Dr. Alex Bardas is an assistant professor in the Department of Electrical Engineering & Computer Science and the Institute for Information Sciences at the University of Kansas. He received his PhD from Kansas State University.
Key takeaways from the interview
- Alex Bardas’s approach to cybersecurity education: Bardas emphasizes a hands-on approach to teaching cybersecurity, involving practical exercises like port scans, vulnerability scanners, and exploring Metasploit in a controlled, isolated network environment.
- Cybersecurity landscape and educational challenges: There is a discussion about the differences in priorities between federal agencies and industry in cybersecurity, noting that the field is still in a trial-and-error state without an established science of security.
- Importance of building a strong foundation: Bardas stresses the need for a strong foundational knowledge in cybersecurity, warning against focusing solely on specific tools. He suggests that a solid foundation allows for adaptability to various environments and challenges.
- Recommended cybersecurity learning resources: He recommends foundational books like Ross Anderson’s “Security Engineering” and Matt Bishop’s “Computer Security: Art and Science,” along with attending conferences like RSA, Black Hat, and DefCon for those who already have basic knowledge.
- Future of cybersecurity education: Bardas predicts the continued importance of strong foundational knowledge and suggests that advancements in AI and machine learning will play a significant role in cybersecurity, but emphasizes understanding the foundational aspects of these technologies.
Here is a full transcript of the episode
Steve Bowcut: Welcome to the Cybersecurity Guide Podcast. My name is Steve Bowcut, and I’m a writer and an editor for Cybersecurity Guide, and I’m the podcast host. Thank you for joining us today. We appreciate your listening.
On today’s show, our guest is Dr. Alex Bardas. Dr. Bardas is an assistant professor at the University of Kansas, and we’re going to be discussing cybersecurity educational opportunities at KU.
A little bit about our guest: Alex is an assistant professor in the Department of Electrical Engineering and Computer Science and the Institute of Information Sciences at the University of Kansas. He received his PhD from Kansas State University. Welcome Alex, thank you for joining me today.
Alex Bardas: Hi Steven, and thank you for having me.
Steve Bowcut: Okay. Well, we appreciate your time. This will be fun and interesting, and I’m sure our audience will enjoy it as well. Let’s get to know you a little better.
Alex Bardas: Okay.
Tell us, primarily, how did you get interested in cybersecurity? When did that happen for you?
Well, it happened I’d say now, a long time ago. Started in the late ’90s, early 2000s, so middle school to high school for me. There were some events that caught my attention there; the large-scale distributed denial-of-service attacks, but also some local smaller things that were going on, especially around that time. I’m originally from Romania, from Eastern Europe, so hijacking Yahoo email addresses and Yahoo Messenger accounts was quite something because Yahoo Messenger started being very popular after the IRC wave.
This was something, one of my family members faced this problem. His account was stolen and information was sent out on his behalf, and it was around high school so rumors are very important at that age. So I tried to recover his account and went through the recovery pathway process from Yahoo and started without really knowing how things come together. He just called me and it’s like, “You know how to computer. Do something.”
So I started looking into this and it was really fun and it was like, “I wish I could.” I was able to recover his password and change the private information to something that was not deterministic. I put him that is some from somewhere in Asia or Africa and with the zip code, because at that time, the zip code, for instance, my hometown had only one zip code for the whole town, even though it was a pretty big town to 200,000 people or so.
That’s how it was distributed and then was the street number that was really making the difference when it comes to postal deliveries. However, zip code was a big part of recovering your password, and that had to be something that was nondeterministic, let’s put it this way, and I sent it somewhere else on the globe.
So this was something that really made me like it, but on the other hand, I didn’t really like what I was seeing what was happening with eBay. I think University of Minnesota’s happens at that time when their network went down because of the denial-of-service thing. I was always thinking there has to be a way to do this in a legal way to help not destroy. And this was something that just stayed with me for quite a few years. Went on the computer science path more from a business perspective.
And in 2007, I came to the US for one year as an exchange student at James Madison University where they have a master’s program in secure software systems. And that was my answer. I was like, “Okay, now I know how that can be done.” So that thing that was in the back of my mind came back to life and this is how it started. So I pretty much started getting interested late ’90s, early 2000s and entered the field in 2007 officially.
Interesting. So you would be the exception to the rule that something that you were interested in in high school carried all the way through your career, at least to some degree. You may have taken some side roads there along the way.
Yes, to some degree that is correct, but I think I could qualify or I could fit into that category to some degree.
Okay. Interesting. And at what point did you decide that you wanted to teach, that academia rather than business was where you wanted to spend your career?
That’s an excellent question. I always liked hands-on research with practical… Practicality should be a part of it, a big part of it, and was very fortunate to work with professors and my advisors that let me do that, and not only encouraged but supported it. And I was like, “Okay, I think I like academia because I have the freedom to do the things that industry does, but I have more flexibility.”
That’s true. In business, they want you to do what they do, right?
What they need.
Which makes a lot of sense; nothing wrong with that.
So I think the academic freedom part is what really, really got me. But I really like the problems from industry. I think this world is full of problems. I don’t need to create my own problems in the lab. So we’re trying to grab problems from industry and work with industry and operational environments to hopefully, have some viable solutions.
Excellent. Okay. So from your beginnings in high school and the interest to one degree or another all the way through to where you’re at now, what kinds of things are you working on? What research or projects or kinds of things occupy your time now?
Well, I’m looking at cybersecurity as the intersection of science, engineering, and human behavior. So my projects, they fall at this intersection or they go a little bit on the engineering side, on the scientific side. They get data analysis and let’s see what the data is telling us.
Or the human behavior side, where we have social sciences such as anthropology, participant observations are two of the main areas or main directions that guided my research effort. So I use, for instance, currently, we’re looking at defensive technologies and how these technologies expose or help at-risk groups like political activists or people that are oppressed or operating in austere environments such as the environment, unfortunately, what’s going on in Ukraine.
And we’re also trying to develop applications that help these environments. So one of the projects we’re looking at now is using a non-terrestrial network to facilitate communication in austere environments where we have active adversaries; adversaries that might physically destroy the infrastructure or try to sabotage or hijack the communication.
Now, these kind of technology, looking at these technology, we also pivoted towards elections where we look at elections outside of the US so let’s not make it controversial. So we’re looking at some countries outside the US that introduced technology in their elections; how this technology helped, where this technology fell short, where engineering data and human behavior pretty much met and the, let’s say the collision was not quite a fortunate one. So this is something where we’re also looking at.
And then pivoting to the more technical side, engineering side, we’re also looking at techniques on how to mitigate reconnaissance and vulnerability scanning, especially when it comes to web servers. Can we actually delay this and instrument a code of a web server? So the functionality that is used on a more frequent basis is not encountering any delays but functionality and features that are rarely used. If they’re used too much like the scanners are doing, trying to trigger everything and more than it’s there, then there will be some significant delays that can lead to timeouts. Because this is an environment where timeouts pretty much dominate, or they’re an important factor. So why not try to use this as a way to defend against reconnaissance activities tasks?
Yeah. And then there are other projects because we’re probably one of my main projects that I’ve been involved in for years and also my research grants and efforts are focused on this is working with security operations centers, specifically developing metrics for security operations centers. We have several collaborators, and that’s why when I say I’m grabbing the problems from operational environments, that’s where we’re trying usually, to get our problems from SOCs, from these security operation centers.
Also looked at DevSecOps like next-generation service messages, security in the power grid. And even though I was not an Android guy or an Android researcher, I went that path and we were very fortunate to have some collaborators and were able to have a lot of data that enabled us to study the Android updating ecosystem. So a lot of different directions that my research group and I explored, and I’m very fortunate to work with a group of very talented graduate students and undergraduate students in all these projects.
Excellent. So if you were to… I mean, that was a lot of stuff. So has any one of those, or maybe it’s something else, been a through line or consistent through your academic career? I mean, has it been technical or human behavior? And if it’s been technical, what aspects? What’s been consistent?
Well, now you’re starting to make it difficult.
Well, I think that what I would call the systems’ perspective, and this is how I define the systems’ perspective: looking at the entire entity in relationship to its environment. I think that this has been… If I have to define a through line, this is a through line through all my research projects. I’m not looking at the research in isolation. Everything was simple before we had systems.
Now, we’re in a world of systems, of systems, and other systems, and their interactions a lot of the times is nondeterministic. So always try to take all the perspectives that apply to a problem, into consideration, and I would say that this would be the through line that brings things together.
Excellent. All right. Thank you. All right, so now let’s pivot here a little bit and put ourselves in the shoes of, let’s say, a new or a relatively new student who’s considering getting into cybersecurity and has the option of attending the University of Kansas.
What would be some of the educational opportunities that they would find there?
Okay, well, they should definitely do that because-
… our University, so KU, the University of Kansas has defined cybersecurity as one of its main priorities, and this is at the university level. And not only that, I mean, everybody can say that something is a main priority, but you look at the budget and things look a little different.
However, in our case, important resources were dedicated to this priority and this is something that is very, very encouraging. So besides the external resources that are coming in, we also have at university level a lot of support.
For instance, our department, ECS… So I’m on the computer science side, but we are on ECS department, electrical engineering, computer science. We do have an undergraduate degree in computer science and we will have, starting next fall, an undergraduate degree in cybersecurity-
… which has a strong computer science component, but it’s more on the security side. So we’re still trying to build a solid background so that students will be effective when it comes to cybersecurity. Now, when you’re saying cybersecurity, it’s security of something. Now, what is that something? We have to build the foundations for that.
We also have an undergraduate certificate, so if you don’t want to go for the degree, you can get an undergraduate certificate in cybersecurity. And this is a series of five classes. Some of them are also required for a computer science degree. Others are required only for the certificate. This would be two of the… Well, pivoting to the Institute for Information Sciences, we also have quite a few because our department and the Institute for Information Sciences, they are very much in sync.
So the research part happens in the institute and the educational, the teaching part, usually, within the department, but we are crossing over quite a bit in a very, very healthy manner. So that’s why I would also mention the two centers, the High Assurance and Secure Systems Center and the Center for Cyber Social Dynamics that are heavily involved in the research that’s going on within our department or together with our ECS department.
Excellent. Go ahead.
Yes, I think there’s one more thing before I forget. At University level, we also have other opportunities. For instance, we have an intelligence community center for academic excellence on the Lawrence Campus. And there are a lot of three-letter agencies coming in. And even though you don’t have a technical background, computer science, computer engineering was something related.
There are a lot of different areas where cybersecurity, it is a multidisciplinary domain I’d say. And there are a lot of opportunities for students with very, very different backgrounds. We also have on the Edwards campus, we have several opportunities that also are focused around the intelligence community.
Excellent. So let’s try and paint a picture here for these students who will be listening to this podcast.
What kinds of projects, or I don’t know, assignments would they be involved in, should they choose to come to University of Kansas to pursue cybersecurity education?
Well, that’s an excellent question, and I will start with an informal answer, and I’d say that whatever they want, as long as they’re committed and they’re willing to put the time and energy into it, they will find the expertise that they need to support their effort.
So in a formal manner, so we have a lot of diverse set of projects, from pure technical ones, to social technical ones, policy-driven ones. So everything is on the table. For instance, on the technical part from virtualization containers, cloud computing, DevOps, to the social technical part, user agreements, how do those user agreements map to actually the features that are present in the actual applications? And so many more.
We’re working with security operation centers. Had students embedded as security analysts, so doing work side by side with security analysts in SOCs and documenting the process and trying to help with the various problems that challenges. I think it’s a better word that these environments are encountering.
Excellent. All right, so let’s take another little pivot here. I’m always interested to see from someone like you’s perspective, the industry is clamoring about a skills gap.
There’re not enough cybersecurity workers. It’s something that everyone in industry is very well aware of, and then everyone’s trying to find solutions for that. But I’m always interested to hear what academia is doing to respond to this skills gap.
Are there things that have changed? Does this skills gap change anything that you’re doing at your institution to address this?
Yes. This is a highly complex issue, and I think that there are several factors that should be considered, and this is my personal perspective on this. I think that… I mean, we know overall it’s not a purely technical problem that we’re dealing with, and it’s not like we have the solutions and we just need to invest and make things happen. We don’t really have a science of security and I think that a lot of academic people, researchers in academia, will mention something along these lines that we’re not there yet.
We’re still figuring things out and overall, we’re still in a trial-and-error phase of things. Now, the sudden high demand on the industry side is a blessing, but also a big challenge to deal with because a lot of the high-skill security jobs, they require mentorship. They require time. It’s all the security of something. So you have to know what that something is, how it’s working, how it’s put together.
There has to be some foundational components that need to be covered. That’s not very scalable when the demand is so sudden and so high.
So that’s why we’re scrambling in different ways to make things happen. I would also emphasize that there are also particular tools and techniques that industry needs. You cannot really focus the entire educational process on specific tools. So you want to focus more on the foundation so that our students can adapt to different environments.
However, those different environments require a little time to make them really productive. And that’s what industry doesn’t really have: time. Which is understandable from a lot of perspectives, but we have to find a way, I think, together to make things happen.
Also, I think that the priorities are different when it comes to federal agencies and industry. And as I said before, I dare to repeat it. I think that overall, cybersecurity is still in a trial-and-error state. So without an established science of security, and this is still a work in progress, I think that all sides are trying different pathways to get pretty much to the same end goal, but trying different ways to do this and hoping that these different ways will result into the main or the end solution that we’re all looking for.
Now, from this high level perspective, let me tell you what we’re doing, what I’m doing from this to help with this. I always had a hands-on approach on how to deal with problems and especially problems from industry. So that’s why my research is always collaborations with industry, collaborations with operational environments. This is something I mentioned throughout some of the other questions.
But I also put together a class that is a hands-on class that we are looking at pretty much the current cybersecurity landscape. It’s an inter class where part of the class we are lecturing and other part of the class we have practices and tasks, from doing port scans to vulnerability. We’re looking at vulnerability scanners, playing… Well, not playing, looking into, but also playing with Metasploit. And we are doing this in an isolated environment, so we are not affecting the rest of the university network. So this is, our network is behind a very restrictive firewall that we are managing, and inside the network, we have all the privileges we need. Sometimes we’re installing malware. And it’s like you want to don’t click on those links. Well, in our classes, let’s click on the links and see what happens.
See what happens. Very good.
Yes. So this is what we’re trying. So this hands-on approach and pretty much have an understanding of how the foundational theory concepts apply in practice, how these two things come together. And a lot of students, the feedback… So this started as it’s not a required class.
It started as, “Okay, let me give it a try.” And from 20 students we had to expand to 30, and now we are at 50, and it’s still not enough. And it’s not a required class. It’s something that students are… They’re taking it only if they’re interested in.
We called it cyber defense. And in order to be a good defender, you have to put yourself in the shoes of the attacker and see how things are done. So we are getting our hands dirty, trying to get them dirty in a controlled environment and be able, ultimately, I’m hoping, for my students to distinguish the signal from the noise; distinguish good information that is out there from other type of information.
Excellent. Very good. That sounds exciting. Thank you for that. We’re going to end here with a couple of fun questions.
The first one is, if you were to put together a cybersecurity reading list for a new student, and this could include books, or papers, or lectures, or even conferences to attend, or YouTube channels to follow, what would you suggest? Where outside of this conversation or a more formal setting, can students learn more about cybersecurity?
Well, this should be a fun question, but it’s actually a pretty hard question or a pretty loaded one.
I would say because cybersecurity from a lot of perspectives is an overloaded term. It really depends on the lens, on the perspective that you’re taking. So are we looking at it through a social lens? Are we looking at it through a purely technical lens or trying to combine the two together? And it sounds really good, a social technical lens, but it’s probably the hardest one to work through.
So this is a highly fluid area, and I think it’s hard to have a static list or resources that one could recommend. So I would say that there’s some fundamental or foundational books that can really help.
For instance, Ross Anderson, “Security Engineering.” I still think that that is a relevant book to start with. Matt Bishop’s, “Computer Security: Art and Science.” I think it’s at the second edition now. It’s also a very, very interesting book.
But there also, if you’re interested at what happened in the cutting edge advancements, there are several conferences to look at. So we do have conferences from the industry side, like RSA, Black Hat, DefCon. And we have the academic or more academic conferences such as IEEE, formerly known as Oakland, USENIX Security, ACM CCS, NDSS, Sysorex, and several others.
And I think that these are relevant when you have a foundation to build on. Just going to these references because it’s interesting, it might be a little overwhelming, might not really get the gist of the core of what is really happening there. And that’s why I’m a little hesitant. It’s like, “Okay, well, let’s first build a strong foundation, and then go from there.” So that’s… I’m not sure if this is what you’re looking for but?
Well, that certainly makes sense; it really does. Most of these conferences or books and even YouTube channels won’t make a lot of sense if you don’t know something about the topic.
They don’t normally start from zero. You have to come with some knowledge, so that makes sense. All right. So our last question, obviously, we know no one can see into the future, but we like to ask our guests to dust off your crystal ball a little bit and look into the future.
And the idea here is to help our audience understand what someone from your perspective may see coming in the future five years or 10 years, to help them decide which aspects of cybersecurity they should be focused on.
Yes, this is a great question and well, let me tell you how this future will look like.
Well, but it won’t be anything very fancy because from this perspective, I think I’m a little boring and repeating myself, but I do think that building a strong foundation and going back to the fundamentals is essential because if you have a strong foundation, you can pretty much build whatever you want.
However, that foundation is not very pleasant to build. And that’s what drives a lot of people away on one hand, and also, I mean, when you see glamorous and good-looking things and a lot of eye candy and tools, and it’s very easy to go this route and just be focused on a certain set of tools.
So if things change, then you pretty much lose your footing. And this is something to some degree, our students agree with us, and I think everyone agrees with this. Industry, the government sector, and academia are on the same page, but what is that degree to that we should be operating at? That is, I think, something that we’re still figuring out.
I think a strong foundation really… I think that there’s a famous quote that, “If you want to invest in the future, invest in education.” So build a strong foundation, and then you can adapt to whatever’s thrown in your direction. I think that would be something to keep in mind. And I have to answer something. What about AI and machine learning because it’s everywhere.
Well, I think that they will play an important role, but it won’t be about turning knobs to get better results. I think if we want to do something meaningful with artificial intelligence and machine learning on the security side, we have to go beyond turning the knobs. Oh, look, the results are great. Our detection rate is 99.9% of something.
So I think it’s one step beyond that, and this is really understanding how machine-learning algorithms work and foundational aspects that I think will really help us make progress. So going back pretty much are foundations to make progress towards the future. I think that that’s a healthy way to look at it. Not always very glamorous or pleasant, but I think it’s the sustainable way for sure.
I love that advice, and I think our audience will appreciate that as well because I know it can be stressful if you’re a new student and you’re trying to guess what the future is going to look like because you think you need to start focusing on that today, understanding that at least for your undergraduate degree, just build the best foundation that you can; understand the basics.
And then maybe if you’re going to go on and get a postgraduate degree, you can start focusing on some of the shiny baubles. But don’t be deterred from getting the foundation in place by the shiny things that are out there in the industry.
That is an excellent point, yes. And in working with security operations centers over the years, going and interacting with several security operations centers, we have witnessed interesting things where foundations were there and foundations were not there. And that was down the road really affecting the performance of the SOC.
And you could see that some people were very good at doing certain things, but really they were lacking stuff on foundational components that when the landscape shifted a little bit, they were lost. And this is something that is very painful and unfortunate to witness, but it’s part of this dynamic world that we’re all part of.
Excellent. Thank you. Thank you so much, Alex. This has been very interesting, and I’m sure that our audience is going to find it useful. So thank you for spending some time with us today.
Well, thank you very much for having me, Steve.
All right, and a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And please join us next time for another episode of the Cybersecurity Guide Podcast.