If you are addressing the blindspots in your online security, you cannot prevent the costly impact of lost or hacked data. Today’s guest is Ralph Russo. Ralph retired from the New York Police Department after over 20 years and served as the commanding officer of an organized crime control task force of local, state, and federal law enforcement. He is currently the Director of Tulane University’s School of Professional Advanced Information Technology where he has taught in both homeland security and information technology programs. Ralph holds a bachelor’s of Business Administration and a master’s degree in Information Technology. As an entrepreneur he has co-owned two startup technology firms.“It is so much harder to secure something when you have to retrofit it rather than designing it for security.” - Ralph Russo Click To Tweet
- [1:01] – Ralph shares his current role at Tulane University and shares his interest in information technology.
- [2:15] – As more people become dependent on online systems, the more valuable it becomes.
- [3:50] – As an educator, Ralph engages students in the growing field of cybersecurity.
- [4:42] – Ralph describes qualities of great cybersecurity students.
- [6:32] – Cybersecurity can be compared to traditional security.
- [8:48] – Using traditional security as an example, Ralph says that a single door just isn’t enough.
- [9:41] – “It is so much harder to secure something when you have to retrofit it rather than designing it for security.”
- [12:02] – In some ways it is harder to bring older companies that work more traditionally on board with updated cybersecurity.
- [13:12] – Ralph believes there is a misunderstanding that small and medium sized businesses may not believe they are a target.
- [14:22] – Sometimes the target is not money, it’s data.
- [15:53] – Now, there is cybersecurity insurance offered which Ralph believes is a good thing.
- [17:01] – In the near future, Ralph believes that if you do not have the most updated software, you will be denied access.
- [18:40] – At Tulane University, the program is designed to have graduates provide value to cybersecurity immediately.
- [20:44] – The separation of tech and cybersecurity from a company’s team is over.
- [22:35] – From a leader’s perspective, a data breach is also a loss of money.
- [23:31] – If you lose your company’s server, can you afford to be down for a week? Likely not.
- [25:08] – In the cloud does not always mean secure.
- [27:40] – Hacking is now being done by massive criminal organizations.
- [29:21] – Malware is coming from every direction.
- [32:27] – Responsible disclosure is extremely important.
- [34:05] – Your backup should not be in the same place as your primary location for stored data.
- [35:45] – Ralph shares his ideas on what cybersecurity governance will look like in the future.
- [37:33] – There are daily news stories of cyberattacks. Ralph shares an example.
- [39:33] – Phishing is still a huge problem, but awareness is being raised constantly to help.
- [41:06] – Cybercrime undermines a lot of the good that technology does. It reduces trust and introduces fear and confusion.
- [43:40] – Courses and resources are available no matter where you are.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Tulane University Information Technology Program
Ralph, thank you so much for coming on the Easy Prey Podcast today.
Thanks, Chris. It's great to be here.
Can you give me and the audience a little bit of background of who you are and what you do?
Sure. I'm Professor Ralph Russo. I work at Tulane University's School of Professional Advancement. I am the chair and program director for information technology programs at the university.
Awesome. You obviously deal with cybersecurity. I know that you had done work before coming to Tulane. What sparked your interest in cybersecurity?
I always had an interest in technology and programming computers, networking computers going all the way back to the '90s. As I married up my interest in homeland security and criminal justice with technology, I found myself looking at cybersecurity ever more deeply.
Awesome. While we've talked about information security, information technology has been around for decades. I think cybersecurity is not a thing that has been taught at universities until the recent past. When I was in college, I don't think even cybersecurity was even a phrase that people used. Now, you can't turn on the news for more than 15 minutes without someone talking about a data breach, compromise, or cybersecurity this or that.
It's really this field that has gained a lot in prominence recently. Also, having to figure out how to teach it, I imagine, has been quite interesting. Can we talk about the cybersecurity field and what's going on in the field?
Absolutely. I always think that cybersecurity—the old saying, “The appetite comes with the eating.” As more and more people became dependent upon systems, those systems became ever more important and ever more valuable. As soon as you have valuables, there are going to be some people looking to remove them from you.As soon as you have valuables, there are going to be some people looking to remove them from you. -Ralph Russo Click To Tweet
Cybersecurity has grown. I created and taught the first course in cybersecurity at Tulane University. I believe that was 2010. It's just grown and it's expected to continue to grow. For example, cyber attacks have grown over 50% just since 2020. They cost the world $6 trillion annually in 2021, according to Seesaw Magazine.
With that, the US Bureau of Labor Statistics predicts that jobs in cybersecurity will grow by 31% more by 2029, which is seven times greater than the US average growth rate for jobs. This is going to keep growing exponentially, it seems.
Also, as educators, it's our job to see what skills and talents need to be nurtured to have our students do things that will give them a rewarding career and enriching their lives. Cybersecurity is something people get excited about. We make sure we scratch that itch.
Yeah, definitely. I wonder, what is the mindset that makes for a good cybersecurity student?
You hate to generalize because there are always exceptions to the rule, very much like other forms of technology, people who are curious, people who like to follow leads to the natural end. The New York Times ran a great piece yesterday on DNA investigators.
People on their own time are going off and doing investigations that were traditionally left to police. Those types of people with that kind of interest that are willing to follow a trail to dig in deep, that curiosity is something that a lot of people who are really good at securing systems have and forensic and also forensic follow-up of systems that have been violated.
Kind of the people who like to pull out threads, “And what happens when I do this?”
That's exactly right. People who see a door and it's closed, they don't just see a door, they see, “What other way could I get in? How often is that door locked? Who locks it? How strong is the code?”
They look at the world from a position of curiosity about health. “What if things didn't go as planned? What if people didn't come in the door? What if they started coming in the window?” That kind of curiosity, that kind of mindset, I think, is great for the field.
I was talking with someone else previously about this. It's the concept of trying to get people to think way outside of the box. It's not even a box, it's a circle. It's not a box anymore. People who just kind of don't accept the status quo in the way that they think seem to be attracted to do well in the cybersecurity and information technology field.
I would agree. To me, when I teach a fundamentals-type course, sometimes the light bulb comes on when I relate cybersecurity to traditional security. You could spend a couple of hours talking about defense and depth or layered security. But when you tell them that's not a new concept. Look at the way kingdoms and castles were constructed. You don't just get over the first wall and the next thing you're in the king's lap. There are multiple ways to what you need to continue to breach before you get to the most important people, the most important information.
Sometimes you see the light bulb come on when you start relating these things to traditional security because everybody can relate to—for instance, you talk about the threat to a large company system from an integrated smaller company. For example, if the target was breached, they wrote it from an integrated system. You could get puzzled looks. I always say, “What is a $10,000 door with a $2 lock worth in terms of security? Two dollars.” Since the light bulb will come on there too when you start realizing it seems very nebulous, but it's really not.What is a $10,000 door with a $2 lock worth in terms of security? Two dollars. -Ralph Russo Click To Tweet
I've also heard the analogy and seen the picture of you. You've got this really nice, gigantic safe door with all this fancy lock on it. It's just a wall that's made out of sheetrock and two by fours. It's just, “Oh, just punch a hole in the wall.”
I've actually seen that. I won't say where, but in a fusion center, I've seen this amazing ram-proof steel door and the walls of the center were sheetrock over traditional two-by-fours. Actually, aluminum studs. Yeah, that would take about a second to break through that.
That's the kind of picture that we have to watch out for. You're so in the big picture of like, “Oh, we just need big doors,” that we start forgetting about the finer details of things.
Yeah, and understanding that a single door is never the answer. You may want a big door, but you're going to also want some other hurdles for people to get through.
How does that work in terms of making sure that you're either not so focused on the key card lock on the door versus what does the whole castle look like? I assume that there are different people that it's very easy for them to focus on. Well, we need multiple layers of defense, but they don't think about the specifics of it. Or they're so down into the weeds on the specifics that they lose the big picture.
Yeah. Again, to go back to it, I've always found that helps if you think of it in terms of trying to solve a physical security problem, retrofitting security rather than building for security. It's so much harder to secure something that you're trying to retrofit in real life.
When you buy a warehouse and it's got 100 windows in it and four doors, what do you do? Think through it and you got a safe in the middle, what do you do? Trying to educate people, using real use cases, and also providing labs, which we do both of those things in our courses that make the students experience how easy it is to get around something and then have free rein in a system versus having to defeat several blocks.
In your courses, do you teach both the red team and the blue team, or are you just thinking from one perspective or the other?
No, we try to change the perspective to look at it both ways—from pen-testing, to blocking, to creating a security posture that's viable. Just to change that a little, to turn the prism, we look at it with a lot of courses in three ways. One is technical and academic. That's understanding and going hands-on with technology.
We also want our students to understand these things from leadership and an ability to communicate to say, for example, to C-suite stakeholders or whatever. The third way of rather technical, and from a leadership perspective, is governance, and repeatable success. We try to frame everything we've got from those perspectives—all three because you're going to need all three.
That takes away that kind of myopic technical thing that happens, which you alluded to. It provides our students with the ability to step back. While they're technical, it provides them the ability to step back and create a repeatable process.
Do you see difficulties with the leadership and the governance aspect of it? I think maybe younger tech companies are more attuned to cybersecurity, but I think of companies that have just traditionally been, “Oh, we're pen and paper. We don't need cybersecurity.” Is it harder to bring some of those old business models into the current way of doing things?
I think we're getting better. But are we getting better fast enough? Are we doing enough? For example, I don't know if there are so many of those old, “Hey, I'm pen-and-paper-type things around. They're around, for sure.
I try to look at things on a continuum of maturity from the pen and paper, to nobody will ever hack my system, to why they want me, all the way down to processes, governance, systems, and security that is absolutely the most mature and informed by best practice. There's a long continuum there.
What businesses should be doing is making their way down that continuum as time goes by to get stronger and better at cybersecurity. I think there's a lag there. I think there's still a misunderstanding that even if you're a small business or a midsize business, you may be a target and you should consider yourself a target.
You may be a target, but you should say, “I am a target.” Because for no other reason than you may be a stepping stone in an advanced persistent attack. You may be a stepping stone to somebody else. That's it. Along the way, you can suffer damage and brand damage, and so on, and so forth.
I suppose just thinking of it from the perspective, if money's flowing through your business bank account, there is something that people want from you.
That's right. There are all kinds of things that are being missed. Sometimes it's the money they want, sometimes it's the data. Somebody says, “You know what? My data is encrypted […] and they're not going to take it.” If they can encrypt it, then you're going to pay for it.
While you're paying them in Bitcoin or cryptocurrency, while they're doing that, they may keep a copy of your database. Why? Because in five years, the technology may be such 10 years quantum computing that they'll burn through that encryption in seconds. They'll just hold onto it until they can decrypt it in seconds. If you've got data, if you've got money, or if you're a stepping stone to someone else, you're a target.
Yeah. There are just people who are opportunistic. You might not be a specific target, but they're just going after anybody and everybody they can get into the systems.If you've got data, if you've got money, or if you're a stepping stone to someone else, you're a target. -Ralph Russo Click To Tweet
Yeah, that's right. Again, a lot of people say, “If I get crypto-jacked and my stuff’s encrypted, I'll just pay and it'll be good.” OK, but what are you going to pay to restore your systems if you need to? What are you going to pay to restore your brand? What if you need to hire lawyers at that point? These costs add up rapidly.
Other people say, “Well, I'll just get cyber insurance, right?” That's kind of the new approach. “I'll get cyber insurance.” This is good, by the way. This is going to have a great effect on our overall cybersecurity posture.
As more people go for cyber insurance, insurance companies are requiring a certain level of cyber process and cybersecurity just to give you the insurance. That's creating a baseline amongst companies that are seeking this protection.
I think that's good for the market in general, but just saying, “I'll just go out and get some cyber insurance” may also be expensive as you're being told, “You need to take certain actions to bring—you need multi-factor authentication, and you need to communicate through a VPN.” That kind of stuff.
Yeah, I think that is one of those good things about the compliance aspect of insurance and things like that. You have a minimum of responsibility that you have to maintain on your platform now in order for the insurance to be effective.
Yeah, and it's only going to get tighter. If you're a business, an organization, or a government agency, anybody feels like it's not coming to you, it's only going to get tighter. I think in the near future, you won't even be able to connect to certain systems.
You'll have a gateway gate check kind of situation where if you're not running the latest version of the operating system and it's not up to date, you'll be denied access to a financial site or to a business site. Or if you have certain types of software on your system, you'll be denied right before you're ever able to connect. I see that coming.
Yeah. It is a sign that someone's using Firefox 45. If they're using a version that's 50 versions old on their browser, then there are probably other things that they're not doing.
Exactly. I totally see that an automated risk-based approach to allowing connectivity, it's on the internet, but is it in the future? It's on the internet, but maybe there's an additional step there to connect. Anybody who wants to come through my site is going to be forced to go with this. It's going to be automated, and it's going to be seamless, but it could lead to rejection. No Windows 98 connection to my financial institutions.
No, not going to happen.
What are some of the blind spots that you're trying to address in the industry through your programs?
For example, we have a Master of Science in Cybersecurity Management. That degree, while there are technical pieces throughout it, there are labs throughout it, it focuses on the governance aspect and best practice so that a student can leave the program, or while they're in the program for that matter, since we have online courses at night and completely online courses.
While they're in the program or after they get out of the program into industry, they provide value on day one and can bring some of that best practice with them. They can look at what NIST has got and say, “This is what we need to be doing for best practice.” They can understand the idea of continuous improvement along the scale of the maturity model.
Pick a maturity model in cyber. They can understand what that means and take a company there. Even as a new employee, they can use that voice to say, “Well, we could be getting better at this.”
Do you think on the governance side that—I'm going to make vast generalizations here—there are a lot of board of directors, people more advanced, well along in their careers and older, and they haven't had the experience with cybersecurity issues so that's just not even on their mindset?
Do you think some of it is just purely an issue of cybersecurity being around long enough that people that are now starting to sit on boards have had cybersecurity incidents in their careers and they're now thinking about it?
I do. I think that cybersecurity is money. I think on boards and at the CEO levels, you've got to understand, day and night, you're thinking about the finances, the profit, and the sales of your company. Now it's a money thing.I think that cybersecurity is money. -Ralph Russo Click To Tweet
The idea of when a certain company got hacked and their CEO went in front of Congress and said, “Well, I leave that to my tech people.” I think those days are over. I think you can't be the CEO of almost every modern company in an organization and completely disavow yourself of anything technical. I think those days are over because it's money. At the end of the day, it's money. It's brand, and it's all the other things.You can't be the CEO of almost every modern company in an organization and completely disavow yourself of anything technical. -Ralph Russo Click To Tweet
Like you said, if you're a victim of a breach, whether it's your platform or your customer data, the cost to undo that to your reputation, the processes that you don't have to go through to remediate things is no longer just a million-dollar fine, or, “Oh, I’ve just got to make this disclosure that everybody else talks about. We valued your security and privacy.” But now, companies are getting fined. It's destroying the reputations of companies now when they have breaches.
Yeah, no doubt. That's a huge part—they’re destroying reputations. I hope it never happens. But if a major bank was hacked and it caused some interruption to people's relationship with the bank, that would almost be unrecoverable at that point.
Also, when these companies go down for the amount of time, you discover a breach and they've been in your system for two months. They've created administrator accounts, covered their tracks, or exfiltrated information, you may be down for days, weeks. At that time, what kind of cause was that?
From a leader's perspective, at the C-level, president, CEO, you've got to understand that that's a key part of your business. The joke used to be that the CIO stood for career is over because you'd be the first one to get blamed. I think that's slowly going away. I think it's all hands on deck because of the risk involved. Businesses have to look at risks—cyber risk and market risk.
It's not just Fortune 500. It’s not just big entities that have to worry about this. That's the conversation I've had with small business owners. Maybe we're not talking about cybersecurity. We’re maybe just talking about backing up your data. If you lose your company server, can you afford to be down for a week as you recover it?
Yeah, you probably can't.
How can you run your business without being able to communicate with your customers for a week?
It's tax season. If you're a CPA and you were to get hacked now, you might lose your business. You might be done. We're seeing a lot of small to midsize businesses, in addition to everyone else, but we're seeing them pivot to the cloud. This has been going on for a while, but more and more people say, “Well, I don't have what it takes to secure what I have, so I'll just leverage the cloud because Google, Microsoft, Amazon, or whoever will secure my information.”
Those people can secure your information. But unless your customers go on the public internet to the cloud, not passing through your business at all, there's still a responsibility at the business level for all size businesses to secure between the cloud and the business. We find that most cloud-type hacks that we think of as cloud-type hacks are really happening. The weak point is on the user side. There's a responsibility that comes with that as well.
In the cloud doesn't automatically mean secure.
That is correct. Like everything else, you need to plan for any business change, including technical. You've got to follow through to make sure it's viable, secure, and all the things you need to do.
I remember seeing a sticker that says, “There is no cloud. It’s just somebody else's computer.”
That's exactly right. Surprisingly, in some of our real introductory courses to undergraduates, one of the first things we tell them is, “Well, the internet is really just a bunch of cables dropped under the ocean and through your neighborhood. That's all this giant network is. It's physical. There are machines everywhere. There's no vapid, nebulous thing going on.”
These are just what somebody else—cloud, in particular—manages your stuff for you. It's all machines. As we're seeing now in Ukraine, you can bomb those things, burn those things, and target those things.
When there's physical infrastructure, physical infrastructure can be targeted, regardless of politics.
That is correct. You can bet that the countries have lists of technical comps-type stuff that's on their list to hit, should it come to that. Again, we saw that in Georgia, not the country Georgia. We saw that in other activities around the world.
Although not so much in the current conflict in Ukraine, but in other activities, cyberattacks led before the kinetic attacks occurred. We can expect to see more of that. I think I'm not the only one surprised that we didn't see more of it in this particular instance.
Not that you teach people how to conduct cyber wars, but is that now starting to come into play in the education of starting to think more of state actors and trying to protect systems from not just the horrible stereotype of the guy in his mom's basement, but realizing that hacking is now being done by major corporations, by nation-states, massive criminal organizations, and not just some random guy anymore?
That's correct. We actually have courses at the graduate and undergraduate level that look at cyber threats from that perspective. We do teach it because part of the business is understanding threat actors, whether they be nation-state or script kitties using a piece of software that someone else wrote that makes it really easy to conduct a hack.
We make sure the students have the full view of the threat picture. Part of that has to include the nation-state. It's easy to say Russia and China, but everybody, including our country, is engaged in a cyber buildup. That's part of the current military picture. It's part of the levers of cyber power, which is part of another level, like diplomacy or physical and kinetic wars, cyber attacks. As countries pull these levers, it's important to understand the motivations and the threat.
When we're talking about nation-states and organized crime, is that where the new malware packages are coming from, or is this still from individual hackers that are building these packages?
I think it's coming from everywhere. I think that our nation-states are obviously incentivized to do it. But if you discover Zero Day in your basement tonight, Chris, and it's a serious one that can give serious access, you could probably get on the dark web and sell it for a million dollars if it's the right kind today. You may have nation-state bidders.
I know you know, but I'm sure your listeners know, Zero Day, that's how many days it's known to have been a threat. No one has a chance to remediate it yet or patch it. It's a vulnerability that the bad guys know about and the good guys haven't taken steps to remediate it again.
From that perspective, nation-states are obviously interested, but since there's money involved, financial advantage, and military advantage, they're coming from everywhere and anywhere because the incentive is that great.
I suppose that kind of leads to the incentive of trying to counter it through bounty programs and things like that where we're going to offer you money for finding that Zero Day and pay you and it's not going to be illegal.
Right. That exists and then it's a great idea. I think it's great. There's actually an organization out there who will pay. You don't have to sell your Microsoft vulnerability to Microsoft. There's actually an organization out there that will buy it from you and then tell Microsoft about it. It's all above board. I worry that the amounts of money that we're talking about from the white hat guys don't come close to the amounts of money from the black hat guys. That's a concern.
You just hope that the, “I'm willing to take less money for it not to be illegal,” will overweigh the, “If I do something illegal, I'll get more money.”
Yeah. Like a lot of other things that come down to that kind of personal makeup. I agree. I think you want to make it as easy as possible, you want to compensate for it as well as you can, and you want to make sure that the powers that be look to punish the ones who are selling it on the dark web, but less so for people trying to come forward.
We've seen examples of people telling companies, “Hey, I've got this thing.” And the company is just blowing them off until they say, “You know what, I'm going to publish it now.” But then, they've been arrested. Things have happened. But hopefully, there's less of that going on right now.
We do want as much responsible disclosure as possible.
Absolutely. The software is so complex. How many lines of code are in Microsoft Office? How many lines of code are in the Windows operating system or Linux? There are going to be vulnerabilities. You want to process to identify those and get them past as quickly as possible.
I suppose some aspects of cybersecurity are risk mitigation. We're working from the position of assuming that systems are going to be compromised. Rather than saying, “OK, nothing can be compromised. OK, if this gets compromised, how do we prevent people from getting from there into other platforms and spreading portraits of words like a virus?”
Yeah. In our programs, we teach risk management, risk analysis, and then ways to mitigate things. Again, you should assume you're going to be hacked. If they want to bad enough, they probably can. But there are ways like segregation of your systems. Does your billing clerk need access to the database server where credit cards are stored?You should assume you're going to be hacked. If they want to bad enough, they probably can. -Ralph Russo Click To Tweet
Segregate your systems. Your backup should be as offline as possible. It should not be physically in the same places or even on the same company network. There are many, many, many ways to mitigate these things.
That's why we look at governance as so important in our programs because just the very activity of reviewing your risks from the most outlandish risk to something you should have seen coming. What if there's a tornado? What if there's a hurricane? What if somebody plants a bomb? What happens if we lose this, where are we? Then say, “OK, well, we wouldn't be in such bad shape if we took this low-cost activity.” Spend the $10,000 to avoid the $100,000 in loss.Spend the $10,000 to avoid the $100,000 in loss. -Ralph Russo Click To Tweet
Governance will continue to be important and growing as time goes by. Fealty to best practice is a must. That's where I see some lacking and repeatable success in cybersecurity that I think is growing but needs to grow more.
Where do you see the cybersecurity field going over the next few years?
Again, I think there's going to be more frameworks, maturity models, and best practices that are continually fleshed out with recommendations. That's going to bring the level of security in the country up. Again, cyber insurance is playing a part in this. They can force companies of all sizes to be better at these things. Actually, through their analysis and review before they provide you insurance, they can actually provide you the tips you need to get better.
I see cybersecurity being an arms race. I don't think I'm the first to say that, but it's going to be an arms race. We mentioned quantum computing before and quantum computing to attack encryption. Your cybersecurity then, your analysis, and your IDS, IPS seems will all get smarter with faster AI-driven analysis. It's an arms race. They'll get better, we'll get better.
Hopefully, the consumer wins in all of this and not loses.
Yeah. Again, I think some of the move to the cloud is good for consumer cybersecurity. There isn't a day you don't open The Wall Street Journal or The New York Times and see an honest article on cybersecurity from one perspective or another that can’t help to be noticed by everyone, including consumers. Even if they don't really understand what that means, they know it's something they should be concerned about.
I'll give you an example of that. A friend of mine—we’re in Louisiana down in New Orleans. A friend of mine said, “Hey, online betting has come to Louisiana. I can go on DraftKings or whatever some of these things are.” He said, “But when I went to sign up, they asked me for my Social Security number, my date of birth, and all this stuff.”
This is not somebody who's in technology. This is not somebody who's in IT and that's somebody at the university. This is a friend of mine that works 9:00–5:00, blue collar. He said, “Should I be putting that stuff in there?” I said, “You're going to have to put it in there, because if you get winnings, there's going to be taxes for sure. Did you look into how they secure that information?”
I don't have anything good or bad to say about it because I haven't looked into it. But he was concerned enough about his information being eventually stolen by a hacker that he asked me about it.
I hear too many cases where people just, “Oh, the field asked me for this really personal stuff. Let me just type it in so I can get through the gate.” But someone's asking the right questions. Why do you need that? What's going to happen if it gets out there?
Yeah. I like to think that, over time, we're just slowly getting better at that, more aware, and that people just won't click a link because it's in an email. We know it's still a problem. We know phishing is still a problem and spear phishing to target people that they feel will result in big paydays.
We know that's a problem. Companies do training and many companies will send out a phishing message. There are companies that specialize in helping companies secure against phishing. As we start to see these niche businesses pop up, and as we start to see employees kind of tested, warned, and it's in the news every day, you like to think that that's raising all boats.
Yeah. I did see an article today on a new one that I hadn't thought of before. Threat actors, whatever you want to call them, using compromised email accounts of people in law enforcement, and using those emails to correspond with businesses and to get them to turn over personal information.
When I'm talking with the police officer, I'm more inclined to share stuff than I would with a random person on the internet. Now having to think like, “Oh, gosh, if people are getting emails—OK, you say you're a police officer, but now I need you to send this over and prove it. I need your subpoena and go back to my lawyer to verify that it's a real subpoena.”
Yeah, that's the danger. Cybercrime undermines a lot of the good that all this technology does. It reduces trust and introduces fear and confusion. It's a natural kind of a thing, but it's not a good thing.Cybercrime undermines a lot of the good that all this technology does. It reduces trust and introduces fear and confusion. -Ralph Russo Click To Tweet
I think that local governments and state governments, for sure, but local governments do have a lot of catching up to do. I would say, local governments are particularly targeted and probably don't have the budget. They've got huge stores of data and they probably don't have the budget, or they haven't seen fit to move the budget to secure that information. A school system may have PII for thousands of students.
Going back 20 or 30 years.
That's right. Somebody who's 10 years old now, if you have that Social Security number and date of birth, that person is going to be around a long time to be impersonated. It's troubling. Not to single out local government. They don't have giant budgets, but they do have giant stores of PII that are valuable.
Like you said, impersonating the police in our lives, they carry authority and it's automatically gained. I like to think that multi-factor authentication is going to be a solution to some of this on mail accounts. I like to think that training is part of it for everybody, but there are still growing pains and it's going to be for a while.
If people want to learn more about the programs that your department offers at Tulane, where can they find that information?
Our website is sopa.tulane.edu/it and you'll see all my programs. We've got on-ground programs if you're in the New Orleans area. We've got online programs. Again, we try to ensure that you get an education that is valuable in the workplace from day one.
One of the things I love about what's happened in the last 10 years is that anyone, anywhere in the world can now go to an incredible school and an incredible program without having to be in that particular location. To me, this is really cool. If you want to learn something and you're passionate about it, you can find the resources out there to help you learn and be the best in your field that you can be.
Yeah, it's amazing. I get asked a lot. A lot of people contact me about the programs. Of course, I like to think we're building Tulane quality courses and offering them in ways that people could access them. I have students from all over the world. I actually have instructors from all over the world who teach online for me, adjunct instructors.
I'm able to bring the best and the brightest, people who are in the industry and have terminal degrees, or at the very least, master's degrees for undergraduate students. We're able to bring all this quality together and offer some great courses. I think it's wonderful.
Another thing I get asked a lot, if I can kind of inject this, is people come to me and say, “Hey, I've got a great job. I write code for […]. I get paid well. Why do I need a college degree? Shouldn't I just go get a professional cert from Amazon, Google, Microsoft, CompTIA, or somebody?” My answer is, “Yes. And like what?”
Certifications are awesome. By the way, we're partners with CompTIA, partners with AWS, partners with EC-Council for certified ethical hacking. You can earn those professional certifications in some of my courses.
At the same time, certifications prepare you to do something right now, to turn, as we say, the nerd knob right now, whatever that is. An academic foundational education prepares you to understand how it all works, not just the how, but the why, and the evolution so that when the technology changes, you're not left in the dust.
I tell my students, “Get your professional certs. You can get them here at Tulane at a discount. Get your academic degree.” They say, “Well, OK, but what if I got nothing at all? I'm still coding and making money.” I said, “All right. Well, you're 22. If you're OK with being a 50-year-old coder and your boss is 27 making more money than you, then that's great.”
Really, that is fine for people. There's nothing wrong with that. But you may find that you aspire to something else. You start to see that you've got the ideas in the room and you'd like to be a leader in a company. That's what these programs, and even these professional certifications, will prepare you for the wider scope.
Yeah, that's great. Ralph, thank you so much for coming on the Easy Prey Podcast today.