By Pete Brillhart ’04, M.S. ’07
One of the side effects of higher education is the feeling you really don’t know as much as you thought. For my computer science master’s thesis on “honeynets,” I spent six months watching what happens to machines intentionally left unprotected and exposed to the Net.
The thesis consumed my life. I learned a lot of things, including how to use about 30 different open source tools, and also that I was an overachiever. My wife suffered through the process as much as I did, maybe more.
I was tracking efforts by strangers in little Third World countries, as well as in Russia, China, Israel and other nations, to take over computers that were set up against our guest room wall. This was 2007, when Microsoft was putting out almost a patch a day to cover holes in security.
Honeynets had been conceived as a way to bait and to turn the tables on computer hackers, yielding valuable information about their activities. I used various operating systems, three physical machines and one machine running a virtual network, so that it looked to hackers like a collection of vulnerable computers.
A light sleeper, I heard the beeps as machines rebooted at all hours. Most of the reboots were caused by opportunistic attackers known as “script kiddies” or by viruses in the wild. Others were botnet attacks designed to add machines to a bot legion that might later circulate spam or carry out a larger attack. You had to look closely at the traffic down at the packet and protocol level to tell the difference. I had gigabytes of data to examine.
I would usually get up for a quick look, note the time, and leave the machine running. At that time, you had about seven minutes to act before something modified your computer. I ought to note that my computers were firewalled from creating new connections to the outside world, to prevent them from being misused.
Today, I work for the Department of the Navy in Ventura County as a senior engineer, cyber security. The job gives me a window on the evolution of information technology in a global economy, so I’m aware of trends that everyone is likely to hear more about.
In the rush to connect more devices and infrastructure to the Internet, many corporations and governments have done too little security testing and evaluation. Entities now are feeling the whiplash effect of having to secure systems after the fact. Some are redirecting budgets toward cyber security and away from profit-making projects.
Corporations are disclosing massive data breaches where cyber criminals have obtained information on millions of people. Theft of credit card information is so prevalent their fraud departments are overwhelmed. We have also seen the growth of militarized cyber attacks by nation-states.
Amid all of this, it’s still not clear that home computer users know whether their antivirus software is working. Mobile devices can hold gigabytes of data, some of which could be very embarrassing if it got out. I am especially concerned about senior citizens on fixed incomes and all the Internet scams directed at them.
Linking medical systems and having that data hosted on Web servers accessible via the Internet is also troubling.
Cyber security would be a tough job even without challenges such as these. As a security pro, you are perceived as a roadblock by the innovators and a budget hog by middle management. Some days you question your sanity for working in this field, and on others you just concede you must be a masochist. I do what I do because I have an affinity for this type of work and can communicate extremely technical topics in plain English.
I enrolled in the Bachelor’s Degree for Professionals program, then known as ADEP, soon after hitting the pay ceiling for non-degreed employees in 2001. My career had started at a sod farm in Camarillo, where I worked on a mainframe and did data entry. From there, in the early ’90s, I built computers and learned networking at a mom and pop shop across from the naval base in Port Hueneme, and went on to work for multiple defense contractors and the government.
I’ve had many titles and don’t put much stock in how a position is labeled. I loathe the word “guru” and the phrase “subject matter expert.” If the work is interesting and accomplishes something, there is nothing better than being able to say I achieved this goal today.
Pete Brillhart is a Certified Information Systems Security Professional. He is grateful to former MBA program director Ron Hagler and associate professor of computer science Craig Reinhart for their interest in his education.