Abstract
While developing a tool for data transfer between computer systems during my internship, I came across a bug that revealed that the data was transferred in plain text rather than in its original, encrypted form. Broadly speaking, a failure to protect sensitive information is a severe software vulnerability that could lead to the information being stolen by a malicious actor, and could negatively affect governments, organizations, and individuals. The discovery of the bug inspired my STS research project on cybersecurity standards and techniques. For a new graduate entering the workforce, I wanted to ensure that I was educated in the best cybersecurity practices to utilize through my own career.
Over the summer, I worked as an intern at ScienceLogic, which is a company that develops software, called the SL1, for IT professionals to organize their work more effectively and efficiently. During my internship, I was tasked with developing a tool that exports discovery sessions, which are records of a device’s connection to a SL1, between SL1 systems. By doing so, it would save back-end engineers from having to manually carry out the task, turning an operation that takes several minutes into a matter of seconds as well as mitigating the possibility of human error causing the transfer of malformed data. As the company grew, there was an increase in the number of times the operation had to be carried out, and the task ended up taking countless hours every week that could have been better spent on a more productive task. As a result, the discovery session exporter drastically reduced the time it takes to execute a task that was quickly becoming a burden to the company as the number of employees rapidly increased.
Because of the security vulnerability I discovered during my internship, I chose to focus my STS thesis research on the topic of education in best practices in cybersecurity. It is impossible to protect against a zero-day attack, which targets a vulnerability that hasn’t been recognized before the attack happens; however, it is possible for an individual to prepare themselves for cyber-attacks that have happened in the past and may happen in the future. It is important to many organizations that they avoid any cyber-attacks from occurring, so the organizations educate their employees about the ways that they should practice cybersecurity to maintain a level of safety for themselves and their employers. Additionally, it is possible for those employees to learn about cybersecurity in their schooling before they enter the workforce. To research this topic, I interviewed professors at the University of Virginia that teach in cybersecurity or cybersecurity-adjacent courses to learn how they ensure that their students are being educated on best cybersecurity practices. One of the most emphasized and common points made by the professors during the interviews was that they teach their students how to be an adversary in order to look towards the future when considering possible cyber-attacks. If an individual isn’t trained in adversarial thinking in terms of security, they would only be limited to an education in past events. Alternatively, if the individual is able to think like an adversary, they are more likely to recognize and prepare for security vulnerabilities earlier, making for a safer work environment. In addition to adversarial thinking, some professors mentioned emerging technologies that would soon have an effect on the world of cybersecurity such as the spread of 5G networks and artificial intelligence. Their students will be the ones who will work with and develop such technologies, so it is important to the professors that their students are introduced to those topics.
Although I did not work on both projects simultaneously, working on the discovery session exporter allowed me to get hands-on experience with computer networks and APIs, and the security bug motivated my research on cybersecurity. Initially, my STS research was focused on the technology involved with cybersecurity, but after the interviews and research analysis, the project evolved into how cybersecurity professors ensure that their students are educated on the best cybersecurity practices to be prepared for their work in industry. If I had worked on both projects simultaneously, I would take the information gained from my research to develop software that is efficient and safe. Although I did not have the chance to do so, I will take my findings from my research to best prepare for the work in my own career in the future.
