Angela Orebaugh wanted to break into computer systems legally, so she got into cyber security.

Orebaugh, a member of the teaching faculty at the University of Virginia’s School of Continuing and Professional Studies and director of its graduate certificate in cyber security management program, came to UVA as a veteran in the cyber security wars. She has 20 years of hands-on strategic and technical experience in cyber security, earned in industry, government and academic settings. Much of it came as a fellow and chief scientist at Booz Allen Hamilton, where she led several cyber security initiatives and emerging technology areas.

A Harrisonburg native, she holds a master’s of science degree in computer science from James Madison University and a Ph.D. in information technology from George Mason University. She worked for a start-up firm in Denver that managed data centers throughout the United States. While at Booz Allen Hamilton, Orebaugh supported both federal government and Department of Defense clients, wrote a series of best-selling technical books and began teaching at GMU.

Orebaugh, who has been full-time here since January, recently talked with UVA Today about what led her to Charlottesville.

Angela Orebaugh

Q. Why did you get into the cyber security field?

A. I started out as a programmer, moved into networking and then became fascinated with the many different cyber attacks and the defenses in the mid to late-1990s. I wanted to learn how to break into things, legally. I worked at a start-up, helping them create a network management system and started performing security analysis.

But the real change occurred in 2001 when I was recruited by Booz Allen Hamilton, one of the large consulting firms in the Washington, D.C., area. I was there for about 15 years, doing cyber security consulting for a variety of clients, including the federal government, Department of Defense, and intelligence community. It was really fun when the government paid us to break into systems, legally, and then help them secure the systems so others couldn’t break in.

Then I moved more onto the defense side. My main client for several years was the National Institute of Standards and Technology. I helped write guidance documents for the federal government and commercial companies on how to secure their organizations. I was listed as a co-author or subject matter expert reviewer on at least a dozen publications there.

I also helped lead the National Vulnerability Database, created to provide information on known vulnerabilities, and how to patch and protect them against them. The federal government and the general public can use this public database to learn how to secure their systems.

I started adjunct teaching while I was working on my Ph.D. I was already doing some teaching on the commercial side with conferences and weeklong trainings for certification. My ultimate goal was to move into higher education and help create our next generation cyber security workforce.

Q. What do you like about teaching?

A. I really enjoy working with students, breaking down the technical components and watching students have those “aha” moments and understanding “Oh, that’s how that works.” I enjoy watching them grow. With the program we have, I get to see them from beginning to end, and I get to see them mature as cyber security professionals.

Q. Why did you want to come to UVA?

A. UVA is one of the top-notch schools in the world. Growing up in Virginia, I already knew about the school’s reputation, so when I moved here 10 years ago I said, “Eventually, I am going to become a professor at that school.”

[The School of Continuing and Professional Studies] fits my background because I am coming from industry, not traditional academic ranks, and SCPS enjoys having professors with industry experience. I was able to create a new course, “Securing the Internet of Things,” which is the direction cyber security is moving.

Cyber security is moving toward smart technology. Consumers have activity trackers that monitor their movements and home automation capabilities now to control heating, ventilation and air conditioning systems from their smart phones. There are a lot of smart devices with embedded technology that puts them on the Internet, where they were not before.

Beyond that, we’re seeing older devices, such as traffic sensors in roadways or in dams and bridges, becoming cyber-enabled. Manufacturing has a lot of automated components with sensors and actuators that have been operating for a very long time, but now these devices are becoming cyber-enabled. They are becoming accessible remotely and/or put onto the Internet. All of this smart technology is under the “Internet of Things” umbrella, to create solutions and efficiencies for people and processes.

Unfortunately, many of the devices don’t have security built in. If they do, it is very rudimentary, and consumers don’t take security precautions such as updating software and changing default passwords. There are news articles about web-enabled baby monitors broken into by someone from across the world, but likely it is because they did not change the default password. It didn’t need to be broken into; it just needed to be logged into.

Many devices in industrial control systems, such as transportation or manufacturing, were built for functionality, efficiency, performance and safety, but not security. In many cases, those devices operate for long periods of time and don’t get updated, so they could be running very old versions of software that have a lot of vulnerabilities.

So cyber security professionals are moving into spaces they may not have been before. They are hired more by hospitals, not only to secure electronic health records, but to ensure security of smart devices such as implantable medical devices. They may be getting hired by building and construction organizations to help secure large commercial buildings or large campuses that are implementing building automation components. There are entirely whole new worlds that need to be secure.

Q. Who are your students?

A. We have a lot of diversity and a variety of backgrounds in our students. Because the cyber security program is a graduate program, they tend to be adult students, with a job and a family.

I may have students with IT backgrounds already working in in the field, possibly managing databases or providing computer support, but they want to learn more about security because it is becoming more of their current job role or they may be pursuing a new job.

I also have students who may be working in completely unrelated fields or have an undergraduate degree in the liberal arts, but are looking to move into a different phase of their career or move into a completely different career.

Q. What have you learned in all of this?

A. Cyber security is dynamic and always challenging. Even though you think you may be safe from some sort of cyber attack, there is always a way that a cyber attack can occur. You may think your system is patched and secure, but there are other ways in. It is a cat-and-mouse situation. The stronger security you build, someone is trying to a find a way in it or around it.

As technology evolves, history repeats itself. When I started with this, we worked out the vulnerabilities and problems with mainframes, and then we moved into the servers and desktops that were distributed throughout the organization and we went through the same cycle again. I watched the same process occur when wireless became popular. I watched the same process when Voice Over Internet Protocol systems became popular. And I am watching the whole process again with the Internet of Things. With every new technology, we are seeing that security is an afterthought. History repeats itself with each new evolution of technology.

Humans have always been the weakest link. An attacker will most often take the path of least resistance. If you have a very secure product with a very strong password, an attacker is not going to take the time to break that password if he or she can send a simple phishing attack to someone and get it that way. The user falls for the phishing attack, attempts to log in, uses that strong password and now the attacker has actually captured the password and they’ve got it. They didn’t have to break it; they just let the user give it to them. People will continue to be the weakest link, which is why continued cyber security awareness and training for everyone is very important.

Q. What have you learned about yourself?

A. I will never be done learning. Technology is continuously evolving and you have to learn new skills to keep up with advancing cyber attack methods and defenses. New cyber security professionals are broadening their skillsets to include knowledge in areas such as data science and analytics. This diverse skillset enables cyber professionals to apply new techniques to manage the vast quantities of data generated by technologies such as the Internet of Things to proactively identify cyber security issues or perform cyber security forensic analysis. There is always something new to learn in this field.

Q. Are you having fun with this?

A. I am definitely having fun. I am very happy to be at [the School of Continuing and Professional Studies] where there is a lot of opportunity for me to create and teach programs that address the critical 21^st-century needs of students, industry, and society at large.

Editor’s note: This is another installment in an occasional series profiling members of a generational wave of new faculty members at the University of Virginia.