Panelists boot up the conversation on cybersecurity
By Lana Sweeten-Shults
GCU News Bureau
It was a cybersecurity debacle to beat all.
Equifax, a major player when it comes to credit reporting, revealed hackers had breached its network in a series of hacks over three months this summer and that the sensitive information of about 143 million customers had been compromised.
Yahoo’s parent company, Verizon, on Tuesday divulged that, in 2013, the identities of all its users – roughly 3 billion of them – were at risk when cybercriminals cracked into its network. That number is three times as many users as the company previously reported.
Those cybersecurity rifts highlight how vital the field of cybersecurity has become as the world’s digital footprint continues to take larger and larger strides – something emphasized at a cybersecurity speaker panel Wednesday in the Antelope Gym’s North Lecture Hall. The event was a way to introduce those with an interest in the field to some industry experts and, ultimately, to try to build the cybersecurity workforce.
GCU is positioning itself as the go-to place for cybersecurity education, and this was the first of several such speaker panels, all on different themes, organized this school year by the College of Science, Engineering and Technology.
“Equifax was hacked because they didn’t do a (security) patch,” said Rachel Harpley, an Arizona Cyber Warfare Range recruiter and cybersecurity workforce developer for Recruit Bit and one of six panelists. A patch is software used to address a security flaw and keeps hackers from continuing to exploit that flaw.
She emphasized the importance for businesses and other organizations to address these security risks. “The business tradition has said, ‘We don’t have time to do patches. Doing patches costs us money.’ Thankfully, if anything, the Equifax (incident) will help us teach the businesses that not patching will cost you more.”
“It’s very hard to be the CEO of Equifax,” said panelist Scott McCrea, a CSET faculty member. “We didn’t update and patch our systems because it would have cost us $3½ million, and their stock value is down by something like 80 percent and billions of dollars that maybe they’ll recover. … They’ve earned their position as the laughingstock in the cyber universe because they were foolish beyond any kind of defense, and there will be legal liabilities that they’ll face for years. … Equifax is going to be damaged by this for a very long time to come.”
Panelist Nereo Loresto, a senior manager in security analytics at Charles Schwab, said, “Equifax’s problem was not their vulnerability. It was a culture of not caring. That’s what it was.”
Still, he said cybersecurity goes beyond companies not caring enough to secure their systems. The government has to do the same, and something has to change in the culture of the government as well.
“Security is not us (the cybersecurity experts). Security is everybody, literally everybody,” Loresto said. “Believe me, if you don’t think China is hacking your data, you are really putting your head in the sand. … It is the American public’s lack of desire to be part of the solution that they are taking advantage of.”
She relayed that countries outside the United States operate with armies of hackers, and the U.S. needs to do the same.
“These nation states have skyscrapers full of people that go to work every day to hack our country and to steal our data. … There are armies of people doing this. That’s why there are people like us who are so passionate about creating an army here in the U.S.”
GCU has focused on building a cybersecurity program over the past few years and now offers a bachelor’s degree in Information Technology with an Emphasis in Cybersecurity as well as a master’s degree in Cybersecurity.
Saturday, the new GCU-based Arizona Cyber Warfare Range – Metro Phoenix will make its debut with a soft opening and open house, to be followed by a dignitary-filled grand opening Nov. 15. While the range is not operated by GCU – it is a volunteer-run community organization – the University has partnered with the range and has provided the space and infrastructure to the group. It is a move that provides students with networking and hands-on opportunities and is yet one more tool in their technology education arsenal.
The panel of experts – it also included GCU IT Director Mike Manrod, GCU information technology security analyst Jim Biddle and Arizona Cyber Warfare Range core volunteer David Hernandez – shined a beacon on the industry and served as examples of individuals who have found a career in the cybersecurity world.
The panelists found their way into cybersecurity in different ways.
McCrea said his path started when he was young and began taking things apart.
“I was poor as a child,” he said simply. “Back then they had payphones. I was required to call home from time to time and check in. Frequently I didn’t have the dimes (to pay for phone calls).”
So he learned how to fix payphones so he could make free calls. He eventually joined the Air Force and, after showing an aptitude for electronics, was sent to work in a secure environment, where he learned about working on jamming enemies’ radars and radios.
Then he got a call: “Hey, we need somebody to help us build the space shuttle launching and landing system.”
“I immediately said, ‘You have the wrong number,” said McCrea, who told the audience about a conversation he once had with a general in the KGB.
“He explained how they had been taking over our systems and planting worms.”
McCrea was recruited into cybersecurity, and GCU ended up hiring him.
“I’ve had a wonderful time. … Now it’s your turn,” he told those in attendance, advising them to learn by taking things apart and putting them back together and by hanging out with people who are doing the job they want.
Biddle, who told the audience he had taken some wrong turns in his cyber career, used to work for Microsoft. Cybersecurity had always been a hobby.
“There are a lot of resources on the web,” he said, for those who want to learn.
The Arizona Cyber Warfare Range is a good resource, too, and is an organization that panelist Loresto refers people to when they mention they want to go into cybersecurity.
“We have $100,000 of donated equipment,” said Hernandez of the Metro Phoenix range, which is in Building 66 at the University’s 27th Avenue location. “… Oh! This is a cool one. We have a POS (point of sale system).”
Those who want to learn can go there to hack into systems or clone security badges, for example, so they can better learn what hackers do and can better learn to fight them. It’s a place for hands-on experience and for something important in cybersecurity – networking.
One person to network with is Hernandez, who is a program coordinator for the National Initiative for Cybersecurity Education RAMPS grant. In addition to his volunteer work with the range, he promotes cybersecurity internships and apprenticeships.
College of Science, Engineering and Technology Assistant Dean Heather Monthie asked the panelists each to leave attendees with security advice.
“Be aware of what you click on, beware of what you open,” Manrod said.
Harpley added that, whatever you do, never accept standard security settings on your computer.
McCrea advised audience members to use the administrative privileges they have on their computer and make a new user account that has no privileges.
“My family hates me,” he said with a smile.
Earlier in the talk, Hernandez told the audience to know how to network: “Know how to say hello and continue with the conversation.” He also said to attend cybersecurity meetups and rattled off a host of helpful sites, such as hack.me. Fellow range volunteer Harpley directed attendees to www.swcse.com, which aggregates the cybersecurity events in the state.
Loresto had this one piece of advice: “Don’t be afraid to learn … I assure you, the hackers are using it against you.”
And Manrod emphasized that one important piece in the cybersecurity puzzle these days is talent. “We need more people in the game. We need you. We need intelligent, forward-thinking people to come in, to plug into the range, to go into cybersecurity degree programs.”
He added, “Just because you’re three months from graduating with a degree in something noncyber, that doesn’t mean you can’t play, too. It’s that knowledge development.”
Contact Lana Sweeten-Shults at (602) 639-7901 or la[email protected].