James Banfield is an associate professor at Eastern Michigan University. He has earned a Ph.D. in Information Assurance, an M.S. in Information Assurance, and a B.S. in Network Information Technology Administration, all from Eastern Michigan University. He teaches in the B.S. Information Assurance and Cyber Defense program. This program emphasizes the design, integration, administration, hardening, and protection of all types of computer information systems and network infrastructures in modern cyber environments.
Why did you first become interested in cybersecurity?
I started working in IT in 1984. That would have been my junior year of high school. This was back when computers were very rare, and there wasn’t one in every business office. I found myself helping people set up networks and even teaching them why they are needed. My father was running a company at the time, and seeing 30 or more people stand in line to use a printer drove me nuts. I helped them stand up their first print center.
Then in the mid-nineties, the whole world landscape changed as the Internet started to become the thing that it is today. For many, however, security was still an afterthought, but not for the companies I worked for. We were managing websites for ford.com, nike.com, whitecastle.com, and the like. We were at the forefront of brand protection.
Those early experiences eventually turned into a 36-year career as an executive and educator in the IT/security field.
During this period, I became interested in understanding how a hacker thought—asking myself what I would do if I were an adversary. I developed a love for pentesting.
As we have conducted interviews with cybersecurity experts such as you, we have begun to identify a trend. Many of the leaders in cybersecurity today serendipitously came to the discipline. They didn’t set out to build a career in cybersecurity; rather, their interest in cybersecurity grew as the threats we all experience today increased.
I think that is very common, and in many ways, that describes my experience as well.
Is it fair to say that this serendipitously backing into cybersecurity is one thing you are trying to change with programs like the one you teach at Eastern Michigan University?
Absolutely! I try to instill in my students the idea that success follows doing what you love. About 25 percent of students come to my program because of the job opportunity and salary potential they perceive the Information Assurance and Cyber Defense program will afford them. This is a fine reason, but it’s not the best reason. I tell them to chase their passion. Then they can have success and enjoy what they do at the same time.
In your current role, do you have the ability to work on independent or discretionary research? If so, what research are you involved in?
I do have research opportunities, but it can be a challenge. I currently have two Ph.D. students. I try to align my research with theirs so we can work together.
As an example, I am interested in Industrial IoT (IIoT), and one of my Ph.D. students is interested in medical IoT. So, we are working together where it makes sense to do so.
One of the things that captures my time most is human security, which most call usable security. You can build the greatest, most wonderful security solutions in the world, but if people don’t adhere to best practices, it is not going to save the company any money. You can tell people all day long not to click on certain things, but often they will anyway, right?
I am performing a lot of research trying to help people succeed in adopting secure behavior. I am looking beyond information awareness to look at risky behavior and ask questions like, “Why wouldn’t someone comply with corporate security policy?” What would have to happen for them to comply with the policies, and what technologies can help with that?
I am also interested in finding applications for machine learning in security. We all know that hackers are continually developing new exploits and deploying them before we can develop a patch. That’s just the world we live in right now.
A simple example of an application for machine learning might be in an intrusion detection system. An IDS compares activity patterns as they happen across a network against a database of known malicious behavior. I am working with a couple of my students on a self-learning IDS. The idea is to teach the IDS how to identify anomalous behavior even if it has not been seen before. This way, you don’t have to wait for a security vendor to update your database or send a patch.
Can we talk a little more about your interest in usable security? I think our readers will find that interesting.
Certainly. The idea is that for security to be effective, it must be usable by the organization’s people. It goes beyond the set of rules that humans must follow to stay safe and comply with policy. And while that is important, usable security means trusting and engaging your people. They have to do their jobs, so build security solutions that will accommodate human behavior and not work against it.
At another level, usable security includes security-by-design principles as well. We have the technology to build all kinds of beautiful devices, programs, and apps, but security can’t be an afterthought. It must be baked in.
With medical edge IoT, for example, we have the ability to apply pain management remotely. A doctor can check a patient’s vitals and remotely inject the medicines he prescribes. Now imagine what could happen if malicious hackers were able to take control of that type of equipment.
Security must be considered at the very outset of product development, and it must consider what humans, even legitimate users, can and will do.
Let’s turn to your students. What kinds of things are they interested in when they come to your program?
We see what most schools that teach cybersecurity courses see: students who show up wanting to be pentesters. They want to hack things, but they’re not interested in breaking the law.
As I recall, the job opportunity for pure red-team is about 5 percent. We train our students on some offensive strategies, but we are not trying to make them full-on hackers. The job market won’t support that.
Most of our kids are going to end up blue-team, administering/securing servers or websites. They will evolve to purple-team in their careers with experience.
We give them practical experience on both sides of security, however. We divide classes into roles: one team builds a secure website, and the other tries to break it. Then the knowledge is applied in tandem at upper levels of course work. All of this is done hands-on.
Students sometimes come to the program with misconceptions about cybersecurity. They may have watched too many CSI episodes and expect something like that will be their work environment.
We have a couple of classes designed specifically to help identify those that don’t yet have the basics needed to succeed. One is on networking, and the other is an intro to security. If a student can’t get a B- in those classes, they are prevented from continuing at that point. We don’t want students to spend time and money on something they may not be well suited for.
To wrap things up, if you were to build a cybersecurity reading list, what would be your top picks? That could be books, papers, lectures, what do you recommend?
The Art of Exploitation. It’s by Jon Erickson. There are a couple of editions out now. It dives into that world of ethical hacking we discussed earlier.
Eric Cole wrote one I really like. He is actively involved with the SANS Technology Institute (STI) and SANS. It’s called The Network Security Bible. He does a great job of explaining the foundations of network security in this book. I tell my students to buy it. It’s the book you keep on your shelf when you’re working.
I love Hack This Site. It’s a fun place to test your skills.
Thank you so much for your time today. I have enjoyed speaking with you.
You’re welcome. It was nice to meet you.