Fighting hackers takes an offensive approach

They’re in.

Soon the city is dark and water service halts as utility plants shut down. Once civil order is restored, many businesses and individuals find a nightmare scenario—wiped-out accounts, compromised sensitive information and stolen identities.

But who are “they?” In popular film, “they” often range from isolated pockets of brilliant malcontents to self-taught teenagers making mischief with a laptop in their basements.

The truth, according to cyber operations professional and Mississippi State graduate Wesley McGrew, is actually much scarier.

“It’s not the teenager in the basement,” he said. “That’s something out of the 1980s. Your hackers are organized crime syndicates looking for profit or nation-states looking for intelligence. Hacking is big business now, and every aspect of it is funded and skilled.”

Staying ahead of the hackers requires pre-emptive strikes, McGrew added. But in his business, it’s not strikes against potential attackers. He strikes potential victims.

McGrew is director for HORNE Cyber Solutions, located in the Thad Cochran Research, Technology and Economic Development Park at Mississippi State. He and his team of cyber operations specialists—otherwise known as “white-hat hackers”—run penetration tests for public and private sector clients, identifying network vulnerabilities and recommending solutions to make networks safer.

Quite literally, clients hire HORNE to aggressively hack into their computer networks and tell them how and where it breached the systems. HORNE even tests clients’ systems from within to see what kind of damage employees could cause if they went to an unsecure website or opened an email containing a virus or other software that made the system vulnerable.

He added his team’s success at finding system vulnerabilities approaches 100 percent.

“There are different levels of compromise,” he said. “But I’ll put it this way: We’ve never submitted a blank report to a client. There are always findings, which means there are always some vulnerabilities. It’s better that we find them than someone with ill intent. Everything we find is a potential disaster averted.”

A former full-time employee at Mississippi State, McGrew earned three degrees as a Bulldog, including a bachelor’s in computer science and master’s and doctoral degrees in computer science with an emphasis in cybersecurity. In February 2015, he partnered to start the Halberd Group for professional penetration testing, a company which HORNE LLP—a certified public accountant and wealth management firm—purchased in January for its cyber solutions division.

Now, the firm’s team of more than 40 cyber operations professionals focuses on serving clients in the fields of banking, construction, health care, government and beyond.

“Anybody who depends on network infrastructure to conduct business is potentially at risk to hackers,” McGrew said. “That’s basically everyone now.”

McGrew, still an adjunct professor, is a product of the university’s pioneering efforts in cybersecurity education and research. Initiated in 1997, the program gained National Security Agency designation as a Center for Academic Excellence in Information Assurance Education in 2001. Seven years later, MSU became one of the first universities to earn the even more prestigious designation as a Center for Academic Excellence in Information Assurance Research.

The university, in 2013, became one of 14 to earn a cyber operations credential, which focuses on the offensive side of cybersecurity. Mississippi State is one of only six universities in the country that hold all three CAE designations.

“Our students don’t just learn theory; they learn what to do. Everything we teach here is hands-on,” said Dave Dampier, professor of computer science and engineering, as well as director for MSU’s Distributed Analytics and Security Institute (DASI) in the research park.

From classes focused on basic information and computer security, to other components like digital forensics, cryptography, network security and security policy, Dampier said MSU’s cybersecurity program is recognized as one of the nation’s best. In fact, a Ponemon Institute Study in 2014 ranked MSU third nationally in cybersecurity education.

More substantially, as results go, Dampier said graduates from MSU’s cybersecurity program enjoy 100 percent job placement. Suitors like the National Security Agency, the federal Defense Systems Information Agency and Army Cyber Command “come out of the woodwork” to recruit graduates. This speaks highly to MSU’s program, which produces 10-12 graduates per year, and to the public need for professionals with cybersecurity expertise, he added.

“No school in the country is producing enough graduates to fill the need,” he said. “The Internet is so pervasive that it is inherently insecure. The need to secure people’s information is greater than anyone’s ability to fill it, but we are doing everything we can.”

That includes, Dampier added, reaching out through DASI to help others help themselves.

From 2005-15, the National Forensics Training Center, a precursor to DASI, led an effort to build 15 digital forensics labs across Mississippi to equip and train law enforcement to solve computer crimes. Most of those cases involved child pornography.

While the exact impact of the program is hard to quantify, Dampier said, the Lee County lab produced 30 cyber-crime convictions in its first three operating years. Now, he said DASI is building a forensic cloud app, which will offer a centralized and secure digital space, maintained by an agency like the Mississippi attorney general’s office, where law enforcement agencies can upload evidence and access investigative tools without the expense of running individual labs.

As one of the undergraduates carrying the torch for the continued success of MSU’s cybersecurity program, junior computer science major Evan McBroom of Starkville has zeroed in on cyber operations as a future career. And he already has experience beyond his years.

McBroom started working with Dampier at NFTC at age 16 and will complete a security internship this summer. He now works with McGrew at HORNE and helps lead Capture the Flag at MSU—a student organization that competes in penetration testing simulations.

Established in fall 2015, the team, which averages about 10 members, meets each Monday to practice in Butler Hall, and tends to a rigorous schedule of 48-hour competitions administered through websites all over the world.

“We use time zones to our advantage,” McBroom said. “We wait for the times when we believe the administrators are probably asleep, and then we get to work. That’s usually a good strategy.”

McBroom’s passion for hacking is Hollywood-influenced. He particularly enjoys movies about government and computer system breaches, and dreams of one day being one of the good guys. During his work at DASI and HORNE, and through his studies at MSU, he is speeding toward that dream becoming a reality.

“He’s a very impressive student,” Dampier said of McBroom. “He started in sophomore-level courses as a brand new freshman. He’s been well ahead of the curve the whole time.”

McBroom, like McGrew and Dampier, stressed that the need for good guys in the cyber world becomes greater every day.

“Nobody believes that a hack will happen to them or that they can be damaged by technology, but it absolutely can happen,” McBroom said. “I don’t think it’s as much about the knowledge of the adversary as much as it is the awareness of the public to protect itself.”

As technology becomes more sophisticated, McGrew said gone are the days when hackers simply gain administrative privilege to the most valuable device on a network. Today, hackers can penetrate multiple devices on a network, such as phones, printers, fax machines and security cameras—hijacking documents, monitoring meetings or worse.

“It’s a death by a thousand cuts,” McGrew said.

More dangerous than even penetrating a business or personal network, hackers also could access public utility and transportation systems, causing havoc for entire populations. McGrew said that’s possibly even easier to pull off.

Public infrastructure uses different software than a typical Web-based network. McGrew said mainstream research on how to protect that software is behind the times, meaning vulnerabilities are more abundant and easier to find. He explained most of those systems have manual fail-safes in place, but a successful hack into a critical service—even if it only caused a brief stoppage—could cause a domino effect of negative consequences.

Regardless of what vulnerabilities arise from ever-evolving technology, McGrew said those are risks we are all forced to take in today’s society. A booming global population has bred a need—and a market—for instant communication, fast product delivery and more efficient ways to provide people’s needs.

So, while there’s no turning back the clock on technology, he said, likewise there’s no way to dial back hackers’ efforts to use those advances to their advantage.

That’s why, in the growing field of computer security, Mississippi State is leading the way to produce professionals who can identify the risks and develop solutions for whatever threats are on the horizon.

“Everybody is vulnerable,” Dampier said. “It’s a game, and we’ve got to work to stay ahead of the competition.”

By Zack Plair | Illustrations by Eric Abbott | Video by David Garraway