Cybersecurity Awareness Events

Security Engineering for Medical Products: Sensors, Signals, Semiconductors, Software Systems (Sept 15)

Medical devices, healthcare delivery, and other cyber-physical systems depend on sensors to make safety-critical, automated decisions. The research lab of Kevin Fu, PhD (University of Michigan) investigates the problem of how to protect cyber-physical systems from adversaries who can maliciously control sensor output by subverting its semiconductor physics. Finding principled, systematic solutions is extremely important to give consumers confidence in innovative medical devices and other emerging technology. Unique to our embedded security research contributions is an emphasis on protecting the longevity of implanted batteries and using software-only approaches to mitigate design flaws in legacy hardware. These contributions were important to creating the field of medical device security; advancing the academic community's ability to measurably defend against signal injection attacks on sensors; and changing how international regulators evaluate security of consumer products.

In this talk, he highlighted academic research on protecting sensor semiconductors from maliciously modulated sound waves, radio waves, and lasers that can compromise software systems in cyber-physical systems such as pacemakers and vaccine cold-chain transportation.

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

Advanced Persistent Threats (APTs) and their use of social engineering to target your organization (June 21)

Advanced Persistent Threats (APTs) often utilize social engineering, the psychological manipulation to trick people into divulging sensitive information (information gathering) or performing actions (fraud, unauthorized system access). Rosa Smothers, Vice President of Cyber Operations at KnowBe4, will discuss various approaches by APT groups and ways to be a “human firewall” for UC and your digital life.

The Tech Talk: Talking to Your Kids About Online Safety (June 2)

The kids are coming home for the summer and spending a lot more time online. You’ve taught them about physical safety, like looking both ways when crossing the street, but have you taught them about online safety? In this recent webinar, experts shared resources and tips to help you successfully prepare the younger generation to navigate their online lives.

Whether you are a parent, teacher, or school faculty, watch the video recording to equip yourself for “The Tech Talk” with your kids.

Security Engineering of Machine Learning (May 19)

Statistical machine-learning techniques have been used in security applications for over 20 years, starting with spam filtering, fraud engines and intrusion detection. In the process we have become familiar with attacks from poisoning to polymorphism, and issues from redlining to snake oil. The neural network revolution has recently brought many people into ML research who are unfamiliar with this history, so it should surprise nobody that many new products are insecure.

In this talk, Ross J. Anderson, PhD (Edinburgh University; University of Cambridge) described some recent research projects where we examined whether we should try to make machine-vision systems robust against adversarial samples, or fragile enough to detect them when they appear; whether adversarial samples have constructive uses; how we can do service-denial attacks on neural-network models; on the need to sanity-check outputs; and on the need to sanitize inputs. We need to shift the emphasis from the design of "secure" ML classifiers, to the design of secure systems that use ML classifiers as components.

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

QB3 Webinar - Cybersecurity: What You Need to Know in 2022 with Elvis Chan, FBI, Allison Henry, UC Berkeley, and Pat Phelan UC San Francisco (May 17)

Cybersecurity is a key issue for us in our private lives — think identity theft — and at the national scale — such as federal elections. For scientists in academic & commercial labs, threats include IP theft, ransomware, and hacktivism. Where are we vulnerable to those who want to disrupt or steal from us? How can we do the best possible job of protecting ourselves and the organizations we serve? Join us to learn best practices from the FBI's Elvis Chan, who manages San Francisco’s Cyber Branch, which is responsible for cyber investigations and digital forensics, and Allison Henry and Patrick Phelan, chief information security officers at UC Berkeley and UCSF respectively.

Co-sponsored by the UCSF Cyber-Champion Team. 

Take control of your security and privacy on social media! (April 28)

Social media has become increasingly prevalent in our lives. It's how we connect with our family, friends and the world. But in having a social media account we are also sharing our private information for all to see. It has come to a point where we are ignoring our own security and privacy to have these Apps because we don't want to lose their social aspects.

In this workshop, panelists will empower you to take control of your security and privacy when it comes to social media. They will discuss tips and tricks to lock-down your accounts to your level of comfort, and also make sure that you understand the risks involved with having these accounts. Get the slide deck from the presentation.

This event was co-hosted by UCSC student and Information Security Assistant, Magdalena Ramirez and UCSC ITS Compliance Coordinator, Cecilia Carrillo. Panelists were Researcher and PhD Candidate at Cornell University, Diana Freed and PhD student in Computer Science at University of Maryland, Julio Poveda.

Unringing the Bell: A Physician's Perspective on the Future Of Medical Device Security (April 21)

Healthcare delivery across the globe is critically and increasingly dependent on computerized hardware and software including electronic health records and connected medical devices. Healthcare cyber attacks have resulted in technology failure, compromised data integrity, and breaches of sensitive patient information. Though the proliferation of cyber attacks in healthcare has raised serious concerns about patient privacy violations through healthcare data theft, the impacts of cyber attacks on patient safety and clinical outcomes are poorly understood.

In this talk, Christian Dameff, MD (UCSD) discussed historical barriers to developing a strong, data-driven foundational body of knowledge in healthcare cybersecurity, and the impacts cyber attacks may have on patient outcomes. He also discussed novel patient cyber safety risks inherent in digitized clinical workflows, as well as possible sector-wide defensive mitigation strategies resulting in safer and more resilient patient care.

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

Modern Automotive Vulnerabilities: The Science Behind the Fast and the Furious (March 17)

Over the last decade, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels". A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, led by UC San Diego and the University of Washington, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers.

In this talk, Stefan Savage, PhD (UCSD) highlighted how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems and create non-intuitive constraints on their solutions and, finally, the forces that naturally limit the kinds of automotive attacks seen in the wild.

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

What Biomedical Engineering Can Learn from Research and Academic Programs in Embedded Cybersecurity (February 17)

Biomedical engineering students learn how to ensure the safety and effectiveness of medical products ranging from medical devices to pharmaceutical products. Today, that advanced degree skill set must include embedded cybersecurity because of endemic cyber threats to technology inside medical products. A lot can be learned from advances in Internet of Things (IoT) security education and research. The mission of the Cybersecurity Assurance and Policy (CAP) Center at Morgan State University is to provide the defense and intelligence community with the knowledge, methodology, solutions, and highly skilled cybersecurity professionals to mitigate penetration and manipulation of our nation’s cyber-physical infrastructure.

The Internet of Things (IoT) permeates all areas of life and work, with unprecedented economic effects. The IoT is a network of dedicated physical objects (things) whose embedded system technology senses or interacts with its internal state or external environment. Embedded systems perform dedicated functions within larger mechanical or electrical systems. Critical infrastructures in transportation, smart grid, manufacturing, and health care, etc. are highly dependent on embedded systems for distributed control, tracking, and data collection. While it is paramount to protect these systems from hacking, intrusion, and physical tampering, current solutions rely on a patchwork of legacy systems, and this is unsustainable as a long-term solution. Transformative solutions are required to protect these systems.

In this talk, Kevin T. Kornegay, PhD (Morgan State University) presented CAP's current research that addresses security vulnerabilities in IoT ecosystems to provide secure, resilient, and robust operation.

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

Security and Privacy for Humans (January 20)

Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, 20+ years ago that started to change when a seminal paper asked "Why Johnny Can't Encrypt" and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings.

In this talk, Lorrie Faith Cranor, DSc (Carnegie Mellon University) highlighted some of the research from my lab that evaluates security and privacy for humans and proposes some new solutions.

Recommended Reading:
Fundamentals: Password Research
Intermediate: Humans and computer security failures
User studies: Privacy Choice Indicators

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

Laws for Cybersecurity? (December 16, 2021)

Cyber-security today is focused largely on defending against known attacks. We learn about the latest attack and find a patch to defend against it. Our defenses thus improve only after they have been successfully penetrated. This is a recipe to ensure some attackers succeed---not a recipe for achieving system trustworthiness. We must move beyond reacting to yesterday's attacks and instead start building systems whose trustworthiness derives from first principles--laws that relate attacks, defense mechanisms, and security properties. In this talk, Fred B. Schneider, PhD (Cornell University) explored examples of such laws, suggest avenues for future exploration, and discuss risks implicit in using such a deductive framework.

Related Reading:
Blueprint for a science of cybersecurity
Science of Security

Part of the UCSF-Stanford CERSI-FDA Distinguished Speaker Series on Cybersecurity for Biomedical Engineering

Watch the recording

During Identity Theft Awareness Week, the Federal Trade Commission (FTC) and its partners hosted free webinars, podcasts, and other events focused on trending issues in identity theft. Topics included how to detect identity theft, protect against it, and recover if identity theft occurs. Find out the top identity theft scams — and how to avoid them — with content from some of these events now available on-demand.

Facebook Live: Impersonator Scams and Identity Theft

Jeff Abramo of the AARP Fraud Watch Network and FTC Northwest Regional Directory Chuck Harwood talk about trending schemes that impersonators use to steal personal information – and how to spot and avoid them. Available on-demand at http://www.facebook.com/aarpfraudwatchnetwork.

Webinar: Staying Safe Online

Experts from the FTC and the Identity Theft Resource Center (ITRC) discuss online safety practices that can lessen your risk of identity theft. Available on-demand on the ITRC Events webpage.

Facebook Live: Combating Identity Theft for Servicemembers & Veterans

Troy Broussard of AARP's Veterans and Military Families Initiative and Carol Kando-Pineda of the FTC discuss how servicemembers, veterans, and their families can fight identity theft. Available on-demand at http://www.facebook.com/aarpfraudwatchnetwork.

Data Privacy Day 2022 (Jan. 26)

The events of 2020 and 2021 underlined the necessity for data privacy in a big way. So much so, that Data Privacy Day is now Data Privacy Week in order to give the topic the attention it needs. Now in early 2022, the cybersecurity and data privacy community are intensely focused on protecting individuals and organizations from data breach scandals, fragmented data privacy legislation, and misuse of personal information.

The Data Privacy Balancing Act, hosted by the National Cybersecurity Alliance and LinkedIn, convened data privacy experts from industry, government, academia, and non-profit for an afternoon of discussions on hot topics in privacy that included:

How to Break Down Barriers to Privacy Careers for Underrepresented Populations

Watch the recording

UC Berkeley hosted a panel discussion among privacy officials from across the UC system and the public sector about how to address the lack of diversity in the Privacy field and how to break down barriers to entry for young professionals of color who are interested in Privacy careers.

(Event recordings provided below as available.)

A Webinar on Digital Equity - Panel Discussion (December 2)

During the week of November 29 to December 3, 2021, UCSC hosted the first ever digital equity week. What is Digital Equity?

Digital Equity is creating equal access technology that enables individuals to participate in society. The five components of digital equity include:

• Affordable, robust broadband Internet service.
• Internet-enabled devices that meet the needs of the user.
• Access to digital literacy training. This means that individuals know how to use and navigate digital software and hardware in a way that supports their needs and use.
• Quality technical support. If an individual runs into a technical issue, they should have access to help and support to resolve the issue.
• Applications and online content designed to enable and encourage self-sufficiency, participation and collaboration. 

Do You have the technology you need to be successful?

Panelists included UCSC Alumnus and Founder and Executive Director of Digital NEST, Jacob Martinez, UCSC Chief Information Security Officer, Brian Hall and UCSC Compliance Coordinator, Cecilia Carrillo. The session was moderated by UCSC Student Magdalena Ramirez.

Modern Automotive Vulnerabilities: The Science Behind the Fast and the Furious (November 12)

Over the last decade, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels". A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, led by UC San Diego and the University of Washington, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers.

Watch the recording of the discussion in which Stefan Savage highlights how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems and create non-intuitive constraints on their solutions and, finally, the forces that naturally limit the kinds of automotive attacks seen in the wild. You may also enjoy listening to a conversation with Stefan for the ITS Podcast released November 3.

Choose Your Own Cybersecurity Adventure: How to get started and succeed in the InfoSec field (October 18)

It's no secret that technology is evolving faster and faster each day. Which means the types of skills and the needs of organizations to protect and secure those technologies is changing just as quickly. Trying to get started in the Information Security or Cybersecurity fields can be difficult, at best, with the ever-changing curriculums and often unreasonable levels of skill being asked for by many hiring managers.

For both students and educators, it can be difficult to know what the most relevant courses are, what topics should be focused on and what additional skills will help position the next generation of security practitioners for success. And this leads to the questions: What area of cybersecurity should I specialize in? How do I demonstrate skill and experience when I'm first interviewing? How do we better prepare students to be successful in their careers? Are there some skills and knowledge that are more in demand than others?

Watch the recording of the discussion where Nathan Wenzler, Chief Security Strategist at Tenable, shared what he's seen work for both educators and students over a 25 year career of mentoring new practitioners and leaders in the cybersecurity field as well as what trends are being seen in the industry for what skills and topics both students and educators should include in their programs to remain relevant for the future. 

Cybersecurity: What You Need to Know (May 20)

The May 20 webinar, Cybersecurity: What You Need to Know, featured FBI Agent Elvis Chan and UC San Francisco CISO Pat Phelan. Since an FBI agent presented, the session could not be recorded, however, Agent Chan provided some standard FBI handouts covering common cybersecurity topics, including ransomware.

Diversity, Equity, and Inclusion in the Digital Age (April 30)

UC Santa Barbara also hosted the April 30 event, Diversity, Equity, and Inclusion in the Digital Age (Zoom recording), where we had the opportunity to hold a discussion on this vitally important topic with Jessica Robinson, Founder and CEO of PurePoint International. She spoke on why systemic racism poses a threat to cybersecurity infrastructure, the role of leadership and management in cultivating Diversity, Equity and Inclusion (DEI) within the cybersecurity field, and what action items can be taken to highlight the importance of DEI in the digital context.

The Credibility of Misinformation (March 5)

UC Santa Barbara opened the series with two great webinars. First, was the March 5 event The Credibility of Misinformation moderated by Professor Joseph B. Walther who spoke with Professor Miriam Metzger. These accomplished professors covered the implications of Professor Metzger's research on how individuals perceive misinformation and its sources, and what you can do to protect yourself and your communities from the damaging effects of misinformation.  

General Campus Presentations

LastPass Enterprise at UC San Diego (July 27, 2021)

LastPass Enterprise is UC San Diego’s password manager of choice. No more writing down passwords on a sticky note or keeping a spreadsheet on your desktop.

Watch this recording of the live presentation to find out how you can use LastPass to securely manage both your university (e.g. Business Systems, Active Directory) and your personal accounts (e.g. online banking, tax preparation) on all of your devices.

This presentation can also be delivered directly to departmental groups if desired. Contact cybersecurity@ucsd.edu to coordinate your team presentation.