The CyberWire Daily Briefing 06.19.15
Earlier reports that US Federal employee data stolen from the Office of Personnel Management (OPM) have shown up for sale on the black market appear to be quite false. KrebsOnSecurity's investigation suggests that the data being traded by criminals appears to have come from a different agency: Federal Prison Industries (that is, Unicor.gov). The AP notes the absence of OPM data from the black market (for now — it's unwise to expect them to stay out of criminal hands indefinitely) as further evidence that the breach is the work of an intelligence service as opposed to crooks. That would also account for the relatively muted US diplomatic response: the Americans have long distinguished legitimate intelligence collection from industrial espionage. The OPM hack strikes many as the former; thus outrage is directed against OPM, not the Chinese government.
A side note on industrial espionage: many see the St. Louis Cardinals' (alleged, low-grade) hack of the Houston Astros as indicating widespread corporate hacking of competitors. Others are less sure: US professional sports are different, and have a signal-stealing tradition.
Wikileaks, dumping 276,394 stolen documents, reminds us that Sony Pictures was hacked last year.
Repeat-offending skid "Mufasa," who'd earlier said he hacked Australia's iiNet ISP, hacks US pharmaceutical company Akorn "to teach them a security lesson," a motive belied by his offering stolen data for sale to the highest bidder.
Interesting discussions of OS X and iOS vulnerabilities, as well as accounts of SAP static encryption issues.
The US Treasury Department sees an ISIS-Bitcoin-social-media nexus.
A note to our readers: the CyberWire will be covering SINET's Innovation Summit in New York next week. We'll live-tweet the proceedings and devote at least one special issue to the conference.
Notes.
Today's issue includes events affecting Australia, China, France, Germany, Netherlands, Romania, Russia, Turkey, Ukraine, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
OPM's Database for Sale? Nope, It Came from Another US .Gov (KrebsOnSecurity) A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne'er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries
U.S. wonders: Why stolen data on federal workers not for sale? (AP via the Military Times) The Obama administration is increasingly confident that China's government, not criminal hackers, was responsible for the extraordinary theft of personal information of about as many as 14 million current and former federal employees and others, The Associated Press has learned. One sign: None of the data has been credibly offered for sale on underground markets popular among professional identity thieves
China cyber attack stole data dating back 25 years, may have impacted military and intelligence officials (World Tribune) China's recent hacking of the U.S. Office of Personnel Management (OPM) included millions of personnel files that go back at least 25 years
Could OPM have prevented the breach? (Federal Times) No, probably not. There were a number of failures on the part of the Office of Personnel Management that allowed hackers to steal the personal information on millions of current and former federal employees. But it is unlikely the agency would have been able to prevent the breach entirely
WikiLeaks dumps 276,000 more documents from Sony hack (Phys.org) WikiLeaks on Thursday released 276,394 new documents from the hack of Sony Pictures in what could be a further embarrassment for the Japanese media and electronics group
Akorn Inc. has customer database stolen, records offered to highest bidder (CSO) Hacker responsible says they compromised the company to teach them a lesson in security
Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth (Privacy Online News) Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to "we can do that"
Hotword behaviour in chromium v43 (binary blob download) (Chromium) Thanks for bringing this issue to our attention. I have been following this on Hacker news [1] and the Debian bug tracker [2]. I'd like to clear up a couple of misconceptions
So Long, and Thanks for All the Domains (SWITCH Security Blog) While Trojans like Dyre and Dridex are dominating malware-related news, we take the time to have a closer look at Tinba (Tiny Banker, Zusy, Illi), yet another Trojan which targets Windows users. In the first part of this post, we give a short historical review, followed by hints about how to detect (and remove) this threat on an infected system. In the second part, we have a look at a portion of the Trojan's code which enhances its communication resilience, and how we can leverage these properties for defensive purposes
Favicon Bug Can Crash Chrome, Firefox and Safari (Softpedia) Don't use 10GB files as your website's favicon
New Apple iOS, OS X Flaws Pose Serious Risk (Dark Reading) Security vulnerabilities could expose passwords for Apple iCloud, email, and bank accounts, and other sensitive information, researchers say
OS X and iOS Unauthorized Cross Application Resource Access (XARA) (Internet Storm Center) The last couple of days, a paper with details about XARA vulnerabilities in OS X and iOS is getting a lot of attention [1]. If you haven't seen the term "XARA" before, then this is probably because cross-application-resource-access was normal in the past. Different applications had access to each other's data as long as the same user ran them. But more recently, operating systems like OS X and iOS made attempts to "sandbox" applications and isolate applications from each other even if the same user is running them
Unpatchable Android? (Trend Micro: Simply Security) There's another vulnerability affecting the Android platform that this week once again raises the question: am I vulnerable?
How to hack into an email account, just by knowing your victim's mobile number (Graham Cluley) Symantec has issued a warning about what appears to be a successful scam being perpetrated against users of webmail services such as Gmail, Outlook and Yahoo
Of Non-Nexus Devices and the Android Security Rewards Program (Threatpost) Google's decision to limit its Android Security Rewards program to newer Nexus devices clearly puts the Google phones on the top tier of secure mobile devices
Exclusive — Voidsec disclosed a number of flaws affecting Minds.com Platform (Security Affairs) Security experts at Voidsec have analyzed the popular social networking minds.com disclosing a number of security vulnerabilities
The Swine Flu Wants to Infect Your PC (SenseCy) Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry
Researchers Disclose SAP Default Encryption Key Vulnerabilities (Dark Matters) Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands this week, examining problems related to the use of static encryption keys by SAP in their products
Static encryption keys as the latest trend in SAP security (ERPScan) Today, on the 18th of June, Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. It covers multiple problems related to encryption algorithms and static keys used by SAP in their products
Weaponized Word docs, spyware and malvertising sprouting in May (CSO) Weaponized Word documents have been getting past standard defenses
Top 10 botnet targets in the U.S. and worldwide (Network World via CSO) Level 3's research report analyzes botnet activity around the world
As IPv6 rollout proceeds, security controls remain lacking, warns Rapid7 (FierceITSecurity) IPv6's ability to provide security to connected devices is not as good as IPv4's ability, said H.D. Moore, chief research officer at Rapid7, at the UNITED Security Summit being held here this week
Navy challenged by spear phishing, software patches (FCW) Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command's assistant chief of staff for operations
The Dark Web as You Know it is a Myth (Wired) The 'Dark Web' may be close to becoming a household name. After the conviction of Ross Ulbricht, the owner of the drug marketplace Silk Road, and a stream of articles claiming that the Islamic State is using secret websites to plan out attacks, this hidden part of the Internet is being talked about more than ever
Security Patches, Mitigations, and Software Updates
Critical Drupal vulnerability patched — update your website now (Naked Security) The Drupal Security Team has released a critical software update for the Drupal Content Management System (CMS)
Cyber Trends
Major US data breaches have commonalities to look out for, says Secret Service official (FierceITSecurity) Most major data breaches in the United States have three things in common, Matt Noyes, Secret Service cyber policy advisor, told an audience Wednesday at the UNITED Security Summit sponsored by security firm Rapid7
The devastating breach of US government data highlights an illusory cybersecurity paradox (Business Insider) Computer scientists love paradoxes, especially ones rooted in brain-twisting logical contradictions
Shadow data report underscores the need for strong cloud app security (TechRepublic) Cloud app security firm Elastica's Q2 2015 Shadow Data Report notes an almost 300% increase from last year in the average number of files shared per user. Enterprise users share roughly 25% of files owned, a big jump from the average rate of sharing in Q4 2014, which was 9%. In addition, 12.5% of files shared contain compliance-related data; this is a potential cybersecurity headache for organizations, since that means over 3% of files per user are at risk of sensitive data exposure
New Survey Reveals Limited Enterprise Ability to Respond to Attacks on the Trust Provided by Keys and Certificates (Information Security Buzz) RSA survey of nearly 850 IT security professionals finds they don't know how to detect and respond to key and certificate vulnerabilities
Reddit, Wikipedia, Bing and the FBI agree — an encrypted web is a safer web (Graham Cluley) Reddit, the so-called "front page of the internet", is the latest in a series of popular websites to announce that it will be switching to HTTPS by default, protecting their visitors with secure connection
Houston Astros' Breach A 'Wake-Up Call' On Industrial Cyber Espionage (Dark Reading) The St. Louis Cardinals' alleged breach of the Astros' proprietary database raises concern over the possibility of US companies hacking their rivals for intel
Marketplace
IT Professionals lack confidence in board's cyber security literacy (IT Pro Portal) Tripwire, Inc., the global provider of advanced threat, security and compliance solutions, today announced the results of a study on cyber literacy challenges faced by organisations. The study, which was carried out in May 2015, evaluated the attitudes of executives as they relate to cyber security risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations
How about renting a CSO? (Channel World) How about renting a CSO? At a time when cyber security threats continue to increase in sophistication and prevalence, there's a real shortage of experienced, skilled security leaders. What's a company to do? One thing to consider is "renting" a CISO or other senior security executive
Nine Silicon Valley firms get highest marks for best practices around consumer privacy (SC Magazine) Noting that "it is time to expect more from Silicon Valley," the Electronic Frontier Foundation (EFF) found that nine of the 24 companies reviewed for its fifth annual "Who Has Your Back" report "show that it is practical for major technology companies to adopt best practices around transparency and stand by their users when the government comes knocking"
Cryptzone Secures $15M Series B Funding Led by Kayne Anderson (Cryptzone) Growth capital to help rapidly growing cybersecurity company accelerate sales, expansion
EdgeWave Appoints U.S. Navy/DOD Cyber Security Expert To Lead Security Analytics (PR Newswire) David Bell previously managed U.S. Navy red team operations
Willis Strengthens Cyber Team (Globe Newswire) Key appointments deliver cyber risk expertise across North America platform
Products, Services, and Solutions
Former Googler fights adblockers with adblocker blocker (Naked Security) There are dozens of adblockers to choose from, from the market dominator Adblock Plus to the new Silicon Valley darling - open-source uBlock - as well as those that block out practically everything but the sun
DuckDuckGo search traffic soars 600% post-Snowden (Naked Security) When Gabriel Weinberg launched a new search engine in 2008 I doubt even he thought it would gain any traction in an online world dominated by Google
SecureRF Selected to Present its Algebraic Eraser™ Method at NIST Lightweight Cryptography Workshop (SecureRF) A lightweight, efficient asymmetric key agreement protocol for the Internet of Things
New security product for Microsoft Office 365 includes 'kill switch' to prevent data leakage (FierceITSecurity) Chief information security officers and other IT security pros are losing sleep worrying about the security of sensitive corporate data stored in the cloud
Reddit's ex-CEO supports banning online harassment that harms people in real life (Quartz) Last year, after reddit was used to spread hacked private photos of celebrities, then CEO Yishan Wong was heavily criticized by users for taking down the subreddits doing so, only to insist that the platform was committed to free speech, no matter how unsavory. Last week, after a negative reaction to a policy change by new CEO Ellen Pao that included banning five subreddits (including the very popular "/r/fatpeoplehate") because they caused real-life harassment, Wong wrote a post on Quora about why he supports her move
Technologies, Techniques, and Standards
Security CheatSheets — A collection of cheatsheets for various infosec tools and topics (KitPloit) These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets is to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux
Cybersecurity Advice From A Former White House CIO (Dark Reading) Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done
Breach Defense Playbook, Part 5: Reviewing Your Cybersecurity Program (Part 2) (Dark Reading) Cybersecurity requires a combination of people, process, and technology in a coordinated implementation leveraging a defense-in-depth methodology
Legislation, Policy, and Regulation
Israel To Consolidate Cyber Spending, Ops (DefenseNews) The Israeli military aims to consolidate cyber-related investment, training and planning for defensive and offensive operations under a unified Cyber Command to be stood up within two years
Opinion/Editorial: U.S. security fails again (Daily Progress) The irony is obvious, but worth repeating: On the one hand, we have federal agencies that are turning their vast powers of surveillance against potentially innocent Americans — agencies such as the NSA and the FBI, with their sophisticated electronic intelligence technologies and methods of skirting the Fourth Amendment
Why the US Hasn't Pinned the OPM Hack on China (Defense One) Getting China to stop this activity is at the top of Washington's diplomatic agenda. Stopping foreign intelligence services from spying, however, is not
Comments on 2 year Snowden anniversary (Information Security Buzz) "Two years after the Snowden leaks, it's clear that the vast majority of the IT security community doesn't believe that the level of government surveillance has changed
Blog: Commanding and Controlling the Cyber Domain (SIGNAL) The DISA director dispels the number one myth about the agency's new operational role
Blog: Speed Dating With DISA (SIGNAL) Agency officials propose a closer relationship with industry and with warfighters
Litigation, Investigation, and Law Enforcement
Terrorists eyeing Bitcoin and social media to fund jihad: US (Business Standard) "A number of online fundraisers explicitly advertise that collected funds are being used to purchase weapons"
St Louis Cardinals foul out in hacking escapade (CSO) Who is on first? I've found it difficult to get back into watching baseball since the last strike
Poor password practices appear behind Cardinals' hack of Astros' database (FierceITSecurity) It appears poor password practices were behind the alleged St. Louis Cardinals' breach of the Houston Astros secretive Ground Control database, which contains sensitive player information including medical reports, trade talks, statistics and scouting reports
Cardinals, MLB Lawyer Up in Astros Hacking Probe (American Lawyer) On the cleated heels of Deflategate and soccer's global corruption crisis, the scandal-prone pro sports community is in need of legal advice yet again — this time related to alleged Major League foul play involving the St. Louis Cardinals. The New York Times reported Tuesday that the Federal Bureau of Investigation is probing Cardinals personnel for allegedly hacking into Houston Astros databases that house team strategies, including information on scouting and trades
Secret Service agent who stole $820K from Silk Road pleads guilty (Ars Technica) Shaun Bridges' stealing spree was the impetus for DPR's first murder-for-hire
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
2015 Community College Cyber Summit (3CS) (North Las Vegas, Nevada, USA, Jun 17 - 19, 2015) The second annual Community College Cyber Summit (3CS), hosted by the College of Southern Nevada, is organized and produced by the five cybersecurity-related Advanced Technological Education (ATE) centers funded by the National Science Foundation (NSF). 3CS meets the perceived need for a national academic conference that focuses exclusively on cybersecurity education at the community college level. Faculty, administrators, and other stakeholders in community college cybersecurity education are invited and encouraged to attend. Government, industry, and association representatives in the cybersecurity arena are likewise welcome
Suits and Spooks All Stars 2015 (New York, New York, USA, Jun 19 - 20, 2015) Unlike our typical "collision" event, our All Stars will have at least 60 minutes each for their talks. Seating will be limited because we're going to hold it in one of our most popular venues — Soho House NYC — on Friday June 19 and Saturday June 20th. It will be our last event there because they're converting the library to a member-only space starting July 1st. So think of this as your exclusive invitation to spend 8 to 16 hours talking security, multi-disciplinary problem-solving, and out-of-the-box thinking with some of our best game changers
REcon 2015 (Montréal, Québec, Canada, Jun 19 - 21, 2015) REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal, Canada. The conference offers a single track of presentations over the span of three days along with technical training sessions held before the presentation dates. Technical training varies in length between two and four days
Nuit du Hack 2015 (Paris, France, Jun 20 - 21, 2015) The "Nuit Du Hack" conference was initiated in 2003 by the French hacking group: HackerZvoice. This event has been gathering people willing to learn and share their knowledge around lectures and challenges since. Originally reuniting 20 persons, the Nuit Du Hack has never stopped growing by gathering more and more people from passionate to the professional area. Since 2010, in order to improve the quality and the accessibility of this event, talks and workshops in English are possible. In 2013 and 2014, the event announced several lecturers of international renown and rallied more than 1500 fans including more than 50 challengers fighting in teams. The 14th edition of the Nuit Du Hack will be held at the circus academy Fratellini (Académie Fratellini, école du cirque) on June 20th, 2015. So if you're interested in Hacking, This is Le place to be if you're in Paris during the summer. Mkay?
Fifth Annual International Cybersecurity Conference (Tel Aviv, Israel, Jun 22 - 25, 2015) The conference, held jointly this year by the Yuval Ne'eman Workshop for Science, Technology and Security, the National Cyber Bureau, the Prime Minister's Office, the Blavatnik Interdisciplinary Cyber Research Center (ICRC) and Tel Aviv University, will bring together leading international cyber experts, policymakers, researchers, security officials, and diplomats for an exchange of knowledge, methods and ideas concerning evolving cyber technologies
Cybersecurity Executive Roundtable (Blacksburg, Virginia, USA, Jun 23, 2015) Experts from across the country will convene at Virginia Tech to meet with rising cybersecurity talent to discuss solutions for the country's cyber workforce shortage in an executive roundtable titled "The Manpower Crisis in Cyber Security: Promising Solutions." The roundtable discussion will be hosted by Richard McKinney, Chief Information Officer for the U.S. Department of Transportation, Andrew H. Turner, Vice President and Head of Global Cyber Security for Visa, and Karen Evans, National Director of the U.S. Cyber Challenge
Cyber Security for Defense (Augusta, Georgia, USA, Jun 24 - 26, 2015) This conference serves as an opportunity for solution providers to break through the background noise and present their unique ideas and products in an environment specifically tailored to highlighting them, while simultaneously learning about the future requirements of the Military and a variety of other topics. Meanwhile the Department of Defense gets a first hand look at some of the solutions they may have not originally considered, all in pursuit of that best value solution
Innovation Summit: Connecting Wall Street, Silicon Valley & the Beltway (New York City, New York, USA, Jun 25, 2015) Innovation Summit connects America's three most powerful epicenters and evangelizes the importance of industry, government and academic collaboration on joint research initiatives. The opportunity to bring practitioners and theory together to discuss fundamental Cybersecurity challenges is critical to the advancement of innovation in the Cybersecurity domain. This summit is designed to reinvigorate public-private partnership efforts and increase relationships that foster the sharing of information and joint collaboration on Cybersecurity research projects
AFCEA PNC Tech & Cyber Day (Tacoma, Washington, USA, Jun 25, 2015) The Armed Forces Communications & Electronics Association (AFCEA) - Pacific Northwest Chapter (PNC) will once again host the 5th Annual Information Technology & Cyber Day at Joint Base Lewis-McChord (JBLM) on Thursday, June 25, 2015. The purpose of this annual event is to allow JBLM personnel the opportunity to evaluate the latest Information Technology advancements, as well as to learn more about Cyber Security best practices and remediation strategies
Cybersecurity Outlook 2016 (Tysons Corner, Virginia, USA, Jun 26, 2015) Cybersecurity Outlook 2016 is a breakfast event by Potomac Tech Wire and Billington CyberSecurity that brings together senior executives in the Mid-Atlantic to discuss technology issues in a conversational, roundtable environment moderated by the editor of Potomac Tech Wire and the founder of Billington CyberSecurity. The panel will focus on the overall outlook for cybersecurity, including technology trends, business issues, start-up issues, government needs and predictions
NSA Information Assurance Symposium (IAS) 2015 (Washington, DC, USA, Jun 29 - Jul 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred Information Assurance event of the year. Leaders and practitioners will deliver vital and relevant answers, direction, and best practice advice for carrying out the Information Assurance mission. The IAS brings policy, governance, technology, hands-on training and networking opportunities to attendees from across government, industry, and academia. Upwards of 2,000 IA professionals are expected to attend with ample opportunities for cross-community collaboration to address the community's most challenging IA concerns. Presentations, training, and demonstrations pertinent to today's work and work planned for the future will be shared during this event. U.S. Government, U.S. Government sponsored contractors, 2nd Party Government, 2nd Party Government sponsored contractors, Academia, and Industry participants will be represented
US News STEM Solutions: the National Leadership Conference (San Diego, California, USA, Jun 29 - Jul 1, 2015) San Diego offers the perfect backdrop for the 4th annual U.S. News STEM Solutions National Leadership Conference, June 29 — July 1, 2015 in San Diego, CA. Please make your plans now to join fellow leaders from business, education and government to maintain our hard-won momentum and forge the STEM workforce of tomorrow
Information Assurance Symposium (Washington, DC, USA, Jun 29 - Jul 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred Information Assurance event of the year. Leaders and practitioners will deliver vital and relevant answers, direction, and best practice advice for carrying out the Information Assurance mission. The IAS brings policy, governance, technology, hands-on training and networking opportunities to attendees from across government, industry, and academia
Cyber Security for Healthcare Summit (Philadelphia, Pennsylvania, USA, Jun 29 - Jul 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part of the hospital's existing governance, risk management and business continuity framework
Cybergamut Tech Tuesday: The Truth About Security Your System (Elkridge, Maryland, USA, Jun 30, 2015) What does it take to secure a system? What is the logical approach to successfully achieve this endeavor? First, an understanding of who wants access and why is a necessary baseline to form a strategic approach. Next, an understanding of the critical assets in the organization is a must. Finally, an understanding of how to implement a risk-based approach sums up the discussion. Presented by: Dr. Susan Cole
TakeDownCon Rocket City (Huntsville, Alabama, USA, Jul 20 - 21, 2015) TakeDownCon is a highly technical forum that focuses on the latest vulnerabilities, the most potent exploits, and the current security threats. The best and the brightest in the field come to share their knowledge, giving delegates the opportunity to learn about the industry's most important issues. With two days and two dynamic tracks, delegates will spend Day 1 on the Attack, learning how even the most protected systems can be breached. Day 2 is dedicated to Defense, and delegates will learn if their defense mechanisms are on par to thwart nefarious and persistent attacks
CyberMontgomery 2015 (Rockville, Maryland, USA, Jul 30, 2015) Montgomery County, Maryland, is home to the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), the FDA, NIH, NOAA, NRC and more than a dozen other Federal agencies, plus regional State and local agencies, educational institutions (such as Montgomery College, the Universities at Shady Grove, a satellite campus of Johns Hopkins, and the Bethesda-based SANS Institute), plus scores of cyber companies, ranging from start-ups to multinational corporations such as Lockheed Martin, employing upwards of 37,000 people in cyber-related jobs. With cybersecurity constituting a major growth engine in the region for many years to come, and with leading Federal government, industry and academic assets already in place in the region, the annual CyberMontgomery conference serves to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. In that light, CyberMontgomery provides clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in the County, and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders