Combating Ransomware Attacks: The Reasons for Their Rise and the Ways We Can Prevent Them

As has been widely reported, a new wave of cyberattacks has hit Europe, possibly a reprise of the widespread ransomware assault in May that affected 150 countries.

Ransomware, typically delivered via malicious email or infected third-party websites, is a family of malware that either blocks access to a PC, server, or mobile device or encrypts all the data stored on that machine. Similar to a kidnapping or hijacking with a ransom demanded in return for release, the perpetrator of a ransomware attack takes possession of valuable data or files belonging to individuals or businesses and then demands payment in the form of electronic currency called “Bitcoin” for their return.

According to a report earlier this year by NBC News writer Herb Weisbaum, citing the FBI, ransomware payments for 2016 are expected to hit a billion dollars compared to the $24 million paid in 2015. And that figure is expected to rise, with more victims and more money lost. Why the dramatic rise?

  1. Easier access to technology. Criminals have increased access to sophisticated technology to conduct these attacks. Even highly sophisticated tools developed by the NSA, and other similarly advanced tools, are now in the hands of criminals. Criminals are also continuously improving this technology, and have banded together to turn this type of crime into an organized business.
  2. Increased profitability. The business of ransomware has become highly profitable. Therefore, highly talented programmers are choosing to make this their profession, and they are making a lot of money this way.
  3. Organizations are lagging in innovation. Arguably, the most important reason is that individuals and organizations are not paying attention to continuous improvement or innovation in the technology they use or the protection systems they have in place. Without innovation, such individuals become sitting ducks. Without innovation, regardless of how good your technology is, hackers will eventually get in. Because the probability of a higher payout with organizations is greater, criminals are targeting organizations at a higher rate. However, everyday computer users are also being targeted.

Shegoftah Nasreen Queen (SNQ), Bangla Service, Voice of America, recently interviewed Dr. Mansur Hasib, program chair, Cybersecurity Technology, The Graduate School at the University of Maryland University College, to learn more about the reasons for the rise and solutions for combating this pervasive cyber threat. Read the full interview.

The Internet of Things Is Changing the Way We Live—Should We Be Worried?

The Internet of Things (IoT) is on the rise, and so are the threats associated with the interconnectedness of our devices. Eighty-four percent of organizations that have adopted IoT report experiencing at least one IoT-related security breach—and 93 percent of executives expect IoT security breaches to occur in the future—according to a February 2017 Aruba Networks study. The study also reported that malware, spyware, and human error are the most common problems.

It’s widely accepted that the number of IoT security breaches will only grow in the near future. To quote a 2016 Forrester Research report: “When smart thermostats alone exceed one million devices, it’s not hard to imagine a vulnerability that can easily exceed the scale of other common web vulnerabilities, especially if multiple IoT solutions include the same open source component.”

IoT affects everyone, not just large corporations with industrial equipment. From smart thermostats to smart refrigerators, dishwashers, and washers and dryers, we’re all part of the landscape and vulnerable to threats.

What are we to make of the proliferation of the IoT and how concerned should we be?

For answers, read the white paper by Balakrishnan Dasarathy, UMUC collegiate professor and program chair for information assurance, The Graduate School.

UMUC’s Mansur Hasib Gets Serious About Cyber Education

Mansur Hasib, program chair for Cybersecurity Technology, University of Maryland University College (UMUC) Graduate School, and a well-known thought leader in health care technology and cybersecurity, recently won the Cybersecurity Association of Maryland’s (CAMI) People’s Choice Award for lifetime achievement.

Before a sold-out crowd of 250 attendees at the American Visionary Art Museum in Baltimore on March 22, CAMI presented 13 awards to Maryland companies, organizations and individuals judged to have outstanding cybersecurity products, services or programs, or to have made a substantial contribution to Maryland’s cybersecurity industry.

Hasib, who holds a doctorate in cybersecurity and is a former chief information officer with 30 years of public and private sector experience in health care, biotechnology, education, and energy, has always maintained that cybersecurity has three core elements — people, policy and technology. People make the decisions on what technology to use and how to support it. People determine the strategy, they configure the technology, and they use it. Leadership is critical because we need to engage people toward a business purpose and a mission.

Hasib recently spoke to HealthManagement.org and shared his thoughts on cybersecurity governance and offered his insights into how critical cybersecurity education is to Health Information Technology students.

Read the full interview.

Bridging the Gap for Women in Cybersecurity: Five Questions for Loyce Pailen, Director of the University of Maryland University College Center for Security Studies

Women hold 56 percent of all professional jobs in the U.S. workforce, but only 25 percent of IT jobs, according to the National Center for Women and Information Technology. And among women in IT, only 11 percent work in information security, reports the Women’s Society of Cyberjutsu (WSC).

Earlier this month, on March 8, we celebrated International Women’s Day, so there is no better time to explore why this deficit exists and, perhaps, offer some solutions to help expand the pipeline of women in the cybersecurity field.

UMUC’s Cyber Connections caught up with Dr. Loyce Pailen, director of the Center for Security Studies and a cybersecurity pioneer with more than 35 years of wide-ranging experience in software development, project management, telecommunications, risk management, and network and systems security and administration. She shares her thoughts on the future of women in cybersecurity.

CC: For starters, what keeps you up at night in the cybersecurity space? What should we be focusing on?

LP: During the 2016 presidential election, there was considerable discussion regarding cybersecurity issues that related to email servers, election hacking and nation-state cyber intrusions. As a cyber-professional, I was concerned that the media and politicians tossed around cybersecurity-related stories, terminologies and notions to a general populace that did not understand cybersecurity concepts well enough to make sense of what they were hearing and make intelligent decisions.

Nonetheless, this dilemma was a call-to-action for my second issue of concern, the dearth of skilled individuals to fill current and future cybersecurity workforce needs. Experts say that more than 300,000 jobs exist today—jobs that are vacant because, nationwide, we do not have people with the cybersecurity skills to fill them.

For the future, that number of openings will increase exponentially. For example, results of the eighth Global Information Security Workforce Study (GISWS) indicated that the projected workforce shortage would reach 1.8 million professionals by 2022 (ISC2). And forget about minimum wage jobs. Even at entry level, these are high-paying cybersecurity positions in the public and private sectors.

My concern is that we are not raising our children with the cybersecurity awareness and education required for the digital age in which we live. My call to action was to author a series of fun, illustrated children’s books on cybersecurity so that youngsters—and those who like to read to them—can grow familiar with cyber terms, technologies and careers. Just think where we would be today with cybersecurity workforce needs if Harry Potter were a cybersecurity person!

CC: Tell us a little bit about your career path, as a woman in the field, and the hurdles you’ve overcome?

LP: I’ve been out of the public and private sector for several years now, so some of the hurdles that I experienced in my career path to information technology and cybersecurity have faded. Only recently, I did reflect on the obstacles as I watched the movie “Hidden Figures” about African-American women at NASA entering the field of data processing.

It recalled the days of punched cards, Fortran programming, large mainframes, and the discrimination in the male-dominated field of information technology, and once again it became familiar. But the issues were never insurmountable. Dwelling on those problems tends to stifle one’s growth and productivity.

CC: What do you think can, and should, be done to expand the cybersecurity pipeline for women and minorities?

LP: My entire career, both in information technology and in software development for a large media company’s circulation systems, has been male-dominated. My current concern after more than 30 years in the cybersecurity industry, it’s disheartening to see, is that the field’s male domination is still the same, and many of the issues that existed early on still occur.

The gender and racial imbalance was evident to me in workshop sessions I attended at a recent 2017 Black Women in Computing (BWIC) Conference at Howard University, where continuing racial concerns in the technology and cybersecurity fields dominated the conversations of up-and-coming female computer scientists.

I recently witnessed an amusing incident at the 2017 RSA Conference in San Francisco that underscored the male domination of cybersecurity. Possibly the largest conference in the cybersecurity arena with 40,000 attendees, the male domination was so overwhelming that the lines to the men’s restroom stretched down long hallways and, for once, women experienced no lines at all. I found this a refreshing turnaround from the traditional.

In its own way, the lines illustrated the male domination of the cyber field. More realistically though, I believe a quick analysis of each conference-speaker’s gender would also accentuate the imbalance.

CC: So, why do you think we are still at this juncture?

LP: Unfortunately, outside of the fact that we have not done well educating our youth, I am not sure why, because it seems that when society wants to instill something in children’s minds and produce positive habits, we find a way.

Likewise, in the 1980s my daughter was influenced by the major campaigns directed at schoolchildren to “never smoke” or to “stop smoking.” She became part of a generation that never adopted the cigarette habit and that convinced their parents to stop smoking. I was a target of her campaign and it worked.

Connected with this behavior modification concept, the “CSI Effect” from the popular television show “CSI: Crime Scene Investigation” proved to have a profound impact on careers related to forensic science. So, why can’t we lobby for and create TV shows and campaigns that would be just as effective to support existing STEM, WIT, WIC, BWIC and other such efforts?

Rather than merely being consumers of tech products, we need to instill interest in their underlying technologies. And we need to fire-up the interest in cybersecurity for girls and other minorities.

CC: What advice and encouragement would you offer women entering the cybersecurity field?

LP: My advice for anyone entering the cybersecurity field is simply to embrace the multi-disciplinary and global nature of the careers in this arena. Of course, there is a need for highly technical workers who understand concepts like secure software development, secure systems, networking and cloud computing, access control, incident handling and cyber defense.

However, cybersecurity is part of everyone’s job nowadays. Individuals in the fields of human resources, accounting and finance, law, health care, marketing, management and the like all have an obligation to understand the impact of cybersecurity on their careers.

For those girls and women inclined toward technology, do not let any imaginary barrier stop you from entering the field. For those women in non-technical fields, embrace cybersecurity and make your positions more valuable to your organization or agency. I encourage them to seek education, training and certification opportunities to “bolt-on” cybersecurity knowledge and learning that will enhance their current careers.

Public Policy Forum Hosted by UMUC Focuses on Personal Data and State Infrastructure

The University of Maryland University College (UMUC) recently hosted the Maryland Cybersecurity Council’s public policy forum on cybersecurity, which featured questions and answers from public and private sector experts on personal data collection and privacy protection, and infrastructure protection and incident response.

The Dec. 6 event, organized by the Maryland Cybersecurity Council, featured opening remarks from Maryland Attorney General Brian Frosh and UMUC President Javier Miyares, followed by panel discussions with Allison Lefrak, senior attorney, Privacy and IP Protection, Federal Trade Commission (FTC); Claire Gartland, director, Consumer Privacy Project, Electronic Privacy Center; and Phyllis Schneck, chief cybersecurity official for the Department of Homeland Security (DHS). Maryland State Senator Susan Lee and Michael Greenberger, professor and director, Center for Health and Homeland Security, Carey School of Law, University of Maryland, Baltimore, moderated the panels.

What follows are some session highlights.

Reining in the “Three Vs”

High points of the panel discussion on personal data issues with Lee, Lefrak and Gartland focused on the collection and digitization of data, a top-of-mind concern to many citizens because the amount of data collected has increased due to the proliferation of pervasive communications networks.

The growth of big data, according to Lefrak, results from the “three Vs”—the volume of data that can now be collected; the velocity at which companies can collect, analyze, and harness the power of data; and the wide variety of data that companies can access and analyze.

For its part, the FTC focuses on a three-pronged approach to data protection. Enforcement is key. The agency sends a strong message to companies about the need to protect consumers. The FTC also addresses consumer privacy from a legislative standpoint through its policies. Finally, the agency educates the public to make sure that both businesses and consumers are apprised of the laws around data collection and protection.

Can federal and state governments ensure appropriate privacy protection? For starters, according to the panelists, privacy laws and courts need to reflect modern technologies. For example, video protection laws commonly use the phrase, “videotape service provider,” which is an antiquated term in today’s digital world.

The bottom line, from the FTC’s perspective, is that privacy protections are critical to maintain consumer trust. With the transition to a new administration, the state of balance among data collection, consumer privacy and consumer benefit remains to be seen.

Mitigating Large-Scale Cyber Attacks

In the panel discussion on infrastructure protection, Greenberger and Schneck discussed federal and state efforts to secure critical infrastructure and respond to incidents.

How do we bring cybersecurity together with infrastructure protection? Schneck discussed how federal sector-specific agencies work with owners and operators in each sector to develop plans to enhance their security and resiliency.

In light of federal efforts to secure the infrastructure and respond to significant incidents, what should states be doing and how can the federal government and states work in tandem?

“For the federal government, one challenge is that states constitutionally have a lot of power,” Schneck said. “The federal government has to be sensitive to this authority.”

The threat of our adversaries, whether it’s Russia, China, North Korea or Iran, is alive and well. “They are executing with an agility we have yet to enjoy,” Schneck said.

He added, “We can mitigate future attacks through data collection. If we don’t have enough data, then the cyber adversary wins because we lack the situational awareness.

“We can combat cyber attacks by arming our networks, by understanding that when a threat or computer instruction comes in, we know not to run it. It’s as simple as that.”

Cybersecurity Roadtrippers Stop in at UMUC During Their Cross Country Journey

Fellow Roadtripper and current UMUC graduate student Antwan King meets his “cyber” superhero as the group made its way to the Washington, DC area before heading west.

On Friday, December 2, the three participants in Roadtrip Nation’s “Cybersecurity” trip, which kicked off on November 27 in New York City, made their way down to the Washington, D.C. region. During their stop in the D.C. area, a visit that included interviews with cyber leaders and a tour of the National Cryptologic Museum, roadtrippers Mansi Thakar, Emily Cox and UMUC’s own Antwan King rolled into the UMUC Academic Center at Largo to share with family members, supporters, and UMUC faculty and staff their first impressions of the trip, their career aspirations, some life lessons, and what it’s like traveling together in an RV with the cameras rolling. (Roadtrip Nation will produce a documentary about the cross-country journey that will air on public television in spring 2017.)

UMUC’s Antwan King kicks off his “cyber” journey.

For UMUC’s King, the visit to DC was especially meaningful because he was able to meet his “cyber superhero,” Michael Echols, CEO of the International Association of Certified ISAOs and former director of the Cyber Joint Programs Management Office at the Department of Homeland Security.

When asked about what this opportunity meant to him, King said, “You wake up every day, you try so hard, and sometimes people tell you ‘no,’ but now I get to talk to the people who can help me define a path and discover what works.”

For the three participants, the trip thus far has been chock full of many unique experiences. However, they all agree that driving the RV stands out as one of the most thrilling. Said Cox, “I’ve never been to any of the cities on the trip, and I’ve never even been in an RV. Now I get to drive it across the country!”

Learn more about Roadtrip Nation at roadtripnation.com and roadtripnation.org. To stay up to date on the journey, follow @RoadtripNation, @UMUC, and #CybersecurityRoadtrip on Twitter.

Roadtrip Nation and UMUC Kick Off Cross Country Cybersecurity Adventure

UMUC teams up with Roadtrip Nation to shine a light on this century’s most exciting and challenging career field – cybersecurity.

Jobs in the cybersecurity sector have increased by 73 percent over the past five years, making it one of the hottest career fields for America’s students and young adults. Recent headlines about cyber warfare, cyber crime, and cyber espionage demonstrate the need for qualified professionals with the skills to succeed in cybersecurity—a field that is growing 12 times faster than the average American industry.

That’s why career exploration organization Roadtrip Nation and University of Maryland University College (UMUC) are teaming up to send three people interested in cybersecurity on a three-week road trip across the nation. The journey—termed the “Cybersecurity Roadtrip”—will be filmed and produced into a one-hour documentary, set to air on public television in 2017.

The Cybersecurity Roadtrip launched officially on November 27, 2016, in New York City. Next up is a celebratory kickoff event at UMUC and the National Cryptologic Museum in Maryland on December 2. Winding their way across the country with highlighted stops in New Orleans, Austin, and Los Angeles, the road-trippers will book and conduct a slate of in-depth interviews with leaders from different specializations within the cybersecurity field.

Candidates selected for the opportunity have unique backgrounds and challenges, but all possess a passion for cybersecurity. Mansi Thakar is pursuing a master’s degree in cybersecurity, Emily Cox recently discovered a love for the field after attending an immersive coding boot camp, and Antwan King is enrolled in a master’s program in digital forensics and cyber investigation. On the journey, they expect to find new mentors and explore the diversity of career paths available within the field.

You can learn more about Roadtrip Nation, known for its New York Times best-selling career guide, award-winning documentary television series, and acclaimed classroom curriculum at roadtripnation.com and roadtripnation.org. To stay up to date on the journey, follow @RoadtripNation, @UMUC, and #CybersecurityRoadtrip on Twitter.