Keynote speaker Elizabeth Petrie describes the evolution of hackers and other cybersecurity threats.

Combating cyber threats

Insiders visit UD to share insights at cybersecurity conference

TEXT SIZE

9:27 a.m., June 3, 2015--Today over 15 billion devices are connected to the Internet; in the next five years, that number will grow to 50 billion. With each new device presenting an opportunity to be infiltrated and compromised by hackers, it’s easy to understand why the importance of cybersecurity continues to skyrocket.

So explained keynote speaker Elizabeth Petrie, director of strategic intelligence analysis for Citigroup, who kicked off a one-day conference at the University of Delaware on cybersecurity issues impacting the global financial industry.

Campus Stories

From graduates, faculty

As it neared time for the processional to open the University of Delaware Commencement ceremonies, graduating students and faculty members shared their feelings about what the event means to them.

Doctoral hooding

It was a day of triumph, cheers and collective relief as more than 160 students from 21 nations participated in the University of Delaware's Doctoral Hooding Convocation held Friday morning on The Green.

The SWIFT Institute partnered with UD’s Cybersecurity Initiative (UDCSI), Alfred Lerner College of Business and Economics and College of Engineering to host the conference, which Petrie called a step toward better industry communication about cybersecurity.

Collaborative conferences like these are critical, she said, because attackers “could go after your major competitor today, but they’re simply going to pivot and come after you tomorrow if you have the same vulnerabilities.”

During her presentation Petrie set the stage for the conference’s discussions, describing the current landscape of cyber threats and the evolution of hackers over time, including nation-state actors, cyber criminals, cyber terrorists and hacktivists like Anonymous.

These groups have shifted from what Petrie calls “hacking for fun” to “hacking for profit,” to now “hacking for destruction.” 

As businesses continue to digitize their records, she continued, increasing amounts of data are also at risk. 

From recent high-profile hacks of corporations like Sony Pictures and Target to hacks of small businesses’ unencrypted records, Petrie explained that the costs of such attacks in the U.S. total over $113 billion, and could grow to $3 trillion in the next five years.

“What that means for some corporations is that if they are not appropriately postured in cybersecurity, they could potentially go out of business,” she said.

“But there is good news: There’s a lot that we can do about this,” she continued, walking the audience through an “anatomy of attack” and corresponding responses.

Tools available for businesses discussed both by Petrie and by other presenters throughout the day include data protection, vulnerability assessment, incident management and more. Petrie discussed businesses that hire hackers to find vulnerabilities in their systems, and others who run simulated hacks to practice their response.

She said that another promising tool lies in the growing field of big data, which allows professionals to utilize data to proactively examine the threat stream. 

She added that the financial services industry must be a leader because their services “are truly at the heart of all business that is being done,” making them a “highly valued target.” 

Petrie also emphasized the importance of securing not just a company’s computers, but the employees working behind the computers as well. Insider threats – both unintentional and malicious – make up a sizable percentage of the threats that companies face.

Conference panelists, including cybersecurity experts from a variety of businesses, governmental and academic institutions including the FBI, Deloitte, IBM, Barclays, AT&T and others, shared their opinions on similar issues.

The panel discussions were conducted under the Chatham House Rule, which is designed to encourage open discussion by allowing those in attendance to share information without commentary being specifically attributed to individuals.

“Cybersecurity is not a technology problem; it’s a people problem,” said one panelist of insider threats.

The panelist explained that employees “may become disgruntled, upset, annoyed at their employers, annoyed with life.”

“That may lead them down a road that they never intended when they first joined an organization,” the panelist continued.

Another panelist explained that companies are beginning to utilize big data to identify employees who could present a security risk. The panelist calls these at-risk employees “falling stars.”

“A falling star is someone who is no longer getting tasks or information being pulled from seniors, so their position is being diminished in some way,” the panelist said. Falling stars also are, he noted, “not as active in communication with their peers, and the flow down of information to subordinates cools off, while communication patterns outside of the organization begin to grow.”

This is one way, the panelist said, that companies can implement preexisting in-house data to improve cybersecurity.

Panelists also provided practical advice to conference attendees seeking to stay ahead of the curve in what participant Craig Young, chief technology officer at the SWIFT Institute called, “an arms race between hackers and financial institutions.” 

One panelist recommended the use of control frameworks, which allow IT auditors to assess various areas of company performance to determine strengths and weakness. Auditors can then recommend dozens of best practices to improve weak areas.

Another participant said that the most effective programs are those that bring an “organic art” to the problem, involving collaborations between IT professionals and employees with deep understanding of the company’s business, culture and networks.

In a session that focused on cybersecurity tools, the panelists agreed that one of the major obstacles facing the industry is the tools used to monitor and analyze the data don’t “speak a common language” and don’t work well together. 

Another noted that “security noise is the biggest problem we have,” explaining that a system can produce “hundreds of thousands of alerts per day,” of which only a few are important and worth notice.

All also agreed that cybersecurity tools could be made stronger by standardization of information across systems coupled with simple training and education. It was stated that phishing – an illegal attempt to gain sensitive information online, often for malicious purposes – accounts for 80 percent of cyberattacks and could be reduced dramatically just by making users aware of how to safely navigate the Internet.

Chairing the conference was Starnes Walker, founding director of the UDCSI and former chief technology officer for the U.S. Navy's U.S. Fleet Cyber Command, director of research at the U.S. Department of Homeland Security and technical/executive director at the Office of Naval Research.

“The University of Delaware has the advantage of being located in the corporate capital of America and halfway between the commercial capital of New York City and the military and intelligence capital of Washington, D.C.,” Walker said. 

“As such, UD’s Cybersecurity Initiative is uniquely positioned to be a bridge between our nation’s best experts from government, industry and academia.”

“Cybersecurity is not the next big industry; it is the industry,” Petrie said during her keynote speech. “We are all in it today, actively working together to figure out how to mitigate the threats that are coming at us each and every day.”

For a full list of panelists and discussion topics, click here.

Article by Deborah Blanchard and Sunny Rosen

Photos by Kathy F. Atkinson, Doug Baker and Wenbo Fan

News Media Contact

University of Delaware
Communications and Public Affairs
302-831-NEWS
publicaffairs@udel.edu

UDaily is produced by
Communications and Public Affairs

The Academy Building
105 East Main Street
University of Delaware
Newark, DE 19716 | USA
Phone: (302) 831-2792
email: publicaffairs@udel.edu
www.udel.edu/cpa