Is it OK to throw temper tantrums and pout on social media since only our friends see it? Is hacking into other people’s networks a good way to be recruited by the CIA? Why should we worry about third parties accessing our data? Saint Rose cybersecurity experts weigh in on these and other topics, and offer tips for maximizing our safety.
The cybersecurity experts
Zumrut Akcam, Ph.D., assistant professor of computer science
Kimberly Cornell, Ph.D., assistant professor of computer science
Mark Gilder, Ph.D., assistant professor of computer science
Ian MacDonald, Ph.D., professor of computer science, dean of the School of Mathematics and Sciences
Are there hackers who turn their criminal experience to good purpose?
Cornell: You mean the glorified hackers on TV? The geniuses who end up working for the FBI? People may think that they’re testing their knowledge and training for the real world by hacking into places.
This is not an appropriate career path.
I knew some people who hacked into a game, hoping to get some sort of online reward. Well, lawyers showed up at their house.
Do not do this.
You will go to jail.
In addition, if you ever apply for security clearance, you will be required to declare all your previous hacking activities.
But we’ve heard that actual hacking is the best way to learn.
Cornell: There are ways of penetration testing with permission that falls into ethical hacking if you are interested in putting your skills to use in an appropriate manner.
MacDonald: As part of our cybersecurity undergraduate curriculum, we train students to get into the minds of hackers. We will make sure they fully understand the threats and attack methods, so they can defend systems when they graduate.
OK, then. How do we defend ourselves against hackers?
Gilder: It is important to first identify what your critical assets are – and build rings of security from there outward.
A lot of tools that companies use to detect malicious activity are based on usage patterns or behaviors. They monitor all activity: email, internet access, etc., and establish baseline patterns. For example, you arrive at work at 9 a.m., log onto your computer, open Word documents and so forth until 5 p.m. Now all of a sudden, we see activity after hours or on weekends.
Since this is outside of the baseline, the tool would raise an alarm, sending a notification to the IT group to investigate.
So we only have to watch for unusual activity.
Gilder: Think about the IT arena, where you have folks who, as part of their jobs, have access to critical assets/infrastructure. When we see accesses like this, we have to identify whether the access is just part of their normal work, or if it’s something malicious. We need to identify what they’re doing with the data. Reading? Updating? Deleting?
The biggest problem is false alarms, where teams are investigating these incident reports, and it turns out it was OK – this costs organizations in terms of lost productivity.
MacDonald: We’re seeing advances in artificial intelligence (AI) and machine learning, which allow you to better analyze these types of patterns. You can build models to reduce the false alarms. However, as you reduce false alarms, you risk a false positive, where you miss an actual incident.
The good news is that we have to worry only about the companies we sign up for, right?
MacDonald: What complicates matters is that virtually every organization uses a lot of third parties, consultants, software, and so forth. You might have a third party that does the maintenance for your company, such as HVAC. That’s how the Target breach took place.
Trying to manage all these third parties, and wrapping them into your view of where your risks are, creates a lot of headaches.
Sometimes it feels like, the more advanced we become, the more problems we have.
MacDonald: The growth of cloud-based storage creates new challenges. Some 10 to 15 years ago, if you wanted to steal my personal information, bank records, or grade books, they were physically on a computer at my house, and you’d have to break in.
Now those physical barriers are gone, and your files are on the cloud. You have to trust that Amazon or Google is storing those things safely and using the right forms of encryption. Your data is only a username and password away.
That doesn’t seem very secure.
MacDonald: For example, suppose someone stole a user name and password for an Amazon account. People often use the same credentials for many of their other accounts – now they have files, documents, photos, and any other confidential information.
Gilder: If you have an iPhone or an Android phone, when you take photos, as part of your agreement with Google/Apple, those pictures are being pushed up to the cloud.
Hackers can get to the photos on our phone, too?
Akcam: If your phone is hacked, your photos could show up anywhere online.
Cornell: Having compromising photos anywhere is a bad idea.
MacDonald: Some students use Snapchat to send photos or text that they assume are confidential and self-deleting, but there are apps that can capture screen shots without alerting the sender.
Akcam: Hackers can even get into your direct messaging on social apps – they might send you links to hack into your account, or message you directly.
Gilder: Any connection – your Bluetooth or wifi connections, for example – can all be hacked.
Is there no more privacy?
MacDonald: Nothing is safe. It is difficult to simultaneously protect data at rest, data in motion, and data you’ve received. Once you take and send a photo, you’ve done all three: It’s on your phone, it’s on its way to the cloud, and when it’s received, the recipient can spread it.
I would never take a photo that I wouldn’t want to see on the front page of a newspaper.
Gilder: That’s a good rule of thumb: Any time you’re composing a message or taking a photo, ask yourself, “What would happen if this were on the front page of The New York Times?”
Cornell: Anything you put up – photos, posts – lives forever.
Next time: The Internet of Things and the Safety of Those We Care About.
Did you miss the previous installments? Take a look at:
Part 1: How Our Behavior Puts Us at Risk
Part 2: Protect Yourself Without Becoming a Hermit