It is no news to people in our business that there is and will be a lack of well educated and trained security specialists. And specific around this identified challenge for our organization, but also, in general, we invest quite a lot in new talent and cooperation with the relevant universities and colleges.

I would like to share our activities around talent development and awareness around cybersecurity of last week. But before that, it may be good to describe what kind of talent is needed and which skills are of importance. Years back in the agriculture era, the way to win the competition was due to own lots of land. In the industrial era, the productivity made the difference. In the information era, the ones who could digest, analyze and present the information the best made the difference. But is the information era not over yet? Because people can get access (nearly) for free to news, music, movies, etc. I think Twitter is still the fastest growing media for sharing news. So if information is cheap now, what is valuable? I state it is “innovation”. Innovation is an attitude and requires creativity. This means we are in the creative era.

The creative era

But isn’t that a contradiction? To search for techy nerds that are creative? Ain’t the creative people, the ones who were good at drawing at school? Some people say that they are not creative. But I suggest we see creativity as an activity, not as a label. Last week I was involved in a regional college initiative in Gorinchem (this is in the region where the SecureLink Sliedrecht office is situated). Together with a school, the municipality and a couple of IT-intensive organizations the plan has been set up to start with a “dual” college program with a focus on IT. And the main reason is that there is no regional college offering IT education now, but there are over two hundred vacancies in IT in the region. Local students move towards the bigger cities and likely find an organization to work for in that area. Together with the people involved in the initiative we discussed the curriculum of the education and the naming of the education. A point of discussion was whether we should rename software development to software innovation. The initiative will start in September and is aiming for thirty students right now.

Also in this week, my colleague Gerard gave a guest lesson at the college of Utrecht (HU) for sixty students (fourth degree) on the challenges, the solutions and the innovations around datacenter architectures. The goal of these sessions is to share the enormous amount of innovation also in this area, and to make the students enthusiastic about us as a company, but also about the chances they can get.

Thinking out of the box

I also attended an interesting event in Eindhoven, where the Fontys college held an experimental project week with 1000 ICT students to come with a solution or idea around the theme “Spy”. We are involved as a partner in education at the Fontys and therefore give colleges and share ideas, reviewing student work and cooperate with student groups on projects. It’s really impressive to see the amount of creativity and innovation and thinking out of the box that the student groups (mostly 6-10 people) created in a week timeframe. Making use of existing tools, hardware, compute power, big data they realized or investigated the threats or the ease of getting all kinds of sensitive information. I will share a few examples.

Google came with a voice activated speaker that take actions on your command, called Google Home. The students found a way to send commands to the sensitive speaker, but in a tone height or adjusted frequency so people do not understand. They even find a way to put these audible commands in for example a commercial. The scary thing is that with these commands they could let the Google Home dial paid phone lines, or play a Spotify song they get the royalties for, or change thermostat control etc. Another team made an artwork on relevant data, a sort of QR code, but then much fancier, like it’s a painting.

We all know the autofill option in your browser that fills the form with saved information like name, address, email. It is fairly easy to get all the stored information from your browser, even if the website just seems to request the name and address. And so the students gathered lots of privacy related information and even credit card data by just asking people to register their name on a website to get 10% discount on drinks at the bar. Another team created some malware embedded in a game that stole the browser stored passwords (some people tend to store the frequently used passwords in their browser) and sends those back to a C&C host. Also fairly easy to do.

Some examples sound may be easy to you, but the fact that they created this in a week, presented it and came to shocking conclusions on the ease of getting sensitive data. Most even said, if we take a bit more time we can create, innovate, alter this and that. It’s very good to see this innovative drive.

The conclusion of this week: students need to be prepared for a continuous learning attitude, need to have a passion for ICT in general and have a security mindset on everything while being creative and innovative all the time and come with alternatives continuously. I am happy that we are involved in a bunch of those educations and classes to make sure students are prepared for what is next instead of learning what was yesterday’s innovation. Yes, of course, some fundamentals stay.

Peter Mesker

CTO of Technology – Netherlands
peter.mesker@securelink.nl