Q&A with Shambhu Upadhyaya: Cybersecurity

Published January 19, 2017

Shambhu Upadhyaya.

Shambhu Upadhyaya

As director of UB’s Center of Excellence in Information Systems Assurance Research and Education (CEISARE), computer science and engineering professor Shambhu Upadhyaya works to protect the United States from cyber threats. Specifically, his focus is on infrastructure – electric power grids, transportation systems, financial networks, military assets and water supplies.

We caught up with Upadhyaya to get an expert’s view of today’s cyber threats, and how you might prevent their damaging effects from striking.

Question: CEISARE is certified by the National Security Agency and the Department of Homeland Security as a national center of excellence. What is its mission?

Upadhyaya: CEISARE supports efforts to meet the challenges and threats to the National Critical Information Infrastructure, which includes the financial sector, energy, health and transportation. Essential to that is elevating higher education in Information Assurance (IA) and Cyber Security, and the presence of a greater number of professionals with IA expertise. The goals of CEISARE are to provide graduate education and coordinated research in computer security and information assurance by faculty members from several schools and departments at the University at Buffalo.

Question: It seems like news of large-scale data breaches and cyber attacks are no longer a rare exception, but becoming the norm. Why?

Upadhyaya: With the advent of technology and software come new vulnerabilities. People are slow in adopting security’s best practices. So, the attack surface is not shrinking. Moreover, there are determined hackers outside and inside of the country who like to disrupt operations and cause damage.

Question:What security controls should companies have in place to help decrease their risks?

Upadhyaya: First and foremost, companies should have a chief information security officer (CISO) who can set up a security policy, and make sure that policies are implemented and security breaches can be investigated. Using some modern security tools – such as firewalls that provide perimeter defense, virus and spyware detectors that protect against malware, and intrusion detection systems that protect against unauthorized access to company assets – will help mitigate risks.

Question: How can individuals better protect themselves?

Upadhyaya: Adopt security best practices. Use strong passwords. Update your software and apply patches periodically. This is pretty easy because today’s computer systems can be programmed to apply security updates automatically.

Question: As an expert in cybersecurity, hacking, encryption and cyberattacks, how can you assist companies that either want to increase their safeguards or find themselves ensnared in a cybersecurity problem?

Upadhyaya: By way of education – via cybersecurity awareness classes – or by introducing concepts that would help to assess an organization’s security posture. I can help by making recommendations on how to harden your network. Our current focus at CEISARE is on research methodologies, but we are available to train individuals on how to perform penetration tests on an organization’s network and assess the risks.

Question: What are some emerging security issues that are on your radar screen?

Upadhyaya: I am looking at ways to enhance the authentication of users with strong passwords that you don’t need to remember. I am also examining how to keep individuals authenticated all of the time by using behavioral biometrics, such as typing rhythm on a keyboard or mouse movements. I am also looking at security solutions for attacks that are unconventional, spread over long periods of time, multi-stage and more damaging.