign was. What we know now, and it’s publicly known, should galvanize action now. We need to ensure that these specific types of hacks will never happen again.”

Adam Meyers, senior vice president of the cybersecurity firm CrowdStrike, said hackers who infiltrate the lawful access program could collect call times, call contents, text message traffic, where a call is coming from and whom a target is with — opening up the ability to then target those additional parties.

“The lawful intercept rules that are present for lawful purposes, if there’s a warrant or other means for law enforcement to collect information, is a gold mine for a foreign threat actor,” he told Blumenthal’s panel.

The FCC should also launch an investigation, Blumenthal said. The commission reportedly requested a briefing from national security officials on the Salt Typhoon intrusions, but a spokesperson declined to comment last week on whether it received that briefing.

“The FCC has the legal authority, right now it has the power, to set and enforce security standards,” Blumenthal said.

Blumenthal’s urging is an echo of other calls last month for the FCC to take up those security standards. The extent to which the Trump administration will embrace minimum critical infrastructure security standards, though, is unclear.

The post Sen. Blumenthal wants FCC to get busy on telecom wiretap security rules appeared first on CyberScoop.

Tuesday, November 19, 2024 - 13:12
Microsoft launches ‘Zero Day Quest’ competition to enhance cloud and AI security

Microsoft has announced the launch of Zero Day Quest, a significant expansion of its bug bounty programs, focused on uncovering high-impact security vulnerabilities in cloud and AI technologies. 

Under the program, Microsoft will double the bounty rewards for eligible AI vulnerabilities from Nov. 19, 2024, to Jan. 19, 2025, and give researchers direct access to the company’s dedicated AI engineers and the AI Red Team, which specializes in probing AI systems for potential security flaws. The initiative is part of Microsoft’s broader Secure Future Initiative, launched to pre-emptively address security vulnerabilities across its extensive suite of products and services.

Microsoft will also be adding bonus bounty multipliers for valid important- or critical-severity issues across Microsoft’s AI, Azure, Microsoft Identity, M365, Dynamics 365, and Power Platform for the length of the challenge.

Submissions can also qualify researchers for one of 45 spots in an onsite hacking event at Microsoft headquarters in Redmond, Wash., which will be held in 2025.  

“Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers — bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe,” Tom Gallagher, VP of engineering at the Microsoft Security Response Center, wrote in a blog entry posted Tuesday.

The company plans to share post-discovery insights through the Common Vulnerabilities and Exposures (CVE) program to allow the entire industry to learn from the identified security issues. The event reinforces Microsoft’s commitment to elevating security standards and creating deeper partnerships within the cybersecurity community, ensuring more robust defenses across its platforms in light of increasing threats and past security breaches involving its products.

“This event is not just about finding vulnerabilities; it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center, product teams, and external researchers — raising the security bar for all,” Gallagher wrote.

More details on the program can be found on Microsoft’s Security Response Center site.

The post Microsoft launches ‘Zero Day Quest’ competition to enhance cloud and AI security appeared first on CyberScoop.