Greg Gogolin is a professor of information security and intelligence at Ferris State University. Gogolin created Ferris State’s undergraduate and graduate information programs.
His research interests include digital forensics, cybersecurity, and business intelligence. LinkedIn profile
Here are the key points
- Innovative approach to education: He created undergraduate and graduate information programs at Ferris State, focusing on breaking down traditional academic barriers and incorporating real-world cybersecurity challenges into the curriculum.
- Research on IoT security: Gogolin has been researching the security of Internet of Things (IoT) devices, particularly how they transmit user data to numerous IP addresses, raising concerns about privacy and data monetization.
- Privacy concerns in the digital age: His findings highlight the extensive sharing of personal data by IoT devices with multiple entities, emphasizing the irreversible nature of privacy erosion and the challenges in regulating data privacy.
- Cybersecurity education at Ferris State: The programs he developed offer a unique blend of technical and non-technical aspects, including digital forensics, incident response, pen testing, data mining, and even foreign language and cultural studies.
- AI in cybersecurity: Gogolin is exploring the use of artificial intelligence in cybersecurity, emphasizing the importance of understanding data structures and pattern recognition in the field.
- Diverse perspectives in cybersecurity: He advocates for a more inclusive approach in cybersecurity education and practice, recognizing the value of diverse perspectives and backgrounds in addressing complex security challenges.
How did you first become interested in cybersecurity?
I started teaching digital forensics classes…And about the same time, the Department of Homeland Security was going through quite a few grants and needed grant reviewers for cybersecurity-type solicitations or grant requests. And I became the grant reviewer for Homeland Security for a couple of years. This was right after the Twin Towers went down and a lot of the context was things around communication.
For example, if you had police at the same scene as the fire department, they couldn’t talk to each other on their radios and things like that. So the purpose of the grants was to break down a lot of the barriers for information sharing and things of that nature.
But one of the grants that I’d received to review was for Link and Visual Analysis Software, and I wasn’t really familiar with it. And I thought, “Well, if I’m going to make a decision on this grant, I’d better understand the technology pretty fully.”
What did you do?
So I called up the vendor and I asked, “Hey, do you have any academic programs?” “Well, let’s get together and work one out.” And they said, “But if you want to use this software in the class, you better be trained.” And I said, “Well, how much is that?” And they said, “You get out to us,” (which was in DC) “and we’ll train you. It’s all free but you’ve got to get here.” And I got the right price, and so I’m out in this class and everybody in class are three-letter people — FBI, CIA, DHS — people of that nature.
And after I was listening to what they were doing, it’s like, “Man, universities are missing the boat, they’re not preparing students for what you need.” And they replied, “Absolutely not.” And so that’s where the real seed was planted.
Okay. Let’s jump ahead. Can you tell us what your current research looks like, or what sorts of cybersecurity-related projects you’re working on now?
I spent the last three, four years on IoT security. So it’s pretty common right now that people understand that their conversations are being recorded and so forth…telephone, television, all kinds of things operated by voice control. Four or five years ago, the question that I had was, “What are the companies and organizations that are gathering this data, what are they really doing with it?”
And so, I got some of the voice devices, Amazon Echo type things, and voice-activated TVs and such. And started capturing the traffic that they are sending back through the Internet. And what I found was, this TV in particular, although a lot of these devices are like this, but this television, in particular, was sending the information to 283 different IP addresses.
What was the significance of that?
Well, if I were to try to gather information, if I were the Vendor, Vendor X, and I wanted to gather the information, the conversations, I’d want to refine the voice recognition process. If you were going to capture the data (I’m a database guy, back when I was corporate), you don’t want the data to be redundant.
So those 283 IP addresses really jumped out at me because if I were capturing something, I would put it in one location first and then filter it down, and then if I needed to distribute it across the organization or whatever, I would do it that way, rather than just send it out to 283 places and then everybody struggle with the breakdown or the analysis.
Well, the thing is, the 283 addresses weren’t all internal to that organization, so basically what it means is that they are sending that information real-time to other organizations, they’re monetizing those conversations and who knows what those organizations are doing. So, people will say that they are not too concerned about Google or Apple having their voice conversation. But a lot of these vendors are literally just selling it, without even knowing what they’re selling. It’s just a conversation, or a video feed or whatever.
So that whole piece has really fascinated me, scared me quite a bit too, because if you think about it, if 283 companies are potentially getting the information, what are those 283 companies doing? They may be also selling it to 283 companies. Well, just do the math. That information is everywhere instantly, and you cannot reel it back.
So, that is a huge interest and concern and something I spend quite a bit of time on.
I think a lot of us are becoming more concerned with privacy now that we have more Alexas and Siris and Smart TVs and whatever else, even refrigerators are collecting data on our eating habits. So once you have that research, what do you do with it? What’s the end result of your research, especially in that IoT Privacy realm?
I presented it at the North America Cyber Summit and the National State Auditors Association National Conference and have spoken with policymakers, legislators, and so forth. We are in the wrong political cycle currently to discuss regulation of these types of things. There’s no interest in it.
And it’s extremely unfortunate because the amount of privacy erosion that is occurring and has occurred over the few years, you can’t reel it in. I’m always dumbfounded when my information is taken from X bank or credit card company or whatever, that I might get a letter from them saying, “Well, we’ll give you one year of privacy service.” Well, okay, if I’m going to steal someone’s identity, then I guess I wait 366 days. It makes absolutely no sense. Or like the Equifax thing where they essentially leaked everybody’s information, you know, every adult in the United States, more or less.
One hundred sixty-five million people give or take. And who knows what the implications were for young people because they haven’t applied for loans and so forth. To my knowledge, nobody went to jail for Equifax but there were some incredibly negligent acts that warranted potential prosecution.
But that information is out there and it doesn’t come back and it’s to the point almost, well, maybe it is, where, “Is there really even any reason to protect some of these things because they’re already out there?”
I see what you mean. Yeah, that’s tough.
It’s almost like you have to go on a disinformation campaign so that you put dirty data out there so you store the wrong social security numbers for people and then that gets kind of like a honey pot type thing.
And someone like me, my name is very unique, so it’s not difficult to match things up. I worked with a colleague, his name was Jim Jones and that, growing up was not a good name. [Take a] look in the phone book and everybody’s Jim Jones, how do you figure out which name and phone number is his? But in today’s world, that’s actually a blessing because there are too many Jim Jones to be able to match everything up as well as you could by going by name, as you could with someone like me.
That’s one main [area] of research, the other is AI use in cybersecurity, and that’s more recent and still evolving. But it gets back to my interest when I was corporate. I was a programmer and a database administrator — database was my favorite spot. I really enjoyed being a database administrator, and it has really colored the way I look at cybersecurity because I always think, “data first.” And a lot of people think, networks in computer security. And the reality is that the reason most people are breaking into the computers is for the data.
So, I’ve got a little different perspective than most simply because of what my background was.
Right. Well, that’s a good segue to my next question. Is there a through-line that connects all the parts of your career to what you’re doing now?
Well, I had a little bit [of a] different path than a lot of people in that when I was going through college, I had a difficult time deciding what I wanted to do, and I would jump back and forth between IT and science.
And I actually ended up picking up degrees in too many things, including biology, with an emphasis on chemistry as well as computer degrees, and that in itself has given me a little bit [of a] different perspective… It’s not unusual for someone maybe to have a math background, or something like that. But, it’s not as common for someone to have an interest in biology and chemistry and become an IT person.
I also had a fascination with history, and that actually has come in very handy with cybersecurity.
That’s really interesting that you bring that up, and hopefully useful to students to understand that it’s okay to branch out and pursue other interests too. To learn about other facets because ultimately that might help whatever career you choose down the road.
So, can you explain more specifically what the cybersecurity programs are like at Ferris State?
Well, I created the programs and it was directly because of that class that I took with the government agencies in DC in 2006.
And, I think back at that time, cybersecurity was not sexy and most people felt that it was just another class in a computer science degree. And that class was basically access controlled. So in other words, a computer security class that dealt with access and roles and things like that.
And realized there is a political landscape in an academic environment, that in many cases is resistant to change, and a lot of people might think, “Well, I thought universities were places that liked to change quickly.” And that isn’t the case.
So how did you develop the program with that in mind?
Rather than take an existing program and bolt on a couple of classes and take a lot of things that I didn’t want, that I didn’t see as part of the program. I went straight from scratch and I kept my networks going with the people in the federal agencies and other innovators that I knew, and I just spent a summer basically drinking Guinness and brainstorming, and came up with a curriculum that way rather than saying, “Okay, I’ve got this computer science degree or computer networking degree, let’s make it into a cybersecurity degree.” And they didn’t call them cybersecurity back then anyway.
But again I had this data side, and that’s why I called it Information Security and Intelligence because I always wanted to keep the data side in sight. And it wasn’t until maybe 2015, 2016, where the cybersecurity really got the religion at universities, where you started to see programs pop up.
And a lot of them were, “Just snap on a couple of security courses and call it cybersecurity.”
But even today, if you look at nearly every cybersecurity program, you can see that it was built on an existing computer science type structure. There are very few that have data components. There are very few that have classes, for example, on risk, or even project management, or Link and Visual Analysis. And Link and Visual Analysis is what gave me the whole idea back in 2006.
Competitive theory, if you look at our program compared to any other program, you’ll say, “Wow, this is different.” And I get calls or emails frequently because it intrigues people when they see, “Oh, it’s just not a class in this, this, and this, with a couple of security classes on it.”. It’s very much more a big picture thinking type of thing with multiple perspectives.
Tell us more about your classes and offerings.
We have classes in Python and things that are built into the program, but then you take this core area and then you take a concentration that can be in digital forensics or incident response. Digital forensics originally was seen as a criminal justice thing. But it has evolved into far more than that, and digital forensics needs to have a broader perspective in terms of incident response to be most effective—at least, that’s my opinion. We have a pen testing area and we have a data mining area. Students can also focus on project management and the unusual area that students can focus on is a foreign language.
When I first brought up the program, I required a foreign language, and there were no computer science programs anywhere in the world that I could find that had a foreign language component.
And I also required a religion class, didn’t care which one, I just wanted that perspective, that cultural perspective.
The challenge was would have a lot of students that would want to come from community colleges and so forth, and the way the programs were structured, it was difficult to require foreign language because some schools, the first-year foreign language was considered non-credit bearing towards a degree.
That made some transfer challenges. So I had to change it out from, “required,” to “strongly recommended.” So, every single student I say, “Take foreign language. You’re not going to be fluent in the foreign language in a year or two of study anyway, but it’s that whole concept of thinking differently and getting the cultural appreciation — that is basically one of the reasons we’re having the protests we’re having right now.”
Is that both at the bachelor’s level and the master’s levels, or were you just describing only the bachelor’s courses?
They’re actually at both. The most common concentrations people take are the digital forensics/ incident response, the pen testing, or the, at the undergrad level we call it more of a data warehousing area, and at the grad level we call it more of a business intelligence area. And also project management—we have that at both levels as well. And those are four or five course sequences to develop the concentration. And we’re looking at bringing in AI into that and that’s been an interesting set of challenges.
Where you’re having conversations with your students and you’re talking to them and advising them, what kinds of things are on their minds in terms of cybersecurity?
I don’t know if I can generalize it into one or two things, but I will say that there are different types of students. In other words, you have some that have a laser focus—they know exactly what they want to do and oftentimes, it’s pen testing. And then you have another group of students that will be, “Well, I know there are jobs in cybersecurity, but I don’t know what they are.” And the challenge with that group is they don’t understand that if something’s not your initial interest, or initial passion, then it maybe takes a little bit longer to ramp up to it.
So, for example, let’s use foreign language because it’s the perfect correlation. If you want to learn a foreign language and you’re a kid and your parents speak a foreign language in the home, piece of cake. If you’re older…it just feels more difficult to pick up the language.
And it’s very similar with the computer field. If you haven’t been technically comfortable prior to coming in there’s this huge intimidation factor that students feel and a lot of time that washes people out too quickly. They get frustrated or intimidated or whatever and that’s the group that really needs the most also. “Give it a shot, you’ve got to be a little bit persistent, you’re not going to win the Boston Marathon picking up running six months before.” That type of thing.
But it’s such a broad field that there are probably some opportunities that you’ll really find interesting. And since we have that intelligence side, that data side, we actually have a pretty high percentage of a female student body. They make fantastic analysts, and in many cases they are much better analysts than the male students. And that’s where a lot of the universities are missing the boat when they focus so much on network security and so forth.
When I was in IT, I worked in this one shop that we had about 350 in IT. I’m trying to think of how many of them were on the network side but don’t recall. I can only remember one female in that whole group. And that’s a problem because you need the people with the different perspectives to show you what you don’t know.
Right. So how do you encourage those different perspectives?
So we work hard with the students that maybe they’re pretty strong students but they’ve not been in the computer field – you don’t want to weed them out. Some people, some professors think it’s their job to make the first class in a particular degree, the “weed out class.”
Well, we don’t subscribe to that. For one, there’s such a need for people in the field, but the other is, the last thing we need is to keep the field a white, male-dominated thing. Interestingly, all of the professors in our program have daughters. And that gives you a much different perspective — if you have a daughter and you see what they go through. It gives you a different passion.
Yeah. And we’ve touched on this next question, do you think from your perspective that cybersecurity is becoming a mainstream concern?
Of course. President Obama had it as one of his top five threats to the country. And I think it was two years ago in, it might not have been Forbes, but it was a survey from an organization like that, of CEOs of what keeps them up at night.
And cybersecurity made the list?
It was first or second for many of the CEOs. So clearly, it’s mainstream, but still a lot of people…they’ll give it lip service, but their organization does not build itself that way. So I just said it, “Yes, it was mainstream.” but in many ways, it’s not. And the reason I say, it’s not is because if you actually look at the way that organizations are built out, they’re not built out the most efficient way possible for cybersecurity. And they’re maybe not addressing the full picture.
Why do you think that is?
Part of that is, well, especially for small business, it’s a resource issue.
But the other is, it’s like when I created the degree in the first place, I wanted to start from scratch. Organizations aren’t that way. They’ve got to get there with what they have and the structures in place and you can’t just change overnight, so it’s taken time. But it’s been painful.
If we’re crowdsourcing a cybersecurity reading list or information security reading list, and this reading list could include anything—books, papers, movies, podcasts, whatever, you get the idea—what would be your top two or three recommendations? What do you recommend for people who are trying to understand what cybersecurity is all about?
Yeah. Podcasts. “Cyberwire,” which basically is a daily podcast that gives you a lot of current information and so forth. And the other, which is more general interest, is “Spycast” podcast. It’s the Spy Museum in DC. The host will do interviews and you’ll get very fascinating people on there.
Most of them worked in a three-letter agency in the past, as did he. But they’ll talk about current issues in the context of their background…and I just find that fascinating because a lot of times it gives it more of an international perspective.
What is on the horizon for cybersecurity in the next five to ten years?
So, artificial intelligence is going to be a huge aspect of it. And it could be simply because of the volumes of data, you need the AI capability or the deep learning capability to be able to make sense of it. And if I were to talk to someone, I’m on the data side. I would encourage people to get a better understanding of the data side and Python.
Can you explain why?
Because you’ve got to be able to sort through a lot of information very quickly. You know, this Link and Visual Analysis piece, it all comes into play. And being able to spot patterns and so forth. It’s a different mindset than locking down.
And I’m frustrated when I hear people speak or write articles and they say, “Well, everybody should apply all of the patches as soon as they come out.” They clearly are someone that hasn’t really worked in IT, because you can’t do that. Microsoft might send a patch for their OS that makes the DBMS no longer function correctly, or some other package. So it’s not like you can just apply a patch immediately.
You’ve got to do testing and so forth. Your environment is going to have so many variables that people aren’t going to be able to keep those in their heads to make the correct judgments in many cases. And so being able to programmatically help yourself and analyze the available data and understand data structures is critical. So that’s my high-level spiel on it.