Digital Defenders

Frederick Scholl, professor of cybersecurity, records a lecture in the QU Online studio

Digital security system

Frederick Scholl, program director for Quinnipiac’s new MS in cybersecurity, says cybersecurity is everyone’s responsibility, from consumers to chief information officers.

M

odern refrigerators have every imaginable convenience. You want a built-in camera to check out the milk situation while you’re at the grocery store? Done. How about a door panel to mirror your TV while you’re in the kitchen? Check. And who couldn’t use a voice-activated shopping list?

Today’s technology delivers a cold place to store your food and a home entertainment system, all in one slick, stainless steel package. Of course, this convenience — whether you’re accessing it through Bluetooth, Wi-Fi or both — requires a home network connection.

And that could be a problem. This connection increases the possibility for a “malicious actor,” more commonly known as a hacker, to compromise other devices on a home network and potentially access your family’s personal information.

“The bad guys are out there looking for information, and they know no bounds. Whether that information belongs to an individual or group of people, a company’s proprietary intellectual capital, or to sensitive or classified government data, they will do whatever they can to gain access to their targets,” says John Rian ’02, MBA ’04. Rian is a lead technologist/cybersecurity engineer at Booz Allen Hamilton, a Virginia-based management and information technology consulting firm.

The technical details are a bit more complex, however. “If a hacker can compromise your smart refrigerator, for example, he could then gain access to your home network, and in turn, other devices attached to your network — your PC, your tablet, your phone, etc.,” Rian says. “Once he does that, he has access to your most sensitive personal information — bank accounts, contacts, passwords, everything you do in the digital world.”

Security experts predict these cyber threats and breaches will only increase. In 2017, the FBI’s Internet Crime Complaint Center received more than 300,000 complaints with reported losses in excess of $1.4 billion.

Never before has the world been as vulnerable to cyber breaches as it is today. That’s the bad news. The good news is that cybersecurity is one of the fastest-growing and best-paying fields, according to ISACA, a cybersecurity peer organization with 140,000 members in 180 countries. 

Seizing the opportunity to educate those professionals and fill those jobs, Quinnipiac designed and launched a master of science in cybersecurity program this fall. The fully online curriculum is the School of Engineering’s first graduate degree. Program director Frederick Scholl, who has taught at Vanderbilt University and earned his bachelor’s degree and PhD from Cornell University, thinks cybersecurity is everyone’s responsibility, from consumers to chief information security officers.

Story Continues

An illustration of a masked burglar being imprisoned in a kitchen refrigerator

“If you’re sitting at home, usually you’ll lock your door. You may have a home security system. You may even have cameras and lights,” Scholl said. “But only a few people will be coming by your neighborhood — maybe 5, 10, 20, something like that. Well, there are 7 billion people out there who can knock on your electronic front door.

And it’s not just consumers at risk here, Scholl said. Businesses — from Fortune 500 companies to department stores — are susceptible to attacks. Over the past few years, Yahoo, Lord & Taylor, Home Depot, Target, JPMorgan Chase, T-Mobile and Equifax, among others, have made national headlines after their networks were compromised. A recent ISACA survey concluded that only 38 percent of IT professionals believe their organization is prepared for a sophisticated cyberattack.

“The bad guys will always readjust to whatever you’re doing from a defensive standpoint,” said Brian Kelly, Quinnipiac’s chief information security officer. “With all these consumer breaches, none of them has ever been the fault of the consumer. So the question now becomes: ‘How do we advocate, how do we insist that companies keep our data secure?’ All you did that made you a victim was shopping at Target or any of the other stores with data breaches.”

At the same time, hospitals around the world have fallen victim to ransomware, a blackmail scheme that shuts down vital systems with malicious software. Meanwhile, social media has become a digital destination for influencing elections and peddling fake news. And financial, transportation and energy networks have become targets of cyber breaches.

“These [network] threats are real. Malicious attackers are smart people. That’s their job,” said Karolyn Maloney ’08, a senior director of IT hygiene, identity & access management, and global security at Aetna in Hartford. “The nation states and governments that sponsor these people are making huge investments in them. The United States is also very skilled in cybersecurity and making huge investments of its own. It’s a constant battle.” Rian agreed with Maloney’s assessment.

“You now have more sophisticated, conniving attackers trying to compromise everything from companies down to individual people to open a door that will lead to important information,” Rian said. “Devices that have made our lives easier, like tablets and smartphones, have also made it easier for attackers — so much that I tell family members to think twice about where they leave their phone. After all, you wouldn’t go and leave your wallet on a table at a busy restaurant. Why would you leave your phone unattended?”

Big Business, Big Data

At Aetna, Maloney and Sofia Bayne ’84, a director of IT hygiene and privileged user management solutions — are critical members of an exhaustive cybersecurity department.

They are among those charged with protecting the sensitive information of Aetna’s customers and vendors. That’s a big job, a really big job considering that in 2017, Aetna served 22.2 million medical members, according to its annual report.

“Cyber threats are real and they happen every day. A clean IT environment is critical to what we do,” Bayne said. “If there are vulnerabilities, we need to track them and neutralize them. How do you manage your assets? That’s a really important question. Aetna doesn’t have one giant server with all of our assets. We have 20,000-plus servers. Strategy is all about risk mitigation.”

While it’s easy for consumers to focus on financial vulnerabilities, protecting medical records is also important, maybe even more so. Unlike credit cards and bank account numbers that can be replaced, your medical profile is like a fingerprint. It’s uniquely yours.

This is why hackers will pay $1,000 or more for your electronic medical records, according to a story published by Forbes in April 2017. You can’t put a freeze on your past.

“It used to be that all the attention was on the financial industry, but then hackers realized health care has all that data and more,” Maloney said, adding that hackers have grown more aggressive in attempting to access these digital records. She said Aetna’s response has been comprehensive and proactive. “We’ve selected the people, the technology and the processes to minimize and mitigate our exposure.”

Aside from accessing a person’s medical information, including birthdays and health histories, hackers also can manipulate prescriptions and billing claims once they compromise someone’s electronic files.

What’s more, as technology and medicine advance at blinding speed, even more health data is being collected and stored, from fitness trackers that count your steps to smartphone apps that measure your sleep patterns.

Maloney said next generation authentication adds another layer of security for web and mobile app users, including those customers who interact with Aetna.

“Next generation authentication works with behavioral authentication — how you walk, the Wi-Fi connections that you connect with, who you call,” Maloney said. “All of this information can be aggregated so that NGA can tell with very high confidence that this is me. Or, if the information is different from my profile, it can conclude that this is not me. It’s really a unique tool in our industry.”

The advances and the challenges of technology are constantly redrawing the cyber roadmap.

People are already wearing prosthetic devices that use microcomputers to improve joint functionality and mimic nerve signals. Likewise, there are pacemakers and other devices that transmit data to doctors with remote monitoring via smartphones and home networks.

“When you’re in IT, nothing really surprises you,” Bayne said. “We’re always reading and going to conferences. Robotics and [artificial intelligence] are going to play a huge role in our everyday lives in the future.”

Expert Advice

Expert advice

Cybersecurity isn’t just for large corporations with significant resources. The most effective and most important cybersecurity defense begins with personal accountability, both at home and at work, the experts say. Here are some strategies you can implement right away:

  • Never use the same password for multiple accounts
  • Change passwords often, include numbers, symbols
  • Always use anti-virus software and keep it updated
  • Don’t post vacation photos on social media while you’re still away
  • Don’t open emails that look unfamiliar, suspicious
  • Never conduct personal business on public Wi-Fi
  • Never leave a device, such as your smart phone, unattended in a public place

Sources: Frederick Scholl, Quinnipiac; Brian Kelly, Quinnipiac; Karolyn Maloney, Aetna; Sofia Bayne, Aetna; John Rian, Booz Allen Hamilton 

Story Continued

New Program, New Opportunities

When Quinnipiac officials decided to add an MS in cybersecurity, they sought input from alumni who were already working in the field. There were countless details to work out — the curriculum, the online delivery of classes, the ability for students to earn credentials while they worked on their degrees.

Maloney and Bayne were two of the alumni who provided direction. Others included Robert Potter ’91, chief revenue officer at Verodin, and Mark Santino ’91, a head of sales operations and strategic planning at Palo Alto Networks. Jonathan Blake, a professor of computer science and software engineering who served as interim program director before the program launched, also offered valuable insight. Kelly, the university’s chief information security officer, also helped to make corporate connections and pull together resources.

“Quinnipiac will need to keep pace with the industry, and that’s tough in cyber,” Bayne said. “For the program to be successful, you really have to look out two or three years and then ask yourself, ‘OK, what should we be offering?’ It’s very important to keep looking ahead.”

As part of that strategy, Scholl said he constantly leverages his relationships with cybersecurity experts, both in the public and private sectors, to stay involved with current and future trends in the industry. But like others in the field, Scholl said problem solving and tenacity also are vital skills for today’s cybersecurity professionals.

“To me, the most important factors in pursuing a cybersecurity career are curiosity and a desire to learn,” Maloney said. “It’s not so much about having the technical background at this point in time. If you’re committed to the work and have good critical thinking skills, it’s a great job with a very bright future.”

Twelve students are enrolled in the inaugural class of the MS in cybersecurity program. Their backgrounds are in business, finance, security and computer science.

This 36-credit program teaches IT infrastructure, networking technology, database security, cryptography and the advanced cyber operations management skills needed to assume a leadership position in the rapidly evolving field. The curriculum is closely aligned with the knowledge units established by the National Security Agency/Department of Homeland Security National Centers of Academic Excellence in Cyber Defense Education. The program is also open to non-degree-seeking students interested in taking individual course modules as stackable credentials to expand their current knowledge in operating systems, cryptography, networking, databases, security and computation theory. Scholl knows that cybercrime is a moving target with an accelerator pedal pressed to the floor. He is committed to building a robust program that will be constantly and purposefully evolving.

Professor Fred Scholl records a lecture on cybersecurity in the QU Online studio

Experienced professional

Cybersecurity program director Frederick Scholl was a consultant on Wall Street and worked as a security manager for Nissan America before coming to Quinnipiac. He holds 13 U.S. patents and graduated from Harvard's internet law program in 2001.

“We want our students to be lifetime learners of security, absolutely. We want to be a resource for them because the field is changing so quickly,” said Scholl, who holds 13 U.S. patents and graduated from Harvard’s internet law program in 2001.

Scholl comes to Quinnipiac after helping design and launch the College of Computing and Technology at Lipscomb University in Nashville. “It was very challenging, but it presented a lot of good opportunities,” he said. “We graduated about 130 students [in IT, security, data science and software engineering] over three years.”

Before Scholl was named the cybersecurity program director at Quinnipiac, he was a consultant on Wall Street and an entrepreneur. He also worked as a security manager for Nissan America. Earlier in his career, Scholl said he was the “geek in a white lab coat” conducting research and product development for 13 years.

It’s precisely this blend of higher education initiatives and business experience that gives Scholl the credentials to prepare cybersecurity students for the real world. And the virtual one.

“My vision and the vision of Quinnipiac is to make cybersecurity technology as accessible to as many people as we can,” Scholl said. “I’m really interested in the adult learner, people who may want to change roles. It’s going to create new opportunities. This program is not going to be a mass-produced product. It’s really focused on career transitions and jobs.” Rian is eager to see how the program evolves.

“There are always going to be bad guys trying to do bad things. I’m hopeful this new program will help more Quinnipiac alumni contribute to the greater good.”