Author

Dr. Nicole Drumhiller

Browsing

By Dr. Nicole Drumhiller, Dean, School of Security and Global Studies and
Andre Slonopas, faculty, SSGS

The cybersecurity field is finding it difficult to build the workforce it needs to protect businesses and individuals. In this episode, AMU’s Dr. Nicole Drumhiller explores the intriguing aspects of cybersecurity with Andre Slonopas.

Listen to the Episode:

Subscribe to In Public Safety Matters
Apple Podcasts | Spotify | Google Podcasts

Read the Transcript:

Nicole Drumhiller: Hi everyone. My name is Nicole Drumhiller, and I’m in the School of Security and Global Studies at American Public University System. With me today is Andre Slonopas, also within the School of Security and Global Studies. And today we’re here talking about the interdisciplinary nature of the global security job market. Unlike some saturated career fields, as I understand it, the cybersecurity field lacks qualified workforce members. Is that correct, Andre?

Andre Slonopas: Yeah. Thank you for having me, Nicole. And thank you for doing this podcast as well. That is correct. As a matter of fact, something like 30 to 33% of the cybersecurity positions are currently unfilled.

Nicole Drumhiller: Wow. And so where do you see the need for growth in most of this field? Are there specific areas within cybersecurity that are hurting the most?

Andre Slonopas: I think that’s a great question. Cybersecurity itself is very diverse. There’re so many routes, there’s so many areas that you could pursue, everything from even physical security is going to be a proportion of the cybersecurity. If somebody can have access to your physical hardware, to your server, to your rack, it doesn’t matter what passwords you put in there, they can clean out your server and then reset and then wreak havoc. So, there’s that component of it. But also, you have the virtualization, you have the automation, you have the cybersecurity, the entire cybersecurity onion. You want to put in these layers and layers and layers and layers of cybersecurity to make your system more resilient. And you want to be a little bit better than your neighbor. You want the attackers to go after your neighbor, not necessarily you.

Nicole Drumhiller: So, can you break that down for me when you’re talking about the different components of the onion, so to speak, what does that look like? Can you talk a little bit more about those layers?

Andre Slonopas: Yeah, I think this is a great question. The analogy would be the defense in depth. And I’m going to use military terminology here because I think military can relate to a lot of this. You put in an obstacle, then you put in an anti-tank obstacle, then you put in some mine fields, then you put in some anti-personnel concertina wire, then you put in some triple strand and so on. And you really want to build out that really deep defensive line.

And so, the idea behind it is that somebody penetrates through the first line of defense, well great, now they have another 25 to go. And then they penetrate through the second one and the third one and the fourth one. But each time it takes a little bit more resources, a little bit more commitment, a little bit more time and energy consumption and resource consumption and funding consumption. And so eventually, by the time they get to your seventh or eighth or ninth line of defense, hopefully they realize that onion could go on for much longer and they kind of move on to a softer target.

So, the cybersecurity world, obviously you’re not going to be putting mines like in the cyber field or digital concertina wire, but really the way it would look is you would have your edge router. Now on the edge router you would put in all sorts of firewalls. Stateful firewalls, artificial intelligence, something that will actually establish some sort of a threshold of what the normal communication looks like. So, anything outside of the normal is going to be dropped. Then behind that, you actually don’t put in your real network, you put in some sort of a DMZ, demilitarized zone. So essentially it’s going to be a small little network that’s actually going to be facing the big bad Internet. Then behind that, you put another server that’ll actually have some sort of another firewall. They’ll only filter the traffic that comes in from the DMZ to your internal network.

And then on the internal network, what prevents you from putting in five or seven internal networks, four or five of them can be fake, but only one of them could be real. So now even if somehow these malicious actors get through all of those lines of defense, they actually don’t know who you are in reality. You may have an office space that will have all sorts of corrupted false data, and that person, the malicious actor, could just knock themselves out for hours and hours digging through data that isn’t real. So that’s what you want to build out. You want to build out this very resilient network and in the last line of defense sort of virtualization, make your network look so much more than it really is. For the most part the majority of the people aren’t that interesting for somebody to commit years of their life to compromise their networks.

Nicole Drumhiller: So, it’s really interesting. I think it’s funny when you say you want to be just a little bit better than your neighbor. It reminds me of people having their wireless networks named so that people can see them publicly.

Andre Slonopas: You bring up a really great point because why is that happening? This was very, very common. It was just drive-by Wi-Fis essentially. And so, a lot of this was done for research and it was done actually at the, I want to say Stanford has done a lot of this, Berkeley has done a lot of this work. But essentially a professor or researcher would put a Wi-Fi puck on his bike or on his car and just drive through San Francisco just to see how many people would actually hook up. But what he would do, he would say free Wi-Fi San Francisco, that’s the way he would actually name his SSID. And so, a lot of people naturally assume free Wi-Fi from San Francisco, hundreds of thousands of people would hook up. But in reality, it was a researcher who was actually collecting data unwitting. But imagine if this could be done by a malicious actor. You go to Starbucks, and it says free Wi-Fi Starbucks. I mean, is it really? We don’t know.

Nicole Drumhiller: Right? Or even the airport, right? The airport seems to be an amazing place to collect that kind of stuff. If you were a researcher wanting to check that out, that’s one thing that I can just think about doing just as a layperson seeing that I’m traveling through this airport and I need to get some work done, so let me connect to the Wi-Fi and go from there. And then that puts me at risk, right?

Andre Slonopas: That is absolutely correct. And if it’s a malicious actor, how many people are checking their bank accounts and their emails and everything else? You could collect a lot of information just putting up this fake Wi-Fi that people connect to, and you can name it airport.

Nicole Drumhiller: What would you recommend as the alternative option just for that? I know we’re getting a little bit off topic, but let’s just bring this home for our listeners.

Andre Slonopas: Yeah, absolutely. So, I think one of the best recommendations that I have out there, and especially with the way the laws are being structured on Internet now, I would highly recommend some sort of encryption. VPN, virtual private network. It’s a plug and play, download and play type of a solution. You can get a lot of the free VPNs out there, they’re available, or you can pay the $2 a month, get your VPN, install it. It’ll encrypt all of your network. So even if you hook up to a Wi-Fi somewhere in Starbucks or airport or whatever be the case, all of your communication is going to be encrypted and chances are your neighbor is not encrypting their communication.

So, a malicious actor it’ll take him months to break through the encryption, years even in some cases, he’s not going to do that. That person will probably move on to an easier target. So, a VPN, there’s some really good ones out there. They’re really good ones out there. They’re actually headquartered in places like Panama and Virgin Islands and other countries that don’t have very strict cyber laws. They don’t store any of your information, and that’s an easy solution to protect your data.

Nicole Drumhiller: Oh, wonderful. Thanks for wrapping that up just for lay people like myself, just to make sure that we’re doing all that we can to be a little bit better when it comes to protecting our own information. One of the things that I always find fascinating is that unlike physical structures, the world of cybersecurity is always changing as people find new techniques for overcoming security measures. And these issues are not specific to any one field. And I know we need to take a little bit of a break, but when we come back from our break, let’s talk about some different notable hacks that have occurred across government, business and education sectors.

We are going to start talking about some different notable hacks that have occurred across government, business and education sectors. So, to kick us off, Andre, the US government has been faced with cyber-attacks in the past. One exercise that comes to mind is Operation Eligible Receiver where the NSA hacked the Department of Defense network using only publicly available techniques and equipment. What prompted this exercise? How did this situation really unfold?

Andre Slonopas: Yeah, I think that’s a great question and I think that’s a great scenario that actually sort of evolved right as we were hitting the digital revolution. Human beings, we’re so set in our ways and very often it’s so difficult for us to change the way we do things. And for so many centuries, millennia, we have done things in an analog way. You write things on a piece of paper, you mail it, and you kind of communicate that way. Once we hit the digital revolution, our communications really went over the wire, over these Wi-Fi, over these electromagnetic waves around the world. Trying to change a lot of the decision makers have been doing things one way, in an analog way, and trying to have them understand the importance of digital security was extremely difficult.

And so, what ended up happening is NSA sort of coordinated this operation, the whole thing was reviewed by JAG and make sure everybody stayed within their legal limits, but they called it Operation Eligible Receiver. And so, the stipulation behind these operations that NSA will actually hack Department of Defense, the Pentagon, but they will only use tools that are available out there in the wild on the Internet, tools that anybody can download and sort of leverage. They weren’t actually using any of their highly specialized tools. And the idea behind it was to actually show the power, I guess, of offensive digital attacks, that’s one of it. But also, to get the DOD finally behind the cybersecurity. And that’s essentially what ended up happening. That’s sort of the idea and how this exercise evolved and initially took place in ’97 and there was a repeat in 2003.

Nicole Drumhiller: Well, that’s really interesting. I always like hearing about that since I know there’s been a number of interesting things that have come about as a result of that situation. Let’s move on and talk a little bit about some of the things that have occurred in business. One business or energy business hack that comes to mind is Colonial Pipeline. For those of you in need of a refresher, this story broke around the time that the Colonial Pipeline, which is a 5,500-mile-long pipeline that moves oil across the East coast, was compromised. When the story broke, the headlines seemed to focus on how this was an act of possible state aggression to disrupt the energy supply. What really happened in this situation?

Andre Slonopas: Yeah, thank you, Nicole, another great case. I think there’s a lot of ways we could actually tie what happened on the Colonial Pipeline with actually what Eligible Receiver demonstrated. So, the Eligible Receiver demonstrated that you can really wreak havoc on an organization using a lot of the stuff that is actually available out there. The simple solution is to simply take information and delete it, but a lot of that information can restore. We keep backup files. Everybody has an external hard drive where they back up their pictures or whatever else they do. What if that data was actually corrupted? And so, in the operation Eligible Receiver, that’s actually one of the things that they have done is they didn’t just delete the data. No, they corrupted the data. So, the meeting places were changed, the rooms were changed, the floors were changed, the emails themselves were corrupted. Important information was taken out, information was added and so on.

So, in the end, the Pentagon shut down, not because they didn’t have communication, it shut down because nobody could trust anything. There was just destruction of trust. And that’s essentially what happened also in another operation that took place in Natanz’s nuclear processing plant out in Iran, the Stuxnet, the infamous Stuxnet case where a lot of the information was corrupted. So how do you purify uranium if you don’t know how fast your centrifruges are working and so on. And so, in the Colonial Pipeline, sort of similar things began happening. Although from my understanding at least, I was not involved in this directly, but my understanding is that these malicious actors actually did not go out to the control systems, they began to compromise a lot of the RTUs, or remote terminal units that are out there in the field. A lot of the sensors and actuators or whatever else was there.

And once this attack actually transpired, what ended up happening is Colonial Pipeline decided to shut down the whole thing because they didn’t know how far the compromise went. But this malicious group, they called themselves The Dark Side, they actually made a comment. They said “we are apolitical” and I’m quoting here – “We are apolitical. We do not participate in geopolitics, do not tie us with defined government and look for other motives. Our goal is to make money and not create problems for society.” So at least they’re saying they’re not working for a government. And also, they’re saying they’re not here to create problems for society, but sure enough they did.

There’re some closures with some of the gas stations and the energy transportation portion was also disrupted. So, you do have these very persistent, malicious actors out there, and they are focusing on these really interested and unique critical infrastructure components. They claim that they’re not working for a government. The ones and zeros, they don’t necessarily align themselves with a nation, if you will. Then there’s a lot of obfuscation that goes around, trying to track things through the big Internet around the world is also extremely difficult. So, I think we’re left to wonder, at least into the foreseeable future, what really happened and who these guys were.

Nicole Drumhiller: Yeah, no, it’s absolutely another fascinating case because it does show you some of the different things that are possible and the destruction that it can cause. Another fun one that is kind of, it’s gaming oriented, still kind of hits on the business side of things, is the Manfred story. This one is really interesting to me since it’s about a guy who’s into playing what are called massive multiplayer online role-playing games, or MMORPG, but then when he gets bored with the game itself, he goes and starts looking for bugs in the game. So, on the surface, to me it seems pretty harmless since he basically would find loopholes in the games that would give him an edge over others. But what do you see as the implications of this?

Andre Slonopas: For the first time, arguably first time in the history, the Manfred story was so phenomenal because it actually showed that you can make a lot of money doing something that really seems pretty harmless on the surface. So, I’ll give you an example of some of the themes that actually Manfred was doing. But he actually played this game called EverQuest, and it was a multiplayer online role-playing game. And basically, he realized that it took him a very long time to run around as this character, fighting all these different monsters. So, what he did, he actually programmed a bot that would actually just fight these monsters 24/7 nonstop. He came back a couple days later just to see if the bot is still fighting. Sure enough, after about a week or so, he had one of the most advanced characters in the game, and then he realized that he could actually essentially defeat the entire competition by not just playing the game, but by having his bot essentially playing on his behalf. And then he just comes in and collects a reward.

But then he started explaining a little bit more. And so, we had to realize a little bit on how the computers work. The computers are in these bits. So, we have the eight, the 16, the 32, the 64, the 128, and so on bits. So, these first games, like the EverQuest, they were operating in this 16 or maybe even the 32 bit. So, these packets were fairly small. What he would do is he would essentially take a packet that would go from his computer where he was playing the game into the Internet into the game server, but he would actually capture these packets before it left his house. So go from his computer to the computer where he was intercepting these packets. He would change the packets and then send them to the game server. But the game server never actually checked where the packets are coming from. So now once he actually captured those packets, he could change them in whatever shape he wanted to change them into.

So, for example, if you can think of a clock, a clock will show 1 PM. Now if you subtract one second away from the clock, you actually get 12:59. So you actually get a much bigger number. You started with a 1 PM, you subtract one second, now you have what, 12:59. You have a much bigger number. It’s the same thing that he tried with his packets. He would take a packet that was 0000, so he had zero game currency, but he would subtract one from it. Well, now he just got basically the maximum amount of currency that he could have. Let’s say he took a weapon, whatever it was, a sword, subtract a one from this very basic sword, which would max it out. So, he was doing what was called a buffer overflows. He was maxing himself out, not by playing the game, but essentially changing these packets before he would actually send them out. So, people started complaining obviously and what ended up happening is he would always get kicked out.

Nicole Drumhiller: That’s wild that there’s a market for these types of things. That’s something that I would never think about. But then when I start thinking about how games can be monetized, now you have a whole bunch of more possibilities.

Andre Slonopas: And that is correct. And in many ways, I mean this guy was an entrepreneur. He figured out you could actually make a lot of money selling things that aren’t really real, but to a gamer they are, because they’re digital things that the gamer values. And a lot of these companies, so why actually Manfred ended up going out of business? Because a lot of the companies realized that they’re competing against this, I don’t know, shadow market, whatever you want to call it, where these malicious actors were selling digital items for their games. So, the companies themselves began selling digital items for a lower value and they didn’t do it on eBay, they actually did it in the game itself. And so, Manfred eventually had to go out of business because now he was competing against the company itself who was under bidding him in a video game and the company didn’t have to do anything about it.

Nicole Drumhiller: Right, and he had to force that market to adapt because of what his actions were.

Andre Slonopas: But I think he actually helped out the video game industry, which actually blossomed because he showed what can be done. And at some point in time the way the packets move around the world, sometimes so difficult to actually know where they are from. But there was a report about North Korean hackers who actually picked up on the Manfred story as well. And so, they realized that they could actually compromise a lot of the video games and make money for the North Korean government by selling these things on eBay. So, in many ways this gentleman also helped North Korea circumvent a lot of the sanctions.

Nicole Drumhiller: Or at least spawn some ideas. I mean, you can get good ideas and turn them into something nefarious in pretty much any kind of situation. Yeah, it’s fascinating. I don’t recall, was he one that would also send in tips to the different companies telling them how to fix bugs? That could be another case that I’m thinking about. Since it’s a very human side of things there are examples where people will find a bug, report it to a company, and then the company gets mad at them for bringing this to their attention.

Andre Slonopas: He did report, he does talk about reporting a bug in one of the games. The bug essentially was that the game would not check whether your house was built over the ground or under the ground. So, he would build these houses under the ground and anybody who walked in, he would essentially rob these people walking into his house, even though the people didn’t know that the house was there because he would build them under the ground. So, he actually reported this bug to the video game company through the game manager, the GM. Well, the game manager reported it to the cybersecurity team, and the cybersecurity team accused the game manager of actually working with hackers to compromise the video game and they actually fired the gentleman. It’s an unfortunate case that Manfred was trying to help somebody, and it eventually cost that person a job.

Nicole Drumhiller: So, we’ve talked about government, and we’ve talked about some of the business hacks. I definitely don’t think the education field is immune to hacks by any means. And so, when we think about notable hacks specific to universities, what comes to mind for you?

Andre Slonopas: And academia is definitely not immune to compromise. As a matter of fact, that .edu domain was one of the favored domains, the endings, by malicious actors for a very long time. There’re several reasons for that, but the .edu, they try to be fairly open. It’s all about research, collaboration, which actually makes them a little bit more susceptible to attacks. So that’s why there was a period of time, I want to say from like 2008 to maybe like 2016-17 where a lot of the .edu websites were actually blocked by a lot of the companies. And the reason for that is because malicious actors would use .edu domain names as a pivot point. So, remember how we talked about, it’s so difficult to actually track somebody through the Internet because that person will come in one network and then from that network they’ll actually execute their attack. So that’s called the pivoting. So essentially the malicious actor, I don’t know, in North Korea, will use a .edu in United States and then they’ll pivot, and they’ll do their attack.

So, universities and academia in general sort of attracted attention to themselves because they do have these open networks and they try to be fairly transparent. And so, one of the maybe more humorous cases that actually end up happening is the Washington State University compromise. And my understanding is it was actually one of the disgruntled students and he ended up compromising the network, in the middle of a classroom the projector would go down, it would turn on, and there would be some video of this student talking about how Washington State University is not a great place. There was a compromise that happened and there was a lot of data that was leaked out from that. It showed the vulnerability that a lot of the faculty, the staff and the student body actually could be exposed to. Washington State University ended up settling for 4.7 million in the data breach lawsuit that actually followed.

So, as you can see, nobody’s actually immune to cyber-attacks. Sometimes people think that the malicious actors have a big heart, and they’ll never attack a hospital. That’s not true. A lot of the hospitals have been compromised. As a matter of fact, hospitals are also arguably some of the biggest targets, same with the universities. And the cost associated with a data breach or any type of a compromise, we’re talking in millions. A single compromise will bankrupt about 60% of the small businesses. So, if a small business is compromised, they have about a 60% chance of failing within the next couple of years. Just think about that. A lot of the small businesses actually end up going underground because they cannot pay these exorbitant fees and associated damages that they have to pay out. Cybersecurity is a very, very serious matter.

Nicole Drumhiller: One of the things that all of these cases seem to have in common is that human element or that human gatekeeper. And given this, I would imagine that there is a lot of need for having educational roles within the cybersecurity field. And specifically, people that just don’t do the tech-heavy part, but then also provide cybersecurity education, but would need to be able to translate that to different types of individuals with different types of learning styles and things like that, if you will. So, what kind of roles do you see are available in the cybersecurity industry for somebody that’s not necessarily tech focused?

Andre Slonopas: And cybersecurity is so much more than technology. Technology is extremely important, but if the management of the company is not on board with the digital security, then the techies are going to have a really hard time making a very robust, good cybersecurity posture for the company. A great example of it is the Pentagon. People who’ve been working for the government for decades, they did not see a need for digital security. And so inevitably Eligible Receiver brought it to their attention and the Pentagon and the government in general, they changed, started in late 1990s. Well, it’s the same thing within any type of entity. What you have to have, you’re going to have to have somebody who’s not necessarily technical, but somebody who understands the strategy of the company, who can write out the policies, the standards, the guidelines, the procedures, and hold people accountable to them.

And it’s extremely important to have that connection between the technical person who’s actually doing a lot of the programming and the information assurance manager, the management person who may not be as technical, but who nevertheless needs to have a very good understanding on the cybersecurity posture and the technical posture that their company needs to have. So, cybersecurity is a lot more than just people sitting in their basements on a computer hacking video games. Cybersecurity is also a lot of the management. A lot of the strategies are developed not necessarily by the technical people, it’s actually being developed by people who have a vision of how they want to see their company grow, how they want to actually maintain the data, data protection.

And also, you need to train both. Having purely technical people or having purely management people on the information assurance, both are going to be a failure. You have to intertwine the two and you have to make sure that they actually understand each other. And you have to make sure that the policy that people write can actually be implemented and translated into the technical world, because otherwise you’re kind of working in vain. Overall, I think there’s a lot of opportunities for cybersecurity people to grow, even if you start on the technical side, grow into the management. There’s a lot of opportunities like that.

Nicole Drumhiller: Wonderful. And so, I know I want to be respectful of your time as we kind of wrap up our chat today, but if there’s any one key takeaway that you’d want somebody to take from this conversation today, what would that be?

Andre Slonopas: If you’re looking for a great career field, something to get into, something you could stay with for the next 30, 40 years of your life, cybersecurity is great. Cybersecurity is sticking around. We’re not going back to analog. As a matter of fact, cybersecurity is only going to grow. Cybersecurity jobs are predicted to grow at 15% annually over the next 10 to 11 years. We already talked that 32% of the jobs are actually unfilled at this time. The cybersecurity product sales are going up over 13, 14% annually. The organizational cybersecurity budgets are increasing. The salaries in the field of cybersecurity are increasing. So, if you’re looking for a great career field to get involved with, I think cybersecurity is it.

Nicole Drumhiller: Wonderful. Thank you so much for your time today. Again, thank you for joining us, listeners. My name is Nicole Drumhiller, and Andre Slonopas, it was a great chat and I look forward to doing more of these in the future.