A Rising Tide Lifts all Boats: Celebrating National Cybersecurity Awareness Month

Reading Time: 3 minutes

National Cybersecurity Awareness Month (NCAM) in October reminds us of the importance of being safer online, in both our professional and personal lives. Easier said than done, eh? Who’s to say the majority of us even know what makes us “safer” online, or for that matter what makes us vulnerable or should raise a red flag?

It all starts with awareness. I’d like to suggest that “IT Literacy” is no longer enough. Now, in 2018 and beyond, “Cyber Literacy” needs to be a year-round, all-encompassing movement. And regardless of whether or not “Cyber-” or “IT-”anything is or will be in your title, cybersecurity must matter to you.

During a recent workshop presentation I delivered to attendees at the Florida CyberCon 2018 in Tampa, I likened our cybersecurity practices to the idea of personal hygiene. Because let’s face it, one’s personal hygiene is something that,
a.) you are personally aware of and educated on how to maintain
b.) is attended to routinely
c.) is well understood in terms its impact on your overall health
d.) has a relative impact on everyone around you regardless of direct contact

Cybersecurity can be thought of much in the same way. We must all begin to realize that cybersecurity demands the same kind of personal awareness and attention – it not only impacts us as individuals but also our family, colleagues, department, agency, company.

I believe that part of the disconnect around cybersecurity best practices comes from the assumptions we make as consumers in general – that what we’re buying is designed and sold with our best interests, and security, in mind. For example, you buy a new car and it comes equipped with seatbelts, turn signals, airbags, automatic brakes and locks, etc. The food you buy and eat is certified by the Food & Drug Administration to indicate it has been safely grown/ raised and suitable for human consumption. When making technology purchases, we cannot take these same conveniences for granted.

Now, that’s not to say that all technology is inherently unsafe, but my point is, we can’t settle with pre-installed safety protocols because, as we know, technology is ever evolving and failure to frequently update it and use it safely results in vulnerabilities that hackers will exploit for financial, reputational, or economic gain. Just like with personal hygiene, healthy practices and regular routines are necessary for optimal cyber literacy and performance.

The goal behind NCAM is to encourage us take some time to understand the problems resulting from poor cybersecurity practices. Those behaviors will not start to diminish until school counselors, parents, teachers, administrative assistants, nurses, athletes, and everyone become more aware of their cyber posture. There’s a reason why the laptop or PC you’re reading this on asks you to update its internet browser and operating system. And those push notifications you get on your phone to update your apps aren’t coming through to annoy you and eat up your battery and data. These simple practices and others — like resetting passwords and activating double-verification – will improve your cyber hygiene and protect you against ongoing threats to infiltrate the devices and exploit the data of our everyday lives.

So, did you shower today?
Did you check your computer updates today?

Ready to learn more? Checkout our new short, fun education videos on the “Cybersecurity Whiteboards” video playlist, here: https://www.youtube.com/playlist?list=PLUdKZUJquY1hn2EwlBJ90MyunBYcAaXRk.

As National Cybersecurity Awareness Month comes to a close, it’s important that the efforts put forth do not end. The reality is this: as the cost of compute power continues to be driven down by advancements in manufacturing and technology, the resources used by malicious hackers become more accessible. This, combined with the fact that a successful cyber breach gets more and more newsworthy and profitable by the day, means the problem isn’t going anywhere anytime soon. When we take steps together to be stronger individually, we become stronger collectively. We can prove the saying, “A rising tide lifts all boats.” Together, we can lift the intellectual property, national security and private data “boats” if we all commit to be more cyber conscientious and cautious.

How To Tell If Your Cybersecurity Strategy Is Prone to a Cyberattack

Reading Time: 2 minutes

What does your current InfoSec environment look like? Are teams prepared to tackle evolving threats? Is your cybersecurity strategy aligned with business objectives? Do you and your team undergo regular training to stay ahead of hackers? If you’re not sure, this blog is for you. Today, we’re outlining some of the most common, overlooked, unrecognized, and “I-just-don’t-have-time” aspects that comprise an insecure InfoSec culture so CISOs can cross reference these items against their own cyber environment.  

Lack of Executive Level Threat Intelligence & Communication  

Board members are looking to CISOs to report on the latest threats hitting their organization coupled with an explanation of WHY they’re being attacked. If CISOs aren’t regularly positioning themselves in front of their board communicating the company’s vulnerabilities and business risk, what happens is a lack of intel across the organization. If key stakeholders don’t have a general understanding of the latest threat intelligence happenings, a culture that values a “data privacy first” mentality cannot thrive. Skip the technical jargon and explanations of malware variants—a high level view of hacker profiles, new techniques, and new methods of hacking as it relates to the organization is sufficient.    

Inconsistent (or Absence of) Cyber Team Training  

If your cyber team isn’t regularly training to upskill, they will not be prepared to tackle the latest threats. Businesses fall victim to a ransomware attack every 14 seconds. So, you can bet that those methods of infiltration only get more advanced as sophisticated threats convert to successful attacks and breaches. With this threat evolution comes the dire need for cyber teams to stay on top of the latest threats—and the only way to do that successfully is through immersive, gamified training. The benefits of gamification for cybersecurity training are numerous, and far outpace traditional classroom learning. 

Irregular System Updates, Monitoring, and Auditing  

Performing regular system updates seems like a no-brainer, but you’d be surprised how many people let it slip through the cracks. Systems that aren’t regularly updated and assessed against current licenses/requirements will certainly be the demise of any secure cyber environment. Even little things like updating passwords monthly or installing the latest software updates can put companies at great risk. In the healthcare industry alone, about 78 percent of medical devices were breached because they weren’t properly locked. Continuous monitoring and auditing the system’s lifecycle—coupled with enterprise-wide system protection usage and authorization—will keep organization’s systems strong against threats.  

These are just a few of the cybersecurity insecurities we see emerge in our conversations with new customers. They’re seeking InfoSec solutions that strengthen their security posture, so they can enable their team and be a trusted, visible source and security support system for the business.

Living Our Mission Blog Series: New Developments for Project Ares

Reading Time: 2 minutes

The only constant in cybersecurity is change. To best serve our customers’ needs and equip them with the latest technology, tools, and best practices that help them successfully combat evolving threats, Circadence regularly updates its cybersecurity solutions. This is the first of a regular blog post series where we will share platform news about our cybersecurity solutions.

To that end, our talented engineering department recently upgraded our flagship Project Ares cybersecurity training and assessment platform.

Security

Security is not only our business but also our foremost concern for our own software. New security updates strengthen Project Ares and shrink possible vulnerabilities that today’s sophisticated hackers could take advantage of. For example, accounts now lock out after 11 unsuccessful password attempts.

Graphics

Visual improvements to Project Ares marry form and function to ease the player into a streamlined user experience throughout the mission system. This new graphic style pushes Project Ares past the industry standards of other training platforms.

Ease of Use

Administration is more streamlined. With new capability to batch reset users in the administrative panel, it is easier than ever to onboard trainees to the system. Previously, users had to upload trainees one-by-one.

Branding

Customers can now brand the log in screen with their own company logo and messaging. Personalizing the platform helps companies and agencies embrace the Project Ares platform as a core training tool for their cybersecurity team.

Content and Reporting (Project Ares for Government platform only)

Enhanced trainee reporting features and upgraded Mission content now meets Government agency performance needs and supports their stringent skills evaluation processes.

More Exciting Features Coming Soon

To keep exercises relevant and fresh for all users, the engineering team is working on exciting new battle room and mission content for future upgrades of Project Ares. For more information about Project Ares and scheduling a demo of the platform with these updates, visit https://www.circadence.com/project-ares. Existing customers: Make sure to check out the new changes to your platform and let us know your feedback at info@circadence.com

Cultivating the Next Generation of Cyber Professionals: Recapping Summer Internship Projects

Reading Time: 3 minutes

Circadence® is proud to live out its mission to continuously educate and upskill the next generation of cyber professionals. We had the pleasure of hosting several interns over the Summer season who showed us firsthand the promise and potential they have for the industry. We had more than 20 interns spread across our offices in Tupelo, MS, San Diego, CA, and Boulder, CO. Students were placed departments pursuant to their degree programs or learning interests.  

Interns are provided on the job experience and assist teams (both technical and administrative) with current work, while contributing to current projects and products. Each intern was assigned a specific mentor in which they were to meet with weekly for performance evaluation and learning monitoring. At the conclusion of the internship, students presented their project results and takeaways in a capstone brief, which they presented to their respective Circadence teams. All our interns did an amazing job learning new aspects of the cybersecurity industry from programming and app development to marketing and research. In this post, we feature the work of our interns in Tupelo who developed two web applications that focused on cybersecurity awareness training using trivia concepts.  

Circadence interns in Tupelo

Cypher

Tupelo interns created a mock mobile app inspired by the concept of Alberti Cipher (a code that requires a movable circle to decipher text using a cipher algorithm). In the game, the player gets an encrypted or decrypted message in a quiz-like format that requires them to use the cypher code-breaker to figure out the answer. The app is designed for “on the go” playing and learning, which supports today’s learners who want a more accessible learning platform. The interns created it as an educational tool so new and seasoned professionals alike could learn more about cybersecurity and the technical side of the industry. The interns utilized the latest technologies of HTML, CSS, JavaScript and Bootstrap 4 to develop the app, levels had different themes to keep engagement high and scoring systems help players see where they rank against other players.  

“I see a lot of promise in them and they were all very talented and very committed to their work; their work ethic was extremely strong, and they learned a lot and made a valuable contribution to Circadence’s work,” said Lauryn Pregoni, Human Resources Business Partner in Circadence’s San Diego office.   

Perplex

Interns also developed a multiplayer trivia loot game inspired by the many mobile app games we may play today. It is based off a client-server model with two types of client modes: host and controller. The host is the interface of the game projected on a main screen like a TV or projector. Players join in a queue on their mobile devices and start the game—kind of like how you’d join in HQ trivia. After the game has been initiated, a question pops up on a central screen and players race to select the correct answer. Players are timed to choose an answer and points are awarded based on correctness and time taken to answer. The game would be ideal for cybersecurity events or academic cyber competitions. 

“It’s visual, multi-sensory, team-oriented, and brings everyone together in any genre to share and communicate and learn about cybersecurity,” said Katie McCustion, Human Resources Manager in Circadence’s Tupelo office.  

All projects the interns worked on were a part of the everyday work that the professionals performed. This hands-on learning allowed the interns to develop and grow their technical prowess while working together as a team on real-world projects. Interns learned new skills in coding, research, frontend and backend development, and graphic design and overall communication skills that will support their future professional pursuits. We look forward to our next batch of interns in Summer 2019 and are excited for the future of these hard working and bright individuals!  

Special thanks to Circadence’s Jerry Camp, Lauryn PregoniKatie McCustion, Wes Knee, and Maria Ko-Lee for their collaboration on this blog post. 

Bridging the Cybersecurity Skills Gap with Artificial Intelligence

Reading Time: 3 minutes

You know it and we know it. We cannot train our way out of the widening cybersecurity skills gap (expected to reach 3.5 million by 2021). We’ve discussed at length why traditional, passive learning models in training classroom settings are ineffective (not to mention boring), but at Circadence®, we are optimists and innovators, dedicated to finding a solution—and for now, in the industry’s current state of affairs, we’ve found what works. It lies in leveraging artificial intelligence (AI) and machine learning.  

Types of AI  

AI is a broad field so for the sake of simplifying, there are two types of AI that we distinguish: Narrow and General. Narrow AI refers to AI that is used for a specific function like self-driving cars. General AI tends to be a feared concept (e.g. robots taking over the world). For this post, we are focusing on Narrow AI and how it informs the cybersecurity space. 

Within Narrow AI, we are focusing on two sub-sets of the field: Natural Language Processing (NLP) and machine learning. Together, they can provide automated and augmented relief to weary cybersecurity workers who are stretched beyond their limits.  

NLP is present in our cybersecurity training platform Project Ares®. The in-game advisor Athena uses NLP to communicate with trainees in “chat-bot” format to answer questions and provide hints to players. The data that comes from those conversations with Athena (in addition to how a user progresses through exercises) is processed by machine learning, the technique where data is used to learn about a user’s actions, so it can generate a response.  

This becomes particularly valuable when machine learning has lots of data to process in order to create different pathways to solving a problem. It’s kind of like the “two heads are better than one” motto, but machine learning needs lots of “heads” (aka, data) to generate the best solution for the problem at hand. Uber uses machine learning to understand the various routes drivers are taking to transport people from point A to point B. It then takes all those routes together and finds the most efficient route, so current and future Uber drivers can better serve their passengers.  

How AI can work for cybersecurity pros  

Now, one can imagine how these two sub-fields of AI can be of value in the cybersecurity industry. With attacks getting more advanced by the minute and the frequency of attacks occurring at alarming rates (an average of 200,000 malware attacks per day per company), the more information we can equip machine learning and NLP with, the better it can function for us. Particularly when it comes to understanding how to defeat sophisticated cyberattacks and the appropriate steps to take for risk mitigation.  

The more cybersecurity professionals engage with the Project Ares platform and its content, the better information data scientists have to draw conclusions on the best ways to solve the missions (and remember, the missions and battle rooms are developed from real-world threats and methods of attack, emulated on real networks). The more efficiently we solve missions, the closer we are to defeating incoming threats quicker, and the more we contribute to protecting enterprises from cyberattacks and closing the skills gap.  

AI: Augmenting the cyber workforce 

One of the exciting outcomes of AI is in its ability to augment the cyber workforce. Since there has been a staffing shortage, AI can be used to bridge the gap by scoring or ranking individuals and teams based on mission performance. The data that is collected and used to generate pathways for attack strategies and mission completion, can also inform the score or skill level a person is at. This can augment evaluation and assessment protocols, helping CISOs better evaluate the capabilities of their teams and identify areas for improvement.  

AI can also augment cyber team task performance. For example, if an enterprise company wanted to create its own custom missions/exercises within Project Ares for its teams to train on (so they are not engaging with the same redundant exercises), designers/engineers can use AI to collect existing performance data from similar missions to create variability in another mission. Instead of the mission designer spending time creating different pathways in the mission, AI can use the data it already has to inform what and how those variabilities are developed, saving time and resources.   

All about the data  

The relationship between AI and cybersecurity comes down to how it is used within the solution and the quantity and quality of data it has available to work with. With our solutions, we leverage NLP and machine learning to automate administrative tasks currently performed by professionals and augment where staffing falls short. In the case of Project Ares, AI helps guide and teach trainees during game play, giving them new threat vectors, scenarios and tasks based on past performance and behavior. In other words, the ecosystem feeds threat data to improve training, augmenting cyber actions to ensure trainees are learning best practices to combat evolving threats.  

What we’ve learned from the power of AI is that when it has a large corpus of data to work from, it is the most productive way to ensure systems take the best actions for the player’s learning advantage—and players, too, make informed decisions that help them defeat emerging threats.

3 Ways to Prevent Cyber Security Election Interference

Reading Time: 4 minutes

Voting is the crux of what we refer to as an American Democracy. Since the 2016 elections in the United States, numerous reports have cited concerns of vulnerabilities in the voting ecosystem, detailing attempts of foreign interference by organizations such as the Russian government to exploit election results with pervasive cyber attacks.

To assist in securing critical infrastructure and preventing cyber attacks, Congress provided federal funding under the recent 2018 Consolidated Appropriations Act Election Reform Program, authorized by the 2002 Help America Vote Act (HAVA). This funding grants states additional resources to make improvements in election cyber security.  Failure to negate election interference will only perpetuate future cyber attacks, which will lower voter confidence in the democratic process and impact on voter turnout.

Now more than ever, election security officials need to revisit their voting systems to leverage this newfound funding and better secure the human element that often causes cyberattacks. While the cyber attack surface of election systems is extensive due to the more than 8,000 jurisdictions in counties, states, and cities that maintain election infrastructure, there is one constant in the elections security system that can be leveraged—humans. With individuals and teams informing the entire voting process from voter registration to casting votes to reporting outcomes and auditing, humans are a key part in managing and directing both digital and manual processes.

If election security professionals can be better trained to understand how to stop cyber attacks using their own tools in emulated environments, the state of election cyber security will be greatly improved.

We’ve detailed three ways for election security officials to upskill their cyber security teams in spite of the variability in equipment and process.

1. ADOPT A CONTINUOUS LEARNING APPROACH TO ELECTION CYBER SECURITY  

In previous Circadence blogs, we’ve shared the benefits of a continuous learning approach, and there’s a reason for it—if cyber teams cannot keep pace with evolving adversary techniques and tactics, they won’t know how to stop them from causing mass damage. Learning basic cyber skills as well as how adversaries are using social engineering to influence election campaigns will help state, local and government election officials be better prepared to identify and respond to cyber attacks on voting systems.

Unfortunately, there have been documented instances of untrained personnel who have knowingly and unknowingly jeopardized the security of elections thus far. Notably, one of the first cryptic signs of cyberespionage came when a Democratic National Committee (DNC) help desk contractor ignored repeated calls from the FBI who were reporting a cyber threat from a computer system hack conducted by a Russian group referred to as “the Dukes28.” The article notes the contractor “was no expert in cyber attacks,” and couldn’t differentiate the call from a prank call.

Fortunately, with the passing of the Election Reform Program, now is the time for election cyber security professionals to dedicate the resources necessary to address all aspects of cyber security that affect a strong cyber posture. This includes:

  • having the proper equipment and security protocols in place
  • employing a trained team who can identify and combat threats quickly
  • deployment of cyber resilience when attacks do occur, and much more.

2. ANALYZE PREVIOUS ATTACKS TO UNDERSTAND ADVERSARY TECHNIQUES  

It is insufficient to solely analyze the specific cyber attacks from the past few years, but it is still important to see and understand the tactics and vulnerabilities exploited, particularly since electronic voting machines are not upgraded often. Two cyber attack groups, Fancy Bear and Cozy Bear are worth investigating further since their methods have been analyzed in detail already. From using fake personas to deliver stolen emails and documents to journalists, to the use of malware and spear-phishing, adversaries were able to access an operational infrastructure, implant the agent and encrypt communication to silently exfiltrate data remotely.

Understanding adversary techniques like this can inform how cyber teams train for future cyber attacks. Election officials can begin to assess the skill level of their teams and all involved in the election process to get a sense of their capabilities and how they would approach a “Cozy Bear 2.0” for instance.

3. PARTICIPATE IN OR HOST TABLETOP AND LIFE FIRE EXERCISES  

Recently, Circadence used its Project Ares platform to help the City of Houston simulate a realistic cyber attack exercise to help public and private entities better prepare for an attack scenario. Emergency response simulated a cyber attack on transportation, energy, water, and government sectors while senior leaders worked directly with technical professionals to develop timely responses.  This type of collaborative approach could be undertaken in every voting jurisdiction to test election systems.

There will always be risks, but cities and counties are realizing that the key is getting ahead of the cyber attack and to develop effective cyber readiness policies and procedures, realistic virtual training environments can help. Running through these cyber exercises with multiple players helps leaders see apparent gaps in offensive and defensive techniques while reaffirming the practices that must take place to secure any type of infrastructure.

As election security officials plan for new ways to leverage the HAVA Election Security Fund to improve processes, they will be pressed with justifying expenditures while also demonstrating that said security measures have indeed improved. The above recommendations will make elections safer and likely contribute to the restoration of public confidence in our democratic process.

The more focus election security officials place on upskilling their cyber teams with 1) continuous learning approaches, 2) analyzing past cyber attack methods, and 3) participating in realistic training events, the more effectively they reduce human error as a dominant source of cyber attacks.

To learn more ways to prevent election cyberattacks download our whitepaper “Protecting Democracy from Election Hacking.”

DOWNLOAD WHITEPAPER

Celebrate “National Cybersecurity Awareness Month” Year-Round

Reading Time: 3 minutes

National Cybersecurity Awareness Month (NCAM) in October reminds us of the importance of being safer online in both our professional and personal lives. By employing fundamental cybersecurity best practices, ALL professionals from the C-Suite to the Administrator can better safeguard against ongoing threats infiltrating and exploiting systems and data every day.  

The overarching theme of NCAM includes having a “shared responsibility [of cybersecurity] and we all must work together to improve our Nation’s cybersecurity.” Circadence couldn’t agree more. We are excited for the future of cybersecurity given the advancements in AI and machine learning and Natural Language Processing, all of which are features available in our cyber solutions focused on workforce readiness, cyber training and assessment, cyber ranges, cybersecurity awareness, and cyber competition/event support.  

Turning awareness into action  

During this month of awareness, Circadence is hyper-focused on its commitment to continue providing resources and tools to automate and augment the cyber workforce to accomplish the goal of increasing cyber resiliency across all organizations.  

While NCSAM is entering its 15th year as an annual initiative, Circadence has been using its history in online gaming to develop innovative solutions that help businesses defeat evolving cyber threats. We’re proud to contribute to the cybersecurity of our nation through unique training, assessment and education platforms that together, help non-cyber professionals and seasoned cyber managers become better offenders, defenders, and governance leaders.  

It’s not just about raising awareness of cybersecurity practices; we are at a time where it’s equally important to take that awareness and use it to ACT. In the current state of cybersecurity, every business, academic institution and government organization is and continues to be vulnerable. Regardless of how many cyber teams are on the frontlines protecting your organization, regardless of the stringency of policy and procedures in place; regardless of frequency of system updates and access controls, hackers are determined, intentional, strategic and leveraging technology to manipulate a company’s data, liquidate valuable assets or finances, and ruin their reputation and public trust. Therefore, we, as cyber and non-cyber professionals, too, must be determined, intentional, strategic and continue to leverage technology to automate and augment the cyber workforce so they can stay one or two steps ahead of hackers.  

Educating and upskilling professionals to improve cybersecurity awareness  

We understand the challenges facing cybersecurity experts are insurmountable. From staffing shortages to skill deficits to budget constraints and overworked cyber teams, it can appear there’s minimal hope for improvement. We are changing that with our suite of solutions designed to place PEOPLE at the forefront of cybersecurity readiness. We believe the experts who control the advancing technologies used to prevent cyberattacks are the key to strong infosecurity environments.  

This month is a time for cyber professionals and CISOs to explore new ways to modernize their cyber readiness strategy and upskill their cyber teams and non-cyber professionals. Circadence has two solutions to help: Its gamified training and assessment platform Project Ares® is one solution that CISOs can leverage cost-effectively to better prepare their organizations to protect against cyberattacks and elevate visibility to the C-Suite of the value of building and sustaining a strong cybersecurity posture.   

Likewise, the new inCyt® mobile application is a game-based concept designed to educate non-cyber professionals on fundamental cyber offense and defense strategies in a fun and engaging way. The first of its kind, inCyt’s ability to educate the entire workforce through gamified activities that challenge opposing colleague’s infrastructure using phishing, botnets, and spyware disrupts the stale learning approach in the marketplace.  

Finally, we are actively producing a series of whiteboard videos focused on the fundamental concepts of cybersecurity, both demystifying terminology and debunking processes to further our mission of cultivating an “all hands on deck” cyber culture. Subscribe to our YouTube channel to receive updates as new videos are added to the library. 

While National Cybersecurity Awareness Month is in October, the awareness and application of modern practices should continue throughout the entire year, so we don’t forget the value of a strong cybersecurity posture AND keep pace with imminent threats.   

Let’s celebrate, educate, assess, and adopt modern cyber training practices year-round!