Podcast with Dr. Kevin Harris, Program Director, Cybersecurity, Information Systems Security and Information Technology and
Rodney Hampton, solutions architect, 20-year cybersecurity professional
Data privacy is extremely challenging in today’s interconnected world. In this episode, AMU cybersecurity program director Dr. Kevin Harris talks to Rodney Hampton, a 20-year cybersecurity professional who focuses on data privacy. Learn about corporate privacy issues including storing data on the cloud and the potential risk of having employees who work from home using IoT devices. Also learn how individuals can protect their own privacy by removing personal information from the internet as well as career advice for aspiring cybersecurity professionals.
Listen to the Podcast:
Read the Transcript:
Dr. Kevin Harris: Welcome to the podcast, Protect and Secure. I’m your host, Dr. Kevin Harris. I appreciate you sharing a few moments around data privacy. Today’s guest is Rodney Hampton, a seasoned cyber security and privacy leader who’s spent over 20 years delivering solutions for enterprises with the focus on data privacy. Welcome to Protect and Secure, Rodney.
Rodney Hampton: Thank you, Kevin. How are you today?
Dr. Kevin Harris: I’m doing great. I really appreciate you joining us. Do you mind just sharing a little bit about your career and how you’ve seen the field of cybersecurity grow?
Rodney Hampton: Oh, sure. No problem. So even before I became an IT professional, I had an interest in programming. Back in the early 80s, I got a Commodore VIC-20 and started learning BASIC on my own. Went to school, picked up some other languages, Pascal and FORTRAN.
Back around 1999, I decided that I wanted to transition into IT as a career. I did it by starting out as a web app developer. Back in those days, web application programming was on the LAMP Stack. So Linux, Apache, MySQL, or in my case, I used both MySQL and Postgres and then PHP or Perl.
Again, I programmed with both for the first couple of jobs that I had. I eventually made my way to an insurance company where I worked as basically a web application infrastructure guy. We had all the J2EE servers like WebLogic, WebSphere, Tomcat, et cetera. We were responsible for Apache, the load balancers, IIS, all that stuff, and we were responsible for code deployments to the production systems. I did that for a couple of years and then made a move to the security team at that insurance company. Once I moved to security, I haven’t looked back.
Dr. Kevin Harris: Nice. Exciting. You talk about the move to security. I know in addition to some of those jobs that you mentioned, you’ve got a military background. Can you discuss how that experience directed some of the things you do now in your career?
Rodney Hampton: Sure. We chatted about this a little bit the other day, but my first impression of what the military service did for me was it gave me a lot of self-discipline, which I was lacking at the time. But the more I’ve thought about it, there were three other things that I got out of that military experience.
The second thing was an ability to grind. That wasn’t the term back in the day. I was in the infantry for the Army for four years. That’s a very physical and demanding job with some very odd hours. And I never deployed, but we did a lot of training and you find that your physical limitations, your mental limitations are not what you necessarily think they are until you really test them. So now I know I can grind, and I know where my limitations probably are at.
The third thing was meritocracy. In the military, as I experienced it, I saw that people that performed well were rewarded for that performance. That’s not necessarily everyone’s experience in the military, but it was mine.
Then the fourth thing—and I think the more time has progressed, the more I see this as the most beneficial thing—that’s teamwork. We were taught to get all participants, all the combat power, muster that for any fight that we got into. That means every individual brings some kind of skill. They bring some kind of specialization.
You want all of that active at the same time to accomplish your goal. The more I’ve been in cybersecurity, the more I’ve seen this is a team sport. You need everybody on the field and you need everybody to bring something different to the game.
Dr. Kevin Harris: Good analogies there. One of the things also this past year that’s come up a lot, especially leading up to our recent election that we had, was a topic of ransomware. Can you talk about your experience with ransomware? I know some of the questions that come up a lot of time is should a company organization pay a ransom?
Rodney Hampton: Yeah. First on the topic of ransomware, it’s been around a long time. I read an article the other day about the history of ransomware and the earliest, I think it was 1989. There was some early nascent form of ransomware that was distributed.
I am fortunate in that I have never had to work a ransomware incident, but they can be pretty devastating to organizations. There are a couple of things that come to mind. Recently, there’ve been a lot of attacks on hospital systems. But a couple of years ago, there was an attack on Maersk Shipping, which was the NotPetya ransomware, which was designed to look a little bit like Petya.
That was a very large logistics company and shut down some operations and impacted their customer base. Ransomware is a growing problem and it continues to be a growing problem because people are paying the ransom.
My personal opinion had been, that’s a bad idea to pay the ransom, but let me just lay out a couple of points for you, Kevin. In some cases, the idea is with ransomware, “If you pay us our ransom, we will give you the encryption key and you’ll be able to get access to your data,” but that doesn’t necessarily happen in all of the cases. Sometimes companies pay and they find that they don’t get a working key and what’s the recourse? They have none.
The other issue is that, I forget who said this, but it really resonated with me. They said, “You’re basically identifying yourself as a qualified customer. You’re a mark for future shakedowns. You’re going to pay.” They know that you’ve paid once and that’s going to get around in the criminal underworld.
Then, lastly, this is something that not a lot companies were aware of, especially smaller companies. But since I worked in the financial services industry, I’m aware of the Office of the Treasury and what they have is the OFAC.
And OFAC’s job is to basically enforce this Specially Designated Nationals list—persons and entities that are threats to national security or harboring terrorists, et cetera. But OFAC has the ability to impose civil penalties for sanctions based on strict liability. So even if you’re a company that didn’t know that by paying this ransomware to this person that’s on the SDN list, you should have known. So OFAC can potentially sanction you with some civil fines. That’s not only companies, that’s individuals too. Hopefully that kind of hit the high points for you.
Dr. Kevin Harris: Yeah. Thank you. Yeah, just a big concern that companies and individuals, and when you talk about individuals, I know a lot of times we think about organizations and big corporations, but with the explosion of IoT devices in the home, really brings that importance to the consumer. What should the average consumer think about with data privacy and the number of these IoT devices most of us have in our homes today?
Rodney Hampton: Yeah. IoT devices in the home. So first of all, full disclosure, I have none, none. So I’m kind of atypical. I guess I am a bit of a Luddite there, but Siri is turned off on my phone. Siri is not listening. We just recently bought a smart TV. It has the ability to hook into Alexa. That’s turned off. I have none of it on my network.
Those people that do have it just be aware for those devices A) you should keep up to date. B) you should probably statically assign the IP if you have access to the router to do that. But just recognize that they can be a pivot point for attackers within your home network, which wasn’t as big a deal before work from home, but now it’s a bigger deal for companies.
Once you have given that up to some other entity, how do you get it back? You really can’t. So they’re able to produce profiles of you and your family and distribute them for cash. I am just fundamentally opposed to that.
Dr. Kevin Harris: Thanks. Definitely, I think a lot of people don’t realize the sheer fact that they’re using these devices, what they’re giving up for these and a lot of times, I think they’re just nice toys to play with. So definitely is something that everyone should keep in mind. Rodney, I know we talked a little while ago about your background, and I know you’ve got a legal background as well. It brings up an interesting question. Do you see any recent legislation bringing about change in data privacy?
Rodney Hampton: Yeah. There are two things that are really interesting that are happening legislatively. Now, the day that we record this is really close to a ballot initiative that was put on California’s ballot. It looks like, at this time, that that ballot initiative is going to pass.
And it was brought by Alastair MacTaggart and the others that were behind the ballot initiative that eventually became the CCPA. What I’m talking about is Prop 24 in California, which is the CPRA, which is going to give additional consumer rights privacy and it’s going to impact companies that operate in California. That’s one thing.
The other thing that’s interesting and it’s stuck in committee right now is up in New York. The New York legislature is considering a piece of privacy legislation that has buried within it, the idea, a concept that’s really exciting to me called data fiduciary. And what that basically says that if you’re a company that takes data from your consumers, you have to treat that data as if you had a fiduciary responsibility toward those consumers. In other words, you’ve got to put the consumers interest ahead of even your own interest in that data.
I think that’s an interesting development. It will be interesting to see if it ever gets out of committee and gets passed by the New York legislature. But I think that’s a path forward. Instead of having numerous different state laws and maybe some overarching privacy legislation at the federal level, by imposing a duty on companies and making that consistent it could be a much simpler approach in the longterm. So that’s my read of things right now, Kevin, as far as what’s interesting and what’s not.
Dr. Kevin Harris: That’s great that at least we see there are some conversations and some movement to keep this on forefront legislatively. So that’s a great thing there. Another topic that we hear about a lot of time is the convenience of the cloud. So I know there’s risks there that get brought up a lot of times. I think some of the times those are overlooked. What are some of those risks when we talk about companies and even individuals saving data to the cloud?
Rodney Hampton: I actually see with the main cloud service providers (GCP, AWS, and Azure) moving things to the cloud, at this point probably would make them more secure for most companies. It’s only when you start talking about SaaS providers, which may not be as well architected, that I might have security concerns.
Then it would go down to how security practitioners take on this challenge under a heading called third-party risk, right? Third-party risk management. Often, it’s handled through an initial assessment questionnaire, some kind of security-risk scoring from maybe one of the vendors that plays in that space. Then occasionally revisiting those vendors to make sure that they haven’t drifted security-wise.
I think with the proper amount of due diligence from cybersecurity and privacy professionals, that the risks of moving things to the cloud are manageable.
Dr. Kevin Harris: Yeah, that’s great. I think a lot of companies are looking for that assurance when they’re making that decision where to put their data. So that’s great. Thanks for sharing that. As you’re sharing advice, what advice would you have for people that are looking to enter the field and go into security field?
Rodney Hampton: Two things. First, stay humble. And here I talked to a lot of people around the state that we live in about their cybersecurity program. Occasionally, you run into somebody who thinks they know all of the answers. And frankly, it’s impossible to know all of the answers, especially since attackers are evolving their techniques on a daily basis. The regulatory environment has gotten very complicated in the US and worldwide. It’s impossible for somebody to know it all. So stay humble.
That dovetails with the other point I’d like to make, which is seek allies. Find people that can bring you up. You don’t have to be the smartest person in the room. Find people that are and learn from them and be willing to be in that discomfort zone. I’m in the process of going through getting some certifications in AWS, because I just see the cloud as being unavoidable at this point.
I think a lot of on-prem architectures are going to go away. So I’m trying to put what I would call pitons in the wall as I climb up this wall that is my career. I’m trying to make sure that I don’t off of the wall and descend too far. So I’m getting additional certs.
The people that I am going through that process with at my company are my allies. If I have a question about this upcoming certification exam, I can reach out to one of them. We have a very collegial environment where I work and you kind of need to build that. If your culture doesn’t have that kind of free interplay of ideas and free sharing of things, then you’ve got to build it if you’re the security or privacy leader.
Dr. Kevin Harris: Yeah. I definitely agree with you, Rodney, that being somewhere where there is that collegiality that you can reach out to different colleagues and team members does make all the difference. So thanks for bringing that up.
When you talk about some of that learning that’s required professionally kind of had me think that as a consumer, general consumer, that may not be in the IT or security space, what about learning or things that just a general user might want to make sure they’re aware of when it comes to their data and data privacy?
Rodney Hampton: Right. I think people would be amazed if they were to simply put in their first name, middle initial, last name, and first name, full middle name, last name, and their email address and do Google and Bing searches on those and just see what the footprint they have out there actually is and how much people can find out about them using just a few simple queries, same thing with your family. Especially if you have kids that are teenagers, start there and then start whittling that down.
Over the course of many years, I’ve gotten a lot of personal information removed from the web. I’ve been fairly diligent about it. It’s not easy to do, but it can be done. That’s one thing I would do to protect my privacy.
The other things are obvious. With social media, turn on multifactor, watch what you post, don’t have geolocation on your photographs, do the privacy review on Facebook, occasionally blow up your social media and start over with a fresh account. Those kinds of things can do a lot to make it harder for somebody who wants to target you to get too close.
Dr. Kevin Harris: Great recommendations. When you talk about working to have information removed, what’s kind of the best process there? Is it just contacting the search engines directly?
Rodney Hampton: You can’t really remove the search results directly from the major search engines. As you could back in the day, you could flag a page and perhaps have them rescan it once it’s removed. Now that ability is gone unless you’re the “webmaster” at the site.
But what you can do is go to these sites like whitepages and peoplefinder, et cetera. Each one of them has an opt-out process. Most of them can be done online. Occasionally, you’ll run into one that will want a copy of your driver’s license. With those, make your choice, whether you want the information removed, or if you’re fine with it remaining out there.
Dr. Kevin Harris: Perfect. Well, we appreciate you sharing some of that and helping us protect ourselves, especially when we think about our physical security, protecting if someone can actually target us physically as well as online. So thanks for sharing that. Thank you for sharing your expertise and perspective on this issue. Thank you for joining me on today’s episode of Protect and Secure.
Rodney Hampton: Kevin, you’re welcome. It’s been a pleasure.
Dr. Kevin Harris: And thank you to our listeners for joining us. You can learn more about these topics and more, continue to tune in to Protect and Secure. Be well and stay safe.
About the Speakers:
Dr. Kevin Harris is the Program Director for Cybersecurity, Information Systems Security and Information Technology at American Military University. With over 25 years of industry experience, Dr. Harris has protected a variety of organizational infrastructure and data in positions ranging from systems analyst to chief information officer.
His career encompasses diverse experiences both in information technology and academia. His research and passion are in the areas of cybersecurity, bridging the digital divide, and increasing diversity in the tech community. As an academic leader, Dr. Harris has instructed students at various institutions, including community colleges, HBCUs, public, private, graduate, undergraduate and online. He has trained faculty from multiple institutions in the area of cybersecurity as part of a National Science Foundation multistate CSEC grant.
Rodney Hampton is a solutions architect for a large cybersecurity solutions integrator. Rodney learned programming on his first computer, a Commodore Vic-20, in the early 80s and was a computer enthusiast long before IT became his career. He now has 20 years of professional experience working his way up and over from web development to infrastructure and finally to security. Previously, he was the Security Manager for a Fortune 500 oil and gas company. Rodney’s formal education includes an Associate of Science degree in Business, Magna Cum Laude; a BA in History from The Ohio State University; and a JD, Magna Cum Laude, from Western Michigan University. Rodney is a licensed attorney and holds several certifications in security and privacy.