每日大瓜

Cybersecurity Program Hacks the Hacker’s Mind

Cybersecurity Co-Director David Schwed

By Dave DeFusco

While mastering technology is a prerequisite for being a cybersecurity professional, understanding the psychology of a cyber-criminal is indispensable for protecting against the theft of an organization’s assets.

“In order to be good at what we do,” said David Schwed, co-director with Lev Feldman of the cybersecurity master’s program at the Katz School of Science and Health, “we need to think like the bad guy.”

Ninety percent of hacking incidents, said Schwed, involve people who fall prey to scams. That’s why, he said, IT professionals install tools on computers and other electronic devices to scan links that might contain malware. “People are your weakest link when it comes to security,” he said. “We can’t stop people from doing it, so that’s what we’re trying to educate students about. If I’m trying to break into an organization, how am I going to do it? And then from there, we try to establish defenses for it.”

Hackers employ surprisingly low-tech methods at times to infiltrate an organization’s computer systems. Schwed said they’ll pose as couriers who are recognizable to an organization and then once inside they plant listening devices or keystroke loggers on the back of keyboards that vacuum up passwords. Or, hackers will drop USB sticks in an organization’s parking lot or other high-trafficked areas, and unsuspecting employees will retrieve them and insert them into their office computers, unleashing malicious code.

Schwed himself is a security professional who has spent a career searching for vulnerabilities, hoping to find weak links in computer systems before criminals can exploit them. He has 21 years of experience in information technology, information security and risk management, and he helped build the information technology infrastructure for Citigroup before joining the Katz School. He said the Katz cybersecurity program offers an elective course on Cybercrime, Cyberwar and Threat Actors, which examines the profiles of hackers, members of organized crime, and nation-states that conduct espionage. 

“We discuss what they’re after—money, information or intelligence, and who the potential targets are and how they’re going to execute their schemes,” he said. “We talk about how there’s intrinsic value to some types of data that are a target in financial services, health care and retail, among others.”

The Katz School program develops students’ technological and managerial expertise to plan, implement, upgrade, monitor and audit cybersecurity protocols and procedures, as well as mastery of state-of-the-art technologies and practices. Students gain cybersecurity know-how in systems architecture, operating systems, applications, endpoints, securing data, networking, cloud security and software development. They also analyze threat landscapes and security frameworks, as well as legal, compliance and audit frameworks; develop internal and external communication strategies to promote a cybersecurity culture; and prepare for industry certifications, including CISSP, CISM, CRISC and CEH.

“Students get hands-on experience with threat mitigation, detection and defense,” said Schwed of the 30-credit program. “And then when they graduate, they have access to jobs at the biggest companies in the heart of New York City, which is a global epicenter for cybersecurity.”

He said guest speakers from the cybersecurity industry are an important component of the program. He recently brought in a cybersecurity professional who rolled out a smart vacuum in class to demonstrate how simple it is to tamper with the machine’s brain. From a nearby computer, he uploaded software that swapped the unit’s Siri-like voice for his own, putting the vacuum under his command. Since those machines are already pre-programmed with a floor’s layout, they can yield important information. Too many cybersecurity professionals, he said, just throw technology at a problem.

“They ask, ‘Do we have a firewall? Do we have data loss prevention? Do we have network access control?’” he said, “without stepping back and asking what they’re trying to protect against internally and organizationally.”

A good cybersecurity professional would defend Planned Parenthood from hackers who are hostile to its mission rather than protect against the theft of its data. “Someone using a telecommunications interface, like PRI technology, could flood the phone lines of Planned Parenthood by setting up a computer to make multiple calls at once,” said Schwed. “Their lines would be busy all day, preventing people from making appointments, and the perpetrators wouldn’t have hacked anything. Our program is about doing this kind of risk-based analysis to determine what the bad guy is after and how they’re going to get it.”
