CYSE 368 FINAL REFLECTION

Joshua Oania

Final Paper

Date: 4/19/26

ODU Spring 2026

Earth Viability Center

Professor Teresa Duvall/TA Joshua Russell

FINAL INTERNSHIP REFLECTION PAPER

TABLE OF CONTENTS

ABSTRACT

INTRODUCTION:

WHY DID I DECIDE TO WORK FOR THIS ORGANIZATION?

WHAT IS THE EARTH VIABILITY CENTER?

ONBOARDING

THREE LEARNING OUTCOMES

MANAGEMENT ENVIRONMENT

MAJOR WORK DUTIES:

UX EVALUATION/UX REVIEW

USER LOGIN TRACKING

CODE REVIEW

CYBERSECURITY SKILLS

HOW DID THE ODU CURRICULUM PREPARE ME?

HOW DID THE INTERNSHIP FULFILL ME?

MOST EXCITING ASPECTS OF THE INTERNSHIP

MOST DISCOURAGING ASPECTS OF THE INTERNSHIP

MOST CHALLENGING ASPECTS OF THE INTERNSHIP

GENERAL RECOMMENDATIONS

CONCLUSION

ABSTRACT

In this paper, I reflect on my experience as a Cybersecurity Analyst Intern at the Earth Viability Center, where I evaluated and improved the Place4Us platform.  Place4Us is a social media–style platform designed to give users a voice and encourage collaboration on important societal issues.  Throughout my internship, I analyzed the platform from both a user experience (UX) and a cybersecurity perspective, focusing on how design choices can affect usability and system security.

My work involved conducting a UX audit, identifying usability challenges such as information overload and inconsistent layout, and proposing design improvements to enhance navigation and clarity.  In addition, I evaluated the platform’s security posture, focusing on user login tracking, authentication, and input validation.  I identified several vulnerabilities, including insufficient logging of user activity, lack of multi-factor authentication, weak CAPTCHA implementation, and risks associated with file uploads and MIME type validation.

This experience allowed me to better understand the relationship between usability and cybersecurity. I found that poor interface design can lead to user confusion and unintended actions, ultimately introducing security risks. Overall, this paper highlights that improving user experience is not only important for usability but also critical to strengthening system security.

INTRODUCTION:

WHY DID I DECIDE TO WORK FOR THIS ORGANIZATION?

I interned at the Earth Viability Center for several reasons.  One of the main reasons was that I couldn’t secure an internship elsewhere.  Because of that, I reached out to Professor Teresa Duvall to discuss my options.  She presented me with two options.  The first internship was for the ODU iLab.  Had I gone with that option, I would have worked in Hampton, which didn’t work for me because of my schedule.  Furthermore, my commute would be difficult because I live in Virginia Beach.  The second option was for my current internship, the Earth Viability Center.  Working for this organization was a much better fit for me because it is remote and based in Norfolk, so it was much closer to home if I ever needed to work in person.  Ultimately, I decided it would be in my best interest to intern for the Earth Viability Center.  

WHAT IS THE EARTH VIABILITY CENTER?

The Earth Viability Center is an NGO based in Norfolk, Virginia, focused on helping communities find practical ways to protect the planet’s future.  It was founded in 2020.  One of the main ways it achieves this mission is through its web application, Place4Us.  Place4Us is a social-media-style platform designed to empower individuals and give them a voice to discuss sensitive issues and develop solutions.  Within the platform, there are Virtual Community Centers (VCCs), essentially interest groups where people can discuss specific societal issues, such as climate change or the rise of AI.  And within each VCC, there is a Deliberation Room where people can discuss those topics and collaborate.  These deliberation rooms serve as a safe space where people can talk and discuss those issues.   

ONBOARDING

The first 50 hours of my internship were spent onboarding and getting acclimated to my new role as a Cybersecurity Analyst Intern.  My supervisor, Dr. Hans-Peter, conducted the onboarding process.  Throughout the semester, I worked on the Place4Us web application, which is hosted on IONOS, a Linux-based hosting service.  The Place4Us platform is primarily coded in PHP.  In addition, there is a test site that mirrors the original platform, allowing us to examine the code and make changes as needed.  Most of our work was done on the test site.  To access the code I would be working with, I had to use a tool called rsync, which copies and synchronizes files and directories across different machines.  I first had to create an SSH key pair using the Windows PowerShell terminal.  I then gave my public key to my supervisor so that I could connect to the test site and copy the files to my machine.  Locally, I also had to change some settings (such as the OpenSSH service on the machine) in order to connect to the test site.  Furthermore, I had to install the Windows Subsystem for Linux (WSL) in order to copy the files from the test site to my local computer.  

My initial impression was that I wouldn’t gain much experience because I was working for an NGO.  However, after completing the onboarding process, I realized it was much more technical than I expected.  I also realized that, because NGOs tend to have a weaker security posture than other organizations across industries, there was more opportunity to test my cybersecurity knowledge and make meaningful contributions.  

THREE LEARNING OUTCOMES

I hoped to achieve three specific learning outcomes.  The first was to validate my existing cybersecurity knowledge in a real-world setting.  The second was to test the practical application of that knowledge.  Lastly, I hoped to bridge the gap between what I already knew and what I was weakest at.  My assigned tasks are listed below.

MANAGEMENT ENVIRONMENT

Meetings are organized twice a week: every Tuesday from 11 AM – 12 PM and Friday from 5 – 6 PM.  During meetings, we would discuss what needed to be done in the platform.  Tuesdays would be dedicated to general issues, and Fridays to cybersecurity issues.  This format kept everyone organized and allowed us to communicate effectively.  Furthermore, it kept everyone accountable because we had to talk about the work we were doing for the week.  In addition to the scheduled meetings with my supervisor, the other cybersecurity interns and I would also schedule meetings outside those times to get work done.  Amongst ourselves, we communicated through Discord and kept our work organized using a shared Google Drive.  

MAJOR WORK DUTIES:

UX EVALUATION/UX REVIEW

One of the first tasks I worked on was in the realm of UX Evaluation/UX Review.  I analyzed the platform as a user and then conducted a UX audit, offering recommendations to improve core functions and better structure the user experience.  One of the main issues I found was that the platform was overloaded with information, which overwhelmed users like the other interns and me.  As a result, the platform’s core purpose was lost.

The solution we collectively came up with is to create a landing page that contains everything a user needs to navigate it.  We were able to do that by creating different headers that contained UI controls, which led to different areas of the platform.  For example, the “Explore Place4US” header includes UI controls that link to the About Us page, the Code of Conduct, and other resources.  To go into more detail about the format, the landing page is divided into four different headers.  The top header contains the Place4Us logo and login functionality.  The second header contains essential information about the platform (Terms of Use, Code of Conduct, etc.).  The third header contains miscellaneous information about the platform (such as contact information and frequently asked questions).  Lastly, the bottom headers contain the platform’s content (News, Periodicals, and Virtual Community Centers).  Below is a visual of the landing page.

 Another big issue I encountered was the layout.  As I navigated the platform, I found that the layout would change drastically, making it difficult to switch between web pages.  For instance, I would sometimes find that the user profile button was in the bottom-left instead of the top-right, depending on where I was on the platform.  Thus, another solution we came up with to make the platform easier to navigate was to create a global header that would remain consistent across the platform’s different web pages.  Much like social media platforms such as Facebook and Instagram have a global header that contains all of their core functions (such as the home page, settings, user account, etc.), we adopted a similar approach to create a seamless user experience. 

It was very important that the platform’s UI/UX was improved not only to make it easier to navigate, but also to address the security implications of a poor user interface.  For instance, interface controls, particularly action buttons, function as key decision points where users interact with system features, including those related to security and privacy.  The evaluation revealed that inconsistencies in the labeling and placement of these controls can lead to user confusion and unintended actions.  While such issues are often categorized as usability flaws, they also introduce significant cybersecurity risks by increasing the probability of accidental permission grants, improper configuration of security settings, or unintended data disclosure.  This demonstrates that user interface design is not only an aesthetic concern, but also a critical component of system security, as poor design can facilitate user-driven vulnerabilities.

USER LOGIN TRACKING

The next task I tackled was user activity tracking and storage in the Place4Us platform.  At that time, there was no way to track user activity, nor was there a clear understanding of what we could track without violating user privacy.  I therefore spent a lot of time researching the legality of user activity tracking on social media platforms to better understand what we can and can’t collect.  From that research, I was able to develop a plan for what could be implemented and present it to the other 

On that note, one of the biggest challenges I faced over the next 50 hours was determining what could and couldn’t be collected.  One of the ways I was able to do that was by developing a baseline of the bare minimum required from users to keep the platform operational, both from a general and a security standpoint.  Through my assessments, I found that users had an option to track their logins, which was turned off by default.  At a glance, it seemed like a good security measure because users could opt out of having this information collected.  However, from a security perspective, it was concerning because, should an incident such as a brute-force attack occur, there would be no way to determine that an attack happened, as that information wasn’t collected.

Another challenge I faced was determining what work had already been done to harden the platform.  During the onboarding process, I was told where to find interns’ previous work, so I spent a lot of time reading through it to better understand what had already been done and avoid reinventing the wheel.  I also hoped to improve and build upon their work.  

I read a particular report that was very valuable.  It was a comprehensive risk assessment of the platform done by a previous group of interns.  During their risk assessment, they used Valor’s Top 10 Digital Security Checklist and NIST 2.0 to identify threats and vulnerabilities across the platform.  And one of the things they found is that the login page is susceptible to brute-force attacks because it has a weak CAPTCHA.  Based on my own assessments, I found that the CAPTCHA is only shown when signing up for the platform, which doesn’t help stop brute-force attacks (or verify that a user logging into an account is legitimate).  Further assessments showed that the platform did not implement multi-factor authentication (which the previous interns had also found).

With all of that being said, I, along with another intern, worked on a presentation to share our findings with the interns and supervisors.  Some of the solutions I proposed include implementing mandatory user login tracking, more specifically tracking both successful and failed attempts in order to determine whether a brute-force attempt is in progress.  The idea is that if a potential attacker tries to brute-force their way into an account and exceeds a certain threshold (an unreasonable number of login attempts within a given time), the attempt is logged, and a CAPTCHA is presented to verify whether the user is legitimate.  Another feature I proposed is tracking account changes (such as email changes) and session activity (e.g., logins from a new device).  This allows system admins to detect potential unauthorized modifications and unusual logins, which are indicative of an attack.  
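As an added example (not Place4Us code), the tracking and threshold logic proposed above written in PHP; the class name, the five-failure threshold, the fifteen-minute window and the in-memory store are assumptions, and a real deployment would persist the attempts in a database table:

```php
<?php
// Added example (not Place4Us code): a minimal login-attempt tracker that
// records every success and failure and decides, from the number of recent
// failures, whether the next attempt must also pass a CAPTCHA.
// Names, thresholds and the in-memory store are assumptions for illustration.

declare(strict_types=1);

final class LoginAttemptTracker
{
    /** @var array<int, array{user: string, ip: string, ok: bool, at: int}> */
    private array $attempts = [];

    public function __construct(
        private int $maxFailures = 5,     // failures tolerated inside the window
        private int $windowSeconds = 900  // 15-minute sliding window
    ) {}

    // Every attempt is logged, successful or not, so an incident can be reconstructed later.
    public function record(string $user, string $ip, bool $success, ?int $now = null): void
    {
        $this->attempts[] = ['user' => $user, 'ip' => $ip, 'ok' => $success, 'at' => $now ?? time()];
    }

    // Count failed attempts against this account, or from this address, inside the window.
    public function recentFailures(string $user, string $ip, ?int $now = null): int
    {
        $now ??= time();
        $count = 0;
        foreach ($this->attempts as $a) {
            $inWindow   = ($now - $a['at']) <= $this->windowSeconds;
            $sameTarget = $a['user'] === $user || $a['ip'] === $ip;
            if (!$a['ok'] && $inWindow && $sameTarget) {
                $count++;
            }
        }
        return $count;
    }

    // At or above the threshold the attempt is flagged and a CAPTCHA must be solved
    // before the password is even checked.
    public function captchaRequired(string $user, string $ip, ?int $now = null): bool
    {
        return $this->recentFailures($user, $ip, $now) >= $this->maxFailures;
    }

    // Plain-text audit lines an administrator can review; a real system would
    // write these to a log table or file rather than keep them in memory.
    public function auditLines(): array
    {
        return array_map(
            fn(array $a) => sprintf('%s user=%s ip=%s result=%s',
                date('c', $a['at']), $a['user'], $a['ip'], $a['ok'] ? 'success' : 'failure'),
            $this->attempts
        );
    }
}

// Constructed sample: six failures against one account from one address within two minutes.
$tracker = new LoginAttemptTracker();
$t0 = 1_700_000_000;
for ($i = 0; $i < 6; $i++) {
    $tracker->record('alice', '203.0.113.7', false, $t0 + $i * 20);
}
var_dump($tracker->captchaRequired('alice', '203.0.113.7', $t0 + 120));
var_dump($tracker->captchaRequired('bob', '198.51.100.2', $t0 + 120));
foreach ($tracker->auditLines() as $line) {
    echo $line, PHP_EOL;
}
```

Matching on either the account or the source address means a single address spraying many accounts is caught as well as many addresses hammering one account.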

CODE REVIEW 

The last 50 hours of my internship were spent conducting a comprehensive code review of the Place4Us platform’s input validation capabilities.  Place4Us has many input entry points, from commenting on a post to uploading files to the platform.  That said, there are two PHP files in particular that validate user input: functions.php and special_functions.php.  The functions.php file has three capabilities: it looks for potentially malicious input by comparing it to a blacklist (function cleanText($string)), replaces that input with a random set of strings (function cleanTextB($string)), and then automatically logs the user out and blocks them (function blockCurrentUser()).  The special_functions.php file, on the other hand, checks uploaded files (function checkUploadedFile()).  It checks whether the uploaded file’s extension is allowed and whether its MIME type matches the extension; if either check fails, the user is unable to upload the file.  

Analyzing the two files, I found several issues.  One of those issues is the list of allowed extensions and their MIME values.  Three in particular were of big concern: .xls, .swf, and .zip.  The first extension, .xls, is the old Excel file type.  Excel files (especially older versions) are a major concern because they can contain macros, embedded scripts that automate tasks.  In Excel, macros allow a user to create graphs (among other functions, of course).  However, attackers can manipulate those scripts to perform malicious actions.  The second extension, .swf, is the format for Adobe Flash Player (which has long been deprecated due to a long, extensive history of security bugs and exploits).  Lastly, a .zip file is basically a folder compressed into a single file.  Zip files can be concerning because it’s difficult to verify what is inside unless they’re opened, posing a significant security risk.  Another issue I found was that each file extension had only one MIME type associated with it, whereas it is entirely possible for an extension to have multiple values.  For example, zip files can have both the “application/zip” and “application/x-zip-compressed” MIME types, depending on the system (Windows, Linux, browsers, libraries).
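As an added example, not the platform’s own checkUploadedFile(), here is one way the extension and MIME checks could be written so that each extension accepts several content types, the type is read from the file’s bytes rather than from the client-supplied header, and the three risky extensions are left off the allowlist; the allowlist contents and function names are assumptions:

```php
<?php
// Added example (not the platform's checkUploadedFile()): an upload validator that
// allows several MIME types per extension, detects the type from file content with
// finfo instead of trusting the browser-supplied type, and leaves .xls, .swf and
// .zip off the allowlist. The allowlist and function names are assumptions.

declare(strict_types=1);

// Each extension maps to every content type it may legitimately be reported as,
// since the same file can be labelled differently by Windows, Linux, browsers and libraries.
const ALLOWED_UPLOADS = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
    'csv'  => ['text/csv', 'text/plain', 'application/csv'],
];

// Detect the MIME type from the bytes on disk, not from the name or the client-sent header.
function detectMime(string $path): string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    try {
        $mime = finfo_file($finfo, $path);
        return $mime === false ? 'application/octet-stream' : $mime;
    } finally {
        finfo_close($finfo);
    }
}

// Returns null when the upload is acceptable, otherwise a short reason for rejection.
function uploadRejectionReason(string $originalName, string $path): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_UPLOADS)) {
        return "extension '$ext' is not on the allowlist";
    }
    $mime = detectMime($path);
    if (!in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        return "content type '$mime' does not match extension '$ext'";
    }
    return null;
}

// Constructed samples: a small PDF-like file and a plain-text file.
$pdf = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pdf, "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "just some text\n");

foreach ([
    ['report.pdf',  $pdf],   // name and content agree
    ['report.pdf',  $txt],   // text content carrying a .pdf name
    ['notes.txt',   $txt],   // name and content agree
    ['macros.xls',  $txt],   // extension deliberately absent from the allowlist
    ['archive.zip', $txt],   // extension deliberately absent from the allowlist
] as [$name, $path]) {
    $reason = uploadRejectionReason($name, $path);
    printf("%-12s -> %s\n", $name, $reason ?? 'accepted');
}
unlink($pdf);
unlink($txt);
```

The second sample shows why the content check matters: the extension alone would have passed the file, and the browser-supplied type can be set to anything by the client.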

CYBERSECURITY SKILLS

Before interning for the Earth Viability Center, I was already decently knowledgeable about cybersecurity.  In addition to my coursework as a Cybersecurity major and CS & International Studies minor, I held CompTIA Sec+ and CySA+ certifications, which validated foundational cybersecurity knowledge.  I was also fairly involved outside the classroom, serving as an Executive Officer for the ODU Cybersecurity Student Association, where I worked to bridge the gap between classroom education and real-world industry expectations through organizing and executing CS2A initiatives such as our annual Cyber Ops cybersecurity conference.  However, I lacked the practical application of the knowledge I had, which is what my internship experience helped with.  

To give a specific example, something I learned during the internship was how to conduct a proper security code review.  As a CS minor, I learned how to code in Java.  However, the Place4Us platform is coded in PHP.  So I had to do a bit of self-study on YouTube to read the platform’s source code to better understand what was going on.  Furthermore, I had never conducted a security code review before (nor did I initially recognize it as such).  So, I learned by doing.    

HOW DID THE ODU CURRICULUM PREPARE ME?

The ODU curriculum prepared me by providing the baseline knowledge needed to understand and explain cybersecurity.  For instance, explaining simple concepts, such as different kinds of cybersecurity attacks and the attack vectors an attacker could exploit, was all knowledge that I learned from my coursework.  And I found myself having to explain these concepts to my supervisor a lot because it was my job as a cybersecurity intern.  A specific example was discussing how to improve the platform’s security monitoring posture.  I found that the platform was vulnerable to brute-force attacks.  So, I first had to explain what a brute-force attack was and how attackers could conduct them, so that my supervisor could better understand the solution I wanted to implement.  

However, everything else that helped me with the internship came from experiences outside the classroom.  During my internship, I was clear about the changes needed to the platform, including cybersecurity-related ones.  That ability is something I developed through my work with the ODU Cybersecurity Student Association, and not through my coursework.  As an Executive Officer, I had the opportunity to plan and organize CS2A’s Cyber Ops 25 cybersecurity conference.  And it was through experiences such as those that I learned to be outspoken about my concerns, from trying to determine whether a potential speaker was an appropriate fit for our event, to debating whether the conference should be pushed back a few months simply because we were underprepared, because if I didn’t bring up my concerns, we wouldn’t have a successful conference.  

HOW DID THE INTERNSHIP FULFILL ME?

The internship fulfilled me.  

MOST EXCITING ASPECTS OF THE INTERNSHIP

The most exciting part of the internship was the internship itself.  Through this internship, I had the opportunity to bridge the gap between my classroom experiences and the real-world application of those skills.  My internship showed me what I was good at, such as effectively communicating technical information to non-technical people.  It also showed me what I was weakest at: managing my time effectively in a remote environment.  Furthermore, working for an NGO provided me with many opportunities to tackle diverse cybersecurity issues.  

MOST DISCOURAGING ASPECTS OF THE INTERNSHIP

One of the most discouraging aspects of the internship was the lack of a mentor to guide me.  Because I interned at an NGO, there wasn’t specific cybersecurity guidance beyond the list of what needed to be done and the general feedback we received on our work each week.  I was expected to be the expert on the subject matter, so I had to figure out much of what needed to be done and how to implement it on my own.  However, it was one of the most rewarding experiences because it taught me to think critically about different issues, which is a very important skill in cybersecurity.

MOST CHALLENGING ASPECTS OF THE INTERNSHIP

The most challenging aspect of the internship was keeping up with my set schedule.  Because the internship was remote, there was a lot of flexibility with when you could work, as long as you met your hours.  This was very helpful for me because this semester I was taking 18 credit hours in addition to my position as an Executive Officer for CS2A and my internship.  However, it was also very challenging because my schedule would vary widely depending on what I had going on each week.  For instance, in the final weeks of February, I worked fewer hours as I finalized the logistics for our Cyber Ops conference.  I then had to make those hours up in the following weeks.  

GENERAL RECOMMENDATIONS

There are a number of recommendations I would offer to future interns before they begin the internship.  The first recommendation I would give is to learn how to code.  Preferably, future interns should learn to code in PHP, since the source code they will be working on is written in PHP.  However, other coding languages will suffice.  Having a general understanding of how to code, even if it’s in a different language, helps with proper security code reviews, as it helps you understand what is going on.  Although syntax varies between languages, the logic behind it remains the same.  Second, I would recommend that they have a set schedule for work outside of scheduled meetings.  Because it is a remote internship, it is very easy to lose track of how many hours you work per week.  Lastly, the biggest recommendation I can give is that you get out of the experience what you put into it.  At first glance, there doesn’t seem to be much to gain in experience from working for an NGO, which was initially a big concern of mine.  However, after having the opportunity to work for one, my position has significantly changed.  I would argue that there is more cybersecurity work to be done for an NGO, given its lack of a strong cybersecurity posture.  Cybersecurity encompasses many industries, and the non-profit sector is often overlooked.    

CONCLUSION 

Reflecting on my internship at the Earth Viability Center, I gained a much deeper understanding of the connection between user experience and cybersecurity.  At the beginning of the internship, I approached the platform primarily from a usability standpoint, focusing on how easy it was to navigate and interact with.  However, as I continued working on the platform, it became clear that many of the usability issues I identified also had direct security implications.

Through my UX evaluation, I saw how design choices such as inconsistent layouts and unclear interface controls could lead to user confusion.  Over time, I began to recognize that this confusion is not just a usability issue, but a potential security risk.  When users do not fully understand what they are clicking or how a system behaves, they are more likely to make mistakes, such as granting permissions unintentionally or misconfiguring settings.  This experience showed me that effective cybersecurity is not only about implementing technical safeguards but also about designing systems that guide users toward safe and informed decisions.

My work on user tracking and login security further reinforced this idea.  While prioritizing user privacy is important, I learned that failing to collect essential security data, such as login attempts, can make it difficult to detect and respond to threats.  Similarly, analyzing the platform’s authentication mechanisms highlighted the importance of implementing features such as CAPTCHA and multi-factor authentication to mitigate common attacks, including brute-force attempts.

The code review portion of my internship was particularly valuable because it allowed me to see how security is implemented at a technical level.  Even though I was initially unfamiliar with PHP, working through the input validation functions helped me better understand how vulnerabilities can arise if user input is not properly handled.  Identifying risks related to file uploads and MIME type validation showed me how seemingly small implementation details can have significant security implications.

Overall, this internship challenged me to think more critically about how systems are designed and how users interact with them.  It also helped me develop important technical and analytical skills, including problem-solving, research, and the ability to evaluate systems from multiple perspectives.  Most importantly, it reinforced the idea that usability and security should not be treated as separate concerns.  Instead, they should be integrated to create systems that are both user-friendly and secure.

Moving forward, I will carry these lessons with me as I continue to develop my cybersecurity skills.  This experience has shown me that improving a system’s design can directly impact its security, and that understanding user behavior is essential for protecting digital systems.