CyberWire Daily - Sal Aurigemma: How things work. [Education] [Career Notes]
Episode Date: October 25, 2020
Associate Professor of Computer Information Systems at the University of Tulsa Sal Aurigemma shares how his interest in how things worked shaped his career path in nuclear power and computers. Being introduced to computers in high school and learning about the Chernobyl event led Sal to study nuclear engineering followed by time in the Navy as a submarine officer. On the submarine, Sal had to understand how systems worked from soup to nuts and that led him back to IT. As a computer engineer, Sal spent a lot of time on network troubleshooting and was eventually introduced to cybersecurity. Following 9/11, cybersecurity took on greater importance. Sal's research focuses on behavioral cybersecurity. To newcomers, he suggests heading into things with an open mind and doesn't recommend giving users 24-character passwords that have two upper, two lower, and two special characters that cannot be written down. We thank Sal for sharing his story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
My name is Sal Aurigemma.
I'm an associate professor of computer information systems at the University of Tulsa.
I've always been interested in how things work, even when I was in high school.
And computers came around, and I think I was a sophomore or a junior in high school
when my high school got the first computer lab, and they were teaching us BASIC.
And I think the first thing I did was write one of those adventure-type text-based programs
where you choose A or B if you want to run away,
if you want to fight the dragon and die, that kind of thing.
And it was fun for the game, but then trying to figure out how the computer worked
and how it did stuff has always interested me.
So, you know, when I went to college, I ended up getting a nuclear engineering degree,
and it was one of those things kind of like with cybersecurity.
I never planned on liking nuclear engineering or cybersecurity, but something piqued my interest.
And Chernobyl actually piqued my interest before I went into college.
I read about it and I was like, wow, I'd like to know more about, you know, how nuclear power works.
And next thing you know, I was silly enough to go get a degree in it.
Then once I got my degree in nuclear engineering from the University of Florida, I ended up going into the Navy as a submarine officer.
And my job was to fight the ship.
You are collecting information, being able to, if required, you know, attack the enemy if there is one.
But a lot of it is just understanding how systems work from soup to nuts.
I mean, when you qualify on a submarine today or even back in the old days,
you have to be able to draw every system and every valve
and understand what every component does so that if the component fails,
what is the impact on anything else in the ship?
So that's always interested me, and that's what kind of led me to go back to my interest in IT when I decided to get out of the Navy was
the world is evolving, everything is transitioning to information and data and wow, it seems
more and more complicated every day. I think I should learn more about how that works.
What I think of a computer engineer nowadays in college is very different than what I was doing.
I think of a computer engineer as someone nowadays who designs components of the next generation's computers. What I was doing was everything from project management to
Unix and Windows system administration, a lot of training, a lot of system implementation,
and probably 50% of my time is on network troubleshooting
because, wow, did we have lots of network problems.
And that was actually probably still to this day my favorite thing,
which is why one of the classes I teach is networks and troubleshooting.
And it's just a lot of fun trying to figure out
why the packet didn't
get from point A to point B. That's kind of what led me in my professional career to stick with IT.
And then over time, I found myself, I guess, fighting with cybersecurity more and more because the government was slowly getting
more interested and caring about security. Because we've all heard about the big cybersecurity
exercises in the late 90s that showed how you could take down the power grid or you could take
down the communication system. And the government doesn't always move so quick, and the Department of Defense sometimes is even slower.
But there came a point in my career after 9/11 where we had all these operational requirements and cybersecurity requirements coming in from two different parties.
The people that needed to get things done and the people that were tasked, it was their job to keep systems secure.
And I see even to this day, there is still a gap between the security purists and those folks
that are just trying to do their jobs
and get their tasks done.
And that's kind of really where I focus my research
on behavioral cybersecurity,
is trying to get people to be more secure,
but also understanding why they don't do the things
they know they should be doing.
And there's probably a pretty good reason as opposed to just stupid users.
There are different perspectives on just about everything in cybersecurity.
So there's that challenge of privacy versus security.
They go hand in hand, but at times they conflict.
And be open-minded to the fact that what you know about cybersecurity fits your biases and your experiences.
And don't assume that everyone else knows as much as you
or that you don't know as much as other people.
So it's a very nebulous statement.
I guess what I would say is I wish I was more open-minded earlier on about the technical and procedural challenges with cybersecurity.
Because I made so many mistakes by just reading the rule and saying that's the way it has to be,
and then coming to find out that people can't accomplish their mission if I give them a 24-character password that has two upper, two lower,
two special characters, and they have to have it for 17 different systems, and they can't use a
password manager, and they can't write it down. So going forward, I think my main goal when I teach
my students, and also with my research, is to try to find ways to elevate
security while not necessarily throwing away the tasks and increasing the level of effort
so much that it's just not worth doing.