image title

ASU expert on how businesses are dealing with data breaches

ASU Cybersecurity Education Consortium hopes to help fill industry talent gap.
September 18, 2017

'Evening of Cybersecurity' event at ASU West for students looking to become cybersecurity professionals and help fill field's talent gap

The recent Equifax data breach is just one in a growing list of businesses experiencing cybersecurity failures. So how are they dealing with it?

Professor of Practice and Director of ASU’s Cybersecurity Education Consortium Kim Jones doesn’t want to be cynical but feels businesses are “using a risk-versus-return attitude toward exposure of data.”

That said, Jones does believe they’ve made great strides in understanding the value of data and the threat posed by hackers. But with a 300,000-job talent gap in the cybersecurity arena, there’s definitely room for improvement.

On Wednesday, Sept. 20, ASU West will host “An Evening of Cybersecurity” for students looking to become cybersecurity professionals and help fill that talent gap.

ASU Now spoke with Jones ahead of the event to learn more about how businesses are dealing with the threat and what students can expect from a career in the industry.

Question: How are businesses responding? Are they stepping up their cybersecurity defenses?

Answer: I hate to sound cynical … I do believe businesses are beginning to better understand the value and need of data on one end, which is better than when we talked one year ago. They’re spending a lot more time understanding the threat and ways people can get into their data. But, as much as I hate to say it, I think they’re also using a risk-versus-return attitude toward exposure of data. Name the last organization that went out of business because of data breach. [We couldn’t.] So from a reputation-risk standpoint, has this sort of thing become passé? Is the consumer going to respond in any sort of negative fashion? To date, unfortunately, consumers have become more accepting of the fact that their data is going to be out there. So in my opinion, businesses are beginning to look at security, instead of being something essential, as something that is a value add. We’re at the point where, if I’m more secure than my competitor, I might be able to draw more customers, but it’s still not seen as essential as one might hope it would be. And that’s being driven by the fact that the consumer has accepted that more of their data are out there and they’re continuing to put more out there in the name of convenience.

I’ve had friends approach me about the Equifax breach saying, "My data has been exposed so many times, I can’t even count anymore." In that sort of environment, where data has been compromised three or four times over, it depends on what the demand will be by the consumer to take additional action.

Q: What advice would you give to startups or businesses with limited resources?

A: The Cybersecurity Education Consortium is actually in the midst of putting something together for small businesses to give them practical skills. In Arizona, a majority of businesses are classified as small to medium, so we’re putting together some practical knowledge workshops for them that should be available in the next few months.

For me, it’s important to understand that you can’t create Fort Knox, but you can get to a heightened level of care associated with your network and data. And that mind-set of care will help. Think about it: A retailer looks at his or her foot traffic with that kind of care on a day-to-day basis. They look at things concerning availability of inventory, quality of inventory, how the inventory is positioned, how that affects foot traffic of the store. I’m not saying that it should overshadow everything else, but the care of understanding your data is an asset and a resource. And businesses usually meet about 80 percent of the threats out there. So I can’t give you Fort Knox; just because I have a sign out front saying I have a security system doesn’t mean someone won’t try to rob me, and they might succeed. But I can at least make it harder for them.

Many network providers have packages with basic security tools out there that are available as part of a business subscription, and there are small firms out there that provide different levels of protection, such as Terra Verde, an Arizona-based cybersecurity firm. And those will allow you to scale to certain levels of protection. You need to understand your data hygiene and treat your data and network as resources within your environment that need care and feeding.

Q: What can students looking to become cybersecurity professionals expect to be dealing with when they enter the field?

A: Two things: The term "typical day" is an oxymoron because every day is different. To quote the Navy SEAL team, the only easy day was yesterday. It won’t grind you into the ground, but it’s not just a career — a big portion of it is a calling. Cybersecurity people are absolutely the biggest optimists in the world. Every day, there is someone out there threatening to get access to resources and data you are trying to protect. And for every thousand of them, there is one of you. And you have to plug those holes. But you make people safer every day, and there are very few careers that are that rewarding. It’s also mentally engaging for me; it’s like playing three-tier chess. Every day you have to think like the bad guy, but you also have to think how to make something secure and work in an environment without just shutting the environment down.

There is a huge talent gap in cybersecurity of about 300,000 jobs in the U.S. Part of the reason it exists is because security technologists don’t really do a good job of taking about what we do and how we do it. When my kid was younger, he wanted to go into the gaming industry. Well, what does that mean? Coding? Design? He didn’t know. Lots of folks think it sounds sexy and cool, but they don’t know how to get in there.

Cybersecurity is the same way. There’s a lot more to it than hacking. It requires skills beyond just technical; it requires creative thinkers who know how to communicate, who understand business and policy. All these interdisciplinary things we teach at this university go into forming a great cybersecurity team. So a lot of what this event is about is showing kids, hey, the fact that you haven’t hacked by the time you’re 15 doesn’t mean you’re not good for cybersecurity. And we have lots of fun; we expose them to people from all walks of life who found their way into the field. It’s a good step if we’re going to try to close that 300,000-job talent gap.

Answers edited for clarity and length. Top photo: Professor of Practice and Director of the Cybersecurity Education Consortium Kim Jones at his office on ASU's West campus. Photo by Charlie Leight/ASU Now

image title

Shining a light on forensics

September 18, 2017

ASU program director Kimberly Kobojek delves into the world of crime-scene analysis ahead of Tuesday event on the latest in DNA

Shows like “CSI,” “The First 48” and “Forensic Files” have captivated audiences, keying into a general fascination with murder, crime and forensics. In the world of make-believe, high-tech laboratories, fancy gadgets and instantaneous lab results solve a murder in 60 minutes (43 minutes with commercials).

But what really happens behind the scenes in a crime lab, and who are the real-world people who discover, examine and connect the clues left behind?

Kimberly Kobojek, program director of forensic science at Arizona State University’s New College of Interdisciplinary Arts and Sciences at the West campus, worked for 17 years as a forensic scientist for the Phoenix Police Department before joining ASU as a clinical associate professor.

ASU’s forensic science program is more than savvy investigation. It emphasizes laboratory coursework in chemistry and biology, both essential to work in a crime lab. The program also features its own crime lab, where students begin to learn how to investigate scenes.

Video by Ken Fagan/ASU Now

To celebrate National Forensic Science Week, Sept. 17–23, the West campus is hosting Scott Rex from the Arizona Department of Public Safety’s Central Laboratory at “One Step Closer to CSI — Rapid DNA Analysis.” Rex will discuss the latest breakthroughs and answer questions about the technology and what it means for Arizonans at the free public lecture Tuesday evening.

Here, Kobojek delved into the world of forensic biology with the ASU Now team.

Question: What is forensic biology?

Answer: Forensic biology, in its “purest” definition is the application of biological sciences to matters of law. In other words, it's the analysis of evidence that may contain biological material that is collected from a crime scene. Forensic biology includes both serological tests [testing and ID of body fluids] and DNA analysis.

Q: Why is forensic biology an integral part of a potential or actual crime scene?

A: Like other pieces of physical evidence, forensic biology evidence can demonstrate a link between a person and a location or another person. It could be a link between victim and suspect, suspect and location, or victim and location, or all of the aforementioned (and possibly more). Some forensic biology evidence may be “invisible” or latent, so a person may not know it's there. Examples of this include “touch DNA,” or the DNA from skin cells that may be left when someone handles an object.

Q: What is the role of a crime-scene investigator?

A: It is the crime-scene investigator's responsibility to document, preserve and collect evidence at a crime scene while working in tandem with other law enforcement and (if necessary) medical-examiner personnel. This includes recognizing what may or may not be potential evidence.

Q: How is forensic biology applied in a criminal case?

A: Forensic biology can be applied in a few different ways. An analyst may test evidence for the presence of biological material and then conduct DNA analysis to obtain a DNA profile for that person/biological stain. If there is another person to whom that DNA sample may be compared, a comparison will happen.

For instance, if a suspect's shirt is found to contain a blood stain, the blood stain will be tested and a DNA profile is generated. The DNA profile will then be compared to both the suspect and the victim. If the victim’s DNA matches the bloodstain on the suspect’s shirt, we now have a link between the victim and the suspect. Statistics are then calculated to determine how unique that DNA profile is.

DNA analysis can also be conducted on samples from missing persons, unidentified remains and biological samples belonging to family members of missing persons.

Q: You mentioned DNA, and we know it is a significant tool in a criminal case. Is there value in extensive DNA collection and storage?

A: DNA can be an extremely useful tool in a criminal investigation and has helped “crack” many a cold case. However, as with any forensic science, its use needs to be tempered with common sense and the notion that just because you can do something doesn't mean you should do it. What I mean by this is that companies have advertised and collected a number of DNA samples from individuals all across America. I don't know how strict these companies’ rules are regarding allowing agencies such as law enforcement, immigration and insurance companies to access the DNA profile or the sample itself. 

Crime labs who participate in the national DNA database, CODIS, have very strict rules about what can and cannot go into the database. There are also expungement procedures in cases of wrongful entry or wrongful conviction. And while crime labs typically keep the whole reference standards from individuals who submit them for testing in a criminal case, the samples aren't subject to transfer without at least an order from a law-enforcement official if not a court order.

I believe this technology is amazing, and it will keep getting even more sensitive, which means the DNA evidence must be collected, analyzed and interpreted with even more caution.  

Q: One usually relates forensic biology to crime scenes and courtrooms. Does forensic biology exist outside the criminal justice field?

A: Yes, it does. DNA fingerprinting, first developed by Alec Jeffreys in the United Kingdom, was created in his university laboratory. It was only after the Restriction Fragment Length Polymorphism (RFLP) technique was used in a criminal case that its use exploded outside of the academic environment.

Today, DNA/forensic biology is used by public and private crime labs, academic researchers, medical researchers and businesses who specialize in creating your ancestry profile.

Answers have been edited for clarity and length. Top photo: ASU Clinical Associate Professor Kimberly Kobojek uses an ultraviolet light to fluoresce certain biological fluids in the forensics lab on the West campus. Kobojek’s lab focuses on reconstructing an incident through discovery and forensic science. Photo by Charlie Leight/ASU Now