The Talent Shortage Epidemic in Cybersecurity

by Terry Vahey
The cybersecurity shortfall in the workforce remains a critical vulnerability for companies and nations, according to Intel Security.  In a report called Hacking The Skills Shortage, 82 percent of IT professionals confirm a shortfall in the cybersecurity workforce in companies and nations.

The FBI has predicted that cybercrime will be a massive crime wave and a national security problem unlike anything the world has ever seen.  Today, the IT security skills shortage is occurring right as the volume of sophistication of cyber attacks continues to rise.  This battle means that companies might be in danger of losing simply because they lack the manpower to deal with it.

There are several reasons for this problem.  One is the changing nature of cyber attacks.  The sophistication of the technology and tactics used by online criminals have outstripped the ability of IT and security professionals to address threats.  Another phenomenon is the expanding attack surface.  More things are connecting to the internet than people.  Last year, there were 5 billion cell phones, 2 billion broadband connections and 1 billion people who are on Facebook and Twitter.  By 2020, there will be 50 billion devices connected to the network.

The skills gap is so large it can’t be closed in a year or two.  Some experts estimate we are already 1 million security professionals short just this year.  In the U.S. alone, 209,000 cybersecurity jobs went unfilled in 2015.  By 2020, we expect the global cybersecurity talent shortage to reach 2 million.  It requires a multi-year effort, innovative approaches, and collaborative efforts across industry and academia.  Higher education plays a critical role in solving this difficult challenge.

CyberGirlz Silicon Valley
Only 10% of information security professionals are women, and that needs to change. Offered by SJSU’s Jay Pinson STEM Education program, in collaboration with Facebook and local schools and afterschool programs, CyberGirlz Silicon Valley is a project that encourages girls in grades five through eight to participate in cybersecurity and computer programming activities during their afterschool programs. The project culminates with the CyberGirlz Silicon Valley Summit  – an exciting event held at SJSU where girls from local schools showcase their Cyber skills, engage in panel discussions with STEM professionals from local industry such as Facebook, Anomali, and Cisco, and test their cybersecurity, hacking, and team work skills in a Capture the Flag competition.

Virginia Lehmkuhl-Dakhwe PhD is director of the Jay Pinson STEM Education Program in the College of Science and leads the CyberGirlz program.  According to Lehmkuhl-Dakhwe, “We listen to the girls and adapt our methods based on what we’re hearing.  The girls come prepared as contributors, not attendees.”

Collaboration, ongoing funding, and partnership are key to the success of programs like CyberGirlz.  In addition to funding the program, partners like Facebook put skin in the game and provide bus transportation, chaperones and hands-on assistance with applications.  But sustaining a program for the long-term requires that cybersecurity becomes core in the educational curriculum in schools, afterschool programs, and at SJSU.  “We need more advocates and champions and a career path now for people who pioneer innovation in cybersecurity education,” said Lehmkuhl-Dakhwe.

The Silicon Valley Center for Big Data and Cybersecurity
Part of the College of International and Extended Studies, the Silicon Valley Center for Big Data and Cybersecurity was established in 2014 to provide interdisciplinary training to our students in the emerging fields of big data and cybersecurity, and to provide exciting and sustainable career paths into these fields to students with a wide variety of skill sets and interests.  According to Dean Michael Parrish of the College of Science, “SJSU has received a clear message from many of our corporate and government partners that the biggest unmet need in the coming decades will be in the areas of cybersecurity and big data science.”

Currently, a number of certificate and degree programs at SJSU are in various stages of development, most notably in Software Engineering, Computer Science, Computer Engineering, Management Information Systems, and the School of Information.

The global search for a skilled cybersecurity workforce requires unique strategies as organizations face shortages, and encounter stumbling blocks ranging from performance issues to the political climate.  Innovation and collaboration will be key to creating a new generation of cybersecurity professionals.

Cybersecurity Safeguards: How to Keep Your Identity and Your Information Safe Online

by Terry Vahey, Associate Vice President for IT Services, Chief Information Officer

While data breaches are a hot topic these days, most articles and statistics focus on “infiltration” – getting into a company’s network.  You may have heard about Target, Home Depot and other breaches in the past year.  There is very little information on how data is taken out – exfiltration. Just under 60% of data breaches are initiated by external actors – primarily hackers and malware authors. 40% of breaches are initiated by internal actors or are attributed to 3rd party suppliers and vendors.  Nearly half of those initiated by employees are reported to be intentional.

Common programs used to steal your information or identity – MS Office (Word, Excel, PowerPoint), CSV, and PDF – the formats we use most at San Jose State, are the most common data exfiltration formats. Information and identity stolen could also come from general web surfing to malicious websites, social media, and phishing. About 40% of all data breach incidents involve the use of physical media, with laptops/tablets and USB flash drives being the most prevalent. A technology that offers the convenience of accessing photos from any device anywhere in the world, Apple’s iCloud can also be used by malicious third parties to expose your most private moments.

How does it happen?  There are several ways.  Attackers use a mix of legitimate and malicious tools and techniques to extract specific data from the target’s perimeter.  “Back doors,” intentional or otherwise are mechanisms attackers can use to circumvent security controls. File transfer protocol (FTP) is a standard (insecure) network protocol used to transfer files and can be used to exfiltrate data. Attackers open their own browsers and can directly access information. Cybercriminals use this to easily gather these files for transferring data to which they don’t have legitimate access rights.

What can we do to protect ourselves?  There is no way to completely win the war on cybersecurity.  The bad guys and people with bad intentions are creative and will constantly find new ways to attack.  They generally have more time on their hands to poke at vulnerabilities most people don’t think about.  Sometimes the bad guys have full-time jobs trying to break into other systems.  Vigilance and precautionary steps are key to keeping you, your identity, and your information safe online:

  • Set strong passwords with numbers, letters, mixed case, more than 8 characters and one that doesn’t contain words found in a dictionary, and don’t share them with anyone. http://its.sjsu.edu/docs/security/SJSU_%20Password_Standard.pdf
  • Don’t use the same password for all web sites. Make your bank password different from your work password, your email password different from your credit cards.  Be creative!
  • Use a password safe to keep your passwords secure so you don’t have to write them down. Here is a review of some of the best password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp
  • Keep your operating system, browser, and other critical software optimized by installing updates regularly. You can do this in the settings so this is initially automatic for you…but you still have the ability to confirm when it’s started so it doesn’t disrupt what you’re doing.
  • Install anti-virus software: https://anivirus.sjsu.edu  Along with computers, smart phones, gaming systems, and other web‐enabled devices also need protection from viruses and malware.
  • Maintain an open dialogue with your family, friends, and community about internet safety.
  • Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.
  • Limit the amount of personal information you share online, and use privacy settings to avoid sharing information
  • When banking and shopping, check to be sure the site has security enabled. Look for the lock icon in your address bar. Look for web addresses with “https://” or “http://”, which means the site takes extra measures to help secure your information. “Http://” is not secure!
  • Be cautious about what you receive or read online—if it sounds too good to be true, then it probably is. If you are not expecting an attachment or a link from someone, don’t open it, don’t click on it!  Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
  • Report stolen finances or identities and other cybercrime to Internet Crime Complaint Center and/or the Federal Trade Commission.
  • Take a few minutes to take the phishing training and awareness quiz: https://phishingquiz.mcafee.com/
  • Visithttp://cyberaware.securingthehuman.org/ to access dozens of tools, videos and articles all related to security awareness and National Cyber Security Awareness Month.  Five of the most popular resources include:
  1. Securing Your Kids Handout –
    https://cyberaware.securingthehuman.org/securing-your-kids/
  2. Top 3 Takeaways from 2015 Security Awareness Report –
    https://cyberaware.securingthehuman.org/2015-security-awareness-report-takeaways/
  3. Phishing Planning Kit –
    https://cyberaware.securingthehuman.org/phishing-planning-kit/
  4. How to Use Mobile Apps Securely –
    https://cyberaware.securingthehuman.org/use-mobile-apps-securely/
  5. How to Use Social Media Securely –
    https://cyberaware.securingthehuman.org/use-social-media-securely/

Getting locked out of your SJSUOne Account?

Screenshot of new campus login pageDid you know that one of the most common issues on campus can be solved with just a few steps?

Today the world is more connected than ever before. The average student carries on campus at least one smartphone, laptop, or tablet, which connects to Wi-Fi—some carry 2 or 3! We check our email with them, access our SJSU Calendar, and of course, access the lightning-fast SJSU_Premier Wi-Fi!

But what happens when you change your SJSUOne password? That cell phone trying to join Wi-Fi, that laptop trying to check your SJSU email on Mac Mail—they all hang on to your old password. A tablet trying to connect to SJSU_Premier with an old password can lock your account faster than you can blink! So what can you do?

Next time you change your SJSUOne Password, a few steps can help save you a lot of headaches:

  1. Put your phone in airplane mode. Turn off Wi-Fi on your laptop. Tell your devices to “Forget this Network” for SJSU_Premier. Instructions for mobile devices are available at Wi-Fi Guides, Tips & FAQ.
  2. Make sure your devices are not trying to check email or calendar. This means closing Outlook, Mac Mail, and Thunderbird on your laptop and desktop computers. Pull out the network cord, turn off Wi-Fi—do whatever you have to do to make your email and calendar stop working.
  3. Go change your password at SJSUOne.
  4. One at a time, bring your devices back online. Join SJSU_Premier with your new password. Open up mail and enter your new password. Open up calendar and enter your new password. Make sure all applications on all your devices know your new password.

Remember, if you (or one of your devices) enters the wrong password 5 or more times in a row, your account will be locked for 30 minutes. So next time you change your password, be sure to take a few precautions to ensure you don’t miss your next quiz on Canvas, or be late registering for classes!

If you need additional assistance, please see SJSUOne Password Help and SJSUOne ID and Password Frequently Asked Questions.

Stay Safe on Your Mobile Devices

More than 1 billion personal records were stolen last year. Malware increased 60% in 2014. 30% of all cyber attacks are now targeted—hackers coming at specific people with sophisticated ways to gain access to what matters most. There are over 400 new threats emerging every single minute.

Almost all students are using mobile devices to do much more than make phone calls. We bank, shop, access work and personal email, and connect with friends and family through social media. While continued access to the Internet provides us with the flexibility and convenience to stay connected no matter where we are, it can also make us more susceptible to cyber crime.

October is National Cyber Security Awareness Month (NCSAM) and San Jose State University is joining with the Department of Homeland Security and its partners across the country to share these simple tips to stay safe online when connecting to the Internet from a mobile device:

  • Think Before You Connect. Before you connect to any public Wi-Fi hotspot—on an airplane or in an airport, hotel, train/bus station, or café—be sure to confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate. Using your mobile network connection is generally more secure than using a public Wi-Fi network.
  • Guard Your Mobile Device. Never leave your mobile devices, including any USB or external storage devices, unattended in a public place. If you plan on leaving any devices outside of your home, like a hotel room, be sure those items are properly secured.
  • Keep It Locked. The United States Computer Emergency Readiness Team (US-CERT) recommends locking your device when you are not using it. Even if you only step away for a few minutes, that is enough time for someone to steal or destroy your information. Use strong PINs and passwords to prevent others from accessing your device.
  • Update Your Mobile Software. Treat your mobile device like your home or work computer. Keep your operating system, software, and apps updated. This will improve your device’s ability to defend against malware.
  • Only Connect to the Internet if Needed. Disconnect your device from the Internet when you aren’t using it and make sure your device isn’t programmed to automatically connect to nearby Wi-Fi networks. The likelihood that attackers will target you becomes much higher if your device is always connected.
  • Know Your Apps. Be sure to thoroughly review the details and specifications of an application before you download it. Be aware that the app may request that you share personal information and permissions. Delete any apps that you are not using to increase your security.

Maintaining a cyberspace that is safer and more resilient requires a united effort. Join San Jose State University in making the Internet safer for everyone.

For more information on NCSAM 2015, visit www.dhs.gov/national-cyber-security-awareness-month.

To receive cyber security tips year round, visit www.dhs.gov/stopthinkconnect or http://its.sjsu.edu/services/info-security/tips/index.html and become a Friend of the Campaign. To help you start an online safety dialogue, the

Stop.Think.Connect. online toolkit is filled with tips, facts, and shareable resources: www.dhs.gov/stopthinkconnect-toolkit.