Author: Will Schuett

Get Smart! Mitigating Risks in Connected Devices


Smart/IoT devices may be the panacea for consumer convenience. Do you want to know and change the temperature of your house or even your fridge remotely? There’s an app for that. Such devices also raise extreme privacy concerns about the data collected about you. Devices can track or discern details about your life based on usage and interaction. And that data could potentially be aggregated with data coming from other smart devices, painting a fairly robust and accurate profile of you and your life. My fitness-tracking device serves as my wake-up alarm. Not only does it track the time that I set for the alarm, it also tracks my interaction when I shut it off. Maybe your coffee maker tracks when you start the brew (mine doesn’t because I’m Coffee Old School). My car tracks what time I start it, how far I drive it, and the GPS location where I park it. These data points are provided to me as the consumer but are also presumably stored by the device provider. It’s only 9:00 a.m. and my smart world already has collected or observed several key privacy factoids about me. And where data exist, risk of data exposure also exists.

Devices geared toward consumers will continue to push convenience over privacy, and consumers will continue to call for greater connectivity and convenience. That means more connected devices and ongoing evolution for more information, interaction, integration, and automation. It’s no longer a question of whether your home devices should be connected. Instead, we need to proactively assess the risks of such connectivity. When those risks are greater than our threshold risk tolerance, we need to take steps to minimize those risks.

Take the following steps to protect yourself when you start using a new device:

  • When you bring home a new consumer device, check to see if it’s transmitting. Ask whether you need that device to be connected. What are the advantages of having your fridge broadcast the whereabouts of your cheese? Is the potential to activate remote maintenance with the device provider important to you? Do you want to interact with that device remotely? Then by all means, keep that connection. If you don’t need the maintenance options or to monitor or interact with the device remotely, turn off the device’s connectivity.
  • Periodically scan your networks to make sure you know and manage what’s online. If you want devices to be connected, be proactive. Find out how they connect; how devices are patched; what the default security settings are; and what data are collected and how/when/where the data are transmitted. Protect your home wireless network(s) with strong password management, active maintenance practices, and vigilance.
  • Use the same cybersecurity hygiene on your smart devices that you use on your computer. While it may be revolutionary that your car is now essentially a computer on wheels, it’s still just a computer. You don’t have to become a cybersecurity expert, but you may want to find a few trusted sources of security advice for consumers.

It’s time to get smart about your devices, manage them appropriately, and reap the rewards of their convenience.



Stay Secure while Cyber Shopping


Black Friday and Cyber Monday are the biggest shopping days of the year. When you’re looking for the best deals online, keep these cybersecurity tips in mind:

  • Stay secure—Look for the lock in your browser’s address bar or https:// in the website address
  • Don’t give away unnecessary personal information
  • Avoid mobile purchases from unknown sites—Stick with a site or app you regularly use
  • Read reviews about the seller—Scams are often exposed by their victims almost as fast as the scammers create them
  • Use a different password on every shopping site—If an online retailer is hacked, your login information for other sites will stay secure
  • Avoid clicking on links in unsolicited emails and be wary of email attachments

How Can Higher Ed Better Prepare Cybersecurity Students for a Hot Job Market?

Behind every new report of a data breach, data leak, or computer hack is a company scrambling to put out the fire, which is great news for job seekers or soon-to-graduate students with cybersecurity skills. Unfortunately, this is bad news for most companies because there is currently an imbalance between the supply and demand of skilled professionals to address these vulnerabilities.


The 2018 (ISC)² Cybersecurity Workforce Study estimates a global shortage of cybersecurity professionals of around three million workers. This shortage of skilled job seekers is having a real-world impact on companies and the people responsible for cybersecurity at those companies. The study also points out that Gen X and Baby Boomer workers make up about half of the current cybersecurity workforce, leaving many entry-level opportunities for new college graduates and pathways for growth as these more experienced workers approach retirement age.

The need for trained cybersecurity professionals is not going to go away. The US Bureau of Labor Statistics projects a 28% growth in US employment for cybersecurity consultants between 2016 and 2026. How can we help our students go beyond the theoretical concepts taught in computer science or cybersecurity classes and make themselves more attractive to future employers? We need to take the lead in encouraging students to learn more about current issues in cybersecurity and to take advantage of the many cybersecurity resources available.

Here are some ways you can help your students and contribute to narrowing the cybersecurity skills gap:

  • Hold informational sessions on cybersecurity. Help spread the word on your campus about the cybersecurity skills gap and job opportunities. You could ask your CISO or information security team to conduct a cybersecurity seminar or invite local experts to share their knowledge and expertise with your students. The Enterprise Security Team at The Ohio State University has already implemented this idea, and they sponsor an annual and free on-campus Cybersecurity Days event to expand knowledge of security and data protection for their entire college community.
  • Sponsor or encourage membership in student associations. There are two student cybersecurity organizations for your students to explore—National Cybersecurity Student Association and Women in CyberSecurity (WiCyS). The National Cybersecurity Student Association has a number of resources on their website, and you can sign up for their newsletter or follow their Snapchat account to view a day in the life of a cyber student or industry professional. The WiCyS is dedicated to bringing together women in cybersecurity from academia, research, and industry to share knowledge, experience, networking, and mentoring. You can also explore setting up a local WiCyS student chapter on your campus.
  • Offer campus internships. In addition to knowledge of advanced cybersecurity concepts, the most important qualification for cybersecurity employment is relevant work experience. You can help your students by hiring them as interns in your institution’s information security department. This offers students real-world experience while providing supplemental staffing for your department. For suggested qualifications and responsibilities, use the Information Security Intern Job Description Template on the EDUCAUSE website as a starting point.
  • Identify scholarship opportunities. The CyberCorps: Scholarship for Services, funded by the NSF, provides up to $22,500 per year for undergraduates and $34,000 per year for graduate students. In return, students commit to work for a federal, state, or local agency for a period matching the length of their scholarship. The Cyber Security Degree website provides a comprehensive list of additional cybersecurity scholarships and other career resources.
  • Encourage students to deepen their knowledge. The NICCS Education and Training Catalog is a central location where cybersecurity professionals across the nation can find more than 3,000 cybersecurity-related courses. Anyone can use the interactive map and filters to search for courses offered in their local area to add to their skill set, increase their level of expertise, or earn a certification. You could also direct your students to take advantage of the free online courses offered through edX, the US Department of Homeland Security, Cybrary, or SANS Cyber Aces Online.
  • Attend cyber competitions. Institutions with an information assurance or computer security curriculum can give their students an additional way to hone their skills and have fun by participating in regional events hosted by the National Collegiate Cyber Defense Competition (NCCDC). The top regional teams can then go on to the National Championship, which was won by the University of Virginia in 2018. Another cybersecurity competition for high school and college students is the National Cyber League (NCL), a defensive and offensive puzzle-based, capture-the-flag style competition. All participants play the games simultaneously and are tested with real cybersecurity challenges they will likely face in the workforce.
  • Participate in cybersecurity conferences. Students may be interested in the educational and networking opportunities from attending the annual conferences for the National Cybersecurity Student Association or Women in CyberSecurity. For additional conferences in your area, InfoSec publishes a comprehensive list with hundreds of cybersecurity events in the United States, Europe, and Asia.

Campus Security Awareness Campaign 2019

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).