Guardian of the Cyber Galaxy
In middle school, Charles Carmakal (BSBA ’02, MS-ISOM ’03) used to be shy about describing himself as a computer nerd. These days, it’s a descriptor he embraces, and one his clients are likely glad is accurate.
As Vice President and Strategic Services CTO at Mandiant, Carmakal leads a team of security consultants who investigate cyber intrusions and attempt to ethically hack corporations to help them become more resilient to cyberattacks.
“It’s interesting to me to have grown up as a closet computer dork, and now I’m contacted by politicians, business executives and board members to help with their [cybersecurity] issues,” he said.
As the need for cybersecurity becomes more prevalent in today’s world, Carmakal is getting used to receiving random calls from clients. He described one he received prior to the 2016 U.S. presidential elections: late one Friday evening, while he was attending his cousin’s wedding reception, a politician called to inquire about a suspicious email.
With the work he’s done over the years with governments and major corporations, Carmakal is not only prepared to take those calls, he’s proud to do so.
“I really feel like [at Mandiant] we help protect the people in our respective countries and we’re fighting for national security,” he said. “What we do has a real impact on the world.”
In addition to security work he did early in his career at PricewaterhouseCoopers, Carmakal credits the Master of Science in Information Systems and Operations Management with helping him build his security knowledge foundation.
“Most of my master’s classes taught me very practical information about security, even information that I still use today,” he said.
Two classes stand out to him as having made an impact on his career, he said. The first was a business database systems class with Ethridge Professor Dr. Subhajyoti “Shubho” Bandyopadhyay, one of the few courses he admits he struggled in.
“I didn’t get many B+’s in school, but I did in [Dr. Shubho’s] class,” Carmakal laughed.
The second class, the first of its kind at Warrington, was an information security class he helped create with Robert B. Carter Professor Dr. Praveen Pathak.
Carmakal continues to be involved with helping students at Warrington understand information security. He recently returned to campus to speak with Dr. Pathak’s students about the current cybersecurity landscape, including threat actor, or hacker, motivations, the attack lifecycle, and current real-world threats from countries like Russia, North Korea and Iran.
One of the biggest issues he saw in the roughly 700 data breach investigations Mandiant completed last year was related to companies being extorted for money after having data stolen.
“Nobody likes to talk about it, but a lot of people pay extortionists,” he said.
However, there is a way for companies to avoid being taken advantage of by hackers, he said.
“Think about security early on,” he said. “It’s a lot easier and cheaper to do so.”
Carmakal also shared some personal security tips he urged students to take advantage of.
- Enable multifactor authentication everywhere – on your social accounts, your bank app, your email.
“Anything sensitive,” he said. “If you don’t, you run the risk of not only exposing yourself, but your friends as well.”
- Don’t reuse passwords. Use a password manager to keep yourself organized.
“If you reuse passwords, you’ll get hacked, period,” he said.
- Encrypt your hard drive.
“If your computer is physically stolen, encrypting helps save your data,” he said.
- Patch your OS software – do the updates your devices suggest when they are available.
- Use a VPN when on a public network.
“Using a public network is unavoidable these days,” he said. “When you’re using one, make sure to use a VPN.”
- Understand that emails are not encrypted.
- Understand that text messages are not encrypted.
“Systems like WhatsApp and Signal help protect your messages,” he said.
- Review your email accounts for third-party applications that have access to your email (usually located in your email provider’s security area).
- Understand that caller ID can be spoofed, so make sure you add a PIN to your voicemail.
- Use a wireless router.