Indiana Cybersecurity Hub

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, examines the balance between using Artificial Intelligence (AI) and its many potential benefits with making sure we adequately protect ourselves when it comes to our privacy.

By David Dungan

Artificial Intelligence (AI) is one of the most impactful contributions in modern technology to date. And yet, for all of the advancements it could and does represent, it is very much a work in progress.

Of course, in as much as we’re beginning to use it for a variety of purposes, including, but not limited to, our work, personal advice, translating languages, research, and simply asking random questions, AI is still very new with very little restriction and monitoring.

The U.S. government has yet to implement new nationwide AI and data privacy laws. There are some fragmented policies and a blueprint for an AI Bill of Rights is being developed. However, as all of this unfolds and, arguably, begins to take shape, it is necessary to understand the importance of protecting yourself online in an age where everything is online.

While AI can be an incredibly useful tool, it has the potential to collect all of the data you provide. Some AI engineers may not all follow the best practices or industry standards when it comes to protecting private data, AI can be programmed to remember anything you might tell it, including passwords, IP addresses, phone numbers, family names, the addresses of your home or office, even faces from the images (featuring all of us).

This all can lead to a potentially very dangerous leak, as collecting this data allows for potential cybercrimes like spear-phishing or AI plugins, which can be used to commit theft or fraud. You can always change your password in this occurrence, but you cannot take away any information that you give to AI. That being said, until it becomes more regulated and safeguarded, all of us need to be aware of the steps we need to follow to protect ourselves from cyber threats.

Here are some ways to keep your data private:

• Understand the technology and its privacy policy or policies
• Avoid entering private information (known only to you)
• Use strong passwords for sensitive data
• Utilize a strong antivirus to protect against malicious programs
• Use two-factor authentication

Understanding AI and any website or app you are trying to use is crucial to keeping yourself safe, including as to how it works or what its privacy policy is can help you better understand why it does certain things. A privacy policy is especially important: it details how the AI uses your data. Strong passwords and not revealing private information is not just great for helping to avoid trouble against hackers, as well as guard against password leaks. If the AI doesn’t have your personal information, there is nothing to find. Finally, having a strong antivirus and using two-factor authentication is the, consistently, the best way to secure and protect yourself online in the event there’s a breach.

Ultimately, AI is a tool that needs to be used with care. Any time you share personal information, you risk your safety and privacy, especially given the fact that your data isn’t always being stored and used in ways you would expect. Use it with caution and respect and you will reap many of the benefits that can come from using AI while, at the same time, avoiding some of the consequences that can come from being online (in any form). The more you understand about AI, the more control you’ll have over your privacy.

In case you missed it (or ChatGPT didn’t generate the answer for you), today, July 16^th, is National Artificial Intelligence (AI) Day!

In this space, we do our best to share with you the latest information about what’s happening in cyberspace – everything from the latest best practices, free resources and tips to the knowledge and expertise from recognized experts to provide their guidance in a way that’s intended to protect all of us.

That being said, there are few topics related to cybersecurity that have generated more attention, excitement and concern than AI and its tech savvy mechanism, you might say, machine learning.

Yet, for all of the talk about just how rapidly AI is advancing, it’s been around longer than people realize.

In fact, the idea of AI started in 1950 when Alan Turing published "Computing Machinery and Intelligence" and presented the question of whether a machine could "think for itself." Not long after that, in 1956, John McCarthy coined the term "artificial intelligence" while at the Dartmouth Summer Research Project on Artificial Intelligence. McCarthy, along with several other researchers interested in the project, gathered to create systems that could mimic the thought process of humans, including solving problems and improving learning. At the time, the research project brought some of the brightest minds in computing and cognitive science at the time.

There was a period in the 1970s and 1980s where AI advancements were stagnant due to limited advancements in computing power. However, increased data, more powerful hardware, and advanced algorithmic approaches have brought AI to the forefront to where it is today. The development of large language models like Gemini and ChatGPT in the 2020s marked a significant leap, bringing generative AI into the public consciousness and demonstrating AI's incredible potential for creativity and human-like interaction.

Here in Indiana, with cybersecurity and cyber resilience as a priority, AI is beginning to get a good amount of attention, as evidenced by the Hoosier State’s forming of an AI task force and information provided by the Indiana Department of Education that offers an overview of artificial intelligence (AI) in K-12 education. Focused on AI literacy, instruction and learning, impact, security, and resources, the guidance emphasizes the importance of responsible AI use, critical thinking, and preparing students for an AI-driven future while providing practical guidance for educators and school leaders.

Amid the progress that’s being made statewide and across the country, it’s important to keep in mind that one of the most significant benefits that AI offers is that it is constantly evolving through user interaction. In doing so, that interaction contributes to increasing the intelligence of the AI platform, which is beneficial for increased efficiency and automation for the user because each AI platform has its strengths and unique characteristics. Because of that, AI powers personalized recommendations and adapts to learning the user's needs, customizing their experiences.

Conversely, for all the benefits AI offers, it is certainly now without its challenges and concerns. For instance, in a report by Pew Research, 52 percent of Americans say they feel more concerned than excited about the increased use of AI. And just 10 percent say they are more excited than concerned, while 36 percent say they feel an equal mix of these emotions.

The share of Americans who are mostly concerned about AI in daily life is up 14 percentage points since December 2022, when 38 percent expressed this view.

As with any new technology, it’s safe to say that AI and machine learning are taking a permanent place in our digital lives. The impact that will come, as it progresses, is still, arguably, in our hands, as is the ability to embrace its benefits and the outcomes – for good – that it can provide for all of us.

It’s National Video Game Day.

The fact that it’s actually true reveals some interesting numbers about an activity that isn’t just for kids, especially when you consider:

• Globally, it’s estimated there are 3.32 billion active video game players.
• There are more than five million video games in existence, everything from Minecraft and Fortnite to MLB The Show and the other games we play on a PlayStation 5 or a Nintendo Switch to the games we can play on our phones that are advertised on TV.
• In 2025, it’s projected that the amount of revenue that is generated by gaming will reach $522.46 billion.

Unfortunately, amid all the fun we’re having with that kind of activity, cybercriminals are using phishing attacks to trick gamers into revealing their personal and financial information and their account credentials using a variety of tactics, including:

• Impersonation - Scammers pose as game developers, platform providers (like Steam or Roblox), or even popular streamers to gain trust.
• Fake Offers - They may offer free items, exclusive access, or "beta" testing opportunities to lure players into clicking malicious links or providing information.
• Account Verification Scams -Scammers may send emails claiming your account needs verification, urging you to click a link that leads to a fake login page.
• Browser-in-the-Browser Attacks - These attacks create convincing fake browser pop-up windows that mimic legitimate login pages, even displaying the correct URL, to steal credentials.
• In-Game Scams - Scammers may pose as other players, offering in-game items or upgrades for a fee, then disappear with the money.

Fortunately, just as there are a lot of strategies, we can use to win the game we’re playing, there are some steps you can take to protect yourself when you’re online, including:

• Be Skeptical - Question any unsolicited emails, messages, or offers, especially if they seem too good to be true.
• Verify Links – Be sure to carefully examine the sender's email address and the URL of any links before clicking. Look for misspellings, unusual characters, or different domain names.
• Use Strong Passwords and Multi-Factor Authentication - Create strong, unique passwords for your gaming accounts and enable multi-factor authentication whenever possible.
• Stay Updated - Keep your gaming platform's software and your operating system up to date with the latest security patches.
• Report Suspicious Activity - Report phishing attempts to the gaming platform or service provider and warn your gaming community.
• Be Cautious with Information - Avoid sharing personal information like your address, phone number, or date of birth in public forums or chat.
• Educate Yourself - Stay informed about the latest phishing tactics and security best practices.

Regardless of the type of gaming you’re into, you just want to have fun, right? Yet, as we’ve learned with everything else we do online, there are risks, even if we think we’re going up against our friends, turning back the clock to play a game of Donkey Kong, or dusting off our ATARI Home Pong console for some (now) vintage video gaming.

Even with that, you don’t have to use any cheat codes to keep your gaming experiences safe and secure. Instead, be sure to stick to the best practices that are recommended and just as you would when you’re in the game, trust your instincts to make sure it’s “game over” for any would-be cybercriminals or scammers.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the steps all of us can take to avoid being the victim of a phishing attack.  He’ll also examine the different types of attacks that cybercriminals are using and why it’s important for us to keep in mind that there’s a few things we shouldn’t do when it comes to protecting our personal and financial information.

By David Dungan

In 2000, there were approximately 361 million people with internet access worldwide; a figure that accounted for roughly six percent of the global population.

Fast forward a quarter century and that number has increased (extra) exponentially, you might say, to 5.64 billion people; a more than ten-fold increase that represents 68.7 percent of the world’s population

Of course, just as we’ve gone from accessing the internet to relying on it to help guide a lot (more) of us through many aspects of our daily life, it’s safe to say that the sophistication and frequency of phishing attacks have increased rapidly. So much so, that 1.2 percent of all emails sent are malicious. And, if that doesn’t seem like a lot, it adds up to 3.4 billion phishing emails every day.

Generally speaking, phishing attacks are used to gain login access by taking up a different identity and pressuring the victim; a scam that is engineered either by eliciting someone’s trust or generating fear by applying undue pressure. Phishing attacks are also designed to gain access to entire enterprise networks simply by stealing the personal information of a single user.

In addition to fraudulent emails, these attacks occur using text messages, and even apps like Microsoft Teams or WhatsApp to trick users into revealing their information. It is essential to understand how to mitigate phishing attacks, as we’ve come to realize, collectively, that they’re not going away. That’s both because of reasons related to human nature and the rapid rate at which technologies are being created.

Some of the more common types of phishing attacks include:

• Email phishing
• Malware phishing
• Spear phishing

Phishing attacks can be difficult to detect and combat, so knowing how to avoid a potential attack is important. There are a couple of best practices that users can do to mitigate and overall reduce the chances of being attacked. The best anti-phishing practices include strong multi-factor authentication, awareness of what phishing attacks are in our educational systems and news, setting up internal email protection, and enabling database shutdown features for company systems. Additionally, making sure the spam filter is activated can as well. These methods can go a long way toward measurably reducing the likelihood of a phishing attack.

Users also need to know common phishing tactics that attackers use to gain victims' trust, including:

• Emotional manipulation
• False Trust
• Perception of Need

When it comes to phishing attacks, knowing what not to do is just as important as knowing what to do. For example, over-reliance on software could result in users who don't know how to properly respond when a threat happens. Never assume that your security knowledge is perfect. There is always something new to learn. Secondly, be sure not to leave inactive accounts open. Attackers target these accounts as a pivot point to gain trust quickly when gaining access to another account. Alternatively, if you are a business owner, ensure you close the accounts of previous employees or vendors that you no longer work with, as their accounts can be used for the attacker's benefit as well.

As phishing attacks evolve, the best protection is a combination of smart habits, utilizing and orienting everyday tools that we already have to behave more securely, and having constant awareness that computer risks in general are ever evolving. Staying informed, cautious, and consistent is key to keeping yourself and your loved ones safe.

A package of chewing gum.

Fifty-one years ago this week, a 10-pack of Wrigley’s Juicy Fruit Gum, sold at a Marsh Supermarket grocery store in Troy, Ohio, was the first retail item scanned with packaging that featured the black and white stripes of what we now know as a Universal Product Code (UPC).

It’s from that little bit of history, you might say, that we’ve come to celebrate National Barcode Day. With it, of course, we’ve gained the convenience of scanning our own items, but it’s also provided cybercriminals and people engaged in what is known as Organized Retail Theft (ORT) with an unprecedented opportunity to disguise all kinds of mayhem and malware in barcodes and, more recently, QR codes.

Broadly defined, there are five types of retail-related crimes that are trending that include:

• Using stolen or cloned credit cards to obtain merchandise
• Changing bar codes to pay lower prices
• Returning stolen merchandise to obtain cash, gift cards, and/or store credit
• Reselling merchandise using:
  • Online auction sites
  • Flea markets
  • Retailers
  • Pawn shops
  • E-commerce marketplaces
• Gift card theft/altering gift cards to steal the funds added to the cards when they are later purchased by legitimate shoppers

At the same time, barcode theft occurs primarily in two ways:

• Barcode swapping, also known as “price switching” refers to a method of retail theft where a customer attaches a barcode from a cheaper item to a more expensive one; it’s a crime that has been occurring more frequently at self-checkout kiosks, where employees may not be closely monitoring each transaction.
• QR code theft, also known as quishing, in a retail setting is not done through a physical theft of the code itself, but by using them to redirect shoppers to fraudulent websites designed to steal their personal information or financial data.

Criminals will create fake QR codes that appear to be legitimate, and they place them on packaging, in-store displays, or even on top of existing QR codes. Some of the situations are simpler, such as placing a fake menu on a restaurant table or a fraudulent payment link at a parking meter.

As with a lot of online fraud, there are steps you can take to avoid being scammed, including:

• Being cautious and making sure that you don’t scan codes you weren’t expecting or that look out of place.
• Looking for signs of tampering, such as stickers, overlays, or misspellings in the URL the code leads to.

It’s a good idea, too, to verify the website address carefully after scanning it, making sure it is the legitimate site you’re expecting to visit. And instead of scanning QR codes to download apps, use the app store for your device.

As always, if you encounter a fraudulent QR code, or you’re at a retail store and you believe that the UPC code is not the correct one for that product, be sure to bring it to the attention of the business owner or the authorities to help prevent others from falling victim to the scam.

There’s a lot of trusted sources out there, with additional information to help you stay safe when it comes to checking a price or downloading a QR code for that “free trial” that was featured last week during a broadcast of the NBA Finals. (Spoiler alert: it was an offer to try out YouTube TV and it was legit).

There’s a popular phrase I’ve heard some people say – before heading out to their favorite store – that “you don’t know what you need, until you look” (or, in this case, shop). And while that may be true or, at the very least, should be considered good advice, you’ll want to make sure your experience with QR codes and barcodes is a memorable one, whether you’re buying a cool new stereo speaker or a pack of gum. Here’s hoping you can scan fearlessly!

Summer is an interesting time of year.

We spend, at least, some of the time trying to take advantage of the warmer weather to get away on vacation. And, of course, we hope that the weather – when we arrive at our destination – is nicer than it is at home, right?

Or, maybe, we decide to stick closer to home and do some summer cleaning, mostly by closing our eyes and getting rid of some of the stuff we know is cluttering up our closet or garage. Yet another option is to get out in the yard and plant some flowers or take care of the garden. In fact, there’s some people who will tell you that digging in the dirt is their therapy!

So, you might ask, what does any of this have to do with cybersecurity?

In Salem, Indiana, and all over the country, June is National Internet Safety Month!

Established by the U.S. Senate in 2005, it’s focused mostly on families and kids (of all ages). With school out and the opportunity to spend more time together, the intention of Internet Safety Month is to raise our awareness about online safety and remind all of us of the recommended tips and best practices that are out there to protect us from cyber threats and, at the same time, help us make our way more securely through the digital world we live in.

It’s important to keep in mind, according to one recent survey, that, on average, a child in Indiana received his/her first cellphone or mobile device at 10.82 years of age. In the same study, parents in Indiana were asked at what age do they wish they had given their child a cell phone, the answer is 12.18 years old. That’s a key factor when you consider that by the age of 12, 50 percent of all children have social media accounts, primarily on Facebook and Instagram.

That being said, in today’s ever-changing world, there are plenty of things we can do this week and this month (and year-round) to celebrate our Internet safety, including these 10 helpful tips from the National Cybersecurity Alliance, such as:

• Keeping all software on all of your Internet connected devices current to reduce the risk of infection from ransomware and malware.
• Create and use long and unique passwords.
• Think before you click. When you get an email or text message, it’s a good idea to count to five, as usually that’s all the time you need to determine if it’s authentic or not.
• Report Phishing – One of the best ways to take down cybercriminals is by reporting phishing attempts. Here in Indiana, you can visit the Indiana Cyber Hub website and report a cyber incident. Best of all, it’s free and it’ll help others from being impacted by the scams that are out there.

Of course, because it’s summer, we’re mobile and whether we’re meeting up with our friends for lunch or we’re on the road, there are a few steps you’ll want to follow that’ll add to our own personal cybersecurity, including:

• Actively manage location services. As great as some of these features are, it can expose where you’re at (as in, not at home), even with your photos. Be sure to turn those services off when you’re not using them.
• Avoid sharing personal information or making any purchases on unsecure networks (think free or public Wi-Fi). Instead, use a private virtual network or use your phone as a personal hotspot to surf the Internet more securely.
• Share with care – always think twice before posting any pictures or any content that you would not want to go public or, worse, viral.

Now that you’ve got a few more things to add to your summer “to do” list, have fun and for the latest resources when it comes to enhancing your cybersecurity awareness, visit the Indiana Cyber Hub website and enjoy your summer!

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s fourth and final part of our “cyber impact” blog series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, explores one of the most sensitive aspects of our life – our health care.

He examines the challenges that hospitals and health care providers and practitioners – of every size – are dealing with as a way to deliver all of us a compassionate level of care while, at the same time, safeguarding not only our personal information and medical records, but also the instruments and systems they rely on to keep us healthy.    

By David Dungan

In today’s high-tech healthcare environment, connected medical devices have transformed patient care, but they’ve also introduced a new and dangerous threat - cyberattacks.

As hospitals, as well as healthcare providers and practitioners, increasingly rely on networked devices, understanding the risks of hackable medical equipment is more critical than ever.

A prime example of this is the integration between medical devices and clinical systems. However, this connectivity also exposes medical devices to greater cybersecurity risks. As medical devices, software, and operating systems become more interconnected within healthcare environments, managing and securing these complex systems becomes an increasingly difficult and complex challenge.

Given this, it is essential to understand that medical devices are vulnerable to a range of cyberattacks such as ransomware, man-in-the-middle (MitM) attacks, denial-of-service (DoS) attacks, and unauthorized access, which could lead to disrupted care, data breaches, or even the loss of life, if their security is compromised. Fortunately, there are several steps that can be taken by the hospitals and healthcare providers to help reduce these risks, such as regularly updating device software, conducting security audits, and choosing vendors that prioritize cybersecurity.

Just as we’ve seen a rapid increase in the interconnectivity of medical devices, so, too, have we seen the emergence of several critical vulnerabilities that can directly impact patient safety.

Some of the more vulnerable devices include:

• Hospital networking equipment (such as routers, switches, and wireless access points)
• Surgical robots
• Insulin pumps
• Patient monitors
• MRI machines

Many hospital networks often run legacy or end-of-life systems, leaving them vulnerable to a variety of potential attacks. Threat actors can remotely gain control of the movements of surgical robots, which could have significant consequences. Fortunately, cyberattacks on pacemakers are extremely rare, and usually require physical access; however, they have been vulnerable to wireless signal interception.

Insulin pumps can be safely controlled remotely, and dose information or instructions are transferred in plain text. However, any changes in the insulin dosage could result in hypo- or hyperglycemia. MRI results can also be intercepted and altered. Medical machines may fall victim to wider-scale attacks on hospital networks. Many times, once one device is infected with malware or ransomware, the attack can be replicated through other similar devices throughout the network.  Different devices and functions of the hospital may be impacted by downtime from a chain of devices or even a single device.

In conclusion, the growing reliance on connected medical technologies demands a proactive approach to cybersecurity. Without strong safeguards, the very systems designed to save lives may become tools that could compromise our, otherwise, good health.

For example, should an MRI image be compromised and modified by an attacker, the entire treatment plan for that patient could be drastically different than what is needed in reality. Situations, such as this, underscores the urgency for more robust security measures to protect their patient’s data and their quality of life.

To proactively defend against cyberattacks and cyber incidents, hospitals, providers, and practitioners are advised to adhere to cybersecurity standards and best practices, particularly as it involves a patient’s privacy with HIPAA, and the requirements involved with HITRUST certification. It’s also a good idea to be sure to develop and maintain a System Security Plan (SSP) and consider joining information-sharing networks like the Health Information Sharing and Analysis Center (H-ISAC).

Here in Indiana, another resource for the health care industry – at all levels – that can be used at no cost is the Healthcare Cyber in Box 2.1 Toolkit. With materials that are free to download, the Cyber in a Box provides organizations with three levels of expert guidance to help create even more of the systems needed for keeping their operations secure while, at the same time, helping to protect their patients and preserve both their digital, as well as their physical well-being!

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s part three of a four-part “cyber impact” blog series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, takes a look under the hood at some of the potential cyber risks that exist with our vehicles – ranging from the key fobs we use and the navigation systems we rely on to what can happen with certain parts in the supply chain (as in before it’s manufactured and we get a chance to drive it off the lot).

He shares his perspective on what we need to look for when buying a new or used car or truck and some of the steps that are being taken to protect us, so we don’t get taken for a ride!

By David Dungan

As cars become more technologically advanced, the potential for cyberattacks on vehicles is rising at a rate that might surprise you.

In 2024, the automobile industry experienced a significant rise in cyberattacks with more than 400 reported incidents recorded, amounting to an increase of 39 percent compared to 2023. And not unlike the damage that occurs with a car crash, the impact of these incidents is devastating, affecting millions of vehicles, fleets, and mobility services. What’s more, the crimes that are committed range from vehicle theft, malware, and location tracking to car system manipulation impacting vehicle control and disrupting a service business to data privacy breaches.

Add to that, with digital dashboards replacing traditional instrument clusters, the advent of self-driving cars, and the growing demand for state-of-the-art electric vehicles, drivers need to be informed of the risks associated with the vehicles we’re driving.

In many passenger vehicles, the most vulnerable components include:

• Key fobs
• Embedded vehicle systems
  • Telematics
  • Navigation
  • Infotainment
• Wi-fi Connections
• Storage devices

Key Fob Vulnerabilities

Wireless transmissions from vehicle key fobs are susceptible to interception. Threat actors may relay these signals using wireless transmitters and gain unauthorized access to vehicles. With key fobs and a few inexpensive tools, cars can easily be started or hotwired. Key fobs should be stored in safe locations and drivers should be aware of any suspicious activities that’s occurring near your vehicles.

Embedded System Exploits

Embedded systems, such as infotainment and navigation, are vulnerable to cyberattacks. Threat actors can hijack vehicle location information and access stored data. Mobile devices connected to vehicles via Bluetooth can introduce additional attack vectors. Threat actors can also take over and compromise electronic control units (ECUs), which manage the telematics (vehicle monitoring and automatic safety measures), via connected smartphones. Embedded systems also pose a significant risk through several avenues to vehicles and drivers’ confidential data. For example, attackers may exploit vulnerabilities to manipulate and access sensitive data, like contacts or saved/frequented addresses, without the user being aware of any potential danger.

Supply Chain Risks

Another risk for luxury car models is the supply chain. Tech products produced in Russia and China have caused privacy concerns in some vehicles. According to the US Department of Commerce, vehicles that include Chinese tech products are considered national security risks. Some suppliers ship products that are inherently vulnerable to cyberattacks. Russian state-sponsored attackers have exploited back doors in Automated Driving Systems to control vehicles and their embedded functions remotely. Additionally, Russian products enable data compromise and continuous monitoring of drivers’ information. The Department of Commerce also issued a mandate to restrict the use of Russian and Chinese components in vehicles, with compliance required by 2027.

Cyberattacks: It’s Happened

In 2022, luxury car models from manufacturers including Mercedes-Benz, Porsche, and BMW suffered attacks that enabled remote code execution. Threat actors sent malicious commands to these vehicles to remotely start or stop vehicles, lock and unlock car doors, intercept navigation and location data, and compromise personal information within a vehicle’s storage system. Thankfully, these attacks were identified early through security monitoring. Because of this proactive response, security patches were deployed to ensure the user’s safety and prevent exploitation.

Wi-Fi and Cellular Network Risks

In some instances, in-vehicle Wi-fi systems have been exploited at close range. Researchers affiliated with the FBI studied several unnamed models of cars over a two-year period and discovered that exploits and remote control of the Electronic Control Unit (ECU) were possible using the car’s Wi-Fi connection from a range of 100 feet. The experiment also showed that vehicles could be compromised through cellular service from anywhere on the carrier’s network.

Because these issues are massive security concerns, vehicle manufacturers have diligently deployed patches. Car owners should regularly check for recalls according to their vehicle identification number (VIN) to keep their systems up-to-date and safe from cyber threats.

NOTE: Be sure to come back and check out Part 4 of our blog series on Friday, June 13th, as David Dungan wraps up our “cyber impact” blog series by exploring one of the most sensitive aspects of our life – our health care. He examines the challenges that hospitals and providers – of every size – are dealing with as a way to provide all of us with a compassionate level of care while, at the same time, safeguarding not only our personal information and medical records, but also the instruments and systems they rely on to keep us healthy.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s part two of a four-part “cyber impact” blog series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses the impact of the Internet of Things (IoT) devices we’re using and offers his perspective on how we can stay connected while, at the same time, reminding us of the steps we can take to keep a cybercriminal from using the smart controls on our refrigerator to steal our personal data.

By David Dungan

Having the ability to control your fish tank’s thermometer remotely seems like a handy tool with no downsides, right? Well, not exactly.

Because as one very large casino experienced a few years ago, it was that internet-connected thermometer that led to its operations being hacked.

Smart TVs, home assistants, and other Internet of Things (IoT) devices often reach the end-of-life stage, meaning they do not receive updates anymore, without us even realizing it. Around the world, 18.8 billion IoT devices are connected, many of which have reached their end-of-life and are vulnerable to new and existing vulnerabilities. Add to that, recent estimates predict that by year’s end there could be more than 30 billion connected IoT devices globally, with some sources suggesting even higher numbers at 75 billion.

Of course, there have been plenty of other instances involving a myriad of products we use inside at home that have been comprised or because of the access they were able to gain, someone’s personal data or financial information has been stolen.

Buffer overflow and denial of service are two examples of some of the most common cyberattacks against home IoT devices. Given this fact, IoT devices may also be vulnerable to other code injection attacks. Some IoT devices should be avoided altogether, whenever possible, while others must be used cautiously. End-users should also determine which devices are genuinely necessary and how much risk is acceptable.

For example, a company may decide not to encrypt non-sensitive public-facing data because the data doesn’t contain personal, financial, or sensitive information. In doing so, it provides a would-be cybercriminal less of an attack surface, upon which they could use to try to hack those devices with a ransomware attack.

Some of the more vulnerable home IoT devices include:

●       Smart home assistants

●       Smart TVs

●       Smart plug-ins

●       Media players

●       DVRs

●       Cameras

●       Video Doorbells

●       Internet-connected appliances

●       Automated lights, air conditioners, and heaters

For a business, the type of IoT devices that could be compromised encompasses everything from the aforementioned fish tank and the smart coffee machines in the employee break rooms to the automated equipment controls on a company-owned vehicle or piece of machinery.

Essentially, there are two main ways of mitigating the effects of IoT-based attacks: containment and maintenance. The first way of limiting the effect of an attack is to accept the fact that IoT devices are less secure than other devices and it’s best to keep them on their own network. By separating them from the network where your sensitive information is stored, you can reduce the risk of an attack that could, otherwise, result in your device being compromised and your personal and/or financial information being stolen.

The second way of limiting the effect is maintenance. By properly maintaining your IoT devices and ensuring that they are always updated and have the latest patches, you can help in mitigating the likelihood of an attack. This also means that when the devices are considered end-of-life you should either stop using the device or disable its IoT functionality.

Nothing in cyberspace, it seems, is completely safe from being hacked, so it falls to all of us to provide our own line of defense and take the extra (or even the necessary) precautions to secure our IoT devices – including these nine tips as featured in a recent article by Netgear.

For industrial applications, the path to achieving a greater level of security involving IOT devices will also vary depending on the market, segment or business you’re involved in, but it relies on the same principles for educating employees on best practices and proactively managing your assets as a solution for keeping your data and systems secure.

Of course, regardless of the strategy you decide on implementing, just make sure that someone takes a look at the fish tank and, just as you try to do when you’re on vacation, remember that it’s OK to unplug!

NOTE: Be sure to come back and check out Part 3 of our blog series on Wednesday, June 11^th, as David Dungan discusses some of the cyber threats involving the vehicles we drive. He’ll look at everything from the potential risks that exist in the supply chain to the key fobs and electronic control modules that we rely on to stay on the road.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, begins a four-part blog series that will focus on some of the products and sectors that we rely on, as an essential part of our everyday life, that are being targeted by cybercriminals.

In addition to discussing the potential risks and vulnerabilities, David offers his expert perspective regarding the steps that we can take to stay protected. In part one of this series, David examines our U.S. critical infrastructure and the significance of the work that’s being done to help protect everything from our electric power grids and our food supply to the behind-the-scenes systems and data that helps in keeping everything working properly.  

By David Dungan

The safety and security of our critical infrastructure stretches into every aspect of our daily life.

And, just as the complexity of those systems continues to advance rapidly, thanks to the advancements we’re making in technology, so, too, has the sophistication of the cyberattacks that are occurring, here in the U.S. and abroad. Because of that, companies are beginning to recognize the necessity of making sure that critical patches are made, along with the priority of fixing them to protect against these attacks.

If threat actors attack these vulnerable areas, it can lead to national disruption. Unfortunately, it doesn’t stop there, as a cybercriminal can try to impact food manufacturing, manipulate chemicals used for pesticides, or interrupt our critical communications channels. Any of these scenarios could impact us on a significant level, including our economy.

All told, there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy and our public health or safety (or any combination involving any of these listed).

Within these sectors, there is a significant portion of our public infrastructure that has been impacted by cyberattacks and cyber incidents, largely because they are considered insecure targets due to limited budgets and less access to the resources needed to protect against more sophisticated attacks. Because of this, these entities are viewed as being more susceptible to a larger financial loss for a variety of reasons.

In 2024, U.S. utilities faced an increase of nearly 70 percent in cyberattacks compared to the same time period in 2023. Tens of thousands of customers were without power due to these attacks. State actors and hacktivists are highly motivated and often target critical infrastructure, especially power grids.

• For instance, on May 7, 2021, the U.S. had to shut down a gas pipeline that supplied 45% of the fuel used on the East Coast due to a cyberattack.
• Threat actors write malicious software and firmware in an effort to try and take control of the power grid breaker systems. They can leverage this ability as ransomware, enabling threat actors to demand millions of dollars in ransom payments.
• One of the key vulnerabilities in critical infrastructure that can occur is when end-of-life of software takes place. End-of-life (EOL) is when an operating system is no longer maintained or supported by the vendor. This means that there are no updates and patches to the system which leaves the critical infrastructure systems exposed. Threat actors will often focus on trying to exploit known vulnerabilities to gain access to a network.

To prepare for these challenges, a recent article in Forbes highlights seven key steps critical infrastructure companies can utilize to help solidify their cyber defenses including:

• Formulating a cybersecurity program based on risk
• Investing in the right technological controls
• Taking account of compliance and regulations
• Training employees on cyber hygiene
• Testing and validating defenses regularly
• Establishing a vendor risk management program
• Consider opting for cyber insurance

Here in Indiana, a key resource for supporting critical infrastructure owners and operators is the Indiana Information Sharing and Analysis Center (IN-ISAC). Developed by the state and its partners, IN-ISAC was created to mitigate cybersecurity risks among state agencies through the sharing of threat information and collaboration on strategies. It provides real-time network monitoring, vulnerability identification, and threat warnings. Nationwide, multiple states operate ISACs, and all 50 states participate in the non-profit Multi-State ISAC.

It is through channels, such as IN-ISAC, critical infrastructure owners and operators are able to gain access to high-level security consulting (at no cost), as well receive assistance with troubleshooting and identifying the resources they need as it regards incident response/preparedness.

NOTE: Be sure to come back and check out Part 2 of our blog series on Friday, June 6th, as David Dungan takes a look at what is known as the “Internet of Things” (IoT) devices. What are we talking about? Basically, anything you can hook up to an Internet connection (and, at last count, there are some wildly broad estimates that we'll have between 30.9 billion and 75 billion of these devices worldwide by the end of this year)!

At a time when it seems as though that part of the advertising pitch – from the people who try and entice us to purchase the latest, most advanced mobile devices – is that it’ll turn all of us into professional photographers or videographers.

Instead, let’s celebrate the people who are the real pros when it comes to creating artwork through a camera lens while trying our best to keep the image of our thumb out of whatever memories we’re trying to capture (and keep secure)!

If it’s true that the Indianapolis 500 is the “Greatest Spectacle in Racing” (and it is…), there’s a good chance that Memorial Day weekend may soon take its place as the “Greatest Spectacle in Road Trips”.

And while it’s true, that you’re not going to see any other place on Earth – besides Speedway, Indiana, host an event where more than 350,000 people will gather inside the Indianapolis Motor Speedway and create for a day the Hoosier State’s third largest city – Memorial Day travel is projected to beat a 20-year-old record.

According to AAA, 45.1 million people are expected to hit the road and venture out at least 50 miles from home beginning Thursday, May 22^nd through Monday, May 26^th!

Here in Indiana, nearly 971,000 people are expected to travel, with more than 883,000 driving while 52,000 will take to the skies and another 35,000 will use trains, buses, and other modes of travel to reach their destination. All of it adds up to the highest volume of travelers ever on record for the holiday weekend (and that includes National Road Trip Day on Friday).

Of course, for all of the fun we expect to have while we’re away, cybercriminals are already making their own plans to try and take advantage of all of us with a variety of online scams – involving everything from fake charity appeals (especially those targeting veterans and their families), fraudulent travel deals and counterfeit tickets (to sporting events) to all sorts of phishing emails and text messages.

Before heading out, it’s a good idea to follow just a few simple steps to stay protected, such as:

• Travel lightly, in terms of the number of devices you take with you. The more laptops, tablets, and/or smart phones you bring with you, the more risk you’ll, potentially, open yourself up to.
• Check the privacy and security settings on your web services and apps. Be sure to set limits on how and with whom you share information and consider changing some features, such as location tracking, while you’re away.
• Set up the “find my phone” feature – In addition to allowing to locate your phone, it’ll give you the power to remotely wipe data or disable the device if it gets into the wrong hands.

Once you arrive, be it at the track, your in-law’s house, or the resort where you’re staying, there are a few best practices you can follow, too, while you’re on the go, including:

• Turning off your location services (when you’re not using your device) and consider limiting how you share your location on social media. Your location can be exposed, even through the photos you take).
• Use secure Wi-Fi – Avoid transmitting any personal or financial information or making any purchases on an unsecure or public Wi-Fi network. Instead, use a VPN (virtual private network) or your phone as a personal hotspot to be more secure.
• Wait until you get home to post any pictures.

As you and your family, friends, and co-workers get ready for the weekend, it’s important to keep in mind that, in as much as we’ve reached a point where the Memorial Day weekend is recognized as a celebration (as well as the end of the school year and the start of summer), it’s also a time for reflection on Memorial Day (on Monday, May 26th); a day of remembrance of those who’ve died in active military service to our country.

With that in mind, here’s hoping that wherever you are and whatever you’re doing, that you experience not only safe travels in reaching your destination and returning home, but that you’re able to stay protected whenever you’re online!

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, examines the circumstances surrounding some of the high profile cyberattacks that have occurred globally, and offers his perspective on the impact and what we can to help ourselves (and the companies we work for) to try and avoid being impacted by online fraud.

By David Dungan

Cybersecurity is a massive industry.

According to a recent report, the global cybersecurity market size was estimated at $245.62 billion (USD) in 2024 and it is projected to grow at a compound annual growth rate (CAGR) of 12.9 percent between now and 2030.

Amid all of this growth, there are a multitude of companies – here in Indiana, across the country, and globally -- that host their own cybersecurity programs. There are those who specialize in everything from incident response, intrusion detection and prevention, to monitoring and more.

With so many programs out there to help us with our cybersecurity behind the scenes, it’s easy to wonder how big companies even get hacked in the first place. After all, they have copious amounts of money with which to buy these security solutions. But perhaps, therein lies the problem.

As we’ve learned, large corporations are appealing to threat actors because they have large amounts of money and assets. Successfully executing a cyberattack on a large company can lead to the loss of critical data from clients, customers, employees, vendors, and associates. In 2024, according to the FBI’s Internet Crime Complaint Center, reported losses due to cybercrime in the United States reached a record $16.6 billion; that’s a 33 percent increase from the previous year. In the same report, it was noted that there were 859,532 complaints, with the most significant losses reported in cases involving investment fraud, particularly involving cryptocurrency – totaling more than $6.5 billion!

Therefore, despite the risks of trying to hack a large company, there are additional rewards that are very appealing to threat actors, including:

• Personal customer data, which may contain names, addresses, login information, payment information, or even social security numbers and/or someone’s date of birth.
• Access to other companies, especially if the initial hack impacted a well-known distributor or vendor.
• Free use of the companies’ own tools and public facing information, such as websites.
• Logs and private information that could be used to negatively impact the company or organization.

The most common hacks on large companies are credential theft or known vulnerability exploitation. Credential theft happens when a trusted individual within an organization has their credentials stolen by a threat actor, allowing the threat actor to take actions that require elevated privileges. Credential attacks can be disastrous and represent the reason why many high-level organizations are adamant about relying on the practice of using secure credentials that are regularly changed.

Known vulnerability exploitation is another risk to large companies. Hackers exploit known vulnerabilities by finding out what systems a company uses. From there, they invest their efforts in discovering what vulnerabilities that system has had in the past. Then, they test these vulnerabilities against the systems, seeing if the company has yet to patch them. Large companies, especially ones that have thousands of devices in use across their organization, are prone to these types of attacks; after all, it’s exceedingly difficult and expensive to ensure every single last device is properly protected.

Large companies may seem like the paragon of security. However, with so much to look after, it can and is difficult to fill every crack. The next time you see a crazy password requirement, or an expectation to use multi-factor authentication (MFA), you can think about the outcomes of a credential attack, and, perhaps, take it in stride and it'll be easier than you think. In fact, there's a few (relatively easy) steps you can take to help you avoid trouble.

After all, it’s the resources of this massive industry that works day (and night) to keep you and your company as well protected as it can be in today’s ever-changing threat environment!

Every May, for more than 60 years, we’ve celebrated Older Americans Month; it’s a time for all of us to honor the contributions by older adults to our society – in the past and present –while at the same time, we, collectively, come together to reaffirm our commitment to support them with our compassion and respect.

This year’s theme, Flip the Script on Aging, focuses on transforming how society perceives, talks about, and approaches aging. It encourages individuals and communities to challenge stereotypes and dispel misconceptions. As part of the celebration, we’re also invited to explore the many opportunities for staying active and engaged as we age and highlight the opportunities that come with aging.

With that in mind, one of the issues that we need to “flip the script on” is taking the steps to help older Americans avoid being the victim of online fraud and cyber scams.

In 2024, according to a report from the FBI, older Americans reported that nearly $4.9 billion was stolen from them through fraud, with the average loss coming in at $83.000. That’s an increase of 43 percent. What’s more, adults 60 and older submitted the most complaints of any age group (more than 147,000).

Here in Indiana, in the same report, senior citizens experienced the largest financial losses due to cybercrime in 2024, losing more than $37.2 million. The figure represents a substantial portion of the total $125.1 million in losses reported by Indiana residents due to internet crime in 2024. All told, there were 23,659 internet crime complaints last year.

It doesn’t stop there, as these figures represent just a fraction of the actual amount, for two reasons. Some victims who submit reports to the FBI’s Internet Crime Complaint Center at IC3.gov don’t include their age. Add to that, many victims are reluctant to come forward to report these crimes, either because they’re embarrassed or they believe that there’s no point due to the fact they believe their money is gone for good.

There are four categories, nationally, that account for the biggest financial losses on victims, 60 and older including:

• Investment scams totaled more than $1.8 billion.
• Tech support scams at $982 million.
• Confidence/romance scams : $389 million
• Business email compromise (where cybercriminals impersonate leaders of a company or an organization to get employees to send money or share data) at $385 million.

Fortunately, there are steps we can take every day, both in terms of following a range of best practices designed to keep us safe, and reminding ourselves to listen to the numerous trusted sources who are out there providing their expertise and guidance to help all of us gain an even greater measure of awareness for all things cyber.

Among the steps that the FBI recommends includes:

• Pause and take time to think – and talk to someone. The agency has a Take a Beat campaign, advising people to stop and think before responding to unsolicited communications, and certainly before sending money to a stranger. Most importantly, get a second opinion from someone you trust. Say, ‘Hey, does this make sense that someone would offer me a guaranteed 20 percent return on this investment?’”
• Practice good digital hygiene. Among other safe practices, don’t click on unsolicited links or respond to unsolicited calls or messages. To learn more, check out a great story from AARP Magazine on 15 ways to prevent fraud.
• Report fraud. Report these crimes to local law enforcement and the FBI through IC3.gov. “Reporting is one of the first and most important steps in fighting crime so law enforcement can use this information to combat a variety of frauds and scams. As with most agencies, they’re only as successful as the reports they receive.

Through the state of Indiana, there are also free resources that you can download by visiting the Indiana Cyber Hub website, including a page (and more FREE resources) devoted to helping you in the event that you need to report a cyber incident. If you think you’re a victim of identity theft, the page includes advice on the immediate steps you need to take, along with a full list of the resources that are available to help you!

At a time when cybercrimes have been all too frequent and more sophisticated than ever, it’s easy to feel – regardless of our age or where we’re at in our life – to think that we won’t allow ourselves to get tricked out of our personal or financial information.

Maybe that’s what we need to do to celebrate Older Americans Month, is to flip the switch on the cybercriminals by trusting our instincts, but, at the same time, being willing to show that it’s OK to adapt to today's technology, just as we’ve done with a lot of other things that are popular in the world we live in. You got this.

For all of the technology, logistics, and, yes, the threats – both cyber and kinetic – that surround our global supply chain, there’s nothing more vital, for all of us, than to focus on the protection of our critical infrastructure.

After all, it’s the things that keep us up at night – in terms of finding solutions – is why we’re able to work on making sure it runs smoothly during the day, regardless of which corner of the world you’re in.

And it doesn’t matter if the problem that it’s in front of you exists at a shipping port in Seattle, a water and wastewater treatment facility in a small Indiana town, or you’re a field engineer overseeing the construction of a bridge that links together the boroughs of Manhattan, Queens, and the Bronx, it’s one of the reasons why, today, we celebrate the importance of National Supply Chain Day!

Supply chain cyberattacks are surging, with one report indicating a 431 percent increase between 2021 and 2023. In fact, there are projections that suggest this trend will continue, with Gartner predicting that by 2025, 45 percent of organizations globally will have experienced such attacks. This is a significant increase from 2021, and experts estimate the global cost of software supply chain attacks could reach $60 billion by the end of the year.

As grim as some of that is, there are steps that can be taken to try and help mitigate the frequency and impact of these incidents.

Starting with the premise that any issue involving cybersecurity and the supply chain cannot be viewed strictly as an IT-only problem, it’s important to keep in mind, too, that cyber supply chain risks touch everything from sourcing, vendor management, supply chain continuity and quality, to transportation security and many other functions across the enterprise.

Because of that, it requires a coordinated effort to achieve the kind of outcomes we expect, as it relates to protecting the data that exists within our critical systems, but also to ensure that what we’re doing provides for the safety of the people whose livelihoods depend on it all running smoothly.

Published by the National Institute of Standards and Technology (NIST), there are three key principles for maintaining a high-level security within the supply chain, including:

• Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on the next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.
• Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.
• Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyberattack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.

As you take all of that into account, it’s no secret that the risks to the supply chain are as varied as they are sophisticated, including from:

• Third party service providers or vendors – from janitorial services to software engineering -- with physical or virtual access to information systems, software code, or IP.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Software security vulnerabilities in supply chain management or supplier systems.
• Counterfeit hardware or hardware with embedded malware.
• Third party data storage or data aggregators.

There are many different ways for companies, as well as local government, utilities, and other organizations that comprise our critical infrastructure to improve upon their supply chain management while increasing their operational efficiencies. At the same time, strides are being made to manage their costs, even as they take steps to protect themselves against the likelihood of experiencing a cyber incident or having their data or systems compromised by a cyberattack.

What’s more, there is a great deal of free resources available from trusted sources, including the Cybersecurity Infrastructure and Security Agency (CISA) and the Defense Logistics Agency. And, for businesses that are looking to build on their supply chain management, there’s a recent report from Oracle highlighting the 15 best practices that businesses can follow to stay protected and, most of all, secure.  Here’s hoping this adds to the celebration!

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses the importance of the proactive role that cyber incident responders provide as it relates to keeping companies and organizations safe and secure when it comes to avoiding a cyber incident or falling prey to a cyberattack.  

By David Dungan

Cybersecurity is becoming more present in everyday life and business environments. Workers are dealing with new cybersecurity requirements every day - don’t click on links in your email, don’t use thumb drives, don’t breathe on the space bar, etc. But what happens when an employee makes that mistake? Accidentally clicking on a bad link, downloading a trojan virus - what steps does the organization take next? They call in the cyber incident responders.

Cyber incident response can be a difficult and high-stakes job. Cyber incident responders are in charge of making sure that the organization can be up and running, safely and securely, as soon as possible. Their job is to limit the impact of a cyber incident on an organization, often saving the company time, money, and resources. They do this through a number of steps before and after a cyberattack.

Before a cyberattack, companies and organizations are well advised to take several  precautionary measures, which can help hinder, or potentially stop, an event before it occurs in the first place. Among the steps you’ll want to initiate and follow include:

• Identifying network and device vulnerabilities specific to your organization’s operations.
• Prioritizing and instituting cybersecurity measures
• Consider monitoring your organization’s network traffic
• Developing policies and conducting training
• Developing a communications strategy

However, precautionary measures can’t always cover every situation; this is especially true when it comes to zero-day attacks. Once an event has occurred, incident responders often have to switch gears and dedicate time to:

• Tracking down the exploit via computer or firewall logs
• Fixing the exploit for all devices
• Returning devices back to operational capacity

So, how much money do incident response plans actually save? To measure this, IBM has their Cost of a Data Breach report, stating that companies that invested in cyber response were saving $1.7 million dollars per breach over companies that skipped it. Even if the incident has already happened, having proactive and reactive measures in place is vital for the company or organization to recover as smoothly as possible.

Of course, the precautionary measures that incident responders put in place are only as effective as the ability by everyone following through and implementing what’s been recommended. It comes down to doing the little things, or the basic steps we take every day, such as making sure you close your laptop whenever you get up, even if it’s just dropping off some paperwork next door.

And be sure, as always, to avoid opening any emails you find to be suspicious or clicking on any links that might be trying to take you – and your company’s critical data or its finances – to a scam from a would-be cybercriminal that could be from anywhere, even if that “anywhere” is halfway around the world.

In doing so, you’ll be better prepared and, for that, to borrow a line from the movie, “Ghostbusters” you’ll be able to answer the question of “Who you gonna call?” thanks to your cyber incident responders and the important role they play in keeping all of us cybersafe and secure!

April is Distracted Driving Awareness Month.

And whether you’re out for a drive, listening on the radio, or you’re at home watching TV or looking at something on your phone, there’s a good chance that you’ll see or hear a public service announcement with reminders to “just drive” and to focus on the road.

It’s good advice, considering that more than 3,000 people died and 400,000 people were injured last year due to accidents caused by a distracted driver. That’s an average of nine deaths every day.

What you might not realize is that in addition to the devastation that can (and does) result from someone trying to send a text, eat a sandwich, shave, or put on some makeup while they’re at the wheel, distracted driving can lead to someone being the victim of a cybercrime.

• The fact is, drivers distracted by their phones are more likely to be involved in accidents, which can lead to situations where their phones are compromised, and their personal information can be stolen.
• Additionally, cybercriminals can exploit the heightened stress and vulnerability of accident victims, potentially leading to phishing scams or identity theft.
• Some of the potential for a cybercrime can also stem from the confusion and delays that can occur as part of the insurance process.
  • For example, a fraudulent claim could be filed using stolen identities, making it difficult for the actual victim to get their claim processed.
• In the aftermath of an accident, there is a lot of property damage and that can extend to a phone or a mobile device, which could be lost, stolen or otherwise compromised.
  • The cybercriminals also could take advantage of the situation by contacting accident victims with false information, such as claims of needing emergency funds, in order to try and steal someone’s money by gaining access to their bank account and other sensitive information.

Likewise, if a driver is distracted while driving and is concerned that they are at fault for the accident, they may be slower to report it to the authorities or respond to emergency calls. They might try to avoid reporting it at all, or they leave the scene altogether. These types of delays can create opportunities for cybercriminals to exploit the situation, either by contacting the driver with fake offers of assistance or claiming to be an insurance adjuster.

While it’s true that, sometimes, there will be situations that you can’t avoid completely. Instead, it has to be managed. Keeping that in mind, there’s 10 ‘top’ tips that AAA recommends that all of us follow as a way to avoid distractions while driving that includes:

• Fully focus on driving. Do not let anything divert your attention, actively scan the road, use your mirrors and watch out for pedestrians and cyclists.
• Store loose gear, possessions and other distractions that could roll around in the car, so you do not feel tempted to reach for them on the floor or the seat.
• Make adjustments before you get underway. This includes adjusting your seat, mirrors and climate controls before hitting the road. Also, decide on your route and check traffic conditions ahead of time.
• Finish getting ready at home – instead of once you get on the road.
• Snack smart. If possible, eat meals or snacks before or after your trip, not while driving. On the road, avoid messy foods that can be difficult to manage.
• Secure children and pets before getting underway. If they need your attention, pull off the road safely to care for them. Reaching into the back seat can cause you to lose control of the vehicle.
• Put aside your cell phone. Never text, read email, play video games, or scroll on the internet or social media while driving. If you have passengers, let them be your co-pilot so you can focus safely on driving.
• If another activity demands your attention, instead of trying to attempt it while driving, pull off the road and stop your vehicle in a safe place. To avoid temptation, turn your phone off or store it somewhere you cannot reach it before heading out.
• As a general rule, if you cannot devote your full attention to driving because of some other activity, it’s a distraction and it’s a good idea to take care of it before or after your trip, not while behind the wheel.

The bottom line is, beginning with the moment we get in a car that we recognize that distracted driving can lead to a chain of events that not only can cause us physical harm (or what we refer to in the cyber world as a kinetic attack), but that there are also digital threats. By taking the time to just drive, we can help protect ourselves – along with everyone else – when we’re out on the road.

This week’s blog first appeared on the SANS Institute’s OUCH! Newsletter on March 1, 2025.

By Dhruti Mehta

Caught off Guard: Steve’s Story

Steve was at his desk when he received a frantic video call from his manager, Bela. She looked stressed in the video call, her voice hurried. “I need you to send the confidential client report to this new email right away!” she insisted. Seeing her familiar face and hearing her distinct voice, he didn’t hesitate, he sent the confidential report to the new email address.

Hours later, Bela walked into his office and asked about the report. Confused, Steve mentioned the video call. Bela’s expression turned to shock; she hadn’t called him. The person he saw on the video wasn’t Bela. It was a deepfake, created by a cybercriminal to trick him.

Steve couldn’t believe how real the fake call seemed. The face, the voice, everything matched his boss perfectly. He had fallen victim to a growing cyber threat where criminals use Artificial Intelligence (AI) to create highly convincing fakes.

What is a Deepfake?

AI can create images, audio, or videos that look real. These capabilities have many legitimate uses. For instance, marketing companies creating images for use in ad campaigns, movie companies de-aging certain actors, or teachers creating dynamic video lessons for their students.

A deepfake is when AI is used to create fake images, audio, or videos for the purpose to deceive others. The name deepfake combines “deep learning” (a type of AI) and “fake.”

Often the most damaging deepfakes are when cyber criminals create fake images, audio or video of people that you may know, doing things they actually never did.  For example, cyber attackers may create fake pictures of famous celebrities or politicians committing a crime and spread them as fake news. Or they may clone someone’s voice and use it in a call to deceive a victim’s family or colleagues. What makes deepfakes so dangerous is how easily cybercriminals can replicate anyone, doing anything, and make it appear real.

Three Types of Deepfakes

Image Deepfakes

As indicated in its definition, the images, often, are either photos of fake people created by AI (who don’t even exist) or photos of real people but showing them doing something they never did. Unfortunately, these fake images can be distributed very quickly and are often used for the purpose of damaging someone’s reputation or manipulating a person’s emotions.  Deepfake images are becoming increasingly common in social media when people, or even governments, are attempting to push out stories that are completely untrue, or they promote false narratives (often called fake news or it’s referred to as part of a disinformation campaign).

Audio Deepfakes (Voice Cloning)

These are fake recordings or phone calls using someone’s cloned voice.  Attackers can get recordings of people's voices from podcasts or sources, such as YouTube. From there, they use   those recordings to replicate their voice.  Once replicated, cyber attackers can then call anyone they want pretending to be that individual, such as posing to be a manager and calling an employee to ask for sensitive data or re-create a loved one’s voice in an emergency call asking for money.

Video Deepfakes

These are fake videos, in which a person’s voice and actions are manipulated or recreated.  Deepfake videos can consist of pre-recorded video, or they utilize live video to participate in an online conference call.  For example, cyber attackers could create a deepfake video of a CEO making an announcement with information that’s not true about their company. It can also be used in a political campaign to make it appear as though one of the candidates said something (in the video) that, in reality, they didn’t say.

How to Detect Deepfakes: Focus on Context

Do not try to detect deepfakes by only looking for technical mistakes.  Both AI and the cyber attackers, who use them, have become very sophisticated.  Instead focus on context.  Does the image, audio or video make sense?

• Trust Your Instincts: Does something feel “off” about the interaction? Is the request urgent or unexpected? Is the person behaving strangely, even if they look and sound normal? Is someone asking for confidential information or personal data they should not have access to?  If something doesn’t feel right, trust your gut and check your facts and the situation.
• Watch Out for Emotional Manipulation: Cyber attackers often create urgency or fear to try and make you act quickly. If a message or call makes you panic, take a breath and verify the true identity of the person you believe you’re in contact with.  The stronger the emotional pull, such as creating a strong sense of urgency or fear, the more likely it’s a potential attack.
• Verify Through Another Method: If you are concerned the person contacting you may be a deepfake, reach out to the individual using a different method.   For example, for video calls or messages that you are concerned about may be fake, contact the person directly via phone or email.  If you get a voice call asking for urgent action, hang up and call back using a trusted number.
• Establish a Code Word or Phrase: Agree upon a shared code word or phrase known only within a group, or perhaps your family, that can be used to authenticate an urgent communication. Another option is to ask a question that you are certain that only the actual individual could answer; one the criminal could not research or figure out simply by searching online.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the misconceptions about people who are neurodiverse and what we can do differently with regard to the career opportunities that exist for them to find success and contribute their skills in today’s cybersecurity workforce.  

By David Dungan

For all that’s been reported in news articles and other mediums that have put an otherwise positive spotlight on the topic, the opportunity of hiring people who are neurodiverse in the cybersecurity workforce has been impacted by several misconceptions. These misconceptions have made it difficult for these individuals who are neurodiverse to find their place in the field.

Neurodiversity is a term that describes individuals whose brains work differently; this term is usually used to describe people who’ve been diagnosed with certain medical conditions such as, but not limited to:

• ADHD (Attention Deficit Hyperactivity Disorder)
• Autism
• Down Syndrome
• Dyslexia
• Sensory Processing Disorders
• Social Anxiety

The first of these misconceptions is that neurotypical people are “better” to hire than individuals who are neurodiverse. Many articles cite the current shortage of cybersecurity workers as a reason to hire more neurodiverse individuals. While it’s true there is currently a shortage of people in the cybersecurity workforce and that people who are neurodiverse are underrepresented in the field, some articles seem to imply that if there was not a current workforce shortage, there wouldn’t be any need to hire people who are neurodiverse. The reality is that people who are neurodiverse are just as effective workers as those who aren't. The disproportionality is due, instead, to factors involved with the hiring process such as interviews, as well as discrimination faced in the field.

A better solution for overcoming these barriers is for employers to fundamentally change the way people are recruited through hiring practices that are more inclusive and providing tailored training programs, and utilizing adaptive management styles.

The next big misconception is the idea that people who are neurodiverse are so different from people who are neurotypical, that the most productive way to use them as employees is to have teams built up entirely of neurodiverse people. People who are neurodiverse often see the world and systems differently from people who are neurotypical, but this does not mean that they cannot work together with people who are neurotypical.

In fact, it has often been shown that environments that include both neurotypical and neurodiverse people can be more productive and effective. Having a diverse set of people also helps to ensure that all sides of a situation are considered, and essential perspectives are included to create even better outcomes. This can be an even greater benefit in the cybersecurity field, where problems often require an added measure of creativity to come up with solutions. Having only neurotypical people or only neurodiverse people on a team does not allow the kind of interchange of ideas that can happen in more diverse environments.

As for the last big misconception, people may think being neurodiverse is a kind of “superpower”. In reality, this stereotype can be harmful because it ultimately sets up people with neurodiversity for failure. The more people believe this misconception, the higher expectations are for people who are neurodiverse. People who are neurodiverse often find themselves in situations where they are given lots of responsibilities because they are seen as super competent and, as a result, they’re not provided the support they need in order to meet those expectations. When these expectations are not met or misunderstood, they are judged for not being good enough.

All three of these misconceptions can make it hard for people who are neurodiverse to find a place in the cybersecurity industry and contribute in a meaningful way to the lack of representation in the field.

As a recent article, posted on a website page by Indeed.com for employers, there are 10 steps employers can follow to support their neurodiverse employees, with the understanding that they also expect to be treated the same as their colleagues who are neurotypical. A story in the Wall Street Journal also offered five ways that neurodiverse employees can help drive innovation and performance, based on new research from Deloitte.

And isn’t that what we’re talking about? Creating a work environment, in which everyone deserves to have their needs, as well as the knowledge and experience they possess to be met with respect, one in which everyone is valued and supported and enables all employees to do their best work.