Cybersecurity Competitions Angelo Castigliola

Cybersecurity Competitions Angelo Castigliola. Enterprise Information Security and Risk Management Systems Analyst for Unum. Application Security Architecture

Angelo Castigliola

• Enterprise Information Security and Risk Management Systems Analyst for Unum.
• Application Security Architecture
• Winner of DHS National Cybersecurity Awareness Campaign Challenge 2010
• Contributed to GNU open source project iWar featured in “Hacking Exposed Linux, 3rd Edition.”

Cybersecurity Competitions

• National Cybersecurity Awareness Campaign Challenge 2010
  – Contest rules
  – My Entry
  – Other winning entries
• Cybersecurity Competitions
  – Nerd Superstar

DHS Cyberchallenge

• Announced by Janet Napolitano at the RSA conference
• Entries due only three months after announcement

The Department of Homeland Security is working with many organizations, both individually and through the National Cyber Security Alliance, to find ways of raising public awareness of cybersecurity. As we develop strategies and messages that will resonate with various groups, we want the benefit of your ideas on how you would get the word out to your colleagues, or your friends, or your parents and children. This competition will gather and share publicly the best, most creative ideas for making the public more cyber secure, cyber smart, and cyber assured.

Overview:

The National Cybersecurity Awareness Campaign Challenge Competition is designed to solicit ideas from industry and individuals alike on how best we can clearly and comprehensively discuss cybersecurity with the American public.

Challenge:

DHS Cyberchallenge Judging Criteria

Key areas that should be factored into the competition are the following:

• Teamwork
• Ability to quantify the distribution method
• Ability to quantify the receipt of message
• Solution may under no circumstance create spam
• Use of Web 2.0 Technology
• Feedback mechanism
• List building
• Privacy protection
• Repeatability
• Transparency
• Message

DHS Cyberchallenge Entry Rules

• It should engage the Private Sector and Industry leaders to develop their own campaign strategy and metrics to track how to get a unified cyber security message out to the American public.

• Proposals should be submitted in Word format by April 30, 2010 and should include the following:

  • Company name, Point of Contact and contact information
  • Outline of Campaign Strategy
    – Strategic overview of plan and definition of success
    – Organizations involved
    – Target audience
    – Timeline
    – Metrics used to define success.
  • Distribution of Message
    – Communication methods to reach targeted audience
      • Traditional media/PSAs
      • New Media
      • Literature/Pamphlets

My Strategy for the DHS Cyberchallenge

• Main focus was writing the proposal
• Brainstormed to come up with as many activities as possible to write about.
• Found out what other initiatives existed that supported same goals
• Identified stakeholders
• Networking

Proposal Structure

• Criterion for the proposal was an outline for a marketing campaign
• Biggest challenges:
  – Organizations involved (Teamwork)
  – Target audience
    • Ability to quantify the distribution method
    • Ability to quantify the receipt of message
  – Metrics used to define success
  – Communication methods to reach targeted audience

Collaboration

• Deployed websites mymaineprivacy.org and wiki.mymaineprivacy.org

• Website central to teamwork, transparency, list building, and feedback

• Easily integrated with Facebook, Twitter, and YouTube for Web 2.0

• Meetings
• Phone conferencing

Teamwork and Networking

• Assembled a group of friends interested in participating

• Reached out to government cybersecurity awareness campaigns
  – Federal Trade Commission: Bureau of Consumer Protection (onguardonline.gov)
  – National Cyber Security Alliance (staysafeonline.org)
• Unum and General Dynamics

Stakeholders

• Antivirus companies
  – McAfee
• Banks
  – Emailed over fifty local banks
  – Partnered with Androscoggin Bank and Gorham Savings Bank
• Community organizations
  – 4H
  – Small Business Association

Marketing

• Local Community and Government Television Stations
  – Over 70 public and government television stations in the state of Maine
  – Received commitments from 50 television stations
• Local Community Radio Stations
  – Maine has 15 community radio stations
  – Received commitments from 4
• Public Libraries
  – Over 300 public libraries exist in Maine
  – Received commitments from 150 libraries

Timeline

My Proposal

• Listed all of the contacts I made and how they agreed to help my local initiative

• Summary of campaign materials
• Defined metrics from cybercrime statistics
• Available on my blog castigliola.com

Other Winning Entries

• Best Local/Community Plan – Securing Our eCity San Diego and MyMaine Privacy
  – For the Best Local/Community Plan, Securing Our eCity San Diego and MyMainePrivacy were both selected as winners. Both proposals offered innovative and efficient strategies for executing grassroots approaches in collaboration with state and local government, the public and private sector, and the academic community. This is an important component of the national campaign, and we will continue to explore and learn about these programs to help inform our grassroots efforts.
• Best Creative Approach – Beekeeper Group and LegalNet Works “Trot Against Bots”
  – For Best Creative Approach, Beekeeper Group and LegalNet Works were selected as the winners for their “Trot Against Bots” submission. The idea puts a new twist on a traditional 5K race, and involves working with local officials to organize a 5K in the middle of downtown Washington, D.C., and intentionally causing traffic congestion. The metaphor: while a single problem may not shut down traffic, the culmination of many problems could create a large disruption (In this case, vehicle traffic represents Internet traffic). This unique demonstration could be replicated easily in cities and towns across the United States.
• Best Individual Plan – Melissa Short “Cybersecurity Starts Here: Home, School and Main Street”
  – For the Best Individual Plan, Melissa Short, from Roanoke, Va., was selected for her “Cybersecurity Starts Here” campaign. Included in her proposal is the creation of a cybersecurity awareness portal and a Cybersecurity Ambassador Program, both of which will be integrated into the national Campaign.

Other Winning Entries (cont.)

• Best Educational Plan – Pennsylvania State University “CyberLink Games”
  – Penn State’s proposal was selected as the Best Educational Plan, for their CyberLink Games. The two games—CyberLink Duo and CyberLink Solo—are aimed at improving Internet security. CyberLink Duo helps players understand how society views cybersecurity risk, and CyberLink Solo educates players on the latest information from experts on cybersecurity threats.
• Best Publicity and Marketing – Cisco Systems, Inc. “Cybersecurity is Everyone’s Responsibility”
  – For Best Publicity and Marketing plan, Cisco Systems’ proposal was selected for their “Cybersecurity is Everyone’s Responsibility” campaign. An overarching theme of the National Cybersecurity Awareness Campaign is creating a balance between Internet safety as a personal responsibility and a shared responsibility. The awareness campaign Cisco proposed addresses this goal by creating an educational cybersecurity portal and cybersecurity “IQ challenge,” and utilizing print, radio, TV and online advertisements to drive awareness of these programs.
• Best Iconic and Overall Structure – Deloitte & Touche LLP “Think Before You Click”
  – The winning submission for Best Iconic and Overall Structure was Deloitte & Touche for their Cybersecurity call-to-action and “Think Before You Click” campaign. In addition to proposing creative messaging and tag lines, Deloitte proposed a logo to help drive awareness and recognition of the campaign.

Other Cybersecurity Competitions

• nerdsuperstars.com (BETA)

Competitions open to Professionals

Pwn2own 2011
– Registration opens ahead of CanSecWest conference. March 9-11, 2011 Vancouver, Canada.
– Challenge is to hack various web browsers on different platforms (Win 7, Vista, XP, Apple)
  • IE 8
  • Mozilla Firefox 3
  • Google Chrome 4
  • Apple Safari 4
– Over $200,000 in prizes given away!

Competitions open to Professionals (Cont.)

Department of Defense DC3 Digital Forensic Challenge
– Approximately 25 different challenges ranging from basic forensics to advanced tool development are being provided to all participants.
– The challenges are single based challenges and are designed to be unique and separate from one another.
– New registrations will be accepted until November 2, 2010
– $100,000 in prizes given away

Competitions open to Professionals (Cont.)

• RSA Security Blogger Awards
  – February 14-18, 2011 San Francisco, California

The Social Security Blogger Awards for 2010
  – Best Technical Security Blog – The SANS Internet Storm Center Blog
  – Best Non-technical Security Blog - Krebs on Security by Brian Krebs
  – Best Podcast – Pauldotcom
  – Best Corporate Blog – Jeremiah Grossman, White Hat Security
  – Most Entertaining Security Blog – Rational Survivability by Chris Hoff

Cyber Security Competitions open to College students

• EDUCAUSE Annual Security Video Contest
  – Contest in search of posters and short information security awareness videos developed by college students, for college students.
  – Deadline for submission: March 11, 2011
• Mid-Atlantic Collegiate Cyber Defense Competition
  – Cyber attack/defense competition
  – Open to all two- and four-year undergraduate and graduate students in Delaware, Maryland, North Carolina, Pennsylvania, Virginia, and Washington, D.C.
  – Team registrations start October 10, 2010 and are due by December 10, 2010

Maine High School Cybersecurity Competition

Maine Cyber Defense Competition

• The competition is open to all Maine high schools and technical schools
• Note: no previous knowledge of cyber security is required of the advisor or team members. A variety of educational resources are available to each team to help them learn concepts (basic to more complex) that will introduce them to technical knowledge and skills including cyber defense techniques.
• An adult willing to serve as an advisor (must be a school staff person)
• An adult willing to serve as a mentor (may be the same as the advisor)
• Between three to eight students
• All team advisors must submit a Participation Agreement and Release forms as soon as possible and no later than January 30, 2011.

Past 2010 Competitions

• Defcon
• SANS Netwars Next Generation Competition
• NYU-Poly Capture the Flag Application Security Challenge
• NYU-Poly Embedded Systems Challenge
• AFA CyberPatriot
• NYU-Poly High School Cyber Forensics Challenge

Staying in Contact

• castigliola.com
  – Facebook
  – Twitter
  – LinkedIn
  – Blog

• nerdsuperstars.com