
Cybersecurity

Cybersecurity Special Coverage

Threat Level: Constant


Brian Levine says the UMass Cybersecurity Institute’s work is “security for the common good.”

 

Make no mistake, we live in an increasingly interconnected world, and the technology that makes that possible is always under threat from those who would mine, expose, and exploit data — often in life-altering ways. So while it’s no surprise that the cybersecurity field is rife with job opportunity, exactly how much opportunity (a half-million open jobs nationally, according to one study) may still raise eyebrows. Area universities with cybersecurity degree programs hope those statistics also raise interest in a challenging field that offers good pay and the chance to do some truly meaningful work.

It’s impossible to envision a world that doesn’t need cybersecurity, Brian Levine said, and that’s not exactly good news.

“I don’t think there’s any way this will go away, unfortunately,” he said, after listing common threats ranging from malware and ransomware attacks to massive breaches of consumer data. “It’s an ever-present problem. So what we do here is really important.”

He was referring to the UMass Cybersecurity Institute on the Amherst campus, which launched in 2015 with the mission of advancing what it calls “security for the common good,” said Levine, the institute’s director. For example, he has worked over the past decade to build tools used by law enforcement around the country — and the world — on cases of internet-based child sexual abuse (for example, the sharing of exploitative photographs).

“That’s a privacy issue, and a forensics issue,” he said, stressing that the institute’s researchers never lose focus on the human benefits of their work — in other words, it’s never just a technical exercise.

“The courses we offer are influenced by research that we do,” he went on. “We have a lot of pride in moving the research we’re doing into the classroom.”

That high-impact work is appealing to many who enter this profession, but one of the most obvious draws is the career opportunity. Matt Smith, director of Cybersecurity programs at Bay Path University, noted that a half-million jobs in cybersecurity are open across the U.S. — more than 20,000 of them in New England, and roughly two-thirds of those (13,389, according to the national CyberSeek research project) in Massachusetts — the 12th-highest total among all U.S. states.


“The industry is changing so rapidly,” Smith said. “Turn on the news — one day they’re talking about ransomware, another day it’s the Colonial Pipeline attack … it’s all about security. So, workforce in this industry is in demand.”

That’s the other side of the ‘bad news’ coin — at least for people who want to make a career of defending against threats that will only continue. “It’s real job security, with high starting salaries. You’re going to retain employment and have opportunities to upscale.”

Reflecting the many different niches in cybersecurity, Bay Path offers three undergraduate degrees in the field — digital forensics and incident response, information assurance, and risk management — as well as a master’s degree in cybersecurity management.

“We renew the courses every time we go live, sometimes two times a year,” Smith said. “Every time it’s being presented to another cohort, we look at the information being presented and decide if it’s still applicable, or how it can be improved upon.”


Matt Smith says the constantly evolving nature of threats means job security and advancement opportunities for today’s cybersecurity professionals.

For example, “the Colonial Pipeline incident hadn’t happened two years ago — so, let’s talk about that this year and remove something else from the course. We’re always going through the courses, tweaking them, fine-tuning them, and I think that sets us apart from other universities. We handpick the material we incorporate, and we update it, and we use the best forensic software we can.”

And that’s a challenge, said Beverly Benson, Cybersecurity program director for the American Women’s College, Bay Path’s all-online arm, which offers intensive, accelerated versions of the undergraduate cybersecurity programs taught at the main campus.

“I am constantly doing research on threats, making sure my curriculum and content is fresh, because the reality is, those individuals who are trying to attack systems, they don’t take vacations,” she told BusinessWest. “We need to stay abreast of everything to make sure students are getting as up-to-date a curriculum as possible.”

The industry’s constantly evolving nature makes it attractive to many career seekers, she added.

“It’s not a repetitive type of field. There may be a framework to adhere to, but as technology advances, so does the work that needs to be done. Our world is becoming more connected and interconnected, and data is everything. Think about the gadgets in our homes — even washing machines, dryers, and stoves are connected to the internet. We need people to understand how to keep that data safe.”

For that reason, Benson went on, “cybersecurity touches everyone, whether it’s healthcare, financial services, food service, the travel industry, the Department of Defense, you name it. We’re a very interconnected world, and we’re able to do things faster because of data — so we need to protect that data, whether it’s at rest, in transit, or in use.”

 

Defending Data

Levine listed a number of ways the cybersecurity research — and classwork — at UMass affects real people.

“One professor looks at ensuring that people have censorship-free access to information on the internet, which can be very important if you’re a dissident in a country that has censored or filtered it,” he said. “Another professor works with differential privacy, and his technology is being used by the U.S. Census.”

That term refers to technology that allows the government, corporations, or anyone else to release statistical information while not exposing people’s individual data.


“One problem with studies that collect information about you and release it later is the possibility that someone’s personal details can be inferred by looking at the data set,” Levine said, noting that differential-privacy measures ‘fuzz’ the information so the statistics are accurate, but don’t reveal information about any one person.

“We have courses on what some people call ‘ethical hacking’ — how to analyze a computer for its vulnerabilities and learn to defend those vulnerabilities. It’s teaching students to be white hats,” he explained, adding that other classes delve into reverse-engineering security, digital forensics, ethics and law, and securing distributed systems — which, these days, means cryptocurrency.

“Cryptocurrencies are one of the hardest challenges — no one is in charge, and people are exchanging things of value,” Levine said, adding that, whatever the topic, UMass brings in experts with practical experience in the field to teach students. “We don’t want everything taught from an ivory-tower point of view. And we want to teach techniques that will survive past graduation in a quickly evolving field. It’s not just computer science.”

At the American Women’s College, Benson said the average age of a cybersecurity student is 35, many no doubt drawn by the expansive opportunities in the field. “We have career changers, we have people in IT fields who are looking to specialize, and some are new to it, looking to learn more about cybersecurity and join the workforce.”

She’s also gratified that the program is making a small dent in what is currently a male-dominated workforce, to the tune of 80%. Part of the pitch, she said, is the reality that work in this field is wildly varied.

“We have the opportunity to demystify cybersecurity,” she said. “I explain to our women that cybersecurity is more than someone being in a basement coding. Part of cybersecurity is things like risk management, which can be a more consultative approach, helping someone understand assets, risks, and how to protect against vulnerabilities. Those are not technical skills; those are essential business skills.”

Smith agreed. “This hits on financial services, healthcare, government, you name it. Every industry has been affected in one way or another by cybersecurity.”

He should know, having worked in a number of sectors, ranging from the Pentagon to the financial-services world, and he often calls on professionals who actually work in those fields to bring their real-world expertise to Bay Path students. “A lot of programs are computer-science-driven; they’re experts in coding and programming. When you jump into cybersecurity, it’s a different animal.”

Introducing more women into the field, and all the sectors it influences, would be a healthy development, he said.

“I’m the program director, but also their cheerleader,” Benson agreed. “They know my motto is ‘dare to dream,’ and having a diverse workforce will bring about diversity of thought, diversity of problem solving, diversity in the ways people will collaborate. And I think that’s so needed.”

 

Making Connections

Another needed element is networking and making connections in the field early, Smith said. Many Bay Path students take advantage of a Mass Cyber Center mentorship program, working with large companies like Baystate Health, Travelers Insurance, and MassMutual.

“Networking doesn’t happen only when you go to conferences,” he said in explaining the value of such programs. “And most employers, after an internship, offer something on the spot — they’ll say, ‘please, when can you start?’”

That’s huge for new graduates, who typically enter the work world in significant debt. “We’re one of the industries that actually tackles that cohesively. We’re actually getting them employed at a very high-level-paying job, thus cutting down on student debt,” Smith noted, adding that a graduate’s employer will often pay for further education as well.

Speaking of connecting students with careers, the UMass Cybersecurity Institute recently secured a renewal of its CyberCorps Scholarship for Service program, sponsored by the National Science Foundation, which began in 2015.

The latest grant will support approximately 31 scholars at the undergraduate and graduate levels in the university’s computer science and electrical and computer engineering degree programs by offering them full tuition and fees, a stipend ranging from $25,000 per year for undergraduates to $34,000 per year for graduate students, and a professional-development fund for one to three years of their degree program. In addition, students complete an internship at a federal agency during the summers and, upon graduation, work full-time at a federal agency in a cybersecurity role for one to three years at full pay and benefits. Then they’re free to move on, but many don’t.

“We’ve done this for 34 students already, and the vast majority have stayed in the government after their service period is up,” Levine said, noting that federal opportunities range from working at the Pentagon to protecting land and wildlife with the Environmental Protection Agency; from tracking down cybercriminals with the FBI to joining the Cybersecurity and Infrastructure Security Agency, which swoops in to manage ransomware attacks.

“This program will help create a new generation of cybersecurity professionals and researchers to address novel and challenging problems facing society,” said Sanjay Raman, dean of the College of Engineering at UMass Amherst. “These students will help to modernize the executive-branch workforce, advance science and technology at government laboratories, and secure our national defense.”

It’s that kind of real-world impact that inspires those who teach the next generation of cybersecurity pros.

“This is why I get up in the morning,” said Bay Path’s Smith, who worked in counterintelligence around the time of 9/11 and remembers how the world changed. “We did a lot of things to protect our country, and I’m proud of that. Now, I want to give back to the students and help them pick up some of the stuff I’ve learned, so they can excel in a workforce that’s begging for anybody with interest in their field.”

His job, and that of his department, is to stay at the forefront of developments in the field — and, again, they are constant — and continue to hone and evolve the program so it remains relevant and on the cutting edge.

“We want our students to stand out in the industry and get hired,” he said. “And we’ve been very fortunate — our students are landing some amazing jobs.”

 

Joseph Bednar can be reached at [email protected]

Cybersecurity

Vulnerable Population

 

When people think about cybersecurity threats, Stephanie Helm said, they often think only about the technical side — the ways in which electronic devices can be compromised and data stolen.

They sometimes forget about the human side of the equation — but that’s where older adults are often especially at risk.

“There’s a technical vulnerability that can be exploited, whether it’s somebody’s password, exploiting a vulnerability because they failed to update the device to include a patch, or maybe they’re using an unsecured WiFi when they’re in a public location,” said Helm, director of the MassCyberCenter. “So there’s a technical component that everyone using the internet is facing today.”

Just as critical, however, is what she calls the “social engineering of the individual,” where a victim willingly divulges information based on the fact that somebody’s engaging them in a personal way.


“Older folks might not have the comfort level with the technology to secure their information,” she said, “and they may be more vulnerable to the social engineering.”

Helm shared these thoughts and others during a webinar presented last week by LeadingAge Massachusetts, titled “Cybersecurity: Helping Older Adults Stay Safer on the Internet.” She joined Rubesh Jacobs, managing director of 24/7 Techies USA, and Judy Miller, director of Technology and Accounting for Kendal at Oberlin in Ohio, to discuss the reasons seniors are increasingly falling prey to online and e-mail scams, and what can be done about it.

“The number of scams leading to financial loss has been dramatically increasing since 2019,” Jacobs said, citing a Federal Trade Commission (FTC) report that the number of online scams tripled between 2019 and 2020, outpacing phone-call scams — which actually declined slightly — for the first time. Meanwhile, e-mail scams more than doubled.

“The acuteness of that spike is shocking,” he added. “We’ve also noticed this trend in our own call centers; 28% of calls we get for help are somehow related to fraudulent activities online.”

According to the FTC, Americans age 60 and up are falling prey to tech-support scams — in which someone poses as a computer technician to gain remote access to the victim’s computer — about 475% more often than those ages 20 to 59. (By contrast, the younger group falls victim to online-shopping scams 60% more often than seniors.)

“Senior citizens are really in that nexus where a criminal can get at them through technical means, or they can get at them through social engineering” — and often a combination of both, Helm said. “The protections you put in place have to look at both of those aspects because you’re not quite sure which of those things a person might be most vulnerable for. I think that’s really troublesome.”


Effective cybersecurity, she explained, considers people, processes, and technology working together to make someone more resilient and likely to recognize scams.

“The components of social engineering are worth thinking about,” she added, noting that a scam might begin with a realistic bot, either on the phone or online, that shifts over to a live scammer if the victim responds.

Those victims, Helm said, are often lonely and want to talk to someone, or they’re trusting and grateful that someone wants to help them solve a problem, which is why scammers try to establish trust.

One reason for the recent spike in cases is that many older adults were much more isolated starting early in 2020, with family members avoiding most visits until after COVID-19 vaccinations arrived, she noted. But families do need to engage with these topics. “Having an ability to ask questions or to talk about things they’ve been presented with in a safe manner is really important.”

But seniors are far from the only victims, Helm said. “If they continue the engagement, these are professional people who know how to hit those emotional buttons and continue that relationship with the hope that somebody is going to divulge information.”

 

It Takes a Village

Miller has worked for Kendal Corp. for 28 years, so she’s seen these threats evolve at her own facility, which offers units for independent and assisted living, memory care, and skilled nursing.

“Seniors lose an average of $500 or more when they’re scammed, sometimes due to the fact that they are often trusting and polite, they own their own home, and they have good credit, so they make a good target,” she explained. “They have also been falling prey to cyber incidents because of their increased use of the internet.”

Scams that have targeted her residents have taken many forms, from imposters posing as legitimate government agencies or companies requesting payments to fake but attractive offers for gift cards, and much more. Most originate from e-mail, she noted.

When Jacobs asked Miller how often she hears such things, she responded, “it’s almost more important how much we don’t hear about them.”

To make sure people stay educated, if she hears of a scam targeting a resident, all residents are alerted, and some tech-savvy residents will even spread the word themselves if they encounter a scam attempt. “It’s really engaging the entire community to help each other in preventing some of those things from happening.”

Once a scammer gains someone’s trust, Helm said, they often introduce an element of urgency — the idea that the victim has to act now to get a deal or avoid a penalty or legal trouble.

“We should talk about how these scams exist and give senior citizens the confidence that they can recognize when this doesn’t make sense and avoid that sense of urgency to act, because that’s where you make a mistake,” she explained. “It’s perfectly acceptable to say, ‘I do all my business by mail — put a letter in the mail to me, and I’ll respond to you.’”

But it’s easier said than done, she admitted, especially at a time when many seniors — and younger people, for that matter — have been more isolated than usual.

“I think it’s difficult for anybody in society to be fully armed and resilient. I feel if people become isolated in their old age and are not as familiar with some of the technology, they can get intimidated. So this is an area where we’re trying to see if we can be more helpful to them.”

Family members can help educate their older loved ones by asking gentle but probing questions about what may be going on, the webinar participants noted, and encourage residents of senior-living communities to call an administrator if they encounter a suspicious e-mail or think their information may have been compromised. And, of course, they should emphasize the importance of protecting passwords and other sensitive information, not clicking suspicious links, and shopping only at reputable, well-known websites.

“If it sounds like it’s too good to be true, it probably isn’t true,” Helm said. “I like to talk with senior citizens about having confidence in the skeptical skills they had throughout life. These are scams that happen to be on a computer, but they’re scams we grew up with since we were kids — bait and switch, or acting like an imposter.”

She takes a broad view of threats, having served in the U.S. Navy for 29 years. After her retirement as a captain, she taught military operations, specifically on integrating cyberspace operations into wargames.

“That was an opportunity to talk about how cybersecurity or cyber operations can affect operations that you traditionally would not think they would impact,” she explained. Now, in her role with the Mass Cyber Center, she knows there are few areas cybersecurity doesn’t impact — and that older Americans are often especially at risk.

“Today,” she said, “we all know this has great consequences to our daily lives.”

 

Joseph Bednar can be reached at [email protected]

Cybersecurity Special Coverage

Risk and Reward

If the COVID-19 pandemic has taught businesses anything, it’s that employees, in many cases, can do their jobs from home — which can, in theory, lead to cost savings. But also expenses — the type of expense that, if ignored, can lead to much bigger losses.

We’re talking about data security. And what remote workers need depends, in many cases, on how long they plan on staying home, said Sean Hogan, president and CEO of Hogan Communications in Easthampton.

“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease,” he told BusinessWest. “But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”

And a sometimes messy one. In a shared workplace, Hogan noted, “you might have great security, firewalls, routers, you have security installed, you make sure all the security is updated, you constantly have the latest patches and revisions.”

But working from home poses all kinds of issues with the unknown, the most pressing being, what programs are running on home devices, whether those devices are loaded with viruses, and whether they can infect the company’s servers when they connect remotely.

“We’re trying to control security at someone’s own bandwidth at the house, where three, four, or five people may be trying to jump on at the same time,” he added. “It’s not shaped at all; it doesn’t prioritize any applications or traffic. Now, there are ways to do that — we can install SD-WAN software that allows us to monitor the connection and prioritize traffic like Zoom, Microsoft Teams, or GoToMeeting. That way, you don’t have everyone breaking up and having issues.”


But that doesn’t solve the issues of security holes in home wi-fi — which has weaker protocols, allowing hackers easier access to the network’s traffic — as well as the human element that makes workers vulnerable to phishing scams, which are the top cause of data breaches, and insecure passwords, which allow hackers easy access to multiple accounts in a short period of time.

“The Internet has become the Wild West over the last 10 years,” said Jeremiah Beaudry, president of Bloo Solutions in Chicopee, starting with scam e-mails — from phishing attacks to realistic-looking but nefarious sites that try to wrench passwords and data from users and install malware on their computers.

“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client,’” he noted. “You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”

That combination of possibly flawed technology and human error makes the home office a particular concern in the world of cybersecurity.

“Nobody has the exact answers right now for how to make the most secure connection at a remote office,” Hogan said, adding that going to the cloud has been an effective measure for many businesses, while others have taken the more drastic step of setting up physical firewalls at remote sites for key employees — say, for the CEO or CFO. “We’ll lock them down if they’re actually connecting to files and servers that are really confidential.”

Possible solutions are plenty, he said — but it all begins with knowing exactly what equipment remote employees are dealing with, and what threats they pose.

Viral Spread

COVID-19 isn’t the only fast-spreading infection going around, Hogan said. In fact, “45% of home computers are infected with malware. That’s an eye opener for many people. It’s a huge issue, and removing it is a huge challenge.”

One problem is the human element — specifically, how users invite threats in by not recognizing them when they pop up. Take the broad realm of phishing — the setting in which people receive such pitches can actually make a difference in how they respond, Beaudry said.

“It’s harder to sift through it when working from home; it’s not natural. You’re out of your element when you’re sitting at your desk in your pajamas, as opposed to being in your office at work. You may not be reading your e-mail as carefully as you normally would. You may not be on alert.”

A big piece of the puzzle is end-user awareness, he said. “You want to have your employees educated about what’s out there, so they know how to spot forgeries.”

Alex Willis, BlackBerry’s vice president of Sales Engineering and ISV Partners, recently told Forbes that companies trust their employees to do the right thing, and workers are generally honest, but trust can be a dangerous thing.

“The problem with just trusting people is that employees don’t always do this on purpose,” Willis said. “Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.”


Jeremiah Beaudry says home networks aren’t typically built to run as efficiently — or safely — as those in a workplace.

Again, it’s that issue of the unknown, Beaudry told BusinessWest. “You don’t know what they have going on with their home networks. We didn’t set up the home connection, we don’t know what they have, and everyone has different people on it. Some are borrowing it from their apartment complex or sharing it with the neighbors, and they expect the internet to work perfectly. It’s not going to.”

In an office, on the other hand, everyone is using the same network, running at the same speed, with the same level of security and firewall protection. “Then, when they go home, there are so many variables.”

The best-case scenario is to give employer-owned devices to employees so they can remotely manage information.

“You can put antivirus on an employer-owned device; when they’re using their own devices, you don’t know what they’re doing to protect it,” Beaudry added. “And if the employee is laid off or fired, you would have the ability to control any employer-owned data.”

At the very least, he said, companies should encrypt the traffic between their network and individual users’ home computers.

“We put monitoring agents on remote clients that monitor for any viruses or malware and will update their antivirus and malware protection in some cases,” Hogan added.

Vigilant Approach

None of this completely addresses the speed and efficiency issues of home devices. “Usually, in a home office, they pay for their own bandwidth, and the business can’t say, ‘we don’t want your kid playing Fortnite,’” Hogan said. “That’s the challenge.”


Some clients will pay for a second, business-only connection for remote workers, he added. “But that’s pretty extreme; not many are doing that.”

More popular — and effective — is the move to a virtual environment. Working in the cloud, he noted, means not worrying about the hub-and-spoke relationship between physical servers and computers that’s the biggest weak point for security. “Most of my clients have eliminated that weakness.”

For some clients, the cybersecurity issue is especially critical — take medical businesses, for whom privacy is paramount in the HIPAA era. “That changes the game completely,” Hogan said, noting that one resource for companies handling sensitive data is a SOC, or security operations center.

“Clients who really value security can sign up with a SOC team that responds in case of a breach,” he explained. “It’s a lot of monitoring, detecting, and responding.”

Delcie Bean, CEO of Paragus IT, said any investment in platform migration and remote work has to be accompanied by investment in strong security tools — and education.

“The legacy tools and technologies used to secure networks for the past 10 years need not apply for this next wave of mobile workers,” he told BusinessWest. “Security of the future will be a lot more about multi-factor authentication, deep encryption, and will involve a lot more end-user training as well as testing than the command-and-control style approach of the past.”

Hogan agreed. “Password management is so massive,” he said, noting that people resist simple protections like multi-factor authentication, or even just using complicated passwords, or different passwords for different sites.

“We are also dark-web monitoring pretty consistently,” he added. “The dark web has been on fire lately — a lot of breaches.” Once data fall into those hands, the damage is done, he added, “but the important thing is to know what got breached, and if you can tell what credentials are out there, so you can change them.”

The bottom line, Beaudry said, is to make sure employees use unique passwords, encrypt their remote connections, and do not use tools that are potentially vulnerable.

“And there’s a long list of tools known to be exploited by hackers, so it’s good to check with an IT professional before using any remote desktop method,” he added. “Some methods require you to open firewall ports that can leave you vulnerable to ransomware and all sorts of awful data breaches. The main thing is to make sure your firewall is locked down and no unnecessary ports are open, and you have backups of all data.”

That’s a lot to consider when moving into an era of expanded remote work — some of which comes at a cost. But the cost of ignoring it is much higher.

Joseph Bednar can be reached at [email protected]
