Galloway, N.J. – When you hear the word "hackers," what comes to mind may be updating your online passwords frequently, being cautious with online banking, and watching for spam emails, but so much more goes into cybersecurity, especially when it comes to a large organization.

Brian Gembara, Stockton's cybersecurity engineer, completed a virtual course, "Enterprise Penetration Testing," offered by the SANS Institute in December, which really broadened his ever-growing skillset. Gembara joined Stockton's Office of Information Security full-time in April 2023 but worked there as a student, earning degrees in Computer Science and Mathematics in 2019.

At the course's end, the instructor organized a "Capture the Flag" (CTF) hacking competition for the 35 participants, and Gembara led his team of four to first place, scoring 7,000 of their 7,500 points. 

Gembara was elated by this accomplishment and shared why it was such a valuable experience, both professionally and personally.  

 

Why was this experience beneficial to the work you do at Stockton?

The class generally gives you a good overview of the tricks, tools and methodologies the average hacker would use to break into computer systems. The idea is that to prevent hackers from doing what they do, we need to understand how they do it in the first place - a real "know the enemy" situation. The course gives you this really wide overview of how they do it, but the capture the flag (CTF) competition at the end gives you a practical opportunity to explore how those tools and tricks work in a simulated organization's computer network. So, the class and the CTF together teach you - theoretically and practically - how an attacker can get in and potentially cause harm. 

We learn all this so that we can better model our adversaries, formulate strategies and implement mitigations to prevent the attacks before they occur. In particular, throughout the week while taking the class, there were several times when the course material covered something strongly relevant to my position here at Stockton that I'm excited to bring back in a meaningful way. The training has broadened my skillset, affording me new metaphorical tools to use at Stockton.

 

How did you feel after you realized your team won?

As the competition was nearing its end, I was sort of stressed that we might not finish all the challenges. Once we did, there was a great deal of relief and accomplishment at having totally completed the CTF competition. We didn't know where we stood compared to the other teams because the scoreboard had been hidden at some point for dramatic effect. When it was revealed to us, and I noticed we were at the top, I was both surprised and ecstatic. Surprised because we'd only just beat the second-place team by using less hints and having a better accuracy, and ecstatic because it's a serious achievement to have placed first in one of these SANS CTFs.

 

Why do you feel cybersecurity is so important, specifically in higher education?

Computers and the programs running on them are continually growing more and more complex. As that complexity scales, so does the attack surface - which is like saying there are more ways the attackers can get in. This, in theory, makes cyberattacks more common over time. 

Notably, it's not just desktop computers at risk: phones, tablets and all manners of smart devices are essentially just computers at the end of the day, so they're also targets for attacks. Cybersecurity will only become more important as well - it must - to guard against the numerous and varied threats against all these devices.

In higher education, cybersecurity is especially significant, not only as a goal for the institution but also as a learning objective. For an IT professional, knowing about cybersecurity is the difference between being able to see the metaphorical bullseyes on every computer and phone around you - or being blind to them. This is doubly important for all the computer science students who will go on to write the software that drives future digital infrastructure. Will they write vulnerable, exploitable apps or bulletproof code that is more resistant to cyberattacks? For everyone else, it's critical to be aware of cybersecurity to better protect yourself, your personal data, and your employer and their data. For instance, awareness to spot phishing scams and set smarter passwords.

Reported by Mandee McCullough

Photo by Bernard DeLury