Jared Stroud understands that cybersecurity begins and ends with humans. In his research project, called Fuzzball, the RIT computing security graduate student is looking for coding errors and security loopholes in web applications that were mistakenly put in place by developers.
Using a fuzzer—a tool that generates massive amounts of random data—Stroud tries to crash an application and find any vulnerabilities, such as buffer overflows.
“Ever since I got into computing, I wasn’t so interested in making apps or building games—I wanted to break things,” said Stroud. “I like the whole idea of testing a network in order to help improve a company’s security.”
With recent cyber breaches hitting the U.S. government and companies such as Target and Sony, the need for computing security experts like Stroud has skyrocketed.
By 2019, the United States will need 2.5 million cybersecurity professionals to protect its networks and computer systems, but more than a quarter of those jobs will go unfilled because there aren’t enough qualified workers.
RIT is helping to close this gap as a leader in computing security education. Since the university created one of the first graduate and undergraduate degree programs in computing security and networking a decade ago, the number of students enrolled in the programs has jumped from fewer than 40 to more than 400 this past fall.
In 2012, RIT broke the mold of traditional cybersecurity education by creating the first academic department devoted solely to computing security, a department that integrates faculty from other computing disciplines, including computer science, software engineering, information science and technology, and public policy.
That department graduated 59 students last academic year, and more than 96 percent were hired at places such as Google, Cisco, and the federal government. Graduates also get hired at security companies such as Raytheon, FireEye, and Dell SecureWorks.
“I really believe students studying computing security at RIT are very well prepared to address a lot of the needs in the industry,” said Kirk Striebich ’89 (economics), supervisory special agent in the FBI Cyber Division. “Cybersecurity students at RIT are well rounded and can think in terms of the whole business or whole government approach to the problem, which will enhance their value on any team approach to cybersecurity.”
Nationally, RIT has become recognized as a leader in this arena—the National Security Agency and Department of Homeland Security designated RIT one of its National Centers for Academic Excellence in Cyber Defense and the National Science Foundation awarded RIT $4 million to join the federal CyberCorps® scholarship program. The program, a partnership with the Department of Homeland Security, provides students full tuition and a stipend in exchange for future government service.
RIT will invest $1 million to study and implement sociotechnical approaches to cybersecurity. In addition, RIT’s B. Thomas Golisano College of Computing and Information Sciences is committing $2 million toward the research effort.
Bo Yuan, chair of RIT’s Department of Computing Security and associate professor, wants to see individuals and organizations consider cybersecurity before attacks and breaches ever happen. He also understands that defending against threats to a cyber infrastructure demands perspectives and efforts far beyond software and hardware technology.
“Basically, human factors have been identified as the weakest link in cybersecurity ecosystems,” said Yuan. “If we can fully understand the human factors in cybersecurity, then we can help design applications, systems, and security measures that defend against attacks more efficiently.”
To address the main sociological and technological components of the cybersecurity ecosystem, RIT researchers from various disciplines will work together. Faculty from such areas as computing, engineering, psychology, mathematics, public policy, business, and English will use their expertise to gain insight into human behavior and tackle the challenges of cybersecurity.
Faculty work will be the foundation for the opening of a new Center for Cybersecurity in fall 2016. The center will be led by Matthew Wright, who comes to RIT from the University of Texas at Arlington, where he was an associate professor in the Department of Computer Science and Engineering. Wright is an expert in internet security and privacy. He researches systems for providing internet privacy, usable security, and secure and reliable peer-to-peer and ubiquitous computing. The center will be located in the Center for Integrated Manufacturing Studies (CIMS) and will provide a venue for collaboration among faculty and student researchers.
The initial cybersecurity team of 25 faculty researchers comes from five different colleges at RIT (B. Thomas Golisano College of Computing and Information Sciences, Saunders College of Business, College of Liberal Arts, Kate Gleason College of Engineering, and College of Science) and 11 departments. Four additional faculty, specializing in cybersecurity, will be hired in the Golisano College this summer. Collectively, team members have published more than 800 peer-reviewed journal and conference articles and received more than $20 million in external research funding.
“Interdisciplinary work is critical to addressing the range of social and human-centered issues involved in this area, and to provide multifaceted solutions for ensuring cybersecurity,” said Cecilia Ovesdotter Alm, assistant professor of English in RIT’s College of Liberal Arts who studies computational linguistics. “We are fortunate to have useful expertise spread across RIT, in addition to a strong track record of being successful at interdisciplinary collaborations that span multiple colleges.”
The team’s objectives include modeling human behaviors of legitimate users and adversaries within the context of cybersecurity problems, to explore vulnerabilities and defense mechanisms; investigations into human behavior-informed secure, resilient, and privacy-preserving cybersecurity ecosystems; and data collection, analysis, and refinement of real-world security scenarios. Six research themes have been identified to address these challenges (see above).
“Each of these themes leverages existing faculty and student research strengths and can potentially lead to high-impact research outcomes through external funding,” Yuan said. “More importantly, incorporation of research outcomes into our curricula will culminate in the production of hundreds of graduates, erudite in contemporary security and privacy issues and equipped to tackle adversarial situations.”
Kyle Murbach is flying a drone at a local park, but it’s hurtling in the wrong direction. Using a cybersecurity attack known as GPS spoofing, he has the ability to tell the drone that it is somewhere it’s not.
The computing security graduate student is one of dozens of RIT students conducting research in order to tackle security and privacy issues that people face every day.
Working with Ben Short, a fifth-year computer science student, and Derek Leung, a fourth-year software engineering student, Murbach is researching vulnerabilities in the popular 3D Robotics and DJI drones. The team is conducting the research as part of a requirement for the CyberCorps® Scholarship for Service program.
“We are looking at known vulnerabilities, including ways for people to connect wirelessly to drones that are not secured correctly,” said Murbach, who will begin working with the Department of Defense after graduation. “We’re also going through the firmware and essentially reverse engineering it to see how developers created the software.”
For students like Murbach, the Center for Cybersecurity will provide a space to exchange ideas and collaborate with faculty and other student researchers whom they wouldn’t normally meet. It will also promote partnerships with industry and help with outreach to high schools and middle schools, to create awareness of computing security as a career.
In addition, the center will include a Pentesting Laboratory, where businesses can penetration test software and hardware vulnerabilities with student pentesters.
“We imagine providing pentesting services for medium and small companies that would not typically be able to afford large contracts to do a pentest,” said Yuan. “This would help companies verify the security of their networks, systems, and software services, while giving our students real-world experience.”