Date: 2022-08-01

1 You’ve recently been named to Gov. Eric Holcomb’s Executive Cybersecurity Council. What is the purpose of the council?
A: As we frequently see in the news, the cybersecurity threat landscape doesn’t discriminate. Enterprises, small businesses and critical infrastructure such as utilities, health care, financial services and more are all subject to significant economic disruption – or even safety of the citizens. The Indiana Executive Cybersecurity Council was formed with Gov. Holcomb’s signing of Executive Order 17-11 in January 2017. The purpose of this council is to both advise and produce materials to aid organizations classified as critical infrastructure in the state of Indiana.
2 Are there cybersecurity initiatives you hope to focus on while on the council?
A: My focus on the council is within two working groups – health care and workforce development.
I’ve spent the last part of my professional career working with health care organizations related to both their digital transformation and cybersecurity efforts, and it is frequently made clear that those organizations that are below the “cybersecurity poverty line” have a disadvantage against threat actors who will make use of that fact.
Working to help empower those organizations that make their life’s work taking care of everyone else is a necessity. Additionally, the workforce development working group is designed to make sure that programs are put in place to develop the next generation of cyber defenders. Creating that future is just as important as protecting the one we have now.
3 The FBI recently reported that more than $43 billion has been stolen through business email compromise attacks since 2016. Why do social engineering and phishing techniques continue to flourish?
A: Social engineering, which is simply the act of tricking someone into taking action or presenting information, continues to be successful because many times it’s human nature to trust other people.
If someone comes to your place of work dressed in coveralls and a name tag that has a contracting company’s logo on it with a ladder in one hand and a toolbox in another, you’re likely to open the door for them and not think twice.
The same methodology can be used in other situations where we see or hear one thing, and we instinctively know what we’re supposed to do or how to react.
The same holds true for phishing; the attacks are extremely sophisticated and even more so if they’re targeted. They will send from a fake address using a familiar format to something you see every day hoping you won’t think twice.
4 You coach Indiana Tech’s cyber defense team – a national powerhouse. How does a cyber defense competition work?
A: We compete in eight to 12 competitions year-round that vary in topic and format, though our flagship cyber defense competition is the National Collegiate Cyber Defense Competition. In this competition students are placed into a fictitious company where a previous disgruntled IT staff not only did a poor job with proper security but performed malicious actions. It’s the student’s job to enumerate all of the IT systems, fix the security flaws, keep core services functional and respond to business needs, all while defending against live-action hackers.
In other competitions we will perform computer forensics, vulnerability assessments, and most competitions are done to mimic an exaggerated function of an industry professional.
5 Hollywood’s influence touches so many points in our culture. Knowing that drama is what drives fiction and nonfiction, is there a movie, documentary or TV show that gets cybersecurity “right” in terms of people involved, threats, etc.?
A: Hollywood absolutely influences what society thinks about cybersecurity. As with most professions that are portrayed in film, there are inaccuracies that are either due to a lack of understanding or simply because it wouldn’t be entertaining otherwise.
I am repeatedly asked if spectators can come watch the Indiana Tech Cyber Warriors compete, and the answer is – you can if you want, but it’s just a bunch of people quickly typing and clicking!
“Mr. Robot” is a TV show that really gets it right. The show had great cybersecurity advisers and is one of the only productions that doesn’t make industry professionals cringe.