By Jesse Drake
Treat login credentials like the keys to the kingdom, Jared Baker said, because they are.
"If Netflix is breached, what does that mean for you as a consumer of Netflix? Probably nothing. Maybe they can see what you've been watching. But if they take your user credentials and those of 199,000 others ... pulling in financial data … even at a 1 to 2 percent success rate, that's a pretty good payday."
Baker, lead security operations analyst at Shape Security and master sergeant in the U.S. Army Reserve, spoke at a November 7, 2018 panel discussion "U.S. Military Impact on Cybersecurity," alongside Col. David Becker, chief information officer (CIO) for the Utah Army National Guard, and Phil Bates, chief information security officer (CISO) for the state of Utah's Department of Technology Services. The event, held at Gardner Commons, was moderated by Dr. Randy Arvay, the University of Utah's CISO and 24-year U.S. Army veteran.
Baker's message that end users are the last line of cyber defense against social engineering attacks (he recommends multi-factor authentication and a password manager) was one of many topics covered during the event, which was cosponsored by the Gardner Policy Institute and the university's Veterans Support Center.
Arvay asked a series of questions related to how government, military, and private-sector entities approach cybersecurity. While all vary in their missions — the U, Arvay noted, must weigh security against academic freedom — many of the same challenges exist.
Bates, coming off a long night in the state's Emergency Operations Center (EOC) during the midterm elections, said that automation defenses at the state level are now the norm. Five years ago, he said, the state's network ports would see about 100,000 breach attempts on an average day. Today, it's more than a billion.
"It's not because so many more hackers are out there, it's that they've become that much more sophisticated ..." Bates said.
Baker likened the challenge of keeping ahead of cyberattacks to hunting improvised explosive devices (IEDs) in the Army.
"We would come up with a tactic to defeat an attack, they would innovate, and we were always one step behind," he said.
Becker said that the top three challenges from a military perspective are recruiting and retaining top cybersecurity talent, maintaining an appropriate balance between security and services, and insider threats.
"Whether through malicious design, or a simple mistake, you can have a very well-defended effort that can't account for threats from within," he said.
Arvay noted that nefarious actors have also become more adept at using news and events to exploit vulnerabilities. He said that after the U named Dr. Ruth Watkins its new university president, UIT's Information Security Office received reports of phishing emails that fraudulently used her name as the signature.
Bates sees similar targeted attempts to exploit the state's purchasing and payment units by people impersonating suppliers.
"It's become such a problem across the country that insurance companies will not cover social engineering attacks against us," he said. "These [attackers] are very clever, they love to use social media, and let's be honest, we're all guilty of putting too much information out there and making it easy for them."
Becker concurred about the need for the public to be more cautious online.
"Stop being so curious and clicking on everything," he said. "You don't have to take the latest survey or whatever promises free this or free that. Find a different hobby. That's so often where these threats arise from."
As for sourcing information security talent, Arvay said the pull of Utah as a startup and tech hub remains strong. The panelists agreed that military personnel have a leg up in landing great information security jobs: attitude.
Becker used words like "leadership," "teamwork," and "work ethic" to describe veterans entering the cybersecurity field. Baker said veterans "bring a certain mindset that's just perfect for security."
"When a veteran shows up at my office, I know they’re going to be an adult and show up for work on time, probably 15 minutes early like they should ..." he said.
"I can train people in security and help them get all the certifications they need to do the job, [but] I don't have somewhere to send them to learn to show up when they're supposed to and approach the job seriously," Bates added. "That's something you just can't put a price tag on."
The panel also briefly discussed Presidential Policy Directive 20, a policy memorandum that outlined an interagency framework for U.S. cyber operations. PPD-20 was rescinded this year. Critics, Arvay said, have expressed concern that the move signaled more aggressive U.S. use of offensive cyber operations against nation-states and associated hacking groups.
The panelists agreed that it's a sensitive issue that calls for restraint.
"One might think that an IP address that comes from Russia is always bad, but that's not necessarily the case when talking about hospitality and travel companies," Baker said. "Thankfully I don't have to make these decisions, but I think it can be a very slippery slope."
"When you read summaries of our national policies, something that's made very clear is that the U.S. recognizes that free use of web is important to our way of life, our freedoms, our economic development, and we emphatically claim the right to defend that," he said.