September 2025
Protecting yourself and our information from cybersecurity threats.
October is Cybersecurity Awareness Month, and we’ve lined up some exciting events to keep you informed and engaged. Join us for a series of webinars packed with practical tips, expert insights, and strategies to help you stay secure both on and off campus.
• October 9th - CISO discussion panel: Securing the Mission: Building Awareness and Resilience in Higher Ed
• October 14th - Beyond Trust
• October 21st - Google: AI on the Frontlines: The Role of AI in Today’s Security Landscape
• October 22nd - Scary Cyber Tales: Don't Let Your Data Go Bump in the Night
• October 29th - Rachel Tobac: Exploiting Trust – The Human Element of Security
Register to attend these webinars here:
https://intranet.uchicago.edu/tools-and-resources/it-services/security/security-awareness-and-training/cybersecurity-awareness-month/cybersecurity-month-webinars
Also… back by popular demand, a few e-waste destruction events are planned. Safely dispose of old drives, devices and media at our upcoming destruction events, a secure and eco-friendly way to properly dispose of e-waste. Let’s make October all about learning, protecting, and (secure and eco-friendly) destroying!
Destruction Events
- Saturday, October 11th, 2-5 p.m., University Shred Fest, University Press Parking Lot, 1427 East 60th St. - Paper and E-Waste
- Wednesday/Thursday, October 29th and 30th, 9 a.m.-3 p.m., Secure Destruction Event, Brain Research Pavilion, 5812 S. Ellis Avenue, Room J-103 - E-Waste and USB Transfer
https://events.uchicago.edu/event/252364-secure-destruction-event
This September, our newsletter is shining a spotlight on the BSD Cybersecurity team… specifically the leads of the Red Team, Blue Team, and Purple Team. You may have heard these terms in cybersecurity before, but what do they mean? Think of them as three different perspectives working toward the same goal: keeping our organization cyber safe.
- Red Team plays the role of the attacker, simulating real-world threats to test our defenses.
- Blue Team acts as the defender, monitoring, detecting, and responding to keep those threats at bay.
- Purple Team bridges the two, ensuring that lessons learned turn into stronger protections for everyone.
To give you an inside look, I asked the team leaders a few high-level questions about the challenges they face and how they help protect our BSD community every day.
Red Team
Can you explain the primary mission of the Red Team in simple terms?
The Red Team’s primary mission is simple: think like an attacker so we can find weaknesses before real attackers do. We run authorized tests that mimic real-world threats targeting systems, processes, and people to uncover gaps and help fix them. This helps make the organization stronger and faster at detecting and responding to security incidents.
How do you decide which systems, processes, or people to test?
We work closely with the Blue Team and leadership to identify the systems and processes that are most important to the organization. We also rely on findings and trends identified by external auditors and agencies (PwC, FBI, CISA, etc.) to conduct more thorough scans that target specific, well-known and emerging cyber threats.
What are some common security gaps you uncover during these exercises?
The most common gaps we find are usually simple things: weak passwords, systems that haven’t been updated in a while, and overly permissive system privileges. These issues may seem small, but attackers often rely on them as an entry point.
How does your team’s work ultimately strengthen the organization’s defenses?
By simulating real-world attacks, we help the organization find weaknesses before actual attackers do. Every test gives us valuable lessons that are shared with the right teams so they can improve defenses and make the whole organization stronger and more resilient.
Without revealing sensitive details, what’s one of the most eye-opening lessons your team has learned from a past exercise?
By far the most consistent threat we encounter is what’s known as “shadow IT”. This refers to those apps, tools, or systems that individuals set up on their own without going through established IT channels. These systems can introduce significant risk because they usually aren’t properly secured or maintained. Often these systems are set up by well-meaning individuals who are not aware of similar services that are already offered by BSDIS or ITS.
What do you wish employees understood better about cybersecurity threats?
Cybersecurity isn’t just about technology - it’s about people. Attackers often go after individuals first, because one click on a bad link or sharing the wrong information can give them the access they want. Every individual and system on the University of Chicago network is connected – even if an individual system does not contain sensitive data, that doesn’t mean an attacker won’t leverage it to target higher-value assets. By staying alert and following security guidance, every employee becomes part of the defense team.
Blue Team
What is the core responsibility of the Blue Team in our organization?
The Blue Team oversees BSD’s vulnerability management program, working to maintain a secure digital landscape. We continuously monitor and respond to evolving threats ranging from viruses to malicious links and Microsoft zero-day vulnerabilities, all of which can be mitigated through proactive vulnerability management.
How do you monitor and defend against potential attacks? Any tools or techniques that you rely heavily on?
We utilize security tools such as Armis Centrix and CrowdStrike, among other industry-leading security tools. CrowdStrike is a cybersecurity company that provides cloud-based solutions to protect organizations from threats such as malware, ransomware, and other forms of cyber-attacks. Armis Centrix is a security platform that gives us a clear view of, and protection for, all the connected devices in our organization. With its smart discovery and threat detection, Armis Centrix lets us find, watch, and keep safe our whole digital environment without the need for agents. We take a proactive approach by continuously monitoring anomalous activity, analyzing threat intelligence, and leveraging automated tools to detect anomalies. Our team uses real-time alerts, behavioral analytics, and vulnerability assessments to stay ahead of potential threats. Collaboration and rapid response are key to ensuring our environment remains secure.
What’s the biggest challenge your team faces in keeping our environment secure?
One of the biggest challenges for the BSD Blue Team is effectively managing the organization’s security landscape. Key constraints include time-sensitive tasks, such as detection, containment, and root cause analysis, as well as managing alert fatigue, triage, and ensuring clear communication and coordination across teams. In addition to these demands, the team is focused on achieving long-term goals—like building automated processes using industry-leading security tools to enhance efficiency and resilience.
How does your team measure success in stopping or responding to threats?
In today’s rapidly evolving cybersecurity landscape, threats are becoming more persistent and sophisticated, especially within educational institutions. Traditionally, Blue Teams have operated with a reactive mindset, responding to incidents after they occur. At BSD, the Blue Team is shifting toward a prevent-and-protect model, focusing on proactive incident prevention rather than post-incident response. This strategic shift allows the team to anticipate and mitigate threats before they impact critical systems, ultimately strengthening the institution’s overall security posture and redefining how success is measured in defending against attacks.
Can you share a success story where the Blue Team stopped a threat in its tracks?
The BSD ISO’s Blue Team received a concerning alert from the CrowdStrike Falcon console that someone was trying to install a remote desktop tool that wasn’t allowed. The ISO’s incident response team sprang into action and sent a TSS desktop technician to investigate. Thanks to CrowdStrike’s advanced capabilities and the quick response from the support technician, they were able to stop an employee from calling a suspicious number and prevent any further issues. The adversary was thwarted, and another phishing threat was averted.
What can employees do day-to-day to make your team’s job easier?
Endpoint security is super important, and it’s always best when we work together as a team! We can make a big difference in supporting the BSD ISO’s Blue Team by following a few simple steps.
- If you notice anything suspicious in an email or in system activity, report it right away.
- Make passwords strong and never share them with anyone.
- Keep software up to date and patched as soon as possible.
- Reboot systems in use at least once a week (where possible).
- Feel free to reach out to the BSD ISO team with any questions.
- If a security mistake is made, don’t worry, we’re here to help!
Purple Team
How does the Purple Team differ from Red and Blue Teams?
The Purple Team is a bit different here since we run lean. The Red Team focuses on attacking and finding weaknesses, while the Blue Team focuses on defending and responding to threats. The Purple Team exists to connect the dots between the two where possible. Normally it would be a collaborative effort with both teams. An issue could stem from process inefficiencies, communication gaps, or organizational workflows that are missing and need to be created, or that need to be modified for efficiency and accuracy, to name just a few items that can pose cyber risk.
What’s the Purple Team’s role in bridging the gap between offense and defense?
Traditionally, the Purple Team’s role is to facilitate communication and collaboration between Red and Blue Teams by reviewing data from simulated scenarios and exercises. However, at BSD, we operate with a lean structure and a technically skilled team, which allows the Purple Team to take on a broader set of responsibilities. In addition to bridging tactical insights between Red and Blue Teams, the Purple Team reports directly to the Chief Information Security Office and plays a key role in supporting compliance efforts. This includes identifying gaps in processes, aligning with security frameworks, and ensuring our defenses are both effective and accountable. Beyond technical and compliance work, the Purple Team also helps raise cybersecurity awareness across BSD. We contribute to initiatives like Cybersecurity Awareness Month, organize secure destruction events, and create educational content—like this newsletter. These efforts not only support compliance with security standards but also empower our community to be more informed and resilient against cyber threats.
What skills are most important for working on a Purple Team?
Strong communication and problem-solving are essential. You need enough technical knowledge to understand attacks and defenses, but just as important is the ability to translate those into clear next steps. Curiosity and teamwork are also huge! We’re always asking questions!
Where do you see the Purple Team making the biggest impact in the coming year?
Strengthening our security standards through compliance with the security frameworks from the National Institute of Standards and Technology (NIST). NIST provides a detailed catalog of security and privacy controls designed to protect information systems and organizations from a wide range of threats that include cyberattacks, human error, and supply chain risks. As the technology industry continues to face frequent security breaches and data compromises, organizations are moving toward more proactive and intelligent defense strategies. Proof of security is now an expectation, and gaps or exceptions are no longer tolerated regardless of the type of data being used. By strengthening our NIST frameworks, we establish a standardized way to demonstrate and communicate our security practices to other organizations. One of the most impactful shifts here is the adoption of the threat-informed defense model, an approach that aligns cybersecurity efforts with real-world attacker tactics and recognized security frameworks.
What’s the biggest challenge your team faces in keeping our environment secure?
The biggest challenge is security adoption. Technology alone can’t keep us secure. It requires people to use it correctly and consistently, and to follow through by taking the time to understand it. We can put strong password tools, multi-factor authentication, and secure file-sharing options in place, but if employees don’t adopt them or try to work around them, the protections lose their effectiveness. Security adoption also means building habits, like reporting suspicious emails, keeping software updated and following approved processes instead of turning to shadow IT. Our role isn’t just to enforce rules; it is to create awareness, provide training and make security feel like a natural part of how we work. The more our community adopts security practices into their daily routines, the stronger and safer our environment becomes. This is especially important when it comes to contractual obligations. We want to prevent false claims that can get our institution into major trouble, as has been prevalent in the news these last few years. Here are some examples:
- https://www.gtlaw.com/en/insights/2024/8/doj-files-complaint-in-first-cybersecurity-false-claims-act-qui-tam-case-intervention
- https://www.justice.gov/archives/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating
- https://www.justice.gov/usao-edca/pr/health-net-federal-services-llc-and-centene-corporation-agree-pay-over-11-million-0
- https://www.quarles.com/newsroom/publications/dojs-civil-cyber-fraud-initiative-utilizes-false-claims-act-to-settle-allegations-of-knowing-non-compliance-with-nist-sp-800-171-against-raytheon-and-its-successor
Do you have any questions for the security team? Topics you would like us to write about in our newsletter? Please feel free to drop us a line and let us know by e-mailing security@bsd.uchicago.edu.