
Cybersecurity trends for 2020?


What are the top cybersecurity threats and trends you should watch out for in 2020?

Tulane University expert Joseph Dalessandro predicts hackers will continue to focus on what works best and augment it with new and novel methods of attack.

Joseph Dalessandro, an expert and professor in information technology in Tulane University’s School of Professional Advancement, breaks down the top cybersecurity threats and trends in 2020.

Dalessandro predicts hackers will continue to focus on what works best and augment it with new and novel methods of attack. Here are his top five cybersecurity trends to watch in 2020. 

  1. Cybercrime has become a mainstream occupation, and America is finally waking up to this fact, even though many countries have known this for several years. Many Americans wake up each day, dress and head off to work. Cybercriminals are no different. Around the world, these individuals do the same thing. They head off to an office where they spend all day trying to steal data and find ways to access bank accounts. It is now a “regular” job in some countries, including the U.S., and is currently very profitable employment. This trend will continue to grow and become more accepted in the future. This will impact new areas that have not previously had cybersecurity problems.
  2. Phishing and whaling will reach the next level. Phishing is when criminals use fraudulent emails in an attempt to steal usernames and passwords or to plant a virus or ransomware on computers. Whaling is the same thing, except the target is a specific executive, executive type or business owner. Criminals are targeting email because it is one of the most common forms of business and personal communication. Malicious emails are very successful, and criminals are well-versed in what to say, how to follow up, and in some cases, have 800 numbers for these victims to call.

Some statistics to know about this trend:     

  • 48% of all malicious email attachments are Microsoft Office files (Word, Excel, PowerPoint)
  • Top 5 scams in order: bill notices, email delivery failure, package delivery, legal/law enforcement, scanned document.
  • 55% of email is spam (and potentially dangerous)
  3. Connected devices (watches, wearables, appliances, toys, cameras, smart home automation) will continue to present both opportunities for businesses and problems for businesses and consumers. Twenty years ago, I had high-speed (1.5 Mbps at the time) bandwidth in my home, and I had a total of three devices connected: a laptop personal computer and two servers. I controlled everything, and security was tight, and I still had problems. Today I do not run a business from my home, and my bandwidth speed averages 30 Mbps, and I now have 19 devices connected at all times, most of which I have little or no control over. Many businesses are no different. This increased attack surface will present more significant problems in 2020, with attackers looking to leverage these in-home aids, medical devices and smart-home appliances to steal data.
  4. Website attacks. The No. 1 attack method is still SQLi (pronounced Sequel-injection or S-Q-L-i). SQLi recently reached a milestone, celebrating a successful 20 years of existence. It is a sad commentary on cybersecurity. Website attacks will continue to rise in 2020 because they still work. Criminals are nothing if not consistent. If it works, they use it and rely on it.
  5. Cryptocurrency will continue to grow, with more “regular” people moving toward cryptocurrency use in 2020. We will hear more about Bitcoin and Libra (Facebook’s cryptocurrency) and other “stablecoin” (backed by what we today call “real assets”) players in 2020, with more mainstream acceptability. This will present opportunities for both consumers and criminals.

Post-9/11 wars may have killed twice as many Americans at home as in battle: Analysis


An analysis by a Vanderbilt economist whose research focuses on fatality risks finds that the post-9/11 wars may have resulted in more than twice as many indirect deaths back home as were lost in battle. These indirect deaths are due to the diversion of war costs from the U.S. economy and the subsequent impact on the nation’s health. 

“The Mortality Cost Metric for the Costs of War,” by W. Kip Viscusi, University Distinguished Professor of Law, Economics, and Management at Vanderbilt University and co-director of the Ph.D. Program in Law and Economics, appears in Peace Economics, Peace Science and Public Policy.

“When a government spends $100 million on a war, it leaves its citizens $100 million poorer,” Viscusi said. “We know that during a recession, more people die. People have less money to spend on better nutrition, health care, safer products or living in a safer neighborhood. For much the same reason, war spending would have a similar effect by redirecting those dollars away from consumers.” 

To examine the question, Viscusi first had to work out the total cost of war. The U.S. government estimates that the post-9/11 wars, which include military operations in other countries such as Syria and Pakistan in addition to Afghanistan and Iraq, have cost about $1.95 trillion. But, Viscusi said, those are just expenditures. To tell the whole story, you need to include the value of the lives lost in battle. 

And in fact, a dollar value for these lives does exist—Viscusi invented it, and the government already uses it in its risk calculations. It’s called the “value of statistical life,” and it’s the average amount you would have to pay a group of 10,000 people to increase their risk of certain death from zero to one. It’s based on the hazard pay workers receive for dangerous jobs, and in the United States, at the height of the Iraq and Afghanistan wars, the VSL was about $8.9 million. (Today it’s about $10 million.) 

By multiplying the number of direct U.S. fatalities in the post-9/11 conflicts—10,371, by conservative government estimates—by the VSL, $8.9 million, Viscusi calculates that these war deaths are worth an additional $95.3 billion, bringing the total cost of these wars to $2.05 trillion. 

War expenditures have an additional impact that causes deaths, Viscusi said, because money spent on war is diverted away from the U.S. economy, including everyday spending on well-being. In previous research, Viscusi has found that Americans spend about 10 cents out of every dollar on health and safety. His analysis shows that dividing the VSL by $0.10 results in what Viscusi calls the “mortality opportunity cost of expenditures.” That is, for every $89 million that we’ve spent on the post-9/11 wars, we would expect to see one additional, indirect death here at home. 

This results in an additional 21,910 indirect deaths since 9/11 due to the diversion of war costs away from U.S. households, bringing the total toll to 32,619—more than three times the official government estimate.  

“Every time we spend money on wars, we’re not spending that money on other things. There are actual costs to society,” Viscusi said. “So we have to ask ourselves, what are we losing because of that?”

Combating Human Trafficking


Each year, more than 40 million men, women and children are trafficked worldwide. It manifests in numerous forms and has grown into a multi-billion-dollar illegal enterprise that is difficult to detect, prosecute and examine. Risk analysis is a critical tool for combating human trafficking and is central to informing global policy recommendations and assisting with targeted local and organizational efforts. Several studies will be presented during the Addressing Human Trafficking Risk symposium at the 2019 SRA Annual Meeting at the Crystal Gateway Marriott in Arlington, Virginia.

Many non-governmental organizations (NGOs) work to reduce human trafficking but often fail to understand the context and environment before taking action, resulting in ineffective and sometimes detrimental policies. JD Caddell, U.S. Military Academy, studied how girls were lured and trafficked by reframing the situation as a supply chain and looking at both supply and demand.

Caddell’s study, “Using system dynamics to set strategic priorities to address human trafficking,” revealed that NGO actions aimed solely at removing girls from the system yield few long-term benefits and create more victims in the long run, while raid and rescue operations yield only short-term gains.

“Many organizations use raid and rescue models because they provide ‘results,’ in terms of girls saved, which provides validation and a mechanism for future NGO fundraising,” states Caddell. “However, our study showed that focusing on the demand side of the problem is more likely to generate large scale and sustainable progress.”

Because human trafficking is hidden, illegal and dangerous, it is difficult to gather the data needed to develop effective quantitative models and their response to interventions. Kayse Lee Maass, Ph.D., Northeastern University, has been working with survivors, law enforcement personnel and social scientists to better understand the structure and operations of trafficking networks, how they adapt and the dependencies between their cyber and social networks.

Maass’s study, “Modeling operations of human trafficking networks for effective interdiction,” provides non-profits, service providers, policy makers and other anti-trafficking stakeholders with decision support tools to effectively allocate resources to disrupt networks and ensure survivors have access to support services.

Similarly, Julia Coxen, University of Michigan, has approached the problem by decomposing the risks of human trafficking into the risks to public health, to security and to the community. Coxen’s study, “Risk analysis as a critical tool for human trafficking,” helps decision-makers better understand the complexities of human trafficking. The study also highlights the need for more evidence-based and quantitative risk analysis research to combat this global issue that impacts all levels of society.


Protecting data, recruiting students to cybersecurity

Cyber Defense Competitions are one of the events Doug Jacobson is using to attract students to cybersecurity studies and careers.

AMES, Iowa – Well, Doug Jacobson acknowledged, the Cyber Defense Competitions at Iowa State University aren’t exactly lessons from a software manual. 

“They’re a party,” said Jacobson, a University Professor of electrical and computer engineering, the director of Iowa State’s Information Assurance Center and the holder of three degrees from Iowa State. “They’re a two-day party. There’s food. It’s loud. Students are all together. And it’s chaotic.” 

It’s also challenging. 

The latest version of the campus cybersecurity experience, contested on Oct. 12, asked Iowa State students to protect the computer servers and applications of the “Chris and Doug Construction Co.” 

Students worked to protect the company’s information, electronically monitor the company’s cranes and other equipment, take care of the time clock application and run the company’s website. 

All the while, attackers tried to bring the systems down.

And these attackers were motivated: “Our next client has caught some flak from internet forums for its recent work on data analysis and has been receiving large amounts of attacks on its infrastructure,” said the contest’s written scenario. “As such, we need to make sure we are up to spec and protected before we move equipment over and get set up.” 

Setting up the construction company’s information systems and protecting them for eight hours was a unique experience for students. 

The competitions really offer students a “moment,” said Nate Evans, an Iowa State graduate – undergrad and doctorate – a former Cyber Defense Competition director when he was a student, and the current cybersecurity program manager at the U.S. Department of Energy’s Argonne National Laboratory near Chicago and lead developer of Argonne’s own Cyber Defense Competition. 

Evans believes a few special, hands-on moments can inspire and influence students. 

“The excitement of defending in a Cyber Defense Competition,” he said, “is a moment that gets students excited about working in cybersecurity.” 

Reaching thousands

Jacobson launched Iowa State’s Cyber Defense Competitions in 2005 – “That was an era when people didn’t know about cybersecurity” – after learning how the military was running information-security exercises. He decided to make the contests a little more fun and, to date, nearly 2,000 Iowa State students have competed in 20 contests.

(Another 1,588 Iowa high school students, 967 community college students and 918 students from Midwestern colleges and universities have also participated in contests at Iowa State.) 

And, the best estimate says Jacobson’s tradition of making breakfast on contest Saturdays has resulted in about 15,000 pancakes.

Why go to all the trouble? 

First, Jacobson said, the competitions are great for teaching and learning.

“Learning how to detect, mitigate and report attacks in real time and under pressure – I can’t lecture on that skill,” he said. 

Second, they’re a great way to introduce students to real jobs in cybersecurity. That includes introductions to industry professionals who often come to campus to play the role of the competitions’ hackers. 

Because of headlines about cybersecurity failures, “students now know what cybersecurity is,” Jacobson said. “But they don’t know what it is from a career perspective.” 

Learning at the cyberparty

With nearly 2,200 students, Waukee High School just west of Des Moines is the second largest high school in the state. 

It has a HyperStream Technology Club that has had as many as 80 students. It has an APEX Program offering work-based learning opportunities for 600-plus students interested in business or technology. 

But, even with its size and resources, it’s not able to offer a cybersecurity curriculum. 

And so the district has turned to the programs Jacobson and his team have developed. Schools across the state are offered a year-long curriculum – including books, videos and access to faculty. Plus, there are trips to campus for Cyber Defense Competitions and IT-Olympics. 

“The competitions are where students get hands-on experience with cybersecurity,” said Michelle Hill, the director of Waukee High School’s APEX Program and adviser to the technology club. “They’re also able to meet with business partners who do that for a living. That is so valuable to students.”

Plus, there are opportunities to visit a research university, listen to expert speakers, win scholarships and, for girls, be inspired by the success stories of women in the field. 

“I wouldn’t miss it,” Hill said. 

That’s another reason he’s doing these outreach programs, Jacobson said. 

Yes, of course, he has other things to do. There are research projects to manage, such as the $3.5 million Internet-Scale Event and Attack Generation Environment he developed to study cyber defense. There’s also helping with Iowa State’s new major in cyber security engineering. 

But he’s at the Cyber Defense Competitions on several Fridays and Saturdays a semester, flipping pancakes, talking to students, visiting with corporate partners and making sure everything is on track. 

“This has a great impact – on society and on the students we bring in,” Jacobson said. 

Besides, it’s still a party with a purpose: “It’s just as much of an educational component as a competitive one,” he said. “I hate to use the word competitions. We want it to be fun.

“We’re an intramural sport.”