Meet the LSU Cybersecurity Student Whose Work CISA Calls “Staggering”

November 20, 2024

Last week, LSU cybersecurity graduate student George Buras from Baton Rouge received a shoutout from the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, for the “Staggering!” impact his work, and the work of other interns, is having on the nation. Here, Buras explains what he’s working on, and why.


You’re one of 22 National Science Foundation Scholarship for Service students at LSU, which means free tuition, a cash scholarship of $37,000 ($27,000 for undergraduates) plus $6,000 for professional development each year, and a laptop. It also comes with an annual trip to a career fair in Washington, D.C., each January. Is that how you connected with CISA?

Yes, it started there. CISA had several different tables. After talking with them and giving them my resume, I got a call from their office of vulnerability management. That’s how it came about, my work with their penetration testing capabilities team.

Why was an internship at CISA a good fit for you?

I’m interested in election security and in the resilience of our political infrastructure. That’s what I’m focusing on in my master’s research at LSU. CISA is a good place to work on that, since they do threat intelligence, threat hunting, and vulnerability management of critical infrastructure, which includes elections.

Tell me about the actual work you did.

You’re probably familiar with phishing emails. Attackers often send them with instructions to click a link, which runs a payload that grants them command and control over your machine. The CISA team I worked with conducts risk and vulnerability assessments, and part of that involves testing how vulnerable a customer is to phishing attacks. The penetration testing team needs a variety of different payloads because how many of them work on the customer’s system is a measurement of vulnerability. Ideally, at least one of the payloads works on the customer’s system, and that one is used in the phishing emails to measure how many people in the customer’s organization are vulnerable to being phished.

At CISA, I automated the creation of phishing payloads using various tools. In other words, I wrote code that installs tools that can be used to create phishing payloads, ensures those tools are up to date, then runs those tools multiple times with different parameters to produce a variety of phishing payloads. 

So now, the CISA team I was working with only has to click a button to create payloads. Whereas before, they had to read through documentation, install things on their computers, troubleshoot to make sure everything’s working correctly, figure out what inputs they want to provide to the tool, and then run those inputs, waiting for the tool to work each time. 

The tools I developed, which automated the RustPacker and PythonLoader family of phishing payloads, save the penetration testing team hours of manual effort for each assessment. 

I’m guessing this wasn’t your first internship. How did it compare?

This was my third internship. The summer before, I was at the Department of Defense and prior to that I interned with General Dynamics Information Technology, a government contractor. What I appreciated the most about working with CISA is that they gave me a project that is impactful to their mission.

What do you see yourself doing in the future after you graduate?

Working for the government in some capacity. I would love to return to CISA and the penetration testing capabilities team because I really enjoyed working with them. Their mission and the culture there, it was all great. I hope they will be hiring when I graduate.

I really like the red-teaming side of things, but I’m also very interested in threat intelligence and defense. For me, it’s mostly about the mission and more about the impact I can make using my skills than flexing any particular skill.

For those who don’t know what red-teaming is, how would you explain it?

Essentially, a red team is a group that hacks an organization that asked them to do it for the purpose of learning where they’re vulnerable and patching those vulnerabilities. Red-teaming is a great way to improve one’s security posture because it provides an adversarial perspective. 

Tell me about the research you’re doing for your master’s thesis.

In a risk and vulnerability assessment, you’re telling your customer what their vulnerabilities could cost them; what they stand to lose and how likely they are to lose it. That helps them make decisions as to how to allocate their resources to improve their security posture. With most sectors, you can kind of reduce things to money, but in elections, you’re looking at votes.  

Money has a fairly consistent value, whereas the value of a vote depends on the number of votes and the margin of victory in a particular election. I am working on quantifying the value of a vote to an attacker so that we can better understand the risks posed to elections and mitigate them. For example, instead of saying we are at “medium risk” for a particular attack, I would like to calculate that there is a 30% chance that we are hit with this attack and, if the attack is successful, we can expect to artificially reduce voter turnout by 5%, which is dangerous because we expect the difference between the winner and the loser to be decided by 6% of legitimate votes.

For the record, I think CISA and the wider election security community are doing a great job. I’m not trying to undermine any faith in our elections. But I also see ways we might be able to improve our election security by quantifying things more. So, that’s what I’m trying to do in my master’s thesis right now.

What do people get wrong or misunderstand about election security?

Just because you left your door unlocked doesn’t mean your TV was stolen. Even if we have vulnerabilities in our elections, that doesn’t mean our elections have been manipulated or stolen. It is a good thing to critically examine the security of our elections, but it’s very dangerous for our democracy to jump to conclusions about the illegitimacy of our elections. Especially when there are so many people who are not experts looking for vulnerabilities and seeing vulnerabilities where they don’t exist.
