Joseph Mahaffee wants to stay a step ahead of the world's cybercriminals - because that's his job.
Now executive vice president and chief information security officer for defense giant Booz Allen Hamilton, Mahaffee was tapped Jan. 31 to become the company's chief administrative officer on July 1. The 56-year-old executive joined Booz Allen in 1981 and has spent 34 years in cybersecurity, communication and information assurance. He leads the company's information services, security services and shared services operational teams.
Mahaffee and Kevin Cook, who was named Booz Allen's chief financial officer effective July 1, co-lead the company's IT Operating Group in directing strategic information technology decisions. Previously, Mahaffee led development of Booz Allen's information and mission assurance and resilience capability; led the integration of defense and national security operations during previous base-closing initiatives; and was a system engineer on several Navy and joint service projects, including the Milstar network of military communications satellites.
Before joining Booz Allen, Mahaffee was an information security engineer with the National Security Agency. He holds a bachelor's degree in electrical engineering from Clemson University and a master's degree in electrical engineering from Johns Hopkins University.
Mahaffee was in Colorado Springs and Denver earlier this month to learn about the challenges and needs of the company's offices in the two cities.
Question: How important is cybersecurity becoming to Booz Allen?
Answer: Cyber is a huge part of most of our business areas. We do a lot of that work here and, in a general sense, it covers the waterfront. We make sure our clients have good defensive measures in place and are prepared for the next attack. The cyber landscape continues to evolve - some adversaries have become more aggressive and others have become more covert. We saw that with the Heartbleed vulnerability, where our adversaries went after the underlying basic security capability with the intent to get user credentials so they can gain greater access to accounts of all types. We are seeing some adversaries that are trying to lure people to certain sites, so-called watering holes like news, social media or other popular sites, where they have embedded a piece of code that infects whatever device they are using so they can gain access to the user's credentials for later use.
Q: How can the average computer user protect themselves?
A: We are reliant on the hosts of those sites to keep them clean (of viruses and malicious code), but we need to constantly revisit how we educate and make people aware of these exploits. There is still a big play to be made around awareness. The most common type of exploit is still phishing, in which the adversary wants you to click on a link to start the attack. If you click on the link you have been had. Booz Allen has been working on this and has made a big effort on making our staff aware of what a phishing attack is. The adversary is just looking for a good email address. We built a tool three or four years ago called StarPhish that takes a page right out of the secret shopper playbook. We test our people on how to recognize bogus or potentially malicious messages by periodically sending out a bogus message. If someone clicks on it, they get a message that they have been phished and have to take a five-minute refresher course. That has dramatically reduced instances where people have fallen for a phishing attack. People are much more aware of what to look for. A lot of that is caught by our own filters, but if those messages do get through, we want to make sure people are behaving responsibly.
Q: What other measures can the average user employ?
A: As adversaries become more sophisticated, they have found ways around some defenses so you have to think about segmenting your (information technology) architecture and find different ways to protect your most valuable assets. You have to have the right protection mechanisms in place right down to the end user, and some of them are not the most IT savvy or think about security that much, so we are making sure they do think about security. If you improve your cyberhygiene, that can make a big difference. That includes having strong passwords, not using the same password for every site you visit, changing your password often, keeping operating system patches and virus definitions up to date and not sharing passwords or other sensitive information with anyone else.
Q: What are some computer security best practices?
A: Using two-factor authentication for users, which means both a password and a particular physical device must be used to gain access; having a temporary password sent to your cell phone and changing passwords at least several times a year makes it much more difficult for an adversary to gain access to your information. Adversaries are getting better at cracking passwords and are using automated tools, so it is important to introduce a greater level of complexity into your password (not using password or the numbers 1-2-3-4 in sequence). Adversaries are more interested in convenience, so using special characters, changing between upper and lower case characters or using more characters (10-15), makes it more likely the adversary will look elsewhere for a victim. Ultimately, it is difficult for the network to distinguish between legitimate users and adversaries.
Questions and answers have been edited for clarity and brevity.
Contact Wayne Heilman: 636-0234