Large universities and scientific communities generally have the technology and know-how to safeguard their research archives and computing grids. But for smaller colleges and organizations, knowing what expertise and resources are available — and how to access them — is key.
As part of a project to help smaller campuses and organizations with their cybersecurity challenges, Joshi and additional experts from Pitt, Carnegie Mellon University and elsewhere, presented at a two-day workshop in June as part of the National Science Foundation-funded project Security Assured Cyberinfrastructure in Pennsylvania (SAC-PA). The goal of SAC-PA is to establish a framework for regional collaboration and sharing of cybersecurity resources, expertise and information in Pennsylvania.
Western Pennsylvania is a citadel in progressive thought on the digital challenge.
David J. Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security
Joshi is the director of Pitt’s Laboratory of Education and Research on Security Assured Information Systems. He pointed out that insider threats represented 30 percent of all cybersecurity incidents reported between 2004 and 2014. More than 60 percent of these insider attacks are attributed to employee negligence. Other types of insider attacks include credential thieves who use stolen records to gain insider access and malicious insiders who deliberately attack the system. According to Joshi, insider attacks can inflict millions of dollars in financial damages.
Session topics at the workshop included cybersecurity challenges institutions have faced and how experts developed solutions to address them; an update on training modules offered by CERT, a division of CMU’s Software Engineering Institute; and updates on research on critical infrastructures, the internet of things and cloud environments.
“There should be nothing that should concern you more than cybercriminals,” he said.
Hickton, who prosecuted international cyber thieves in his former career as U.S. Attorney for the Western District of Pennsylvania, reminded attendees of the damage that can be inflicted on a company or university. He recapped the indictments of major cybercriminals such as members of the Chinese People’s Liberation Army, who hacked into entities including Westinghouse Electric, U.S. Steel and ALCOA to steal trade secrets.
Hickton urged attendees to assume the responsibility to install active defense systems and to take advantage of what experts in the region have to offer.
“Western Pennsylvania is a citadel in progressive thought on the digital challenge,” he said, adding that Pitt’s Cyber Institute plans to host forums worldwide to discuss these challenges.
Jeff Gennari, a senior member of CERT who analyzes malware samples, says CERT offers a training program called STEPfwd (Simulation, Training, and Exercise Platform) — which provides tools and content for a workforce to build its cyber expertise — as well as advice on digital forensics, an overview of the procedures an IT team takes on after an incident occurs.
For attendees like Bill Thompson, director of digital infrastructure at Lafayette College, the information was welcome.
“We don’t have a large team solely dedicated to information security,” he said. “The only way to get ahead of any of it is to work together and address these challenges in ways we can’t do on our own.” Lafayette — a small liberal arts college in Easton, Pennsylvania — has already experienced phishing scams and compromised accounts, Thompson said.
There are more collaborative SAC-PA sessions planned — one in Pittsburgh in November and another for the spring of 2018.
“This is a human problem,” said Hickton. “It is not beyond us. And there is a role for us to play together as we forge resources.”