University Researchers Changing the Focus on Hacking to Humans
A computer in a brightly lit office somewhere on the campus, in Patuxent Building maybe, or the computer science building, registers an attack — digits on a monitor. Someone, somewhere, is probing, looking for a weakness.
They’re in. There are credit card numbers, passwords, Social Security numbers - all ripe for the taking. Someone, somewhere, cracks his or her knuckles and gets to work.
Right there, in that instant, cybersecurity professionals could have attempted to dissuade a hacker from making a real attack - once a hacker has entered a system, but before he or she has decided to gather information or attack others, said Michel Cukier, Maryland Cybersecurity Center education associate director. Though few cybersecurity professionals normally speculate on the human element of hacking, that’s exactly what Cukier is exploring in his research with criminology professor David Maimon.
The pair hopes their interdisciplinary approach to cybersecurity can add perspective to a field dominated by the search for technical solutions.
And any fresh technique is welcome in advancing the study of defending networks because if a person follows through with the hack, “the game is over,” said Cukier, a reliability engineering professor and director of the Advanced Cybersecurity Experience for Students honors program.
“We’re some of the first scholars to try to pay attention to the human element behind cybercrime,” Maimon said. “The focus before was on the technical components of the issues: How would you patch the system, fix the network. It would be the equivalent of me as a criminologist trying to solve a murder by looking at the gun only.”
It’s not the easiest task - a hacker can attack at any time, from anywhere in the world, and hide behind a maze of proxies and slave computers.
But Maimon and Cukier have enlisted the help of the Division of Information Technology, which allowed them to set up hundreds of phantom computers - “honeypots”- in the university network. Without any sensitive information at risk on the dummy computers, the cybercrime researchers can let attacks play out and test hackers’ reactions to different stimuli. Maybe an automatic warning message will appear. Sometimes the surveillance software is more sophisticated than other times. The goal: see what the hackers pay attention to.
“In cybersecurity, access to data is considered the Holy Grail,” Cukier said.
And he and Maimon have it. In addition to the honeypots, DIT gave Maimon and Cukier access to closely guarded data about the estimated 6,000 attacks the university receives daily.
It’s a gigantic amount of information and they’re still working through it, they said, but Maimon said they’ve noticed some interesting connections. Reports between 2007 and 2009 show more than 50 percent of attacks happened during normal 9 a.m. to 5 p.m. business hours. And when more foreign users accessed the university’s network, attacks from their specific countries of origin increased.
Cukier was quick, though, to point out that they found correlation, not causation. Hackers, he said, don’t necessarily attack when certain users are on the network. As their research progresses, they will determine whether such information could be fashioned into practical security solutions.
Published April 23, 2013