Bloomington Students Learn Importance of Combating Cyber Criminals

Marc Peterson, a senior analyst in information protection at Target Corp., and Jake Bernier, a senior information security specialist at U.S. Bank, covered three main topics during the event. They addressed how large breaches can happen, reviewed information on information security jobs focused on defending this type of crime and examined security from the attackers’ perspective.

Security breaches are increasingly becoming more of a problem

Security breaches have become a huge issue, especially in the past five years. You may recognize some of these breaches, including the cyber-attack on J.P. Morgan Chase that compromised information from 76 million households or Home Depot where cyber thieves stole up to 56 million card numbers.

Unfortunately, only reported breaches are known and companies may not be required to report breaches. Additionally, most companies do not know they’ve been breached, and sometimes they don’t find out until six months after it’s happened depending on the industry.

Many breaches often happen at the point-of-sale (POS) devices, which are dependent on the ever-popular nationwide credit card system.

“Current POS malware can easily steal credit card data,” Peterson said. “If you research it, you can buy the malware very inexpensively.”

This elevates the problems for credit card holders, merchants and issuers because they are all affected if credit card fraud were to occur. For example, the credit card holder will need a new card and to be reimbursed for any money that was taken. Cybercrime also poses a problem for the economy. McAfee Intel Security estimates the annual cost to the global economy from cybercrime is more than $400 billion. Some companies have been forced to shift their employment away from areas that create the most value, and could cost as many as 200,000 American jobs.

The Ponemon Institute Research Report of 2013 cited some alarming statistics on the average loss for organizations when a breach occurs. Some of the most poignant include:

• 28,765 (the average number of records lost)
• $5.4 million (the average cost of a breach for an organization)
• $395, 262 (the cost associated with detection and escalation)
• $565,020 (the cost associated with notification)
• $1.4 million (the cost of cleanup or response)
• $3.03 million (the loss of business due to a breach)

Computer vulnerability has become an increasing problem across the world. For example, there were about 100,000 pieces of malware created in 2011 and more than 7 million created in 2013, according to Peterson.

“Our tools that are created to spot it can’t keep up with the increase in malware,” he said.

How information security employees help

After the losses are determined, it is the information security employees’ jobs to determine vulnerability that existed in the organization to allow the breach to occur, the key things impacted and other secondary loss factors.

When addressing these situations the most important question will always be ‘the why’, Peterson said. He says the questions organizations fail to ask themselves include: ‘Why did the breach occur?’ ‘Why was this system or that one targeted?’ ‘Why didn’t we catch it earlier?’

“You need to constantly challenge yourself to get to the ‘why’,” Peterson said.

The good news is that the most proactive organizations are starting to face up to their computer vulnerabilities. Penetration testers are internal employees hired to simulate a hacker’s path and behaviors. To be successful at this position you need to think like a hacker. The idea behind “pen-testers” is that they are trained to identify a company’s digital vulnerabilities and recommend solutions before the real hackers even know a weakness exists.

This allows the organization to be ahead of the game, as the pen-tester will discover new findings that might have originally fell through the cracks, perform stress tests and detect and respond to possible threats. The most common tests pen-testers conduct include infrastructure and application testing; internal versus external testing; and manipulating input data.

Information security career & interviewing advice

Peterson and Bernier agree there are multiple transferrable skills from other jobs that allow you to be a great match for a career in information security.

“It doesn’t matter if you make keys, or own your own business, and then get into information security,” Peterson said. “There are always skills you learned in those jobs that will be applicable to information security.”

Before taking the leap into information security, both Peterson and Bernier agreed education and certifications were among two things that are necessary to have. While earning a degree or certification, it’s important to test yourself. They recommend tinkering with programs in your free time to understand the architecture being used. They also suggest attending presentations and conferences that feature industry leaders as they often provide inside tips for free.

“A lot of [information security] jobs will ask for experience, so you have to go outside the classroom to learn,” Bernier said. “Make sure to network with real people. Employers are looking for a great attitude and someone with passion and curiosity.”

Once you’ve nailed down the degree, there are things to keep in mind when you begin your job search in the field. Pay close attention to the descriptions of the positions, as they may have a variety of titles including “security engineer,” “security consultant” or “security research penetration tester.”

The good news is companies are in dire need of more of these employees. The market for “information security analysts” is projected to grow 37 percent through 2022, according to the Bureau of Labor Statistics.

“The best advice I have is to make sure to get good at something, set goals to learn and become passionate,” Peterson said. “Don’t ever stop learning.”

The biggest takeaway

As the world relies more heavily on “big data”—the term coined to describe the exponential growth and availability of both structured and unstructured data—the opportunities for malicious hackers increase. This trend is also leading to a greater need for technology professionals who are skilled in information security and protection.

“It was really good to see the different areas of the profession, and to hear the different avenues it took the speakers to get where they are in their careers,” said Jessica Oftelie, a current Rasmussen College cyber security student.