Indiana State University Newsroom

Cybersecurity firm trains Sycamores for high-tech heroics

April 12, 2017

With newscasts regularly portraying a menacing picture of cyber crime, Indiana State University Professor Bill Mackey -- and the students he teaches -- is almost guaranteed job security.

Perhaps the biggest news story this spring involves the Russians, the Democratic National Committee and, possibly, the Trump White House. It also involves exactly the focus of Mackey and his cyber security company, Alloy.

"A Russian cyber security team, part of the Kremlin ... basically phished John Podesta's (former chairman of Hillary Clinton's presidential campaign) email," Mackey said. "It was a fake email, trying to get somebody to click on it. It looked like a Google email, saying somebody is trying to access your account, you need to change your password immediately, click here to change your password."

Podesta did take the time to show the campaign's IT experts the email because something didn't look quite right.

"So the IT guy sends an email back saying, ‘This is a legitimate email.' But the IT guy, he committed a typo. What he meant to write was, ‘This is not a legitimate email.' To his credit, it appears that he told Podesta to go through official Google channels to change his password, but he used the phishing link instead.

"That's how Russia gained access to all of the Democratic National Committee files, gave them to Wikileaks, who then distributed them," said Mackey, a 2012 graduate of Indiana State.

Preventing the human missteps is exactly what Mackey's enterprise does that's different from almost everyone else: They marry the technological part (the computer-code breaking) with the human element for a mixture of tech and cybercriminology.

"That human element is what we focus on," Mackey said. "There's still plenty of people out there writing code, but the vast amount of hacking now takes place through the human element."

Like the human mistake made by Podesta and his associate, when Mackey is hired by a business that wants better cyber protection, he looks for the weakest link -- human beings.

Beginning in the 1990s, the defense against cyber attacks began to grow, he said. Big cyber walls got put up making most systems pretty safe, particularly banks and other financial institutions.

"You can break into those systems, but it's tough, and it takes time and the chances of getting caught are a lot higher," Mackey said.

So the hackers found that the weakest part of a system is the person sitting at the computer, Mackey said. Hackers think "Why should I go to all that trouble, with all of that risk, to get illegitimate access to a system, when I can just phish the assistant over there, log into their system with those credentials, and be there as long as I want to, and nobody knows it because I've got legitimate access," he said.

Mackey said his company goes about protecting a company in three steps: Social engineering, which is pure behavioral penetration testing, which Mackey takes care of; individual differences, provided by Joe Nedelec, assistant professor of criminal justice at the University of Cincinnati; and the computer/technical end by Mark Stockman, associate professor of IT at the University of Cincinnati.

Lastly, they get businesses demographics. Those demographics are then compared to Mackey's large database of businesses that have suffered data breaches. His unique data set combines information about each breach with a substantial amount of business demographics, which allows Alloy Cybersecurity to find the most common vulnerabilities based on various business demographics.

"The basic idea," Mackey said, "is that we do what others don't -- we use evidence-based practices to tailor our recommendations for optimal cybersecurity from behavioral threats."

For Mackey's portion, he will employ a number of social engineering attacks, including sending phishing emails to employees.

"We're going to do research on all of the employees and find out how vulnerable they are and why. I'm going to find where your favorite place to eat is and when you go to lunch. Then I'll send you a phishing email say, ‘We appreciate your business. Click here for your free meal.'

"And inevitably, we'll get somebody to click on it. And if we don't, we'll just send another round out tomorrow. All it takes is one click. 

"We might pretend we're somebody we're not to get access to your server room. Because if I can physically get into your office, I don't need to destroy anything, just plug a device in the back of your computer, which will recognize every keystroke you've made. Or I'll tape on the outside of a USB drive the word, ‘Private,' and then I'll drop it on the floor. Somebody will pick it up, plug it into their computer and then it will begin recording data and give us access. Every business is only as strong as its weakest link."

The good news is Mackey is teaching the next generation of cyberwarriors by helping to build the two new Indiana State classes, Intelligence Analysis and Cybercriminology.

"We're teaching students about the behavior behind cybercrime, how to apply criminological theory to that, prevent it and the lingo of computers. It's important that they can work alongside current IT staff in the field," he said.

Alloy is already hiring Sycamores, and it's paying off.

"I have four interns right now. So these students can get some actual, practical field experience," he said. "Two of the students I work with have been offered internships with penetration-testing companies starting in the fall. So far the feedback has been good. Companies are saying, ‘This is the stuff we want. We want these students.' It's exciting. Really exciting."

The more students who turn professional cyber crime fighters, the better, said Mackey, because right now the future looks pretty bleak.

"Cyber war is imminent, and it will be the most destructive thing the United States has seen," he said. "They're already in; they just lack the motivation right now to do more, but that's changing. This is not merely a prediction from a purely academic sense, but is backed up by reports by the National Security Agency."


Photo: -- Bill Mackey

Media contact: Libby Roerig, director of communications and media relations, Indiana State University, 812-237-3790 or