It is easy to fall victim to the vastness of defending a security enterprise. After all, budgets are tight, personnel are few and far between, and you have to be right all the time because a chemical plant’s system cannot go down.
Yes, hackers can figure out a way into the network, but it is much easier to attack the weakest link to find a way in. That is the human side.
That is where Indiana State University Professor Bill Mackey, along with his students, comes in.
He works security from the human side.
One of the biggest stories in the past year involves the Russians, the Democratic National Committee and, possibly, the Trump White House. It also involves the exact focus of Mackey and his cyber security company, Alloy.
“A Russian cyber security team, part of the Kremlin … basically phished John Podesta’s (former chairman of Hillary Clinton’s presidential campaign) email,” Mackey said. “It was a fake email, trying to get somebody to click on it. It looked like a Google email, saying somebody is trying to access your account, you need to change your password immediately, click here to change your password.”
Podesta did take the time to show the campaign’s IT experts the email because something didn’t look quite right.
“So the IT guy sends an email back saying, ‘This is a legitimate email.’ But the IT guy, he committed a typo. What he meant to write was, ‘This is not a legitimate email.’ To his credit, it appears that he told Podesta to go through official Google channels to change his password, but he used the phishing link instead.
“That’s how Russia gained access to all of the Democratic National Committee files, gave them to Wikileaks, who then distributed them,” said Mackey, a 2012 graduate of Indiana State.
Preventing the human missteps is exactly what Mackey’s enterprise does that’s different from almost everyone else: They marry the technological part (the computer-code breaking) with the human element for a mixture of tech and cybercriminology.
“That human element is what we focus on,” Mackey said. “There’s still plenty of people out there writing code, but the vast amount of hacking now takes place through the human element.”
Like the human mistake made by Podesta and his associate, when Mackey is hired by a business that wants better cyber protection, he looks for the weakest link — human beings.
Beginning in the 1990s, the defense against cyber attacks began to grow, he said. Big cyber walls got put up making most systems pretty safe, particularly banks and other financial institutions.
“You can break into those systems, but it’s tough, and it takes time and the chances of getting caught are a lot higher,” Mackey said.
Hackers found the weakest part of a system is the person sitting at the computer, Mackey said.
Hackers think “Why should I go to all that trouble, with all of that risk, to get illegitimate access to a system, when I can just phish the assistant over there, log into their system with those credentials, and be there as long as I want to, and nobody knows it because I’ve got legitimate access,” he said.
Mackey said his company goes about protecting a company in four steps:
1. Social engineering, which is pure behavioral penetration testing
2. Individual differences, provided by Joe Nedelec, assistant professor of criminal justice at the University of Cincinnati
3. Computer/technical end, by Mark Stockman, associate professor of IT at the University of Cincinnati
4. Gathering the business’s demographics
Those demographics are then compared with Mackey’s large database of businesses that have suffered data breaches. His data set combines information about each breach with a substantial amount of business demographics, which allows Alloy Cybersecurity to find the most common vulnerabilities based on various business demographics.
“The basic idea is that we do what others don’t — we use evidence-based practices to tailor our recommendations for optimal cybersecurity from behavioral threats,” Mackey said.
For Mackey’s portion, he will employ a number of social engineering attacks, including sending phishing emails to employees.
“We’re going to do research on all of the employees and find out how vulnerable they are and why. I’m going to find where your favorite place to eat is and when you go to lunch. Then I’ll send you a phishing email saying, ‘We appreciate your business. Click here for your free meal.’
“And inevitably, we’ll get somebody to click on it. And if we don’t, we’ll just send another round out tomorrow. All it takes is one click.
All About Access
“We might pretend we’re somebody we’re not to get access to your server room. Because if I can physically get into your office, I don’t need to destroy anything, just plug a device in the back of your computer, which will recognize every keystroke you’ve made. Or I’ll tape on the outside of a USB drive the word, ‘Private,’ and then I’ll drop it on the floor. Somebody will pick it up, plug it into their computer and then it will begin recording data and give us access. Every business is only as strong as its weakest link.”
The good news is Mackey is teaching the next generation of cyberwarriors by helping to build the two new Indiana State classes, Intelligence Analysis and Cybercriminology.
“We’re teaching students about the behavior behind cybercrime, how to apply criminological theory to that, prevent it and the lingo of computers. It’s important that they can work alongside current IT staff in the field,” he said.
Alloy is already hiring Sycamores, and it’s paying off.
“I have four interns right now. So, these students can get some actual, practical field experience,” he said. “Two of the students I work with have been offered internships with penetration-testing companies starting in the fall. So far, the feedback has been good. Companies are saying, ‘This is the stuff we want. We want these students.’ It’s exciting. Really exciting.”
The more students who turn professional cybercrime fighters, the better, said Mackey, because right now the future looks pretty bleak.
“Cyber war is imminent, and it will be the most destructive thing the United States has seen,” he said. “They’re already in; they just lack the motivation right now to do more, but that’s changing. This is not merely a prediction from a purely academic sense, but is backed up by reports by the National Security Agency.”