Hackers have become increasingly sophisticated. How can companies and consumers protect their information and mitigate risk?
By Leslie Mertz
Imagine that today there are 20 billion devices connected to the Internet, and in 30 years, that number grows tenfold. According to Babak Forouraghi, Ph.D., professor and chair of computer science, increasing connectivity shrinks our world and eases our daily lives — but dramatically threatens our security.
“Think about the microchips we put in our pets and refrigerators with applications,” he says. “Cybersecurity needs are never going away; the discipline is becoming more and more integrated into daily life.”
As Forouraghi explains, all of these smart devices require software to manage and monitor their functionality — prime fodder for hackers and other security threats, the results of which we have already seen. The Cambridge Analytica scandal, where data gathered on millions of people through a Facebook app was used to send targeted political messages, was an attack on free elections, the very core of democracy.
“I think it is important to understand that services like Facebook, Google and Uber are not truly ‘free,’” warns Scott Billman ’18 (M.S.), one of the first graduates of Saint Joseph’s master’s in computer science with a cyber security concentration. “By using their applications, you are agreeing to allow these companies to mine your data and target ads based on your posts or demographics. Any information that you provide to a company has a good chance of getting compromised one way or another.”
Take Uber, the location-based app that connects drivers and riders. A data breach in 2016 exposed the names, phone numbers and/or email addresses of more than 57 million people.
Even more sensitive was the data leaked in September 2017 from over 140 million people who used Equifax, possibly making them vulnerable to identity theft: names, Social Security numbers, birth dates, addresses and, for some, driver’s license numbers.
The Girl Scouts of America even unveiled new merit badges for cybersecurity this past March. “There’s no avoiding this reality,” says Forouraghi.
• • •
Security vulnerabilities often arise because executives view cybersecurity as something separate, rather than as an integral part of operations, says Dawn-Marie Hutchinson ’13 (MBA), executive director, Office of the Chief Information Security Officer (oCISO) in the Philadelphia office of Optiv Security. A strong and integrated data-protection program — including making the CISO a full member of the senior executive team — will help prevent the curtailed operations and damaged consumer confidence that can result from a cyberattack and allow companies to focus on their business objectives.
“One of the first steps to keeping electronic data safe is vigilance by individuals, both at work and at home,” says Hutchinson, who was named one of 12 Amazing Women in Security by CSO Magazine in 2017. “If we learned anything from the Cambridge Analytica incident, it was that most people had no idea what information they were sharing or why.”
She says that just as a person should avoid clicking on malicious links in emails, giving out login credentials or other sensitive information, or sending money to unverified solicitors, they should do the same at work.
Companies and organizations need to entrench cybersecurity within operations, agrees Dan Clarke ’11, ’14 (M.S., homeland security), a cyber risk security senior consultant at Deloitte in Washington, D.C. “With our clients, we get all the stakeholders together — people in the IT department, the engineers, developers, testers and evaluators — and we’ll have discussions about the mission and the proper implementation of cybersecurity requirements from the very beginning of the project,” he says. “The more minds you get together early, the better, because cybersecurity is all about information sharing to prevent information stealing.”
To meet the growing demand for cybersecurity specialists, the Department of Computer Science has added a new and fully online certificate program in cybersecurity that premieres this fall, an addition to the master’s degree program concentration in that area established this past year. Students from any discipline can complete the certificate in only two semesters with the option to continue on to the master’s program for an additional year of study.
Together, the programs cover security in mobile app design, ethical hacking, digital forensics and cyberattacks in social networking. According to Forouraghi, the programs use a virtual box environment and hands-on simulations such as an SQL injection attack — a technique that inserts code into software to exploit vulnerabilities in web applications and database servers — to help students understand how cyberattacks work and how to combat them.
• • •
While cybersecurity is all about protecting data, the data itself can also provide information to boost security, says Marcello Balduccini, Ph.D., assistant professor of decision and system sciences in the Haub School of Business. “There is a huge potential for combining our current understanding of cybersecurity with analytics tools,” he says.
He points to so-called cyber-physical systems, in which computers control an automated car, a large power plant or some other physical component, and in doing so, collect exhaustive details about every aspect of the system. On a massive scale, like a U.S. Navy ship, for example, the stakes can get quite high. Through analysis of that data, Balduccini found ways to make the military’s systems run more efficiently and effectively, and at the same time, pinpoint security vulnerabilities.
“It’s not enough to look at a ship’s blueprints anymore,” he says. “If a Naval crew is in the middle of the ocean, and there’s an error in the air conditioning system, they need to know if their missiles are also compromised.”
To help leverage these data to yield actionable intelligence, the Department of Decision and System Sciences has added a cyber analytics track to its master’s program in business intelligence, along with a cyber analytics certificate program. Both will begin this fall. Faculty will apply their expertise — in analytics, operations research, artificial intelligence, statistics, systems engineering and systems thinking, and cyber topics — to teach students how to use big data, modeling, analytics and statistical learning methods to improve security. Students will analyze complex systems and processes, uncovering dependencies, weaknesses and risks, and identify corrective actions, both within the cyber domain and outside of it.
Cyber analytics, which sifts through massive amounts of data to find issues and patterns that may raise concerns, blends with the technical expertise of computer science to form an effective cybersecurity strategy to protect data, privacy and information.
“Together,” says Balduccini, “they essentially can provide answers to all sorts of questions in terms of functionality, safety and security.”
Leslie Mertz is a freelance writer who specializes in science, medicine and technology.
Katie Smith ’15 contributed to this reporting.