High-profile cyber attacks, including recent ones that have targeted Google, allegedly destroyed nuclear centrifuges in Iran and brought down the websites of major financial firms JP Morgan Chase and American Express, have led more people to realize what security experts have been saying for years: In the digital era, cyberspace is a battlefield.
Attackers’ impact on the companies and governments targeted can be costly, many times involving the loss of sensitive intellectual property.
Few people likely understand the stakes better than Corrinne Sande, coordinator for the Computer Information Systems program at Whatcom Community College in Bellingham.
Since joining the college in 1999, Sande has built the school’s CIS program into one that regularly earns national recognition and has expanded its educational offerings. In August 2012, WCC was given a $500,000 grant from the National Science Foundation to help develop a new two-year “information assurance” degree, with Western Washington University and the University of Washington developing similar four-year degrees in tandem.
Sande said the CIS program is a vital component in training future professionals to secure sensitive information in cyberspace.
There is an increased demand for IT security professionals in a variety of industries. What do you think is causing that?
Since everything is now connected and there’s a lot more commerce done on the Internet, there’s more demand to secure the networks that are connected. For most companies, their most important asset is their data, and there’s a lot of criminals out there who would like to steal that data.
In addition, it’s actually a national security issue in that cyberspace is considered a fifth domain of warfare. We have air, sea, land, we have outer space, and we have the Internet.
All those things combined, along with our critical infrastructure like refineries, electricity and so on, they need to be protected. So there’s multiple reasons that we need these people that have these skills.
When it comes to IT security risks for private companies, what do you think should be among the biggest concerns?
In this age now, the most important thing that the companies own is their information—so their recipes, formulas, databases, customers, credit cards and things like that. At a minimum, any IT person they have at their company should have some security training.
There’s also this idea that an IT team itself is solely responsible for the security of a network, but the fact of the matter is you need the entire company. All employees need to be invested in this. One of the easiest ways to break into a network is through social engineering, and that’s done through using an employee who doesn’t understand security.
Also, a lot of attacks are insider attacks. So for example, even if you have a very secure network, if you have an employee who wants revenge, then you’ve got another problem. One common thing that has happened is an employee is terminated but their network access is not, so that employee will then be able to later log in from home. You’ll also have situations where a company doesn’t even have a security policy, or they have a security policy and they don’t enforce it.
How important is it for a company to hire talented and well-trained IT security professionals?
It’s really important. An IT person typically, like a network manager, has total access to all of the information about the employees and the database. You have to make sure that not only do they have the training, but also make sure that they are someone you can count on for that. It’s a sensitive position.
And a lot of things that happen [within a computer network] are not because someone intentionally did something, it’s because they didn’t know any better. That’s where the training comes in.
I think that the biggest mistake people make is assuming that an IT team is securing their networks, because it’s really everybody in a company that should have some kind of involvement.
How has WCC’s Computer Information Systems program managed to be so successful?
Probably the main thing is that I’ve always looked at this program as not just a little program at Whatcom Community College, we’re actually part of this nationwide strategy to secure cyberspace. It’s our responsibility to turn out people that are highly skilled.
Also, our program is not just a series of classes that people take. The students in our program have a lot of different opportunities.
We run a free help desk where they fix computers for people. Students can participate in a national collegiate cyber-defense competition. We also have a grant for high school cyber camps, and our Whatcom students serve as mentors.
The main thing is that our focus is not on just this program, but it’s on national initiatives and how we can participate in those. And also that we’re making sure our program is recognized by outside sources as being valuable; that we’re teaching the students the right things to succeed.
For someone who might have an interest in a career in IT security, what is the best way to get started?
I do tell students when they come in and they’re trying to figure it out that they have to remember that this is a way of life. Working in IT is not a 9-to-5 job. You’re always having to learn new things.
If a person really wants to pursue this field, in order to do the security for IT, you have to understand how everything works. So I would suggest they take classes in networking, operating systems and hardware, and learn how to secure those things.
In our program we have veterans, and we have people coming back to school to get re-trained because they’ve lost their jobs. So, it’s not a field just for people right out of high school.
For business people without much technical training in IT security, are there some basic tips or lessons that can help keep personal or proprietary digital information safe?
At the very least, don’t click on a link in an email from someone you don’t recognize. You have to just be aware that there are people trying to get into your network and they are using various means.
They can social engineer their way in. So, you might get an email or a phone call from someone saying they need to reset your password, but they need your old one to do it. That’s an oldie, but a goodie.
Then, you can also have phishing attacks, where someone will send you an email [in order to break into your network].
But a lot of things happen just because somebody isn’t aware of everything that could happen. I think it’s important to just increase your understanding of what could happen to your machine and your network.
At the very least you should be running an antivirus and a firewall on your computers. At our help desk, the majority of machines that come in are infected with something. Either somebody downloaded something from a bad site, they browsed to a bad site or they installed a program from somewhere they didn’t recognize, and they’ve infected their machine.
In a business, there’s simple things that everyone should have, such as an acceptable-use policy for their employees and a security policy. Then they should also enforce those policies.
I’ve seen situations where companies do have policies, but they are never enforced. So for example, passwords should be changed at certain intervals, and passwords shouldn’t be posted on a sticky note.
Another thing, especially for private companies, is that they should be careful about what they are putting on their websites.
Because really, when an attacker is doing re-con, the first place they’ll go is to your website to find out about your company.
What information is risky to put on a website?
It’s not so much risky, it’s just that the more information that’s available, the more an attacker can use.
So, an employee directory, for instance, or information about your vendors. It depends on the nature of your business, but if you’re using a particular type of device in your network and you put your vendor on your website, then you’re giving information to an attacker.
Evan Marczynski, lead reporter for The Bellingham Business Journal, can be reached at 360-647-8805, Ext. 5052, or email@example.com.