UB cybersecurity expert Catherine Ullman urges some cybersecurity professionals to become "active defenders" in protecting their organizations' information systems. Photo: Meredith Forrest Kulwicki
By CHARLES ANZALONE
Published August 4, 2025
As UB’s principal technology architect, security, Catherine J. Ullman is recognized as an authority on cybersecurity, digital forensics and incident response. Ullman has helped to redefine and raise the cybersecurity bar, teaching and advocating that some cybersecurity professionals become “active defenders.”
Published in 2023, Ullman’s book, “The Active Defender: Immersion in the Offensive Security Mindset,” has been well accepted by her peers — it’s even been used as a textbook at one university — as well as being embraced by many newcomers to the field.
To become an active defender, Ullman says, defenders (those who put into place defensive mechanisms to protect an organization’s information systems) develop a hacker mindset by engaging with offensive security professionals, who test those defensive mechanisms to determine whether they prevent attacks or at least detect them once they have occurred.
Defenders often focus on the alerts they receive from passive tools, as well as checklists, Ullman explains, noting they rely on notifications from firewalls, EDR (Endpoint Detection and Response) and other tools, but do not consider the full context of an attack or the motivation for an attacker’s actions. Defenders need to understand the other dimension of security — what their offensive security counterparts do regularly, she says.
“Without this knowledge, they are missing half the story,” she says. By understanding the attacker methodologies employed by offensive security professionals, defenders are much more likely to recognize attacks, as well as how best to defend against them.
“Defenders are not required to suddenly change their jobs and become offensive security practitioners, but understanding the basics of their counterparts' tooling and how they think about systems can be exceptionally instructive,” she says.
A regular speaker at cybersecurity conferences, including occasional keynotes, Ullman appears at a wide range of venues, from large national conferences to smaller group chats with university departments.
And she’s happy to offer some cyber advice for UBNow readers.
Ullman notes that changes in technology over the past few years have only lowered the barrier to entry for would-be attackers.
“Be wary of where and with whom you share your data,” she cautions. “In particular, providing personally identifying information such as Social Security numbers, credit card numbers or driver’s license information to a chatbot or other AI-driven product is exceptionally dangerous. You have no way to know where that data is being stored or how it is controlled.”
Here are some more basic tips and principles from Ullman on staying cyber safe:
“Let’s say you input your data or reveal personal information to an AI interface,” Ullman says. “You don’t know where it’s going or who might access it. Even if the first company doesn’t willingly release this information, the data may be stored with a third party, who could be involved in a breach.
“We have all these products that include AI, but at the end of the day, in the sense that we must be wary of where data is stored and who maintains it, it’s no different than it was a few years ago,” she says. “Data security itself hasn’t changed at all. Same problems. Same complications.”
In one version, a scammer posing as a professor sends the student an email that uses a college domain name and a format like your.name@collegename.edu. The scammer offers students a part-time job, like personal assistant or dog walker. Then, the scammer sends the student a check, asks the student to deposit it, send some of the money to someone else and keep the rest as payment. Later, the bank realizes the check was fake and deducts the original check amount from the student’s account. So, if the unsuspecting student deposits a $1,000 check, the bank will take that back. But if they sent $400 to someone else, the student is now out $400 of their own money.
“In some cases,” Ullman says, “it wipes out their account and they lose all their money.”
“One of the big eye-openers is the understanding that just because an email comes from a buffalo.edu address, doesn’t mean it’s safe,” Ullman says.