News

Five questions with …

Laurent Michel

Laurent Michel, Ph.D., UConn engineering professor and co-director of the Comcast Center of Excellence for Security Innovation

Panelist at the Jan. 19 UConn Science Salon, “Lock It Down: Protecting Your Personal Information”


UConn Science Salon: As a cybersecurity expert, what additional precautions do you take in safeguarding your personal online accounts, e.g., banking, shopping, messaging?

Laurent Michel: I make sure that any site where I must enter “sensitive/personal” data is using HTTPS rather than HTTP to avoid snooping, information stealing or replays. I do not click on links sent to me via email, unless I made the request myself just prior from the website, to avoid phishing. As a rule, if I wish to interface with a company, I initiate the digital process. I don’t respond to “out-of-the-blue” emails, however legit they might look.

I use a password-manager application. With that, I do not reuse passwords and I create strong passwords for every site that requires authentication. There are multiple such applications available for various operating systems (and mobile OS). I use 1Password, personally. I use two-factor authentication whenever possible (iOS/Google/…). I use Apple Pay when possible for financial transactions. Google Wallet is probably equally good.

USS: Yahoo! just reported a second, and larger, security breach. It’s been reported that they were targeted, in part, because security wasn’t a high priority for the company. Do you think that’s the only reason?

LM: I don’t know specifics about the Yahoo breaches or why they might have been targeted. I will not speculate.

USS: Russia was accused of hacking the recent U.S. presidential vote. Do you think that’s something new or routine?

LM: Again, there is very little known publicly in terms of details. But the CIA has indicated that cyber attacks from Russia are still ongoing. It is maybe worth remembering that the accusations with regard to Russian involvement have to do with:

  1. Hacking DNC emails.
  2. Selectively releasing information acquired through #1 above to sway public opinion.

Any claims of actually hacking voting machines themselves are quite a bit more shady, and I have not seen anything to substantiate them. In Connecticut at least, the voting equipment, processes, and auditing done around the electoral process should assuage any concern at that level. Optical scan machines (with paper ballots) are much better than Direct Recording Equipment in this respect.

USS: Ransomware, nasty malware that encrypts your files and then holds them hostage, made headlines in 2016. Do you think this trend will continue?

LM: Unfortunately, yes. Don’t install/click on sites and software you do not know. This type of malware is typically delivered through Trojans and relies on social engineering (the active participation of the victim) to get installed.

USS: Recently, a botnet, consisting of thousands of household devices such as webcams and DVRs, kicked off a massive, crippling distributed denial of service (DDoS). What can we do to prevent our devices from being hacked for that purpose?

LM: This is a complex issue where a solution should involve both the vendor and the consumer. The consumer alone cannot fix the issue if the vendor is not proactively providing fixes for security flaws. This particular DDoS was the result of multiple failures involving firewalls’ automatic configuration through SNMP and poor credential practices for the IoT devices. Consumers must educate themselves about the risks, research the equipment they are considering, and choose those products wisely as a result.



Patrick Skahill, WNPR reporter

Moderator of the Jan. 19 UConn Science Salon, “Lock It Down: Protecting Your Personal Information”


UConn Science Salon: As a reporter at WNPR covering science with an emphasis on health care and the environment, how do you think online security and personal privacy concerns affect our well-being?

Patrick Skahill: I think it varies person to person. Some people/companies take online security very seriously, others just don’t have the time or the inclination to look into it much. Security can be seen as a kind of distant threat – until you get hacked.

USS: Have you had your personal information exposed by any of the big, well-known hacks, e.g., Target, Home Depot, Yahoo?

PS: Not yet, no.

USS: What’s your personal interest in cyber security and privacy?

PS: I try to keep my physical devices and online accounts secure, but I’m not really that sophisticated or obsessive about it. I probably should be more aware. That said, I use two-step verification when possible and I change my passwords, although not as frequently as I probably should.

USS: Does WNPR perform any digital marketing based on your members’ personal information?

PS: Not sure.

USS: Is WNPR taking any special precautions in their systems to stay ahead of the bad guys?

PS: You’d have to ask our IT folks, but I’d be interested to learn more about how our panelists think companies are doing at guarding employee data.


Jacob Gregg

Jacob Gregg, Senior Manager, Deloitte & Touche LLP

Panelist at the Jan. 19 UConn Science Salon, “Lock It Down: Protecting Your Personal Information”


UConn Science Salon: In your SAP Security & Controls role, in addition to implementing role-based security for your client’s system users and IT professionals, what other information security and privacy concerns are your focus?

Jacob Gregg: Identifying the “crown jewels” and specific data that our clients want to protect is key. Once that data is identified, we focus on designing and implementing automated controls within the system so that users cannot circumvent processes; implementing tools and technology to help monitor outside users trying to access systems, as well as tools to harden and protect systems; and developing procedures and processes to help our clients recover when a cyber incident occurs.

USS: What, if any, safeguards are in place to prevent unauthorized access of personal information contained in the system?

JG: There are a variety of internal and external tools that can be used to prevent, monitor, and detect unauthorized access of personal information. These tools are dependent on identifying and knowing what data needs to be protected, and having strong policies and procedures in place to grant access and monitor access. We are seeing many companies go through processes to classify their data and, based on that classification, incorporate specific approvals and monitoring procedures to grant and use the data.

USS: To the best of your knowledge, have bad actors hacked into any company’s enterprise resource management system (ERP) with the intent to steal personal information?

JG: There are varying requirements for disclosing cyber-attacks at the state and federal levels for a variety of reasons, which include protecting reputations, allowing fixes to be put in place more quickly, and containing problems. You can say that ERPs are beginning to get more attention in this space, as shown by Alert TA16-132A issued by the Department of Homeland Security warning of a vulnerability that affects outdated or misconfigured SAP systems.

USS: What are examples of how ERP vendors are staying ahead of the bad guys?

JG: ERP vendors are developing or partnering with other companies on threat detection, code scanning, data protection capabilities, and governance, risk, and compliance (GRC) solutions.

USS: What are Deloitte’s thought leaders’ predictions for the future of information privacy?

JG: There is no crystal ball, but the market has recognized the threats and generated new positions like CISO and Chief Privacy Officer as a result of the need to be secure, vigilant, and resilient. This trend will continue to evolve as hackers become smarter, companies try to stay ahead of the hackers, and landscapes change, such as moving from on-premise to cloud solutions. Deloitte has published a number of articles and case studies that can be referenced. Some of the trends that I have seen include having and finding the right resources, educating the board of directors on cyber risk, balancing preventative and detective controls, and staying educated.