Q&A with Kevin Hawkins: SQL Database Administrator and Information Technology Professor

Kevin Hawkins earned his bachelor’s in computer science and his MS in IT Management, in addition to the several competency certificates he holds. Kevin has worked as an IT and network management adjunct faculty professor for nine years. He also has 12 years of professional experience as an SQL server database administrator, with 11 of those years at Humana in Kentucky, the nation’s third-largest health insurance company.

Kevin’s curiosity about computers was piqued decades ago as a teenager at the dawn of the computer revolution. We sat down to talk with Kevin to get his take on the evolution of information assurance and the broader implications of cybersecurity now and in the years ahead.

Q: Can you talk about your professional experience with cybersecurity to give us a sense of your background?

When I was about 13 years old a friend of mine told me that I needed to focus as much as possible on computer technology. I didn’t understand why – I was too dumb in those days – but I sold my dirtbike and bought my first computer. That was back in the ‘80s.

Back in those days computer technology and security was wide open. Back in 1984, Microsoft released their first version of Windows. At that time they had no concept of security so it was really wide open. Then back in the mid-’90s they found that scams were coming in, and that became a really big issue. We’ve had that problem ever since.

Prior to that everyone just presupposed that everyone was okay with cyber security because there was just nothing out there.

But then scammers came to find that there was an opportunity to make money and we started getting all of the things popping up on the internet before there were pop-up blockers and it was just crazy. So these people looked at it as an opportunity.

So in the late 1990s I went to college and I learned that there are some things you can do to lock this down. But at that time it was very minimal. People didn’t really understand the depth of this kind of threat. So I spent a lot of time understanding what all the issues were and what we could try and do to solve them.

In the normal world you try to not put restrictions on people unless there is a problem. That’s the best approach. But in computer technology it works way different. What you do is you lock everything down to start, and then you only open it up as needed.

That was one of the biggest things about computer technology that people in the United States and even around the world learned in the late 1990s. Prior to that it was wide open and there were so many people taking advantage of things that network security professionals realized they had to take proactive action.

Q: Did you have all this in mind when you were going to school? How did you take what you learned in school and apply it to your first job after you graduated?

I built the computer lab at the college that I was working in, and when I built that lab I left it wide open and found all kinds of problems. People were exploiting things by downloading third-party software that was causing spyware and anti-virus issues. I had no choice but to lock it down.

So when I locked it down everything was okay, but the students didn’t like it so well. But that was fine because it kept us safe. So I would open up the security as necessary for specific versions of software that needed to actually communicate online to get updates and so forth.

Q: How was it managing cybersecurity on a much bigger scale for Humana?

The thing about cyber security on an enterprise level is that you need to really focus on keeping everyone outside of your network. You have a firewall that blocks anyone from getting into your network.

So let’s say I have 7,000 users working for a particular company on the inside of my network. I also have a web presence so that my customers can go online and look and see what their status is with this particular company. As part of this process I need to expose internal information from the network to customers on the outside of the network. That’s where you run into cyber security issues.

So you have your internal network, which is blocked off from the world, and your outside network, which is the web. In between those you have what’s called a DMZ; a de-militarized zone. In that zone you can put servers or applications that are exposable to the web so that people can get to them.

However, once they get in that DMZ they still cannot do the next hop into your internal network. So you have two firewalls. So you have a firewall between your internal network where your 7,000 users are, and then you have another firewall which has a couple of holes so that only people on your website can get in but hackers cannot. That blocks what’s called an SQL injection attack, which is where someone’s trying to get into your database illegitimately. So if it’s set up properly that would block hackers but also give legitimate users access to what they need.

Q: Can you give some examples of actual or attempted breeches you discovered?

Back in the early 2000s there was a payment card company, I won’t mention their name, that was breeched very badly by a hacker. He got several hundred thousand dollars worth of payments. You see, whenever you walk into a Walmart and swipe your credit card, that device where you’ve swiped your card notifies a company that you’ve submitted your payment, and that payment is then sent to the person who you’ve agreed to pay.

The company that produces most of those swipe devices got hacked in the early 2000s, and the hackers took hundreds of thousands of dollars using an SQL injection attack.

To understand how this works take this scenario: if I were to go out to a website and enter in my user id and password, in the days before the SQL injection attack was exploited, you could go out there and put in a password such as “true.” That password would then be sent to the database and recognized as being valid, and I would then get access to that database.

That happened in the early 2000s. SQL injection attacks were very popular from 2000 to 2010. Maybe not so much anymore, but I’m not sure because not a lot of people take the time to lock down their databases.

I talked to a company the other day whose technology was so outdated that they’re about 15 years behind. They deal with clients’ personal health information, and I’m just waiting to hear on the news when they get hacked because they’re just ripe for it.

Most databases are inside of the DMZ, the de-militarized zone. Anything inside the company’s firewall isn’t even in the DMZ and is locked down. That’s where most databases are.

However because some people surfing the web need to have access to some of that data, the applications that allow that would be inside the DMZ. I’ve seen hacks, I don’t know how many times, by SQL injection attacks. In fact Equifax was an SQL injection attack, and their database was exposed to the web.

Q: Can we expect things like the Equifax data breech to continue to get better or worse?

You can expect massive data breeches going forward … Here’s the thing: hackers only get better. They don’t get worse and they don’t go away; they only get better. The hacks, the security breeches; they’re only going to continue and get worse than what they were before. It’s not going away.

If companies are not on the vanguard of this they’re just going to have nothing but issues going forward. And a lot of companies just don’t see the turnover in income from that. They put it on a back shelf thinking they’re okay for now and things are good, but it’s just going to get worse going forward.

People seem to think that we had these types of things in the past and they’re going to get better. They’re not going to get better, they’re going to get worse. And they’re going to get much more specific.

Q: Is the government any better? Are federal and local governments on par with the private sector or are they worse?

When you deal with the government and security they seem to run way behind everyone else. By far. They claim to be secure, but their technology is way outdated. The government needs to be on the vanguard of this and they’re not. That’s the problem.

Their technology is way outdated. The way the government looks at it is the technology they’re using has stood the test of time. I understand that, but in terms of information technology, time will also kill you. Because you have to be on top of the latest and greatest technology or you’re not going to survive. And it doesn’t matter whether or not you’re a student, whether or not you’re working in security, technology; it doesn’t matter.

One of the things I learned early on in my career is that if you don’t keep yourself current in this field you are going to fall off the wayside. That’s just the way it’s going to be. You are continually a student as long as you are working in information technology. That’s just the way it’s going to be. You’ve got to continually educate yourself going forward.

Q: What are the best ways of continually educating yourself?

I know a lot of people seem to think they can just take college classes, get a master’s degree, and so forth, and those are helpful. But generally colleges are behind the curve when it comes to technology.

The best thing to do is once you get your foot into the field is to continually train yourself by taking classes that are offered, working for a decent company that offers you continuing technology classes to keep you on top of your field, and take any kind of classes that are available on your own… A lot of people won’t do that because they aren’t self-motivated. But if you’re not self-motivated guess what? You’re going to find yourself in Section B where your office is somewhere in the basement.

The best thing to do is try to stay on top of the technology and the latest and greatest developments: buy a book, take some certification courses, take any type of classes that pertain to your field. It’s like you play in a monthly music group. They’re good because they stay up with the latest and greatest things that come out.

Q: What advice would you give for someone in school getting ready to go into the field of cyber security?

That’s a very hard leap. I’ve told this to my students for years: the biggest jump you have in your career is going from learning into the experience of doing. Because for computer technology on any level – whether it’s security or not – you need to not only have the education. You also need to have the experience in the field.

I’ve told my students in the past that they can volunteer at a local library or volunteer anywhere; whatever you’ve got to do to get the hands-on experience.

Computer technology is not just an education. It’s not just, ‘Hey, I’ll get my doctorate degree and I’m good to go.’ Don’t think it’s that way. This is a hands-on skill, and without the hands-on experience you’re really working with one hand.

You need to have both hands. You need to have the education, which is very good. But the hands-on experience is very important. In fact, many of my coworkers over the years who have hands-on experience and no education were very good at their skill.

They’re what they call an “IT worker by accident.” Someone noticed, ‘Hey, you’re kinda good at this, we’re going to have you do this over here.’ And next thing you know that guy’s a software developer.

If you have an education and no experience, you’re going to be hard-pressed to find a career in this field. You’ve got to do whatever it takes to get yourself experience. That’s more important than anything.

It doesn’t matter whether it’s cyber security or any other area of this field. But when it comes to cyber security, it’s kind of the next step up. So you need to learn computer technology and get a hands-on feel for a while, and then you move into that more narrow area.

Security is a very narrow area of information technology, and it is important that you first get that underlying broad skills set with an education and then start to focus on something much more narrow like cyber security.

Software development is a very good route to go. Cyber security is very good, technical, and so forth. But you have to get the underlying education and skills set before you start focusing on something much more narrow.

Q: Why isn’t there gender parity in the fields of IT, technology, or cyber security?

I’m telling you, one of the best people I know as a security expert is a woman, and she is extremely good at what she does. I would only aspire to be as good as she is. Some people have it, some people don’t.