Ninety-one percent of all breaches start with an email.
A teacher clicks on a link and it redirects to a malicious website. Or a CEO accidentally downloads an attachment that triggers a ransomware attack. Users can even unknowingly give their personal login and password away while trying to log onto a fake website that is designed to look real.
There is a common link in these and almost every other cybersecurity problem, said Matthew Wright, director of RIT’s Center for Cybersecurity. “It involves people.”
That’s why Wright is working with other researchers at RIT to think beyond the technology and focus on a human-centered approach to cybersecurity.
“While most research attention in cybersecurity is on technology—from cryptography on chips to using machine learning to detect attacks—many security problems are due to people,” said Wright. “Understanding and designing for the human beings using, administering, and even attacking our computing systems is the key to making them more secure, not just on paper but in practice.”
Yes, the internet has given us Snapchat and virtual banking, but these online activities come with the risk of cyber threats. Professional criminal organizations are building malware and running scams to steal money and personal information. At the same time, military secrets, critical infrastructure, and even elections are under assault.
In 2016, more than 4 billion digital records were exposed in cyber breaches against companies, including attacks on Yahoo and LinkedIn. That number skyrocketed from the 1 billion records compromised in 2013, according to a report from Risk Based Security.
RIT is helping to address these challenges as a leader in computing security education and research.
Through the Center for Cybersecurity, founded in 2016, the university is bringing together expertise from across RIT. Faculty and student researchers are working to better understand and address these real-world challenges in cybersecurity through projects that analyze past incidents, by studying the current state of phishing on social media, and by modeling how attackers will strike in the future.
“We are developing the next generation of cybersecurity experts and we want to continue enriching our educational offerings,” said Bo Yuan, chair of RIT’s Department of Computing Security. “We’re doing this by creating opportunities for students and faculty to engage in cutting-edge research and industry experiences.”
The interdisciplinary center is funded by a $1 million signature research grant from RIT and $1 million from the B. Thomas Golisano College of Computing and Information Sciences. The center includes two parts—the Security Assessment and Forensic Examination (SAFE) Lab and research laboratory.
In the SAFE Lab, industry and education collide, as student pentesters are hired to test a business’s networks, create a report, and make recommendations about its cybersecurity needs. Here, companies are able to verify the security of their networks, systems, and services, while giving students real-world experience.
In the research lab, faculty and student researchers from across the campus are coming together to develop human-centered projects that will help people and organizations get and stay ahead of their adversaries.
Wright’s own research pulls from the lessons of cognitive psychology. He is developing a system designed to generate random passwords that are also easy for people to remember.
Other researchers are using natural language processing to mine software repositories.
The work will create a better understanding of how security bugs happen and ways that developers can avoid making those mistakes in the future.
“There’s no silver bullet for cybersecurity problems,” Wright said. “But gaining a better understanding of how humans play a role in the past, present, and future of cybersecurity might teach us the best spots to aim.”
Those who do not learn from history are doomed to repeat it. These are words that Josephine Wolff lives by.
As an assistant professor of public policy and faculty affiliate of the Department of Computing Security, Wolff serves as a bridge between the technology world and social sciences. Through her work observing and questioning cyberattacks of the past, she hopes to uncover lessons for the future.
“A lot of today’s cybersecurity incidents are actually taking advantage of technology that we already know how to fix,” said Wolff. “Oftentimes, the failure is in the decision making.”
By looking at a series of cybersecurity incidents over the course of the past decade, Wolff is tracing their economic effect, legal aftermath, and their impact on the current state of technical, social, and political lines of defense. Through funding from the New America Cybersecurity Initiative, a nonpartisan think tank, she plans to publish her research as a book in 2018.
Wolff started by looking at one of the first large-scale breaches—the 2006 breach of TJX, the parent company of Marshalls and TJ Maxx. Computer hacker Albert Gonzalez and his co-conspirators cracked the Wi-Fi encryption of two Marshalls stores in Florida, quickly found their way into the company databases, and stole payment card, social security, and driver’s license numbers belonging to 45.7 million of the chain’s customers.
“It’s a dangerous narrative to say that all you need to do is update Wi-Fi encryption and you’re all set,” Wolff said. “I ask, who do we hold responsible for ensuring this security—the retailers, the credit card companies, the software developers, or maybe the hardware manufacturers?”
Wolff has also looked at who is bearing the cost and how they try to make sure someone else ends up with the bill. “Are we making good policy decisions about how liability is assigned to different actors involved in breaches?”
Her research explores financially motivated breaches, cyber espionage incidents, and revenge-motivated breaches. She is also observing how insurance has emerged around cybersecurity and how companies implement safety measures, such as two-factor authentication.
Skimping on cybersecurity can’t be seen as a way to cut costs, Wolff said. Cybersecurity can’t be an afterthought.
With more available attack vectors and stronger hackers, it has become harder for users to keep themselves safe. Sovantharith Seng, a computing and information sciences Ph.D. student from Cambodia, is working to change that.
When deciding what to study in graduate school, Seng debated between his love of working with people in student affairs and his background in computer science.
“I found a compromise in the field of usable security,” said Seng. “Here, I get to work with psychology and social behavior to take a human approach to the security problem.”
At RIT, Seng is beginning research into the social engineering attack known as phishing. A traditional phishing attack will try to steal personal information or deliver malware by fooling a user through malicious email attachments or fake websites.
However, Seng is looking toward the growing trend in phishing today—social media.
Attackers can use LinkedIn to target a company’s most influential people, who may have access to trade secrets. Or scammers could create a duplicate Facebook account of a clergy member and send out a link asking the congregation to donate money to a “good cause.”
“I am conducting a small study with a simulated Facebook interface, where users scroll through a newsfeed and see multiple posts from their Facebook friends,” Seng said. “I ask participants, ‘would you click on this and why?’”
Through the survey, Seng hopes to better understand the important context factors of Facebook posts that influence a user’s decision of whether or not they interact with a post.
Seng wants to know why they think it might be a scam and what actions they would take after encountering this kind of post.
In the future, he hopes someday to work with social media companies to help detect and combat phishing on their platforms.
“But we need to stay aware, because nothing works completely,” said Seng. “You will see another phishing attack in your lifetime, I guarantee that.”
While there is currently no crystal ball for cybersecurity attacks, RIT researchers are working on one.
Led by Shanchieh Yang, RIT’s department head of computer engineering, researchers are getting into the mind of hackers and modeling their attacks. Using tools from machine learning, data analytics, and theories in criminology, Yang hopes to develop algorithms and models that help experts predict which security technologies and practices are the most effective for protecting networks given hackers’ behavior and tactics.
“Attackers can be eccentric, but they are still human beings,” said Yang. “We hope to discover and explore their attack strategies and patterns of behavior for achieving their goals.”
Working with an interdisciplinary team of faculty from engineering and computing, Yang is developing a system to characterize attack patterns and combinations of exploit behaviors that attackers use. They even hope to reveal additional attack scenarios that may not have been known before. Part of their model and system development is based on interviews with student pentesters who attended RIT’s annual Collegiate Penetration Testing Competition, held each fall.
Funded by more than $800,000 in grants from the NSF and NSA, the research seeks to quantify what might happen in an attack.
And the key word is might, said Yang.
“In a simulation, we might find that a particular machine was attacked a high percentage of the time,” said Yang. “It doesn’t necessarily mean that the machine has more vulnerabilities—it’s just that the typical path of a hacker leads to that computer. Now we have a suggestion of where to enhance our security.”
Additionally, Yang has been part of a research project through the Intelligence Advanced Research Projects Activity (IARPA) to develop methods that forecast cyber incidents. Using data from social media and other nonconventional indicators, the tool aims at generating early warnings of cyber incidents before they happen.
“The success of the project will lead to a proactive cyber defense,” said Yang, “likely preventing some critical information espionage and financial losses from even taking place.”
But in the end, Yang’s best advice for preventing cyber breaches for individuals is to always stay under the radar. “Don’t expose yourself and let anyone know that you have information worth stealing.”
2006 TJX Breach: Attackers crack the Wi-Fi encryption of two Marshalls stores, find their way into the databases of TJX— parent company of Marshalls and TJ Maxx—and steal payment card, social security, and driver’s license numbers belonging to 45.7 million customers.
2011 DigiNotar Compromise: Dutch certificate authority DigiNotar discovers that it has been compromised—an attacker tunneled through its 157 firewall rules, bypassed multiple levels of physical security and keycard requirements, and issued rogue certificates for domains including google.com, CIA.gov, and others.
2012 South Carolina Department of Revenue Breach: Millions of tax records, social security numbers, and other personal information for more than 75 percent of the population of South Carolina are stolen after a South Carolina Department of Revenue employee unwittingly clicks on an embedded link in a phishing email.
2013 Spamhaus Denial-of-service Attacks: The Spamhaus Project, a nonprofit organization that compiles and distributes lists of DNS servers, IP addresses, and domains known to be used by spammers, begins experiencing an unusually large volume of traffic to its website in retaliation for blacklisting Dutch hosting company Cyberbunker.
2013 Chinese PLA Unit 61398 Espionage: Security firm Mandiant releases a detailed report describing the years of cyber espionage activities it linked to Unit 61398 of the Chinese People’s Liberation Army. The Chinese army of hackers stole trade secrets, business plans, and legal documents from aerospace, satellite, and telecommunications companies in the U.S.
2014 Gameover ZeuS Takedown: The FBI, working along with private companies, research universities, and international law enforcement agencies, successfully seizes the computer servers being used to operate Gameover ZeuS, a massive international botnet that distributed CryptoLocker, one of the early successful strains of ransomware.
2014 Sony Breach: A group calling itself “Guardians of Peace” publicly releases a trove of internal emails, scripts, and spreadsheets from Sony Pictures Entertainment over several months, allegedly in retaliation for a forthcoming film mocking North Korea.
2015 Office of Personnel Management Breach: The U.S. Office of Personnel Management (OPM) reveals a breach, in which it would later be discovered that personal information belonging to more than 20 million current and former federal employees had been stolen from its computer systems.
2015 Ashley Madison Breach: Ashley Madison, a website intended to help users pursue extramarital affairs, is breached, leading to the public disclosure of records associated with millions of the site’s users.
2016 Mirai Dyn DDoS Attack: Cybercriminals launch a malware called Mirai that infects more than 100,000 Internet of Things devices and conducts major distributed denial-of-service attacks against Domain Name System (DNS) provider Dyn, disrupting Twitter, Netflix, PayPal, Pinterest, and the PlayStation Network for several hours.
2017 Equifax Data Breach: The personal data of 143 million Americans is compromised and Equifax, one of the nation’s three major credit bureaus, reveals that it was attacked between mid-May and July.