Get Gamified! Why Learning Happens Better with Games with Keenan Skelly

Reading Time: 1 minute

Gamification is a new, more engaging way for cyber professionals to learn and build new skills to keep pace with evolving threats. Speaker Keenan Skelly, VP of Global Partnerships at Circadence, will discuss:

  • What gamification is and what it is not
  • How it is being applied to cyber training
  • Why hands-on cyber range learning increases information retention

Gamification as both an engagement strategy and a development strategy is proving an effective means of achieving security readiness. The approach puts a fresh spin on current cyber training options available today, making learning fun and engaging while accumulating relevant skills needed to stop today’s malicious hackers.

Circadence’s Project Ares, a gamified, immersive learning and assessment platform, runs on the Microsoft Azure Cloud. The cyber range solution provides the scalability needed for professionals to learn new cyber skills on emulated networks—positively impacting job performance.

Critical Infrastructure Webinar with Laura Lee

Reading Time: 1 minute

What You’ll Learn

  • How to build a strong cyber team for IT and OT   
  • How critical infrastructure is impacted by evolving threats  
  • Insight into live fire exercises to support cyber preparedness

The critical infrastructure sector is not immune to cyberattacks. Between the evolving threat landscape and convergence of IT and OT infrastructure, companies need continuous learning solutions that support their cyber teams in the best ways possible.

Gamification puts a fresh spin on cyber training. Learn how critical infrastructure organizations can arm themselves with cyber teams who are ready to defend threats as well as anticipate them.

Ransomware – The Attack Du Jour!

Reading Time: 3 minutes

Ransomware is gaining traction among hackers; emboldened by financial success and anonymity using cryptocurrencies. In fact, ransomware is now considered a tried and true cyberattack technique, with attacks spreading among small and medium-sized businesses, cities and county governments. Coveware’s recent 2019 Q1 Ransomware Report notes:

  • Ransoms have increased by an average of 89% over Q1 in 2019 to $12,762 per ransom request
  • Average downtime after a ransomware attack has increased to 7.3 days, up from 6.2 days in Q4 of 2018, with estimated downtime costs averaging $65,645
  • Victim company size so far in 2019 is anywhere from 28 to 254 employees (small, medium, and large-sized businesses)

Let’s review how ransomware works and why it’s so effective. Ransomware is a type of cyberattack where an unauthorized user gains access to an organization’s files or systems and blocks user access, holding the company’s data hostage until the victim pays a ransom in exchange for a decryption key. As you can surmise, the goal of such an attack is to extort businesses for financial gain.

Ransomware can “get into” a system in different ways, one of the most common through phishing emails or social media where the human worker inadvertently opens a message, attachment, or link acting as a door to the network or system.  Messages that are urgent and appear to come from a supervisor, accounts payable professional, or perceived “friends” on social media are all likely ransomware actors disguising themselves to manipulate or socially engineer the human.

Near and Far: Ransomware Has No Limits

Many types of ransomware have affected small and medium-sized businesses over the last two decades but it shows no limitations in geography, frequency, type, or company target size.

  • Norwegian aluminum manufacturing company Norsk Hydro, a significant provider of hydroelectric power in the Nordic region, was shut down because of a ransomware infection. The company’s aluminum plants were forced into manual operations and the costs are already projected to reach $40 million (and growing). The ransomware name: LockerGoga. It has crippled industrial firms across the globe from French engineering firm Altran, and manufacturing companies Momentive, and Hexion, according to a report from Wired.
  • What was perceived as an unplanned system reboot at Maersk, a Danish shipping conglomerate, turned out to be a corrupt attack that impacted one-fifth of the entire world’s shipping capacity. Deemed the “most devastating cyberattack in history,” NotPetya created More than $10 billion in damages. To add insult to injury, the cyber risk insurance company for Maersk denied their claim on the grounds that the NotPetya attack was a result of cyberwar (citing an act of war exclusionary clause).  WannaCry was also released in 2017 and generated between $4 billion and $8 billion in damages but nothing (yet) has come close to NotPetya.
  • On Black Friday 2016, the San Francisco Municipal Transportation Agency fell victim to a ransomware attack. The attacker demanded $73,000 for services to be restored. Fortunately, speedy response and backup processes helped the company restore systems in 2 days—avoiding having to pay the ransom. In March 2018, the City of Atlanta experienced a ransomware attack that cost upwards of $17 million in damages. The Colorado Department of Transportation fell victim, too, left with a bill totaling almost $2 million.

These headlines are stories of a digital war that has no geographical borders or structured logic. No one is truly immune to ransomware, and any company that thinks that way is likely not as prepared as they think they are. Beazley Breach Response (BBR) Services found a 105% increase in the number of ransomware attack notifications against clients in Q1 2019 compared to Q1 of 2018, as well as noting that attackers are shifting focus to targeting larger organizations and demanding higher ransom payments than ever before.

Immersive cyber ranges – Protect Yourself, Your Business, Your People

If your own security efforts, staff practices, and business infrastructure are continuously hardened every time a new breach headline makes the news, the things that matter most to you and your company will be better protected. One of the ways to consistently harden security practices is via immersive and persistent training on gamified cyber ranges. Some benefits of using cyber ranges like this include:

  • Helping professionals of all skill levels learn and apply preventative measures such as: regular backups, multi-factor authentication, and incident response planning and analysis.
  • Understanding what ransomware looks like and how it would “work” if it infected their company’s network.
  • Cloud-based environments can scale to emulate any size digital system and help users “see” and respond to threats in safe spaces.
  • Providing user assistance and immediate feedback in terms of rewards, badges, and progress indicators, allowing organizational leaders who want to upskill their cyber teams to see the skills gaps and strengths in their teams and identify ways to harden their defenses.

When ransomware does come knocking at your business door, will you be ready to recover from the costly and reputational damages? If there is any shred of doubt in your mind, then it’s time to re-evaluate your cyber readiness strategy. As we’ve learned, even the smallest vulnerability or level of uncertainty is enough for a cybercriminal to take hold.

Photo by Michael Geiger on Unsplash and via website.

Cyber Security and the LGBTQIA Community

Reading Time: 2 minutes

While most of us recognize the inherent vulnerabilities of putting our personal information online, we may not think about how marginalized communities are at even greater risk of malicious attacks on the internet. The LGBTQIA (lesbian, gay, bi-sexual, transgender, queer, intersex, and asexual) community certainly understands the ramifications of sharing their lifestyles on the web, and it is of vital importance to consider how compromised online privacy can specifically impact these already vulnerable groups.

To understand the privacy risks for LGBTQIA individuals, consider how we all use the internet and create digital footprints. Here are some statistics from LGBT Tech, The Trevor Project, and a study released by GLSEN (the Gay, Lesbian, and Straight Education Network).

  • 81% of LGBTQIA youth have searched for health information online, as compared to 46% of non-LGBTQIA youth.
  • 62% of LGBTQIA youth have used the internet to connect with other members of the community in the last year.
  • More than 1 in 10 said they had first disclosed their LGBTQIA identity to someone online.
  • 1 in 4 youth said they are more out online than in person.
  • 42% of youth in this community have been bullied online versus 15% of the general public.
  • 27% of LGBTQIA members report not feeling safe online.
  • LGBTQIA youth are almost 5 times as likely to attempt suicide from harassment and isolation compared to heterosexual youth.

The internet can be a scary place for members of the LGBTQIA community, but it is often also a lifeline.  LGBT-identifying adults often need to find resources and places that will be welcoming and supportive, and mobile devices play a vital role in their day today.  For many individuals who are not yet comfortable revealing their sexual identity at home or in their communities, the internet is often the first tentative step for seeking both information and community belonging.

However, when privacy is breached, intentionally or unintentionally, for vulnerable populations, consequences can be catastrophic including loss of employment, damaged familial relationships or friendships, and even threats of physical harm or death.

Back in 2013, the National Cyber Security Alliance (NCSA) launched a collaboration with the LGBT Technology Partnership to highlight safety issues and increase focus on vulnerable populations. They created a sheet of specific tips and tricks for the LGBTQIA community for staying safe online based on the slogan STOP. THINK. CONNECT. which can be found here. Many of these tips are helpful for everyone looking to stay safe online, but when reviewing them, you can see just how cautious members of this population need to be in order to feel safe.

Ensuring that every person has equal rights and access to online safety is of the utmost importance. While many walk through life taking precautions to ensure their data is protected, we must be aware of how certain communities are at more risk than others and strive to practice our own safe behavior online so as not to put anyone else’s lives at risk.

We wish members of the LGBTQIA community a cyber safe Pride Month and risk-free access to the resources they need.

To ensure everyone stays safe online, we’ve developed a few educational videos to keep everyone informed about hacking methods and how to avoid them.
Watch the video series here.

 

Photo by Peter Hershey on Unsplash

Spotlight: Cyber Security Readiness for the Electricity and Energy Industries

Reading Time: 2 minutes

When your power goes out, you recognize just how many things you use every day rely on energy. From phones to WiFi to air conditioning and heat, our homes and offices almost entirely rest on this silo of critical infrastructure.

While we may not think of the energy sector as being a significant cyber vulnerability (we don’t read about a lot of breaches on this sector in the news media), it is not only of intrinsic importance to a functioning society but all other sectors that make up the nation’s critical infrastructure rely on electricity. According to the Council on Foreign Relations, the U.S power system has evolved into a highly complex enterprise with:

  • 3,300 utilities that work together
  • 200,000 miles of high-voltage transmission lines
  • 55,000 substations
  • 5 million miles of lines that bring power to millions of homes and businesses

There are not many documented cases of a successful power grid attack, but the first known instance occurred on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electric supply to the end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.

Although there may not be many examples of historical energy facility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.

Cyber Security Readiness for Electricity and Energy

So what can we do to prepare ourselves? Understanding that cyber security is the responsibility of everyone, not just CISOs or those in IT, helps ensure that everyone is participating in strengthening an organization’s cyber readiness.

Utilizing AI, persistent learning, and gamified training to upskill your team will ensure that you are prepared for any looming threat.

Electricity is of incredible importance to the country and the world, the remainder of our infrastructure would crumble without it. Building a culture of awareness and education around cyber security will help protect us from a domino effect of failing infrastructure. Continuously improving security posture is vital to defending ourselves against attacks that threaten our critical infrastructure.

Photo by Gerrit Vermeulen on Unsplash