Tech Firm Moves HQ To Newly-Constructed Miramar Tech Center, 2 Additional Tenants Ink Deals – CRE Sources

Featured in CRE Sources

Blanca Commercial Real Estate announced its completion of two lease transactions totaling 13,536 square feet at the Miramar Tech Center, located at 2900 Monarch Lakes Blvd. in Miramar. The news follows the recent occupancy of UDT into the three-story Class A office building offering approximately 56,710 rentable square feet.

The leases include new tenant 03b Networks (7,011 sf), a subsidiary of SES Networks and the world-leading satellite operator with over 50 satellites in geostationary Earth orbit and 16 in medium Earth orbit, which was represented by Juan Jaramillo of FGI Realty; and the University of Florida’s Warrington’s College of Business (6,525 sf) represented by Franklin Street’s Tom Farmer.

They join recent occupant and building owner UDT (21,155 sf), a technology enabler that helps clients in major industries evaluate, architect, secure and manage technology in mobile, on premise and in the cloud.

“We are thrilled to have facilitated the completion of these lease deals with top organizations on the vanguard of technology and business who appreciate everything this new property has to offer,” said Juan Ruiz, Executive Vice President of Blanca Commercial Real Estate. “Its central location and ability to attract top talent from the area makes this property an ideal choice for any company with its eye towards the future.”

Added Henry Fleches, CEO of UDT, “The Miramar Tech Center features some of the most advanced redundancy and backup systems in the area making it a perfect solution for any company with a robust need to provide continuous, noninterrupted service, or for any organization looking to ensure business continuity.”

The Tech Center is located in the heart of Miramar and boasts full generator backup power, wind-rated impact glass, electric car charging stations, dual HVAC chillers, heavy power and multiple telecommunication carriers and feeds to ensure redundancy and business continuity. The building is also hardened for hurricane resistance and offers high-end conferencing facilities and garage parking of 5.3 per 1,000 square feet.

SES Networks and UF sign lease deals at Miramar Tech Center – The Real Deal

Recently completed Miramar Tech Center nabs first tenants and Christ Fellowship inks lease at Lake’s Edge Commercial Park 

By Amanda Rabines | December 17, 2018 09:45AM 

SES Networks subsidiary 03b Networks and the University of Florida’s Warrington’s College of Business are the first to lease space at the recently completed Miramar Tech Center in Broward County.

The 56,710-square-foot, three-story office building saw a total of 13,536 square feet of lease deals, with 03b Networks signing a 7,011-square-foot lease and the business school inking a lease for 6,525 square feet.

Juan Jaramillo of FGI Realty represented 03b Networks and Franklin Street’s Tom Farmer represented the university. Blanca Commercial Real Estate represented the landlord 2995 Monarch Lakes LLC, which is tied to UDT.

In 2015, the company paid $2.1 million for the 3.7-acre site at 2900 Monarch Lakes Boulevard. It recently relocated out of its headquarters in Doral and moved into a 21,155-square-foot space within the building.

Technology company with hundreds of employees moves HQ to Broward – South Florida Business Journal


By Brian Bandell – Senior Reporter, South Florida Business Journal
Dec 14, 2018, 7:31am EST

UDT has opened its new headquarters in Miramar, and welcomed two tenants to the office building.

The 56,710-square-foot Miramar Tech Center was completed at 2900 Monarch Lakes Blvd. UDT, which relocated its headquarters from Doral, owns the building and occupies 21,155 square feet there. The company has 250 employees.

Blanca Commercial Real Estate represented the IT provider in signing leases of 7,011 square feet with 03b Networks, a satellite operator that’s a subsidiary of SES Networks, and 6,525 square feet with the University of Florida’s Warrington’s College of Business.

The satellite company 03b Networks, which worked with Juan Jaramillo of FGI Realty, was previously in a nearby executive suite. Tom Farmer of Franklin Street represented UF, which relocated from Sunrise.

“We are thrilled to have facilitated the completion of these lease deals with top organizations on the vanguard of technology and business who appreciate everything this new property has to offer,” said Juan Ruiz, executive VP of Blanca Commercial Real Estate. “Its central location and ability to attract top talent from the area makes this property an ideal choice for any company with its eye towards the future.”

UDT received a state and local job growth incentive deal for the project based on a goal of creating 142 new local jobs with an average salary of $51,266.

“The Miramar Tech Center features some of the most advanced redundancy and backup systems in the area making it a perfect solution for any company with a robust need to provide continuous, non-interrupted service, or for any organization looking to ensure business continuity,” UDT CEO Henry Fleches said.

UDT’s CEO Henry Fleches Places on the HITEC 100 List

DORAL, Fla. – October 1, 2018 – UDT, a technology solutions company that evaluates, architects, secures and manages information technology, today announced that UDT CEO, Henry Fleches, placed on the 2018 HITEC Top 100 list.

The list was compiled from nominations and selected by a HITEC judging committee to recognize the top 100 technology executives of Hispanic descent operating from the U.S. HITEC is the premier global executive leadership organization for senior business and IT executives who have built exceptional careers in IT. HITEC is focused on building stronger technology and executive leaders, leadership teams, corporations and role models in a rapidly changing world.

“I am humbled and honored to be ranked for the second consecutive year on the 2018 HITEC 100 List,” said UDT CEO Henry Fleches. “UDT is proud of our Hispanic heritage, we believe it takes a village to be successful and our talented and hardworking village is made up of many different nationalities, religions and races. Our employees come together to create a positive impact with our customers and our communities.”


About UDT

UDT is a technology enabler that helps clients in major industries evaluate, architect, secure, and manage technology on the go, in the rack and in the cloud. UDT provides customized services, including mobility, cloud, collaboration, IoT, data, security, and ITaaS solutions and technical, professional and managed services.


7 hot IT career trends — and 7 going cold


The growing IT skills gap and demand for data pros and hybrid roles are disrupting the traditional IT career path. The following heat map of career trends will help you cash in and avoid dead ends.

October 31, 2017 By Paul Heltzel

There’s a major IT skills gap in the country and it’s only expected to widen. According to the Bureau of Labor and Statistics, there will be 1 million more computing jobs than applicants by 2020.

And while this poses a problem for organizations without a plan to address it (two-thirds don’t, according to a recent CompTIA report), the skills gap can also be viewed as an opportunity. For IT pros and for businesses, there’s a chance to get ahead of your competition by matching supply and demand.

If you’re up for the challenge, read on to find out which areas are trending — in education, soft skills, networking, and hot technologies among others — and which are cooling down.

As budgets across all industries tighten, IT workers, like other enterprise groups, are increasingly expected to multitask.

“Organizations are putting IT staff in front of customers to share product insights and gather information,” says Kyle Gingrich, vice president of IT and certifications at Skillsoft. “They’re being asked to run Scrum teams. They need to present to peers or managers and may also be learning how to work with virtual teams. Whatever the new hat is that’s being added to their skills stack, it requires training in soft skills to be effective and it’s not typically the place that IT professionals are comfortable with.”

Technology now shapes leadership trends, says Donna Kimmel, senior vice president and chief people officer at Citrix. And so it’s crucial for IT staff to learn leadership skills as well.

“Technology becomes more meaningful when it’s put to work to address human needs, solve problems and help achieve goals,” Kimmel says. “Maintaining this human element in the enterprise will be much easier if the IT teams deploying big data, machine learning and IoT solutions have strong leadership and people skills, in addition to technical ones.”

Cold: Dev and ops in silos

In part because of workload migrations to the cloud, it’s less likely to see traditional user support and networking services separated from the dev team.

“The days of infrastructure and application development teams operating separately are dwindling as businesses look to operate in a more lean, agile way,” says Tim Leylek, branch manager of the IT direct hire practice at Addison Group.

Todd Vernon, CEO and co-founder of incident management services provider VictorOps, says proactive operations staffers are developing skills in software reliability engineering (SRE), with the idea of embedding in software development teams and focusing on speed, security and customer service — and avoiding a potentially dead-end career.

“If your career is in purely system administration and software operations, your technical job will be the first casualty of the high-velocity digital age,” Vernon says.

Hot: Soft skills

According to New Jersey-based HR software provider iCIMS, the top three soft skills recruiters are looking for are “problem solving (62 percent), adaptability (49 percent) and time management (48 percent).”

These stats come from their recent soft skills survey, which interestingly found that 1 in 3 recruiters are seeing soft skills on the decline in the past five years. “Ninety-seven percent of recruiting professionals agree that colleges and parents need to do a better job of teaching kids soft skills before they enter the workforce,” the survey reports.

James Stanger, chief technology evangelist for CompTIA, says the answer to boosting soft skills may be close by. “Get a mentor who knows business and who knows how to communicate well,” Stanger says. “That mentor can be someone on the job, a neighbor, or someone you meet in a class or a good trade show. No one today wants to have a talky techie in the room who doesn’t know business. Likewise, no one wants a blathering businessperson in there, either. Put together key tech, business, and soft skills, and people will beat a path to your door.”

Cold: Ability to pursue soft skills

While most tech pros agree developing soft skills could boost their careers, just over half, according to CompTIA’s “Assessing the IT Skills Gap” report, are working on this skill set.

Part of the issue may be a perceived lack of support from employers to pursue professional development. About 40 percent of the CompTIA study respondents disagreed that their company supports their career growth.

About the same said they didn’t have the tools or resources to do their jobs. “These two matters may be quite frustrating for IT pros, especially given their desire for continued learning,” according to the report. “Though many organizations may support IT employee training and professional development to some degree, it’s simply not enough.”

Spiceworks, a social network for IT pros, recently put out its “2017 Tech Career Outlook” report, which suggests most IT staffers are, understandably, working on their tech skills but aren’t brushing up on people skills.

“While soft skills are considered the second-most important IT skill to have,” the report says, “only 29 percent of IT pros plan to work on them next year. Instead, technology professionals are more likely to brush up on technical areas including networking, virtualization, and cybersecurity.”

Framed a different way, IT staff might see an opportunity to leapfrog 71 percent of their colleagues who aren’t making the time for deepening their soft skills.

Hot: Analytics certifications

Companies swamped with data from the cloud and IoT devices are struggling to analyze that information in a way that helps their business make decisions. So there’s an increasing push for analytics and automation to help firms succeed.

“Of course, any skill set that touches data is hot,” says Rick Sullivan, vice president at technology staffing firm CTG. “BI, analytics, IoT programming and development, big data, machine learning, AI, block chain and ERP.”

“Analytics is king in terms of generating value from data and the more that can be done to improve analytics, the better, for example improvements in curating data for analytics,” says Gavin Robertson, CTO of software company WhamTech. “Dumping copies of operational data without addressing fundamental data management processes can lead to actually losing value or not realizing as much value as could have been realized — up to 80 percent of difficult-and-expensive-to-obtain data scientists’ and analysts’ time is wasted on data preparation.”

This demand for data chops has many IT pros tackling data analytics certifications — or a career switch into data science.

Cold: Vendor-specific certifications for security

Earning certifications for vendor-specific technologies is seeing less demand, at least in the area of cybersecurity, according to CompTIA.

“Cybersecurity involves myriad technical and business issues,” Stanger says. “Vendor-specific training tends to focus on features rather than critical issues facing companies today. In security and networking, the more performance-based and hands-on the credential, the more it’s valued. Folks in the IT industry — and, more importantly, the companies who hire IT folks — tend to value certifications that validate and require proof of hands-on learning.”

Hot: Personal relationships with contacts

CompTIA’s Stanger says tech pros should be focusing on what he calls “quality conversations” — and the more the better.

“Use good blogging and communication skills to communicate on a one-to-many basis with your contacts,” Stanger says. “Don’t simply self-promote. Stream valuable, curated content and thoughts to people in your network. You’ll find that what interests you will generally interest them.”

It’s a two-way street: IT staff excel when they make personal connections, and their managers need to work those same muscles to get the best from their team.

“Having authentic performance and development conversations that are frequent and just-in-time, rather than high-stakes conversations annually, will motivate people toward creativity and excellence,” says Citrix’s Kimmel.

Cold: Padding LinkedIn connections

Recruiters, including AI-based headhunters, still rely on well-keyworded profiles. But relying on those alone isn’t advised.

“Simply growing your LinkedIn numbers and padding your profile is out,” says


IT pros who can meld personal connections with tech skill will outperform even those with more traditional hard skills, says David S. Patterson, president of IT staffing and executive search firm The Kineta Group.

“It’s not only the understanding of technology, but it’s the understanding of technology and how to creatively weave that into the business landscape that will be the real difference maker in the coming job market,” Patterson says.

Hot: Business skills

Innovating in today’s IT workplace, our experts say, means developing business smarts for those who want to advance their careers.

“We’re starting to see more roles in business competencies, like in marketing or operations, that reward an IT background or competency,” says Lev Lesokhin, executive vice president of strategy and analytics at software intelligence firm CAST. “As software continues to permeate everything we do, it’s becoming more imperative for ops people to at least have a baseline understanding of what technology does for the business.”

Even hot areas like analytics don’t exist in a vacuum. “Almost any function in the business has a lot of data they are dealing with on a regular basis and need the analytics function to ensure that data can tell the story,” says Mona Abou-Sayed, vice president of organizational development and talent at telecommunications company Mitel. “This requires a minimum level of business understanding to be able to pull out relevant stories from the data.”

Cold: Moving from tech to finance

While business skills are increasingly expected of IT staff, most tech workers like where they are and aren’t as interested in moving to the business side of the office as they may once have been.

“In fact, we see the opposite,” says Mitel’s Abou-Sayed, “where workers from other segments are shifting into more tech-centric roles.”

“Most developers are still very interested in tech-centric job opportunities,” says Lesokhin. “There’s an interesting flux of talent going between organizations with a more ‘startup-y’ vibe like what Google has, versus working at a financial services organization or a bank that’s willing to pay more to recruit top talent. The tradeoff is between having a more exciting job where you’re working on innovative projects like self-driving cars, or taking a more traditional role where you may be compensated more for a more dull day-to-day environment.”

Hot: Hybrid roles

Jesus Pena, VP of sales and services at UDT, says in the past few years he’s definitely seeing a transition to more hybrid IT roles.

“No longer are the days for technical resources to be in silos,” Pena says. “They need to be retrained and be thinking more about business outcomes, ROI conversations and vertical expertise.” But it’s not always easy. “This is an uncomfortable conversation for most technical people,” Pena says, “because they usually play in the IT department and this will push them outside of that comfort zone.”

Todd Loeppke, lead CTO architect at Sungard Availability Services, says market changes and the rise of devops have paved the way for more and varied hybrid roles. “It’s critical that IT people know when, where and how to leverage and monetize new technology,” says Loeppke. “We are seeing this right now with machine learning and blockchain. Machine learning requires large data sets to learn from and test with. Business insight is critical for guiding how ML is implemented. Similar to the career path for IT staff, the business side also has an added technical career path — data scientist.”

Cold: Jumping ship (vs. moving up)

Nearly 80 percent of IT pros in a recent CompTIA report said they were very or mostly satisfied — and just over a third said they were very satisfied with their jobs. And those numbers are up slightly from a survey taken in 2015.

“Generally, IT professionals consider an internal promotion to be a new job,” says Cliff Milles, lead technical recruiter for Sungard AS. “I think a major driver regarding this decision is whether the person wants to remain with their current company or get a fresh start.”

Hot: Developing security skills

Our experts say IT pros are developing cybersecurity skills to broaden their tool kit, advance their careers and protect their firms.

“We’ll see huge growth in security and compliance,” says CTG’s Sullivan. “IT has to address the safety component as we adopt technology exponentially faster.”

Part of the problem comes from a lack of security training in computer science programs and boot camps. Schools are racing to adopt related coursework, but that’s just one part of the problem, says Lesokhin.

“Some universities are still in the process of bolstering their secure development courses, and over 40 percent of IT developers don’t have computer science or engineering degrees to start with,” Lesokhin says. “In 2015, the U.S. graduated 60,000 computer science or equivalent majors, and in 2016 we had 18,000 people go through online coding schools that are 12-week crash courses in the basics of programming. You do the math.”

The gap for security, compliance and governance focused on apps, cloud and systems will continue to widen.

“We expect this trend to continue,” says Sullivan, “particularly as high-profile security breaches unfold, like the one seen at Equifax where failure to put an important patch in place was a key factor.”

Cold: Traditional benefits (vs. work-life balance)

There’s no question that salary seals the deal on most successful IT hires, but we’re hearing a steady buzz about the need for benefits that go beyond retirement plans and vacation.

“Entry-level engineers value being recognized and the sense of being a part of something larger than themselves,” says Joe Vacca, CMO and EVP of strategy and innovation at IT recruiting and training firm Revature. “They want to work on projects that they believe in and make a difference. As for benefits, non-traditional benefits seem to resonate, as well as employment structures that are flexible and promote work-life balance.”

“It continues to be a competitive environment in hiring technical talent,” says Alex Robbio, president and co-founder of Belatrix Software. “Of course salaries are a key factor, but the opportunity to build a strong career and have an enjoyable working environment are also critical.”

Interestingly there appear to be some differences in the way American and European IT pros look at their compensation.

“According to our data, salary is the top driver for 62 percent of developers in the U.S., whereas in Europe with countries like France, salary was only the top driver for 25 percent of respondents,” says Lesokhin. “Building something innovative, getting recognition and seeing an opportunity for advancement were also among the top drivers for developers across the board.”

Read the entire story from CIO.


Hack attacks highlight vulnerability of Florida schools to cyber crooks

Hack attacks show that Florida schools are vulnerable

The attempted infiltration of some school districts, including Miami-Dade’s, was aimed at stealing Social Security numbers and other ID info but also at trying to access state voting systems, says a cybersecurity firm.

June 18, 2017

By Kyra Gurney

The operations center at UDT, the cybersecurity company that investigated the attempted hackings.

Two months before the U.S. presidential election, international hackers slipped into the computer systems of at least four Florida school district networks in the hopes of stealing the personal data of hundreds of thousands of students.

They infected the systems with malware — malicious software — that turned off the logs recording who accessed the systems, according to UDT, the Doral-based cybersecurity company that investigated the incidents. For three months, the hackers probed the systems, mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.

They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.

Luckily, the hackers — from Morocco, not Moscow — never found one or managed to get their hands on personal data. But the attempted hacking exposed the vulnerabilities of Florida’s school district networks: vast computer systems that store sensitive information on thousands of students, and their parents, and could potentially provide a back door into other government systems. Amid the national obsession with the alleged Russian hacking during the U.S. election and the constant stream of headlines on corporate data breaches, like the ones at Target and Chipotle, experts say the dangers of cyber attacks targeting school districts are being overlooked.

School districts around the country have been hit with cyber attacks in recent years.

In 2015, for example, the computer system of a New Jersey school district was held for ransom by a foreign hacker who demanded 500 bitcoins — about $128,000 — to hand control of the system back to school administrators, according to the technology news site FedScoop.

In a separate incident that year, three high school seniors in New York were accused of hacking into their school’s computer system to change grades and schedules.

And in Florida, state standardized testing was interrupted in 2015 when hackers overwhelmed a testing vendor’s server with traffic, making computer screens go blank. Students in Florida, like their peers in other states, have also broken into school servers to change grades.

Verizon’s 2017 Data Breach Investigations Report, which provides a snapshot of cybersecurity incidents across the country, recorded 455 “security incidents” in the education sector last year.

There are hackers — like students seeking to change grades — who specifically target schools. But in most cases, they aren’t after a particular government agency or company, said Mike Sanchez, chief information security officer at UDT. “Unless they have a real motivation to bring you down, they’re looking for the low-hanging fruit, they’re scanning for vulnerability,” Sanchez said.

And for hackers, school networks are a gold mine.

A large school district like Miami-Dade, which was one of the districts targeted in the attempted hack last fall, handles the personal information, including Social Security numbers, of hundreds of thousands of current and former students, along with data on thousands of employees and parents.

Unlike corporations with trade secrets and data to protect, many school districts have set up systems to make connectivity easy. With free Wi-Fi in school buildings and a generation of students glued to their smartphones, there are thousands of opportunities for a hacker to gain access to a school network. Students downloading free apps on their phones or hopping from one school computer to the next can spread a computer virus faster than the flu during flu season.

“There’s always this want to have open access and it is a learning environment so some things that corporate America does just by rule we wouldn’t apply in an education environment,” said Paul Smith, the Miami-Dade school district’s director of data security. “We’re talking hundreds of thousands of devices on our network. That’s one of the challenges that we face.”

And the data school districts handle is particularly valuable to cyber criminals.

“If you’re trying to steal identities or cobble together identities, if you can get a person’s name, date of birth, home address, you’re starting to get a fairly complete record,” said Michael Kaiser, the executive director of the National Cyber Security Alliance. “Think of the things school districts have — it’s more than many businesses.”

Students’ Social Security numbers are particularly valuable, said Yair Levy, a professor at Nova Southeastern University who researches cybersecurity.

“High school kids, almost all of them have a very clean slate when it comes to credit scoring. So they’re trying to gain access to a large volume of teenagers’ [information] that can help them down the road,” he said. “These guys have time. They’re willing to wait a year, two years before they can actually monetize that data.”

And on the dark web, these Social Security numbers sell for $25 to $35 apiece, Sanchez said. The information from just one school could easily be worth more than $10,000.


That appears to have been one of the principal motivations for the hackers who sent malware to Florida school districts last fall — the promise of thousands of untarnished Social Security numbers.

The attacks began with an email message containing an image that, once clicked, activated a code that sent malware into the system.

The malware went undetected for several months as the hackers conducted reconnaissance, according to UDT.

Then in November, a photo of someone who appeared to be one of the hackers dressed as an ISIS fighter went up on a school district website. It stayed there for about 24 hours. The following month, the same photo flickered onto another school district’s website.

The districts contacted UDT, and in early December the company discovered the malware.

What they found was troubling.

The hackers had been able to turn off the logs recording who entered certain computer systems and what they did while logged on. That made it difficult for the UDT analysts to know, with total certainty, what the hackers had done. It was a sophisticated maneuver that Sanchez and his team had never seen before.

UDT contacted the FBI and re-engineered the malware so it was no longer a threat. The analysts found no evidence that any data had been taken. The FBI declined to comment on the incidents or on cyber crimes in general.

Smith said Miami-Dade was one of the districts targeted in the attempted hack, but UDT would not identify the other school districts. The hackers also targeted a Florida city network with a similar attack.

In Miami-Dade’s case, Smith said, the hackers put one of the ISIS-inspired photos on a school district website, but Miami-Dade didn’t find any evidence of malware or access to its computer systems. “I would say if anything, it was an attempted hack,” Smith said. “But it was raised up to law enforcement and we did go through all the systems.”


As UDT conducted its investigation, the company learned that Social Security numbers weren’t the only thing the hackers appeared to be after.

On a site hackers use to brag about their exploits, the hackers said they were trying to get into voting systems hosted by Diebold voting platforms. They wanted to bring down what they thought were state voting systems.

But in this case, the hackers did not appear to be Russian. Instead, UDT identified them as a Morocco-based group called MoRo. UDT said there is no evidence the hackers had any connection to the Moroccan government.

The Moroccan hackers were far from the only ones trying to access election systems last fall. Russian hackers tried to break into the computer systems of at least five Florida county elections offices days before the 2016 presidential election.

By the time the Moroccan hackers posted online about voting systems, in December, the election had come and gone. The hackers never found what they were looking for. But their message was clear, Sanchez said. If they wanted to, the hackers could get into school district systems. And once they get into one government network, cybersecurity experts say, it’s easier for hackers to find a back door into others.

“That is a very common tactic,” Kaiser said. “A school district network almost likely is attached to other networks in the town or city or even the state, depending on how the network is set up.”

For example, a hacker could steal the log-in information for a system administrator who also has access to other government networks, Kaiser said, or use that person’s email account to send emails infected with malware to government employees at other agencies, tricking the recipient into believing the sender also works for the government.


“There are a lot of different techniques that they might use in that situation and getting into the network opens all of that up,” Kaiser said.

Sanchez from UDT said that in mapping out school district networks, the company has discovered connections between school computer systems and different county and city systems. The connections are easy for school districts, “caught up in the day-to-day stuff,” to miss, Sanchez said.

“Sometimes the school districts don’t have all of the right tools in place or the right knowledge to map out these networks,” he said.


It’s impossible for school districts to protect against every potential threat, experts say.

For one thing, everyone from the cafeteria worker to the school principal has access to at least some student information.

In 2014, a fired Miami-Dade schools cafeteria worker was sentenced to almost seven years in prison for stealing the personal information of hundreds of students from a school computer network and using it to commit income-tax fraud. A few years earlier, a Broward Schools employee was sentenced to five years in prison for selling teachers’ Social Security numbers and dates of birth to identity thieves.

School districts also typically have tight budget constraints, which impact their ability to hire a big enough cybersecurity team and pay for the necessary tools to protect school networks.

“Security is always a tough item in the budget because a lot of it is proactive,” Smith said. “A lot of it isn’t things that you see huge benefits or direct results from. It’s almost like insurance. You’re buying it hoping that you’re going to prevent things in the future.”

Miami-Dade has a team of six people focused just on cybersecurity, and another 20 who help with cybersecurity issues in addition to other tasks.

The district has dumped older operating systems and applications that are difficult to secure and added new tools to identify where attempted hacks are coming from, said Debbie Karcher, the district’s chief information officer. Miami-Dade has also made an effort to educate employees and students about cyber threats, Karcher said, and even offers cybersecurity programs at some high schools.

“People need to become acutely aware that their digital security is as important as their home, valuables in their home,” Karcher said. “They take great care to lock their homes, lock their cars, but then they’ll click on emails that they don’t recognize the sender, they don’t use good passwords.”

The district has also restricted the data employees have access to in order to prevent breaches like the ones carried out in the past by unscrupulous employees, Smith said.

But, like any large organization, Miami-Dade still worries about cyber attacks. “As far as breaches through our data systems, we haven’t seen evidence of that on our side,” Smith said. “That’s always a big fear. We hold every student’s [personal information].”

It’s a worry Sanchez wishes more school districts shared. To effectively prevent cyber attacks, he said, administrators first have to recognize the seriousness of the threat and prepare their employees accordingly.

“Sometimes I just scratch my head and think, ‘Are these people asking the right questions or do they just not want to know? Is it safer not to know?’ I think for me we’re messing with kids’ information. Little Johnny, by the time he finds out his credit is ruined, it’s too late.”

Security firm finds flaws in CELPHIE website

Drew: Information taken down while concerns are addressed

May 17, 2017

By Michael Miller

Flaws in a testing website at the heart of a $1 million state appropriation to administer mental-health screenings in Nassau County schools left the site open to a number of exploits, including the ability to access students’ test results and other personally identifiable information, according to a report by a technology company working in cooperation with the News-Leader.

Florida Psychological Associates, owned by Dr. Catherine Drew, the wife of Nassau County Tax Collector John Drew, received about $600,000 of that state appropriation since August to implement the screenings locally using CELPHIE, an online tool developed by Drew and Dr. Laura Hume, another FPA employee.

Following a recent review of the site, Florida-based UDT produced the report, which details more than a dozen security gaps, most of which it labeled “high” and “critical” in severity.

“Although no exploitation of the vulnerabilities was performed (by UDT), an experienced attacker would be able to find enough clues within the application’s code to easily reach databases containing sensitive information. In short, the likelihood the website can be breached and the negative impact caused by intangible and tangible costs is potentially high,” Mike Sanchez, the chief information security officer for UDT, stated when he delivered the company’s report to the News-Leader.

The company did not use any specialized software to identify the security issues.

Shortly after the News-Leader provided the report to Catherine Drew and Hume on Monday morning, the website – hosted on a subdomain of – went offline and continued to be inaccessible as of Tuesday afternoon. The main website, which presents marketing materials about the mental-health screening tool, remains online. According to American Registry for Internet Numbers records, the two websites are hosted on separate IP addresses belonging to different hosting companies.

Responding to News-Leader requests for comment, Drew wrote Tuesday morning in an email, “Patient safety and privacy are crucial issues for Florida Psychological Associates. FPA senior staff members have reviewed the UDT report provided by the News-Leader, and we share some of the concerns raised about the system’s vulnerability to malicious users and the possibility that hackers could access server side architecture and/or database information through brute force attacks.”

“We have taken the system and its information offline while we work with the owners of the system, American Screener Corporation, to address these concerns to our satisfaction,” she also stated.

According to emails between Drew and officials at Florida State University’s College of Medicine, which received the state appropriation and funneled it to FPA as payment for a study of the CELPHIE screener, Drew and Hume jointly own 20 percent of American Screener. In earlier emails to FSU, Drew stated that she and Hume were the owners of American Screener, which was organized in Nevada, but did not name any others. Nevada allows the names of the owners of companies to remain confidential in most cases.

Drew also stated in her email to the News-Leader, “It is important to know that, to our knowledge, none of the information on the site has been compromised. Also, before any more screenings are conducted, FPA will contract with an independent, third-party internet security firm to review whatever changes are made to address the security concerns raised by UDT and the News-Leader.”

The News-Leader also provided a copy of the report to Nassau County School District officials.

Superintendent Dr. Kathy Burns wrote in an email to the News-Leader, “We have reviewed the report from UDT and believe the findings identify legitimate concerns. We will discontinue access to the Celphie project until all identified vulnerabilities have been mitigated.”

Burns also noted, “The safety and security of students at all levels is a top priority for the Nassau County School District. The District has recently implemented procedures for Vendor Risk Assessment to ensure that software applications meet the highest level of security … We continue to work every day for the success of students and the improvement of our schools.”

Mark Durham, the school district’s executive director of curriculum, instruction and school improvement, said last month that district officials had not reviewed the content of the CELPHIE screener or how it was implemented before granting FPA permission to use it in Nassau County schools.

In addition, School Board member Dr. Kimberly Fahlgren expressed concern at a board meeting in February that the request to screen students district-wide had not come before the board.

According to an interview with Drew earlier this year, retired superintendent Dr. John Ruis asked her to provide a letter explaining the mental-health screening program and then approved the use of the screener in Nassau schools.

The News-Leader sought information from FSU officials about any security reviews the school might have made of the CELPHIE screening tool before approving its use by FPA, but Browning Brooks, the assistant vice president for university communications, issued the following statement instead:

“Florida State University has rigorous policies on the security of research data. We cannot validate the findings of the technology firm hired by the newspaper but will certainly look into the matter immediately. It is important to note that FSU is in the process of ending our contract with FPA as directed by the Florida Legislature.”

According to reports to FSU, FPA staff administered the CELPHIE mental-health screening to up to 400 students ranging in age from 8 to 18 whose parents had signed a permission form handed out in classrooms.

Mixed response from IT security pros following release of Cyber Security Executive Order

By Greg Masters

In a week filled with controversy surrounding the Trump administration, including the unexpected and abrupt dismissal of FBI Director James Comey, the president’s executive order on cybersecurity has been somewhat obscured in public forums but has drawn immediate, if mixed, reactions from cybersecurity professionals who either praise it for providing much-needed guidance or criticize it for falling short.

The Cybersecurity Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” meant to bring efficiency, clarity and additional protections to government IT systems, charges the government with reviewing its cyber posture and pins responsibility for cyber risk on those officials who lead federal agencies.

While some praise the directive for its guidance, others say its guidance falls short.

Phil Dunkelberger, CEO, Nok Nok Labs, says his firm appreciates the sentiment behind the EO and the need to understand the current gaps within the cyber capabilities of the government and where the departments are from a budget standpoint. And, he acknowledges there are a lot of good, talented individuals that have been working on these problems for a long time both behind the scenes and in the spotlight.

But, he told SC Media, “There is really nothing new here, it is a continuation of what we’ve already been doing (and in many cases failing).”

He says the industry needs nothing short of a revolution, citing the cyber EO as an evolution and continuation of the same frameworks and reports put forth the last 10-15 years.

“We have made strides,” Dunkelberger said. “The question is, are we moving fast enough? Unfortunately, the threat factors around us are evolving at a much faster pace. We need to be much more assertive and aggressive as our adversaries aren’t playing by any rules.”

Mike Kail, co-founder and chief innovation officer, Cybric, told SC that the devil is in the details. “We need to focus on modernization and making smart investments versus trying to protect what’s already there and vulnerable. If we keep trying to put controls around critical and failing infrastructure, that’s not a good strategy.”

Instead, he says, “we should take an offensive approach by investing in the modernization of our infrastructure.”

“While the executive order does address some of the potential issues involved with adequately managing cybersecurity risk, the White House still runs the risk of doing too little too late,” Gidi Cohen, CEO, Skybox Security, told SC Media. “Per the order, while the general cybersecurity framework for each agency and department is based on NIST standards, each group is left to define and manage their own cyber risk, leaving the potential for a fragmented and incomplete point of view of the nation’s overall attack surface.”

Attacks – whether from a nation-state, hacktivist, or commercialized cybercriminal attack – target vulnerabilities that provide the easiest path into a network, Cohen said. “Without visibility into the attack surface as a whole, the government is put in the position of reacting to breaches – relying on strong wall defenses and other indicators of compromise to determine a course of action – rather than avoiding them. What’s more, these exposures could be exploited by different parties than most might think.”

State-sponsored activity gets all the attention, Cohen explained, but there are more pernicious threats out there today. These may initially have a lower impact than those involving international espionage but could eventually have an extremely negative effect on national security, public confidence, and our economy, Cohen told SC.

“As the agencies and departments responsible for protecting critical cyber infrastructure now begin to shift their focus to make sure they are aligned with the official White House perspective, it is unfortunate the executive branch hasn’t decided to take a more holistic approach,” Cohen said. “A centralized focus on government-wide indicators of exposure would empower a proactive, unified cybersecurity program. To accomplish that would be no simple task. Just like in the commercial sector, gaining this deep level of understanding is difficult in the ever-shifting cyber landscape.”

Cohen’s prescription for successfully guarding crucial cyber infrastructure has the government making use of every tool it can – including network modeling, attack vector analytics and threat-centric vulnerability intelligence – to identify the most critical exploitable attack vectors in real time. “Once it has been identified, security weaknesses that could enable the continuation of an attack allowing agencies to proactively find and fix exposed security risks before it can be exploited and potentially sold to the growing network of commercialized cybercriminals.”

Daniel Castro, vice president of The Information Technology and Innovation Foundation (ITIF), said, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.”

Cybersecurity should be a top priority for the Trump administration, Castro said. “The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order. While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”

He adds that it’s incumbent upon the administration to implement its stated goals for cybersecurity. “Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government.”

Additionally, Castro said, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.

He does have praise for the White House including much-needed government IT modernization and consolidation as part of the executive order. “While there are many reasons to pursue IT modernization, the administration is likely to have the most success getting this done as a cybersecurity mandate rather than as a push for efficiency.”

“The President’s executive order does not propose a concrete plan for cybersecurity, it merely calls for a top to bottom review of where things stand,” Sanjay Beri, CEO, Netskope, told SC. “While this is a step in the right direction, kicking the can down the road leaves remaining questions about what exactly the administration’s plans are for tackling what has arguably emerged as the single most existential threat to our livelihood: defending our cyber infrastructure.”

What’s more, Beri said, the administration has yet to fill the federal CISO vacancy, leaving the government without a leader at the helm to help implement and enforce security policies and practices. “For a president so concerned about establishing a positive legacy, this seems an obvious – and critical – area to address.”

Mounir Hahad, senior director, Cyphort Labs, told SC Media that there isn’t much to write home about in this executive order. “It is basically asking for a status report from the various agencies of the executive branch, something that should be taking place on a regular basis if our administration were to establish an adequate maturity level and exercise self-introspection as defined by the Carnegie Mellon Capability Maturity Model for organizations.”

However, he said he welcomed the initiative nonetheless and looks forward to what recommendations will be funded from the outcome of all the reports. “I am not sure that the head of any agency has ‘for too long accepted antiquated and difficult-to-defend IT.’ By choice. I hope the reports will shed the light on what regulation has imposed draconian restrictions on the agencies’ freedom to act and stay on top of a threat landscape that changes at neck-breaking speed.”

Philip Lieberman, president, Lieberman Software, told SC that if there is no budget from Congress for the order, it will have little real effect. “All plans have to be funded and accompanied with laws and regulations that are specific. No question cybersecurity is critical, but the devil is in the details and specifics.”

Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved, Lieberman said. “Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”

Tim Erlin, VP, product management and strategy, Tripwire, said that even with this long-awaited executive order, the essential priorities of cybersecurity remain the same. “We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack,” he told SC. “Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.”

Critical infrastructure must be addressed at the highest level, Erlin noted. “The executive order calls for a number of reports to be produced assessing the current state of information security across agencies. The truly telling results will only come after the production of these reports and be measured by the actions they initiate.”

“This is a good step in the right direction,” Jeff Engle, VP, government sector, UDT, told SC Media on Friday. When it comes to assessing the cyber workforce, Engle said he believed the focus is a bit acute on the personnel who may have cyber in their title rather than the evolution in the general workforce. “Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”

Will Ackerly, co-founder and CTO, Virtru, is glad to see the president focused on bolstering cyber defenses. “It is very reassuring to see the Executive Order call out the need for interagency and international cooperation,” he told SC. “It is also great to see the topic of cloud storage presented so centrally. The cost and collaboration benefits of the cloud are undeniable, and, when combined with data-centric protections, such as strong encryption, government information will be even more secure. Finally, the ‘open and transparent process’ in identifying / promoting action by stakeholders to improve resilience of internet communications is highly encouraging!,” Ackerly told SC.

But there’s a caveat. Ackerly believes that the specific methods outlined in the Order are necessary but not entirely sufficient to protect the nation. “Each department should have an experienced CISO in place who may report day-to-day to the agency chief, but should also have accountability to a cross-agency authority. This would encourage collaboration between agencies and ensure that critical information including threat intelligence, vulnerability assessment, and best practices for cyber-defense are rapidly and completely shared.”

Additionally, Ackerly said the Executive Order is missing any mention of intellectual property protection. “While an EO cannot force companies to do things directly, outlining the need for our businesses to have strong privacy protections in place would speak volumes. Government support for these kinds of endeavors would ensure that the fruits of our economic labors are not appropriated by nation state actors or other hostile parties. Until we focus on specific protections for our business and consumer data, including strong encryption, we will continue to be vulnerable.”

Steven Grossman, VP of strategy, Bay Dynamics, told SC that it is great to see that the President’s executive order supports a risk-based approach to cybersecurity. “That means prioritizing agencies’ most valued assets, such as critical infrastructure, and tackling the threats and vulnerabilities that could compromise those assets first. The order makes references like ‘commensurate with risk and the magnitude of harm,’ which ties to the necessity of measuring the mission impact of an asset at risk were compromised and prioritizing mitigation actions based on those that reduce impact the most.”

Further, the EO uses the NIST Cybersecurity Framework as the core framework agencies should follow, Grossman said. This also supports a risk-based approach. However, he added, it may not be detailed enough in the long run.

“Another great feature is that the order promotes accountability, assessment and remediation of cyber risk across many stakeholders in the agency, those in and outside of security,” Grossman said. “Cyber risk management cannot solely be the IT and security team’s problem. Stakeholders across the business from application owners who govern highly valuable assets to upper management who make investment decisions, must be involved in taking action to reduce risk.”

The order contains many positive steps that, when implemented, should significantly help reduce risk, Grossman said. “However, we would like to see more continuous monitoring requirements instead of just periodic compliance like assessments and remediation. The order should not be viewed as yet another compliance checkmark; it should be a continuous process.”

Finally, Grossman said that focusing on building up skills and competency in the workforce is a critical activity, but there needs to be a more immediate plan in place for response until that ramp up occurs.

Stephen Coty, chief security evangelist, Alert Logic, agrees that the EO is using a risk-based approach for the U.S. government and its suppliers. “The order is mandating that all departments complete full technology audits and put together a plan for improvement and modernization of their current IT infrastructure,” Coty explained.

“They identify unmitigated vulnerabilities as one of the highest risks facing the executive departments and other agencies. These known vulnerabilities that they’ve identified include operating systems and hardware that are beyond the vendor support lifecycle. They also include declining to implement a vendor’s recommendation on patching and configuration guidance. All agency heads will be held accountable by the president for implementing these risk management measures.”

Coty is keen on the move to the cloud, citing the NIST Framework. “Government can now feel assured that cloud computing is a secure option for storage and access of their data.”

Larry Payne, head of Cisco’s U.S. public sector, told SC Media on Friday that the EO represents a renewed commitment to protecting federal IT networks. “With the NIST Framework as a guide, agencies can improve enterprise risk management capabilities and simplify their approach to security. A key piece of this effort will be continuing the push to modernize government systems, including rooting out unpatchable legacy hardware and better lifecycle management.”

Payne said his company looks forward to working with agency leaders to implement a strategic security approach, rather than deploying project-based solutions in response to incidents or compliance.

The EO is a tall order to accomplish in the timeline set forth, said John Kronick, director ATG Cybersecurity Solutions, Stratiform, a PCM Company. “Since the NIST Cybersecurity Framework has been out for several years (2014), it has gone through revision, but has not been implemented on a consistent or comprehensive basis, and the efforts to measure the effectiveness of its use still under development,” he said. “That being said, it is one thing to initiate a risk assessment utilizing the CSF, but it’s quite another to initiate action to remediate the issues identified in the risk assessment.”

Kronick listed a number of steps that should be done, including initiating mandatory CSF training for agency executives, risk managers and cybersecurity staff; developing a uniform method for assessing the effectiveness of the CSF implementation and use; requiring mandatory escalation of critical and high risk issues such that they are resolved in a timely manner; initiating cybersecurity awareness training for all citizens, making it mandatory for all employees and workers of federal agencies and critical infrastructure entities – and requiring it more frequently than once per year; establishing a cybersecurity training and recruiting program to facilitate short-term and long-term staffing within the agencies; requiring budgetary funding for remediation of CSF findings/gaps such that agencies will execute remediation measures with sufficient budget for tools, resources, etc. As well, he said, metrics should be established for centralized tracking of agency CSF risk assessments and centralized risk register to track remediation efforts.

Trump Executive Order Tackles Concerns About Cybersecurity

By Kelly Phillips

On the same day that Daniel R. Coats, Director of National Intelligence, testified in front of the Senate Intelligence Committee about the danger of cyber threats to our national security, President Donald Trump signed an executive order intended to “strengthen the cybersecurity of federal networks and critical infrastructure.”

Cybersecurity has been a concern for many Americans of late – not just because of allegations of Russian hacking during the elections – but also because of the increased risk at home. Phishing and identity theft, for example, were #1 and #3 respectively on the Internal Revenue Service (IRS) list of the Dirty Dozen Tax Scams for 2017.

In response to increased concerns, Trump touted cybersecurity as an issue during his campaign. Shortly before taking office, in January, he promised, “I will appoint a team to give me a plan within 90 days of taking office… Two weeks from today I will take the oath of office and America’s safety and security will be my number one priority.”

On his 111th day in office, the President finally delivered. The order focuses on three areas:

  • Cybersecurity of Federal Networks
  • Cybersecurity of Critical Infrastructure
  • Cybersecurity for the Nation

Cybersecurity of Federal Networks. 

To address cybersecurity of federal networks, the order requires the heads of each federal agency to use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk. Each federal agency will also be required to provide a risk management report for evaluation within 90 days. The report will include, among other things, “unmet budgetary needs necessary to manage risk to the executive branch enterprise.”

The order also directs federal agencies to show a preference for shared IT services, where allowable and feasible, including email, cloud, and cybersecurity services.

Security of federal agencies has been a concern following hacks which included the theft of more than 20 million records from the Office of Personnel Management (OPM) and attacks on individual taxpayer records at the Internal Revenue Service (IRS).

Cybersecurity of Critical Infrastructure. 

When it comes to critical infrastructure (think power grids, water, and telephones), the order calls for a report on those infrastructures which are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The report, which is to be submitted within six months, must also identify how risks to those systems could be mitigated.

The order also requires that strategies be developed to reduce cyberthreats perpetrated by botnets. Botnets can basically “hijack” computers for the purpose of carrying out automated tasks such as stealing valuable information and launching distributed denial of service (DDoS) attacks.

An issue that has been raised multiple times – the specter of a prolonged power outage associated with a significant cyber incident – is also addressed in the order, which calls for an assessment of not only the potential scope of such an outage but also the readiness of the country to manage such an event. The order requires similar assessments be made with respect to a cyber attack on the military, including the supply chain, as well as systems, networks, and capabilities, as well as recommendations for mitigating those risks.

Cybersecurity for the Nation. 

Finally, the order calls for developing a strategy for “deterring adversaries and better protecting the American people from cyber threats.” The strategy is expected to include education and training for the “American cybersecurity workforce of the future.” The order also seeks to establish policies that will serve as deterrents for foreign nations targeting Americans, a move some suggested might be a direct response to the allegations of Russian hacking. At a press briefing held earlier today, White House Homeland Security Adviser Tom Bossert downplayed that suggestion, noting “the Russians are not our only adversary on the internet.”

You can read the order here.

Responses have been mixed. Some security experts welcomed the order as a good start while others suggested it was merely “a plan to make a plan.”

“This is a good step in the right direction,” said Jeff Engle, VP, Government Sector, UDT in response to the order. “When it comes to assessing the cyber workforce I think the focus is a bit acute on the personnel who may have cyber in their title rather than the evolution in the general workforce. Even now we are all part of the cyber workforce and can either be a conduit for vulnerabilities or part of an active defense. Lack of education of both this generation and the next on cyber risk awareness has to be addressed or no technological solution will keep us safe.”

The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, issued a statement which began, “We are disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats.” The statement went on to say, “We’ll have to wait to see how well this administration can implement its stated goals for cybersecurity. Notably, this order leans heavily on the government for ideas and implementation rather than a public-private partnership approach. This is somewhat surprising given this administration’s belief that the private sector can generally do things better than government. Moreover, the private sector has the deepest bench of cybersecurity talent, so the federal government will likely need to look outside its ranks to stay on top of these issues.” ITIF concluded, however, that it is “a good sign though that the White House included much-needed government IT modernization and consolidation as part of the executive order.”

(Author’s note: The article has been updated to include a statement from Jeff Engle, VP, Government Sector, UDT.)
