Capture the Flag Cybersecurity Contest
What Is a Capture the Flag (CTF) Competition?
An online game where players solve questions and capture "flags" with each correct answer. It is a fun, challenge-based cybersecurity event for players of all skill levels.
CTF competitions are interactive cybersecurity challenges where teams solve "jeopardy-style" problems across categories like cryptography, reverse engineering, and web exploitation. Each correct solution reveals a unique "flag" that earns points for the team; higher-difficulty challenges yield more points, pushing teams to apply both technical knowledge and creative thinking.
Building Success from 2023
Because October is Cybersecurity Awareness Month, the Capture the Flag (CTF) event is held to conclude the month. The 2024 CTF event at the University of Richmond was a major success, showcasing student excellence in cybersecurity. User participation increased 67% from October 2023 to October 2024.
2024 CTF Winning Team Featured on Podcast
The 2024 CTF winning team, DAND, was made up of students Daniel Garay and David Nathanson. They were featured on a podcast hosted by Assura (22 minutes), where they shared their experiences and insights from the competition. During the episode, they discussed their motivation, teamwork, and approach to solving the various CTF challenges, offering listeners a behind-the-scenes look at what it takes to succeed in such a high-stakes environment.
For more information, visit the IS Security website.
CISA Tabletop Exercise
What Is the CISA Tabletop Exercise?
On September 4, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) National Cyber Exercise Program (NCEP) conducted the 2024 University of Richmond Cyber Tabletop Exercise (TTX). John Craft of the University of Richmond provided a threat briefing to start the event. The exercise was designed to assess the effectiveness of the University of Richmond’s plans and personnel in preparing for, responding to, and recovering from a complex cyber incident.
The Scenario
The scenario contained two vignettes. In the first vignette, a threat actor infiltrated the University of Richmond’s internal systems by way of a phishing email. The threat actor then used that access to manipulate and export personally identifiable information (PII) of students, alumni, and faculty, culminating in a full ransomware system lockout. In the second vignette, the University of Richmond implemented an artificial intelligence (AI) chatbot that then malfunctioned, causing reputational damage to the University. Simultaneously, a disgruntled contractor used AI to create a fake audio clip impersonating the University President making disparaging remarks about alumni.
Outcome
The CISA team was exceptional and provided an engaging and productive exercise for the participants. The following general recommendations were an outcome of the exercise:
- Provide cybersecurity awareness training for students, integrate cybersecurity topics into coursework where possible, and implement a cybersecurity awareness program directed at students.
- Conduct a cybersecurity risk assessment for third-party vendors that were onboarded before cybersecurity was integrated into the contracting process.
- Establish a regular vendor cybersecurity posture risk re-evaluation process.
- Refine cyber incident information sharing channels between offices and examine incident response plan documentation handling processes.
- Ensure cyber insurance policies address Artificial Intelligence (AI) coverage.
Work is underway to address all these recommendations. The University acquired a new cybersecurity awareness training platform that includes licenses for students and a training program is under development. Additionally, in 2025 Information Security completed three overarching risk assessments for University divisions with a scope encompassing all of their technology vendors. A re-evaluation process is being developed for these assessments. AI coverage was also addressed in the request for proposal (RFP) for our new cybersecurity insurance broker.
University executive leadership was highly involved in the exercise. In addition to divisional Vice Presidents, the Executive Vice President (EVP) and Chief Operating Officer, the Executive Vice President and Provost, the President’s Chief of Staff, and University General Counsel participated.
Of the 12 participants who provided feedback during the exercise:
- 100% agreed they would recommend similar exercises to colleagues or other relevant professionals.
- 100% agreed they or their organization will be better prepared to execute their respective roles in preventing, protecting against, responding to, and/or mitigating threats or incidents.
- 100% agreed their organization will take steps to enhance its preparedness to execute its role in preventing, protecting against, responding to, and/or mitigating threats or incidents.
We look forward to partnering with CISA to plan additional tabletop exercises in the future. For more information, visit the IS Security website.
Penetration Test
What?
Assura, Inc. (Assura) was engaged by the University of Richmond to perform a penetration test of the University’s information technology environment, including a social engineering test of Help Desk staff. Penetration testing is a proactive information security practice intended to identify and exploit weaknesses (i.e., vulnerabilities) before an adversary discovers and exploits them. More than just a vulnerability scan, a penetration test evaluates the environment from the perspective of an attacker and provides remediation recommendations to address:
- Weaknesses in infrastructure (e.g., unpatched systems, misconfigured firewalls, open ports).
- Attack vectors an adversary could leverage to gain unauthorized access or escalate privileges.
- Weak credentials and account misconfigurations.
- Susceptibility to social engineering attacks for users with elevated privileges, such as Help Desk staff and system administrators.
How?
The practice involves gathering information about targets, identifying potential avenues of attack, and attempting to exploit security control weaknesses to compromise confidentiality, integrity, and/or availability of data. Assura used a variety of tactics, techniques, and procedures to carry out each of those items.
Outcome
The penetration test helped improve the security posture of the Information Services technology environment by identifying vulnerabilities and recommending remediations to address those findings. In addition, using established information security protocols, the Help Desk thwarted the penetration testing team’s social engineering attempts.
For more information, visit the IS Security website.
Threat Detection: SIEM Implementation
What Is a SIEM?
A Security Information and Event Management (SIEM, pronounced SIM) system is a critical cybersecurity solution that collects, centralizes, and analyzes system and security data from across an organization’s IT environment. This includes but is not limited to computers, servers, network devices (such as routers and switches), firewalls, cloud resources, and more. SIEMs use advanced machine learning, behavioral analytics, and artificial intelligence to identify and alert for anomalous or malicious activity. The University of Richmond has adopted Rapid7’s InsightIDR as its SIEM platform and its user-friendly interface allows the Information Security team to efficiently analyze key data, including login attempts, firewall activity, and intrusion detection system alerts—leading to faster and more effective threat detection and response.
Why Does the University of Richmond Need a SIEM?
- Millions of disparate log events are generated by University resources daily, making it nearly impossible for humans to manually analyze and correlate data to identify threats in a timely manner. The SIEM currently ingests approximately 260 gigabytes of data each day and maintains that data for over a year. This data is analyzed against threat intelligence, behavioral analytics, and advanced machine learning to alert the Information Security team of potential incidents. Activities that would normally take a team of skilled security analysts hours or days to review now take minutes with the SIEM.
- The SIEM allows the University to adhere to compliance programs where there is a requirement for continuous monitoring of the information systems environment.
- It provides a common interface and query language for reviewing, correlating, and parsing huge sets of data from University systems.
- In addition, the University is implementing InsightConnect, Rapid7’s Security Orchestration, Automation, and Response (SOAR) tool, to automate repetitive tasks and orchestrate security workflows across tools. This will significantly reduce response times, enrich alerts with external data, and allow the team to focus on high-priority incidents.
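The two core SIEM functions described above, centralizing logs from differently formatted sources into one schema and correlating them to surface activity no single log line reveals, are easy to see in miniature. The following Python is an added illustration written for this page; it is not the University's configuration or Rapid7 InsightIDR code. The log lines are constructed, and the field names, the sshd/firewall formats, and the rule thresholds (three failures within five minutes followed by a success from the same address) are assumptions chosen for the example.

```python
"""Miniature SIEM pipeline: normalize heterogeneous logs, then correlate.

Illustrative example only. The log lines are constructed, and the schema
and rule thresholds are assumptions, not any product's real settings.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample lines from two sources with different formats,
# plus one line in a format the pipeline does not recognize.
SAMPLE_LOGS = [
    "sshd: 2025-03-10T09:00:01 Failed password for admin from 198.51.100.7 port 51000",
    "fw: 2025-03-10T09:00:02 action=deny src=198.51.100.7 dst=10.0.0.5 dport=445",
    "sshd: 2025-03-10T09:00:03 Failed password for admin from 198.51.100.7 port 51002",
    "sshd: 2025-03-10T09:00:04 Failed password for admin from 198.51.100.7 port 51003",
    "sshd: 2025-03-10T09:00:05 Failed password for admin from 198.51.100.7 port 51004",
    "sshd: 2025-03-10T09:00:09 Accepted password for admin from 198.51.100.7 port 51010",
    "sshd: 2025-03-10T09:05:00 Failed password for jdoe from 10.0.0.23 port 40001",
    "sshd: 2025-03-10T09:05:30 Accepted password for jdoe from 10.0.0.23 port 40002",
    "printer: 2025-03-10T09:06:00 toner low",
]


@dataclass
class Event:
    """Common schema every source is mapped onto (the 'centralize' step)."""
    ts: datetime
    source: str
    kind: str            # auth_failure | auth_success | fw_deny
    user: Optional[str]
    src_ip: str


# Assumed line formats for the two constructed sources.
SSHD_RE = re.compile(r"^sshd: (\S+) (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^fw: (\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def normalize(line: str) -> Optional[Event]:
    """Parse one raw line into an Event, or None if the format is unknown."""
    m = SSHD_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        kind = "auth_failure" if outcome == "Failed" else "auth_success"
        return Event(datetime.fromisoformat(ts), "sshd", kind, user, ip)
    m = FW_RE.match(line)
    if m:
        ts, action, src, _dst, _dport = m.groups()
        if action == "deny":
            return Event(datetime.fromisoformat(ts), "fw", "fw_deny", None, src)
    return None  # a production SIEM would count unparsed lines rather than drop them


FAIL_THRESHOLD = 3          # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)  # assumed: how far back failures are counted


def correlate(events: List[Event]) -> List[dict]:
    """Alert when an address logs FAIL_THRESHOLD+ failures inside WINDOW and then succeeds.

    Firewall denies from the same address are attached as context so the
    analyst sees the related activity from a second source in one alert.
    """
    events = sorted(events, key=lambda e: e.ts)
    failures = defaultdict(list)   # src_ip -> timestamps of recent auth failures
    fw_denies = defaultdict(int)   # src_ip -> count of firewall denies seen
    alerts = []
    for e in events:
        if e.kind == "fw_deny":
            fw_denies[e.src_ip] += 1
        elif e.kind == "auth_failure":
            failures[e.src_ip].append(e.ts)
        elif e.kind == "auth_success":
            recent = [t for t in failures[e.src_ip] if e.ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src_ip": e.src_ip,
                    "user": e.user,
                    "failures": len(recent),
                    "fw_denies": fw_denies[e.src_ip],
                    "time": e.ts.isoformat(),
                })
            failures[e.src_ip].clear()  # a success resets the window for that address
    return alerts


def run(lines: List[str]) -> List[dict]:
    """Full pipeline: normalize every line, drop unknown formats, correlate."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Run as-is, the pipeline raises exactly one alert: the `admin` login from 198.51.100.7 that followed four failures and a firewall deny, while the single failure-then-success for `jdoe` stays below the threshold and the printer line is discarded as unparsed. The point the passage makes is visible in the code: none of the nine lines is suspicious on its own, and the alert only exists because events from two sources were mapped onto one schema and evaluated together.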
How Does This Affect the UR Community?
- All University-managed computers used by faculty and staff have Rapid7 software installed, ensuring comprehensive visibility and protection across campus systems.
- Incident detection and response times are faster, allowing Information Services to more quickly respond to events that may impact University or user data.
For more information, visit the IS Security website.