Twenty-seven years later, computer viruses are everywhere and cyber crime is a $400 billion global industry with the potential to impact nearly any person or type of organization. Bank accounts, intellectual property or confidential information belonging to large- and mid-sized corporations, small businesses, public utilities, charitable organizations and even churches are vulnerable to cyber-attacks.
In response, organizations have turned to cybersecurity, or the practice of protecting computer systems by identifying and addressing vulnerabilities from various vantage points. “Hacking is big business,” says Reg Harnish, founder of GreyCastle Security and cyber consultant to Excelsior College.
The technological aspects of cybersecurity – firewalls, badges, anti-virus and intrusion detection software – often garner the most attention. Also key are processes which establish the framework of an organization’s systems, describing what can and cannot be accomplished from a cybersecurity perspective.
“Social engineering” refers to a criminal practice in which individuals or groups attempt to secure access to finances or other critical data through deception. This is often accomplished by employing a variety of false pretenses with a single objective: convince an employee to click on a link containing a virus, visit a malicious site, or even provide access to company hardware. In fact, criminals have been known to pose as a company technician in order to access an organization’s mainframe.
Dr. Jane LeClair says “technology is not enough” when it comes to cybersecurity.
“Companies and organizations need to focus on the human-side of the equation,” said Dr. LeClair. “That means focusing resources on not just the latest anti-virus software but on the education and training of employees – the human element.”
Social engineering has become such a problem, that hackers can even demonstrate their skills at Social-Engineer.org’s Capture The Flag (CTF) contest at DefCon, a hacking conference started in 1993. There, participants work to gather information on a pre-determined targeted company via “passive” information gathering such as public websites, Google searches, etc. The purpose is to illustrate the ease to which private information can be accessed due to lax information security practices.
As recently as 2012, participants were even allowed to use more deceptive means to reflect with greater accuracy the practices of criminal social engineers. For instance, former CTF champion Shane MacDougall, won the contest by posing as a company executive and convincing a Wal-Mart manager to divulge key company data, including the make and model numbers of his computer’s “operating system, Web browser and even (his) antivirus software.” If MacDougall had been an actual criminal, the data would have provided a doorway into the corporation’s computer system.
To combat these types of attacks, many companies are taking a more pro-active approach to protect their data from the confluence of deception and complacency. Policies and training programs educate employees on how to browse the Internet safely, handle and use confidential data appropriately, and identify and prevent potential social engineering invasions.
“Technology is not enough,” said Dr. LeClair.
Cybersecurity Programs at Excelsior
Excelsior College is developing graduates capable of working on the front lines of the cybersecurity field and leading initiatives that take an interdisciplinary approach to combat cyber breaches through several undergraduate and graduate certificate programs in cybersecurity.
The college’s Bachelor of Science in Cyber Operations, which was developed with input from industry leaders, focuses on prominent contemporary issues such as cyber-attacks and defense, cybersecurity defense, computer forensics, crypotography and security-focused risk management among others. Excelsior’s BS in Information Security (Cybersecurity) also explores cyber-attacks and defenses as well as cyberterrorism, cloud computing and systems architecture.
Excelsior’s graduate program, a Master of Science in Cybersecurity focuses on IT risk assessment, information assurance and communication security, as well as project management, digital crime and ethical and legal issues in the growing field. The educational focus on the human element, says Dr. LeClair, is what helps a technician advance into a leadership role.
“Excelsior’s programs prepare graduates to detect and analyze cyber attacks, conduct risk and vulnerability assessments and develop the policy frameworks necessary to protect enterprise-wide information assets,” said Andrew Wheeler, assistant dean for the School of Business and Technology at Excelsior. “Our curriculum contains everything that students will need to become leaders in the cybersecurity field.”