Grooming cybersecurity sleuths with Purdue University
Cybersecurity is no longer languishing on the side-lines of an information technology strategy.
When hackers could almost get away poisoning drinking water in the city of Oldsmar, Florida, or shut down an Italian Covid-19 vaccine-scheduling website, or take down the largest fuel pipeline in the U.S. resulting in shortages across the East Coast, there is a re-think on cybersecurity positioning in the overall technology domain. Add to this the numerous reports of data leaks across the globe.
According to industry experts, it is morphing into a force majeure, mutating into alarming shapes and strains - creating new avatars of malware, ransomware, and crypto crime, phishing, and distributed denial of service (DDoS) attacks - all veiled and laced with sophisticated algorithms, codes, and encrypted keys.
Cybercrime is no longer confining itself to hacking large enterprises or financial institutions. It has become all-pervasive – anything on the Internet is game for the hacker – either for money or perverse fun.
For instance, a few years ago, a hotel database theft would have resulted in sending innocuous promotional mailers to the guest list. But today, this data is ignominiously tied to ransomware – unless the hotel pays the ransom, guests cannot access their rooms because the electronic card system is hacked or selecting customers’ data for future ransom demand.
Even children and toys are not spared by cybercriminals as in the case of the CloudPets’ attack when the ‘Teddy Bear’ breach affected more than 800,000 user accounts which meant that all the personal audio recordings, which toy owners made, could have been compromised to get future ransom.
“Currently cybersecurity is shaping your personal life, your corporate life, your digital transactions, online banking transactions, your social profile, and of course, your corporate credentials. This data carries a significant amount of confidentiality, right from social media profiles, your identity and privacy and there is a dire need to protect it,” says Vishal Salvi, Chief Information Security Officer, Infosys.
New malware has become increasingly complex thanks to the pandemic that accelerated the shift to digitisation, work-from-home concept and mobile-linked financial transactions.
Moreover, with the number of devices connecting to the Internet, vulnerabilities are on the rise each day.
“We are living in a highly interconnected world, be it in the US or anywhere else in the world,” says Mathew Trampski, cybersecurity evangelist and Executive Director, Technical Assistant Program at Purdue University.
“The threats are increasing each day and so are the vulnerabilities. All of us have an average of seven to 10 devices regularly that connect to the Internet. When all these vectors, and all these services are being opened up they are throwing up more vulnerabilities which create more opportunities for the bad actors,” says Trampski.
Convincing people to take cybersecurity seriously can be a challenge. “You have to personalize it. Your cybersecurity hygiene, your awareness about cyber and information security issues, is very critical for not only you as an individual, the company you work for or your own business but also for your own family. This is something that you certainly wouldn't want to be compromised,” he points out.
Now, threats are harder to spot
Although there have been fewer mobile attacks in general, the attacks we are still seeing have become more complex and harder to spot.
Cybercriminals tend to mask malicious apps under the guise of legitimate applications, which can often be downloaded from official app stores.
On top of that, with mobile banking and payment apps becoming even more widespread, there is a higher chance of cybercriminals targeting these more actively.
Staying cautious and careful on the internet and avoiding downloading unknown apps is good practice.
When it comes to the security of finances in particular, it is better to be safe than sorry - Tatyana Shishkova, security researcher at Kaspersky
Today, it is no longer corporations and large brands that are being held to ransom. Be it an individual or a corporate user or a government employee, the risk factors remain the same for all. Except, perhaps the large corporations may have resources to get back on their feet but not so for several smaller companies and businesses.
Democratization of Cybersecurity
To mount a good defence mechanism, you need to first understand the offense. But in this curious case of cybersecurity, the offense is intangibly widespread – and pops up in the least expected and endless manner like moles in a Whac-A-Mole game (players use a rubber mallet to hit toy moles, which appear at random, back into their holes).
“If you look at the current awareness level or rather the lack of it, with respect to cybersecurity, it is clearly a major challenge – spread across different stakeholders,” says Salvi.
Every player in the ecosystem, has a different way of responding to digital technology and computer systems. Unfortunately, the fear factor is not so easily perceivable when it comes to use of digital and computer systems. That may be one of the reasons why people are unable to evaluate the kind of risks and challenges out there which manifests itself into ignorance and a complete lack of awareness.
“I think it's imperative for all of us, in the cybersecurity domain to create a higher awareness level. Call it change management, or a behavioural aspect of cybersecurity, or psychological aspect of cybersecurity,” Salvi says, while noting that he believes change is imperative.
“I believe this is crucial - apart from implementing various checks and balances in security protocols, we have to create a change within the organizational ecosystem, a cultural change call it as democratizing cybersecurity - making every individual understand his or her role, and accountability with respect to cybersecurity in their organizations.”
Catching them young
Although companies and individuals are realising that the most critical and intangible asset is data – be it personal data, financial information, security data or behavioural data – there still exists a wide gap in terms of public awareness and the critical or rather the imperative nature of cybersecurity.
Trampski thinks there are some positives too. “Almost every kid, at least in the U.S. grows up with a device in hand. Technology is second nature to them, and they are already connected to the world,” he says, reminiscing his time right before the personal computing revolution.
“If we can make a concerted effort to address cyber information security and data privacy, at a very young age, we can make them realise a career in cybersecurity is as exciting as say, a firefighter, and start to impact that skills gap,” he says.
Is cybersecurity a fun place to be in ?
“Well, it’s kind of a cool job – it’s like a Crime Stopper on the technology side. Sounds a bit cheesy but it’s fun. You're trying to prevent people digitally from accessing other people's information and having too much access and all those kind of things. So, you're like behind-the-scene a Crime Stopper. So, it’s fun. Kinda cool, too.” – Kristen Welk, cybersecurity professional at Infosys. Tweet
The other major challenge lies in harnessing talented individuals.
“We need to create a capacity building exercise – develop more university courses and even community college courses with certifications and give access to a larger population of individuals,” notes Salvi, while adding that there’s a need to create a proper career stream and a career graph for cybersecurity individuals so they actually know what they're getting into and chart a well-defined path for their growth and success.
“If we do adopt this two-pronged strategy, then we will be able to make good progress in terms of creating the right talent available for the demand, which is there in the market,” Salvi points out.
Moreover, this is in an extremely complex area with a large number of technologies and tools – always evolving. Therefore, for someone to become a well-rounded cybersecurity professional, the amount of investment of time and energy is much higher as compared to other domains.
“I don't think people realize how much goes into making their applications work and protecting people and assets – the firewalls and all the different checkpoints that keep the outside people from getting their information, their personal information especially when it comes to online buying or any digital transactions involving credit card numbers, passwords, any personally identifiable information (PIIs),” says Kristen Welk, a cybersecurity professional at Infosys. Welk doesn’t think people realise how the information available behind the scenes can be used against them.
Cybersec TAP at Purdue
Against this backdrop of burgeoning cybercrime attacks, the cybersecurity skills gap could not have come at a worse time.
In 2018, Infosys entered into a five-year Technical Assistant Program (TAP) with Purdue University to form a strategic partnership for technology innovation and U.S. workforce development. Through this partnership, Purdue provides classes and training for Infosys cybersecurity professionals.
Alarming shortage of cyber ninjas
Study by the Centre for Strategic and International Studies (CSIS) focusing on IT decision-makers across eight major countries indicates 82% of employers have a shortage of employees with cybersecurity skills.
Similarly, the 2019/2020 Official Annual Cybersecurity Jobs Report reported a 350% growth in open cybersecurity positions between 2013 and 2021.
The statistics don’t bode well according to the experts.
“There are 3.5 million cybersecurity jobs open across the globe, and 500,000 in the US. And only three per cent of bachelor's degree holders have the right skillsets for a cybersecurity position,” says Trampski, adding, “If you look at the statistics on the threat and vulnerability landscape, they're just as bleak considering the fact that 95% of everyone will be impacted by a cybersecurity breach within the next year.”
“It merely shows us that we have a big job to do. And the job that we're doing is important,” Trampski emphasises.
The genesis of the Infosys -Purdue collaboration began when Infosys drew up plans to increase its U.S. base workforce and started hubs around the country.
“The collaboration in cybersecurity was a natural fit. We've been studying and researching cybersecurity and involved in projects even before it was called cybersecurity. And our excellence in higher education combined with the incredible work that Infosys was perfect for us to start working on some things together,” says Trampski.
The mandate was clear from the start - to have a foundational cybersecurity understanding for every individual who works in the cybersecurity practice. And the search for the best led to Purdue, which has a robust curriculum to teach fundamentals and foundational elements of cybersecurity.
“That creates that competence which can then help them understand and interact with our clients and provide the right solutions for the problems the encounter,” says Salvi.
“Based on my experience, I can say, I didn't know anything about cybersecurity before I came in here. But as a young professional entering this industry, I believe cybersecurity is the future,” says Prudhvi Latha Kolanuvada, a cybersecurity professional at Infosys who underwent the training at TAP.
“This is certainly not a nerdy subject, for sure. Because once you are aware of what the threats are out there, there’s a lot more interest in the cybersecurity space. It is not the bookish knowledge that matters but the practical knowledge, you need to secure the assets,” says Kolanuvada.
Vile nature of the beast
Unfortunately, these days you don’t have to be a target to be a victim.
The security risk is manifested when a threat or attack comes in contact with a vulnerability. The moment you're on an information highway, malware is running there. And the moment you also go there, you have a good chance of getting compromised. That’s how the lateral movement works.
Suddenly, everybody's realizing this problem - right from a small-time chartered accountant who has maybe five computers or an architect who possibly never even bothered about antivirus. Now, suddenly, they realize that ransomware is coming in, and their whole data is getting lost, leading to significant impacts.
What’s even more compelling is the real-life events that affect the community at large and demonstrate the tangible and intangible impact on individuals from cyber-attacks. And, in a strange way, it is actually now creating the awareness to adhering to simple cyber rules. Today, there is a beginning - people are gradually starting to take cybersecurity seriously because now they're seeing the actual impact happening to them as well as to your neighbours.
Today, you realise the malignant nature of the cybercrime beast which is hitting back at everyone with a vengeance when:
- Your drinking water supply could have been poisoned and was just thwarted in time because an alert employee in Florida’s Oldsmar’s water treatment plant noticed the unusual movement of the cursor moving from 100 ppm to 11,000 ppm of sodium hydroxide (fatal in large quantities) and brought it back to the safe level.
- Or, you couldn’t obtain a date for vaccination for several days in the Italian region of Lazio where a cyber-attack forced the website to temporarily shut down.
- Or, you had a complete disruption of fuel supply to the south eastern part of the U.S with several flights being cancelled and long queues for fuel – all because of a single-factor authentication in the legacy VPN of the Colonial Pipeline Co., a child’s play for the hacker to break into.