Wanted: A Few Good Geeks
Cybersecurity, a rapidly growing field for the future
By Jeff Schwachter
It’s not just guns, tanks and boots on the ground that will help protect America in the modern fight against terrorism.
According to experts, sophisticated tools to fight cyber crime (and qualified people who know how to use them) are increasingly needed, and they will become an even greater asset to the nation in the near future.
Along with organizations such as the U.S. Military, the Pentagon, local law enforcement and other agencies actively recruiting specialists in cybersecurity, experts warn that individuals and businesses (of all sizes) need to be prepared for cyber crimes, which are on the rise.
Even in Cumberland County.
While local law enforcement and government agencies at all levels police cyber crime and offer tips to both citizens and businesses, other groups and organizations are helping to spread the word about cyber crime prevention. Last month, the Greater Vineland Chamber of Commerce’s membership luncheon included a speech by David Weinstein, the director of cybersecurity and chief information security officer for the State of New Jersey’s Office of Homeland Security and Preparedness, on cybersecurity and available resources for local small businesses (watch his speech on the video accompanying this article and on Comcast TV 22 in Cumberland County beginning this week).
“Contrary to popular thinking, small businesses are attractive targets for cyber-criminals,” says Weinstein. “Not only do they possess a lot of valuable data, but they often lack the human and technical resources to detect, mitigate, and respond to cyber threats. For small businesses, cybersecurity is about protecting their reputation and limiting liability in the event of an incident involving customer or proprietary information.”
Edwin Alicea Sr., public safety director for the City of Vineland and a retired lieutenant with the Glassboro Police Department, is one of the county’s experts on cybersecurity. Not only does he speak at similar business gatherings in the area on the subject, he also teaches classes on cybersecurity at several local colleges and universities.
He tells The Grapevine that there are many precautions individuals and business owners can take to help avoid becoming the victim of hacking or cyber crimes.
“There are precautions that most people do not really give a whole lot of thought about,” says Alicea. “[For example], they will open an e-mail regardless of who it’s from. These are types of things that people don’t pay attention to. For example, they will get an e-mail with a logo from a [well-known] company, be it Paypal or Amazon or companies of that nature where they have shopped before and a frequent [hacking] attempt is through these types of fake e-mails telling you that your information has been hacked and to ‘please provide your information to confirm if it indeed has been hacked’ and a lot of people fall for that. They’ll go ahead and just provide their information. Now, they’ve basically given a key to somebody to use their identity. It’s called ‘phishing,’ where they’re basically fishing for more information.
“It is very prevalent, and it is very lucrative for the people who are trying to get your information.”
Alicea, who spoke about cybersecurity at a recent Big Brothers Big Sisters event, held at the NJ Motorsports Park in Millville, says that for businesses of all sizes, “you can have the biggest firewalls, most security cameras, tightest access control to [the digital side] of your company, but your employees are the weakest link.”
He adds: “Just take social networking. Say, I meet you at a Starbucks and we start having coffee and I ask you, ‘Hey, who do you work for? What do you do? What kind of security do they have?’ What seems to be a social, friendly conversation, it [could be] really designed to get information about your company that you wouldn’t give a second thought about giving, however, it’s important from the person who’s trying to get it from you. For example, ‘What kind of firewall do you use? How good is it? Who do you use for IT?’ — things of that nature. So you think you’re having a social conversation with someone you met [online] but in reality they’re looking for information that’s going to help them get what they want.”
Citizens should not only be wary of cyber crimes taking place in the digital sphere, but in personal conversations as well. You never know who is listening — and why — around the corner, says Alicea.
“I’ll give you another good example. And I’m guilty of this, where on a holiday just in a sheer panic of time I will order something online from a coffee shop and here I am, although I’m trying to be careful of who’s around me, I’m still giving out my personal information by talking to someone or giving my debit card over the phone — ordering something for my wife or for my family or something.”
There are a number of resources for both citizens and businesses on the county, state and federal levels. Alicea says the Vineland Police Department gives out information (and gives presentations) pertaining to cybersecurity. There is also the state Web site cyber.nj.gov, which includes numerous links, resources and information for New Jersey residents and businesses.
“Our police department often does presentations on cyber crime,” says Alicea, recalling recent presentations to local business owners and at the Civilian Police Academy.
“Civilians come and officers speak on all sorts of crime-prevention issues and this is a major one these days.”
And the crimes aren’t just happening to the stereotypical “gullible type,” but to consumers, businesses of all sizes, individuals, organizations and the government.
Alicea is adamant about businesses protecting their information, even from employees.
“No employee should have full access to everything in the computer,” warns Alicea. “Think about it. The most secretive organization in the world — the NSA — the weakest link was an employee walking away with hard drives full of national secrets.
“So even they let their guard down there. But when I talk to businesses, I say, ‘Unless you absolutely need the employee to have access to your USB ports, so they are able to plug something such as a thumb drive in, disable them. If there’s no need for that specific employee to have a USB port to use, just disable them. Because, let’s be realistic, here, I could walk up to any computer, put a little thumb drive in, a little thing the size of your thumbnail, and I can download all the information from your computer.’”
This includes such things as a business’s customer lists, customer base, all of their accounts and all of their internal information. Not to mention the social security numbers and other confidential information of everyone in the company.
“It’s really a very vulnerable position to be in,” says Alicea. “Think about this. If I’m leaving the company because I’m not being treated properly, the day before, all I have to do is come in, use a couple USB ports, and download everything and I can definitely ruin your company.”
Alicea says it’s like leaving a physical door open to all of your information for thieves to get access to when and if they want to.
Along with the aforementioned precautions, Alicea offers the following advice for business owners to prevent such criminal activities and help safeguard their businesses from cyber crime.
“Talk to your IT guy and make sure that only the person that really, really needs to have that much access — for example, your manager, he should be the one with access to all of your company files, nobody else should have that much access.”
Employees should be safeguarded as well, says Alicea. Making sure screen savers are active for all computer users (for when they walk away from their work stations) is one simple line of defense.
Turning off Wi-Fi connections when not in use is another.
“Twenty-four-hour connectivity is 24-hour vulnerability,” says Alicea. “Same thing with our phones. How much information is on our phones? I mean, I order things on my phone all the time. I hope that, despite all the precautions I take, [my system] is safe.
“Everything that we use today to communicate, even our voices, can be tapped from a distance. There is nothing you can communicate with today that cannot be tapped.
“These are little preventive things that almost sound like they’re insulting somebody’s intelligence, but a lot of people don’t think about them,” he points out.
Alicea also recommends that companies put clear and concise policies in place with relation to employee computer use.
“One of the ways employers can protect their businesses is by having clear and concise policies with regard to employee use of company computers and networks,” says Alicea. “For example, the policy could be ‘no personal e-mails or social media on office computers,’ or ‘no outside jump drives or external hard drives are allowed to be used on office computer USB ports.’”
In Vineland, for example, the Police Department is very advanced in protecting its computer systems and information. No outside jump drive or hard drive can be plugged into a single USB port on any computer in the entire department’s computer infrastructure. They use what is called an “Iron Key,” which is an encrypted system that does not allow computers to retrieve data from a flash drive.
“Employers should hold brief training sessions at least once a year to remind employees of the damage cybercrime can cause,” adds Alicea. “In addition to the training, employees should sign a form indicating they have received such training and understand their responsibilities.”
Such policies help employees know what they should and shouldn’t do while protecting the company at hand from such things as cyber crimes, attacks, hacking, data theft, and viruses. These policies are important not only to help employees focus on their work during office hours rather than on their Twitter feed, but also to prevent intentional or accidental harmful actions stemming from their personal computer use.
“We trust our employees,” says Alicea, adding that if they become unhappy for any reason they can do a lot of damage to the business if the company’s computer systems are not protected enough.
“If they’re not happy there, you never know the amount of damage that they can do,” says Alicea. “I’ll give you a good example: If you’re going to fire or dismiss someone I would definitely stop their computer access at least four hours before that dismissal happens. Change the keys, the code, change the passwords, and disable any access they have to the computer or to even the building itself.”
While cybersecurity has been a buzzword for a while now, the actual crimes have been around much longer. Remember those e-mails landing in your AOL inbox every so often seeking financial assistance?
“Back in the old days,” says Alicea, “they used to have a guy sending physical mail from Nigeria — and that’s how it got the name, ‘The Nigerian Scam’ — and then they could send 10,000 e-mails in one minute.” “It changed the game,” says Alicea. “And you’d be surprised at how many people onto that. The last statistics that I believe I read was 33 percent; that’s a heck of a return.”
Why does he think that percentage is still so high after years of cyber crimes being in the media and more awareness in general about such “suspicious” e-mails?
Where’s the disconnect?
“I think it’s the mindset,” says Alicea. “‘Oh, that’s never going to happen to us. Nobody’s going to want my secrets.’
“Yet, let’s be realistic. You and I start researching something, we’ve been at it for two years and have spent thousands of hours [on it], and next thing you know we’re getting ready to get a publisher’s patent and someone steals the information from us. We just lost all that. Industrial espionage is huge.”
Alicea, who is also Commandant of the Marine Corps Detachment in Vineland (Semper Marine Detachment), says that military recruiting has changed as its needs have changed.
“Right now, the military is actively recruiting hackers,” says Alicea. “I have a PowerPoint that has three soldiers with a rifle and one with a laptop and my question to the students is: ‘Who do you think can do more damage?’ Obviously, they can do a lot of physical damage with the machine guns, it’s three guys, but if I have a laptop I can destroy your communications system, everything.
“Just before the United States attacked Iraq in 2003, 250 military computers were hacked and they had to do with sending supplies and launching weapons and for the life of our Department of Defense they couldn’t figure out where it came from, where the hacking was happening.”
The U.S. government thought it might be China, North Korea, Iraq, but when they found out where the hacking was stemming from, says Alicea, it was “two 11-year-olds in a basement in the Napa Valley [California].”
“Your firewall is only as good as its designer,” adds Alicea. “So if you designed the very best one, I can sit there for hours and literally try to break it. And a lot of hackers do that, believe it or not, some just for the thrill of say, getting into the Pentagon.”
While the Pentagon gets threatened with hack attempts “thousands” of times a day, Alicea says for many hackers, it’s only so they can brag about doing it, not because they want any classified information.
“It’s a challenge to them,” says Alicea, “to break in.”
Alicea says that although he couldn’t imagine the number of [cyber-crime specialists] the military has working under its umbrella today, the country is on the lookout for a few good geeks.
“They’re actively recruiting,” says Alicea. “The military actually created a special MOS [Military Occupational Specialty] to attract people to get into [the field of cybersecurity].”
This is the new wave, adds Alicea.
The days of sending military personnel behind enemy lines to gather information before attacking them are passé, says Alicea. Today, both sides would be hacking each other’s computer systems for information.
“The computer system, their communication system, their launching system, their aircraft control tower system, you know, you got ’em,” adds Alicea. “Once you knock off communication you really have the upper hand.
“The numbers change from year to year, but the last numbers I saw, where [cyber crime] was costing us on the commercial side, we were losing $350 billion a year,” he says.
Alicea recommends folks check out the FBI Web site for all things related to cybersecurity.
“The F.B.I. has a tremendous, very-well put together information guide on their Web site,” he says. “The State Police does, too. There are numerous resources online to help you protect yourself better and your personal information.”
Alicea, who used to be a recruiter for the Marine Corps when he first moved to Vineland, says that recruiting for the military has changed dramatically with regard to the new threats of the 21st century. Stationed in the area since 1985, he witnessed the transformation occurring slowly in the subsequent years.
“Right around the mid-1980s to the early ’90s there was a critical shift,” says Alicea. “Instead of recruiting from the gyms, from the football teams and the athletic fields, we were now looking into the libraries, and more academically inclined recruits.
“In other words, instead of brawn, we were looking for brains.”
One of the textbooks that Alicea uses in his classes — he teaches at Cumberland County College, Rowan College at Gloucester County, and is an adjunct professor at Fairleigh Dickinson University — claims that there will be a need for close to two million new jobs in the IT field over the next decade and there are only going to be 200,000 people qualified for those jobs.
Alicea urges his students not to focus on only one topic of education, but to look into the subject of cybersecurity and IT as possible fields to explore.
“There’s a new field that needs to be discovered,” says Alicea. “It needs to be challenged, it needs to be taken into consideration when you’re making your career decisions.”
He believes that children should begin being taught about IT-related topics at a younger age.
“For the generation that is coming up now, this is just a regular thing for them. For you and I, a pair of pliers and a screwdriver, those are normal tools for us. For these kids, they’re born with this technology and they’re surrounded by it. And, in my opinion, they can adapt to it a lot quicker, than, say, my generation. It becomes so natural for them because they’re surrounded by it. For [my] generation, though, it’s still a little challenging for us.”
Alicea notes that the Pentagon recently held a well-promoted contest daring anyone to hack their systems for a reward. “Basically, right there, that’s a recruiting tool,” he says.
With regard to the controversy surrounding Apple’s recent decision not to hack into its own software after being requested to by the F.B.I. in relation to the San Bernardino terror suspects’ iPhones, Alicea says he knew that Apple wouldn’t turn over the “key,” but that after a certain number of attempts a hacker would get in.
“And that’s just what happened,” says Alicea. “Nothing is impossible with this.”
Is it a double-edged sword to prepare our children to hack into any computer system they want to get into?
“Pretty much,” says Alicea. “It’s like the old saying, ‘Keep your friends close, but keep your enemies closer.’”
Alicea gives another example of the absurd blending in with today’s reality. The son of a big IT guy creates a virus that ruins several thousand computers. After paying his penalties, he gets hired by one of the largest computer companies.
“Think about it,” he says, “‘I want you. You hacked into my computer system, I want you to protect my system from people like you.’”
“You commit the crime and you get hired?” says Alicea. “You’re a criminal, well, welcome aboard!”
What opportunities are there in Cumberland County for students interested in helping to join the fight against cyber crime?
While Fairleigh Dickinson has a “very interesting program” on cyber crime, on a local level, Alicea says he knows that area high schools are preparing kids and that Cumberland County College offers a few general computing programs.
“It’s a wide open field for the future,” says Alicea. “So these kids have good opportunities now to prepare themselves knowing that it’s going to be a wide open field in several years.”
It’s not like some fields that got heavy for a while, and are now oversaturated, says Alicea. “Lawyers, I mean, they’re a dime a dozen,” says Alicea. “They’re all over the place. Do you really want to go into a field that’s so overcrowded or do you want to get into something that you already know, and that, based on the statistics that are coming up, there is [going to be a great need for in the near future]?”
Kyle Permuy, a senior at Millville Senior High School, has taken it upon himself to organize an upcoming “Hack-a-thon” called “HackSJ” (May 21, visit hacksj.org for more information, including the location, which is still to be determined) for students interested in computer programming and design.
“It’s an invention marathon,” says Permuy, director of HackSJ. “We have lots of workshops on building apps, and we have experts and mentors on hand to help students figure out any problems they may have while coding.”
The Web site for “Major League Hacking” is a good tool for parents to learn about what their children have signed up for if attending one of the many hack-a-thon events popping up around the country and in Europe. Permuy explains that such events are not to teach kids how to hack into computers, but how to create and learn more about inventing and working in the digital sphere. He adds that the word “hack” has both positive connotations (as in hack-a-thons) and negative ones (as in “hacking” crimes).
“The government is already starting to use hack-a-thons such as mine as recruiting baselines,” says Permuy. He points to a recent event held at the University of Maryland that was sponsored by the NSA.
“I would see [the upcoming HackSJ event] as a recruiting tool,” says Alicea. “If I was a college recruiter I would be there to find out who the best hacker is. Or to even hire them to keep an eye on my computer systems at work. I see those types of events as opportunities. Or, on the other side, to identify future criminals!”
But you still need to keep an eye on the said protector, warns Alicea. Trust plays a big part, as it does in any relationship.
“Some of these kids are so smart in a field that some people are still trying to grasp.”
“It’s not only all branches of the military, but all branches of law enforcement at every level, from the local police departments to the federal agencies, that are going to be looking into attracting people from this field and do that line of work. … The IT business in all aspects of our lives is going to change in the next couple of years.”
Aside from bringing a new crop of jobs for young Americans, cybersecurity means a new crop of crimes for criminals.
“You put the word ‘cyber’ in front or after just about any sort of crime and you’ve got the same old crime with a new twist.”
Tips from the Top:
Edwin Alicea Jr., Public Safety Director, City of Vineland, offers the following tips to help protect against cyber crimes
- Be careful where you use your debit card
- Disconnect from Wi-Fi when not in use
- No employee should have full access to a business’s computer systems
- Don’t be careless with your password information
- Protect your personal information
- Your firewall is only as good as its designer
- Companies should have a clear policy in place regarding computer use
- Become aware about cybersecurity via online resources, events and government organizations that offer relevant information
Three Questions with Dave Weinstein, Director of Cybersecurity and Chief Information Security Officer, State of NJ / New Jersey Office of Homeland Security and Preparedness
- What can small businesses do to prevent hacking, and to be prepared for hack attempts?
Small businesses can take a number of easy steps to reduce their cyber risk profile, but it starts with educating their workforce on the latest digital threats and instituting a culture of best practice adoption. Most small businesses victimized by cyber-attacks can be traced to human vulnerabilities. That said, on the technology front it is extremely important to embrace data encryption — both at rest and in transit — as well as regular software patches based on known vulnerabilities.
- Hackers and specialists in cyber-security are being contacted and sometimes hired by organizations such as the Marines, CIA, government, etc.; is this a field students should be looking into as a profession?
Students should absolutely consider cybersecurity as a career field. Cybersecurity is unique among other professions in that the unemployment rate in the field is virtually zero percent. In particular, we need more female students to pursue career opportunities in cybersecurity. Sadly, female participation in the field is among the lowest of any profession, yet there is such high demand for smart minds across the public and private sectors.
- What more do you think needs to be done to ensure security in cyberspace?
There are a lot of areas for much-needed improvement, but one in particular is coordination between local, state, and federal government. In this respect, building institutional capacity at lower levels of government is critical. Doing so will require more participation in the cybersecurity labor force, but also education reform at the primary and intermediate levels and increased "cyber savviness" among elected officials and government executives.
Cybersecurity Online Resources
The State of New Jersey’s Cybersecurity Web Site
The Official FBI Web Site
The SANS Technology Institute
Parent Hackathon Guide
To find out more about the “ethical hacking” event, HackSJ, organized by Millville Senior High School student Kyle