The cyber security workforce gap continues to grow, and the availability of qualified cyber professionals is predicted to decrease in the coming years. In fact, a Cyber Security Workforce Study from the International Information System Security Certification Consortium predicts a shortfall of 1.8 million cyber security workers by 2022. Some resources claim upwards of 3.5 million within the next two years too. While this can feel like impending doom and gloom for the industry, AI, or artificial intelligence, can help to quell the concerns while empowering existing cyber workers.
While many other industries have seen robotic systems replacing the need for human workers, this doesn’t appear to be the case in cyber security. Humans are able to accomplish more when supported by the right set of tools. Allowing AI to support and react to human behavior allows cyber professionals to focus on critical tasks, utilize their expertise to analyze potential threats, and to make informed decisions when rectifying a breach.
How? AI can do the legwork of processing and analyzing data in order to help inform human decision making. If we were to rely completely on AI to manage security risks, it could lead to more vulnerabilities because such systems have high risks for things like program biases, exploitation, and yielding false data. Nevertheless, if utilize and deployed correctly for cyber teams, AI has the ability to automate routine tasks for processionals and augment their responsibilities to lighten the workload.
So, is AI going to take over the jobs of seasoned cyber pros? The answer is no; however, AI will drastically change the kinds of work cyber engineers are doing. In order for IT teams to successfully implement AI technologies, they will need a new category of experts to train the AI technology, run it, and analyze the results. While AI may be great for processing large amounts of data or replacing autonomous manual tasks, it will never be able to replace a security analyst’s insights or understanding of the field. There are some data points that require a level of interpretation that even computers and algorithms can’t quite support yet.
AI can help to fill the workforce gap in the cyber security sector, although it may create a need for new skillsets to be learned by humans in the industry. AI and the human workforce are not in conflict with one another in this field, in fact, they complement each other. Thefuture is bright for AI and humans to work in tandem at the front lines of cyber defense.
For more information, check out our white paper on AI and gamification!
To celebrate National Cyber Security Career Awareness Month in November, we’re highlighting the many ways that aspiring cyber security professionals and career changers alike can enter the field with confidence and competency.
To start, join us as we share tips and recommendations for learning cyber at every stage from basic comprehension to skills application.
Speaker Dr. Dan Manson will discuss:
Current landscape of cyber workforce (from the skills gap to diverse work roles)
Where to start learning about cyber security (resources, tools, experiences)
How to develop the technical and hands-on skills needed for any cyber job
What You’ll Learn
How to find resources for learning cyber at any knowledge-level
Where to develop basic and advanced cyber skills using digital and on-demand platforms
How to develop a holistic cyber skill set to impress prospective employers
It might surprise you to know that the education industry is a prime target for malicious hackers. While threats in this sector are on the rise, many education institutions are not prepared for a cyber attack nor do they know how to recover from one. In fact, there were 122 cyber attacks last year at 119 K-12 public education institutions, averaging out to an attack every three days. A 2018 Education Cyber Security Report published by SecurityScorecard also found that of 17 industries, the education sector ranked dead last in total cyber security safety. Schools are leaving themselves open to student and faculty identity theft, stolen intellectual property, and extremely high cost data breach reconciliation. In fact, a study done by the Ponemon Institute shows the average cost of a data breach in the education sector is $141 per record leaked.
This industry faces some unique cyber security challenges:
Historically, this industry is based on the free exchange of information, i.e the philosophy that information should be readily available to all. The use of computers and internet in education has allowed information to be stored and accessed in many different ways, creating vulnerabilities in storage, network security, and user error which leaves systems susceptible to hacks.
Students and staff may have limited technical skills and prowess to know how to stay safe online.
Online education systems are highly distributed across multiple schools in a district or across state lines, making it easier to infect one system to gain access to all.
Computer systems used by schools often lack a single application, or “source of truth” to safely manage student and employee identities.
There’s a significant change in the user population every year due to students graduating and new students enrolling, making it difficult to track who is using certain resources and who has access to them.
Remote access is often required, with students and parents accessing systems from home computers and smartphones. When you access an online resource repeatedly from potentially vulnerable or unsecure networks, it creates more opportunity for hacks.
So how can educational institutions better protect themselves against looming cyber threats?
Shift the focus to prevention instead of mitigation – by making the focus on securing data before an attack happens rather than after, organizations will be better prepared to protect students and staff against a breach.
IT directors and security operators within educational institutions would be wise to consider persistent training solutions for their teams to optimize existing cyber skills so they don’t go “stale” after a period of time.
Likewise, perform a security audit and work across departments to understand all the digital systems in place (financial, teacher, student portals, etc.) and where vulnerabilities might exist.
HR departments of institutions should consider updating or adopting employee security awareness training to ensure every education-employed professional working on a computer understands the basics of cyber security and how to stay safe online.
Minimize internal threats – Verizon’s 2019 Data Breach Investigations Report found that nearly 32% of breaches involved phishing and that human error was the causation in 21% of breaches. Proper and continued training and awareness around security issues is key in preventing possible attacks.
Make cyber security a priority in IT budgeting – Schools and other educational institutions need to recognize the growing cyber threatscape and prioritize allocating funds to training tools, IT teams, and continued education for internal staff.
Circadence is here to help. Cybersecurity in the education sector is more important than ever, and our immersive, gamified cyber learning platform, Project Ares, can help ensure that your cyber team is ready to defend against malicious attacks. Our inCyt product (coming soon!) will keep everyone else in your organization up to snuff on cyber defense and offense. We pair gamification with prolonged learning methods to make learning and retaining cyber security tactics simple and fun for all. Don’t let your institution and students be next in line for a breach–think inCyt, and Project Ares when you think cyber security for the education sector!
If you’re still looking for more information on education and cyber security, check out these handy references:
We’re getting in the Halloween spirit (with a cyber security spin of course)! We started wondering about the mysterious (or not-so-mysterious) world of hacking. We wondered just how frightfully easy it might be to gather intel from social platforms with minimal prerequisite knowledge.
To that end, we did a little experiment in an attempt to understand the hacking process. We asked ourselves…
What details can hackers find about us online?
Are there enough details out there for a hacker to really manipulate us?
Are we “sharing too much” as a population committed to living our lives on social media?
To answer these questions and learn if we’re just asking to be tricked or if what hackers can find out about us is really their treat to exploit…[insert gloomy music here], we simulated an online “stalking” exercise.
<< See this cool graphic to your left or read below for the simple steps we took to find personal details of someone online.
Identify a known person you want to learn more about
Go to the ol’ Google to dig up articles and social profiles about that person
Easily obtain properties like their full name, interests, employer, etc.
Search their social accounts in greater depth to find:
Their interests and passions
Their work history
Previous co-workers and friends
Links to their Instagram profile (for visual data)
Search through their friend list on Facebook, connections on LinkedIn, or followers on Twitter to isolate any missing social profiles or details on the person
Find their hometown, family members, and political/religious views
So gosh. This turned out to be a frighteningly straightforward path to take to find intel on someone….even if some of their social accounts are private! And, you might be shocked to know that it took us less than an hour to discover enough information about a random person.
So what might a hacker do with the intel like what we just dug up? They use the information to manipulate us and make us vulnerable to an attack.
A hacker might craft a Twitter message asking about this person’s pet or commenting on the weather in her place of residence to start a conversation.
A hacker might name drop her former co-worker as a “friend” of ours and thereby “established a connection.”
A hacker might have contacted the persons parents or a friend claiming we were associated with individual’s previous employer to get his/her phone number to call them.
The TRICKS are endless!
And it can happen fairly quickly. Are you surprised?
There’s good news here though. While we did learn from this exercise that what we each choose to share online is, indeed, asking to be tricked by hacker, the fact is WE have some control of what information is “out there”. Hackers LOVE any data they can use about our interests and personal information to gain access to something they want (e.g. bank accounts, social security numbers, credit cards, etc.); but we can limit our personal information and lock down our profiles to minimize how much intel is out there to start with.
There’s never a dull moment at work for Circadence Software Engineer Raeschel Reed. Between learning ways to use new technology, improving coding techniques, and operationalizing cyber innovations, Raeschel is a critical part to the success of the company’s product suite.
She currently works on Orion, a curriculum development application that allows learning coordinators or security managers to customize cyber training exercises based on specific needs. Raeschel has been a part of the Orion development team for over nine months, working on the back-end operations to create the logic behind the functionality. The best part about working on this product is the level of collaboration Raeschel gets to experience.
“We do a lot of pair-programming on Orion, where we work in groups of two or three to move tasks along quickly. Everyone has good ideas to share and suggestions that build on one another and it helps expediate the problem-solving aspect of software engineering,” she said.
Prior to joining Circadence, she served as a senior software developer supporting the Naval Integrated Tactical Environmental System Next Generation and before that, at the Battelle Memorial Institute supporting various government contracts for the Department of Defense and Homeland Security. Those experiences helped her learn critical technical skills and computer languages that diversified her understanding of programming and software development. She’s also an alumnus of George Mason University (master’s degree in Computer Science) and Mary Washington College (bachelor’s in Computer Science).
For Raeschel, the process of working with and applying a new tech stack like Kubernetes, back-end tools like Golang (an open-source programming language), and working in Azure, keep the act of software development truly unique and on the cutting-edge of innovation.
While unique hobbies like soccer, sewing and improv feed her need to try new things, it is the tech industry she keeps returning to for career fulfillment.
“Tech stuff I keep coming back to,” she said. “I have a growth mindset where I want to keep learning new things and trying new things and the field of cyber allows me to do that.”
And if that wasn’t enough for Raeschel to feel inspired and innovative at Circadence, the team she works with is second to none in her eyes.
“Team Orion is the BEST!” she exclaimed. “I feel very fortunate to be here and to have found ‘my people.’ Mondays never feel like Mondays.”
The journey to cybersecurity engineer has been an exciting one for Circadence’s TS Reed. The former baseball pro turned security tech expert found his passion for problem solving at Circadence. After completing an undergraduate degree in criminology at Cal State Northridge, he pursued a master’s degree in mechanical engineering at CSUN and then a master’s in cybersecurity engineering from the University of San Diego.
TS started as an intern at Circadence and was quickly onboarded as a full-time employee for his technical prowess, adaptability, and knowledge of modern security functions and processes. For the past three years at Circadence, TS has monitored the company’s network security, tested the security of its products (including Project Ares) and learned how and what to look for to stay one step ahead of attackers.
“It’s impossible to be bored in this job. Security is always changing: the way people build it, the way people attack it. You have to continuously learn and teach yourself the latest and greatest practices,” said TS.
But cybersecurity management wasn’t always in the stars for TS. Prior to joining Circadence, TS coached division one baseball at the University of San Diego and was also an assistant coach and recruiting coordinator at the University of Arkansas Fort Smith. A Cal State Northridge Alum, TS was a well-respected baseball player, hitting home runs in the athletic industry (named a CIF California Player of the Year and a Division 1 All-American at CSUN) with the fourth highest batting average at the 2008 Big West Conference. After college he went on to play one year of professional baseball in St. Louis for the Gateway Grizzlies of the Frontier League.
He traded in his baseball cleats for cybersecurity after discovering the inherent problem-solving nature of the field—a part of the job that greatly intrigued TS to dive into a completely new field of study and long-term career trajectory.
For TS, one of the best ways to “win the game” in the security field is to think like a hacker. By understanding what vulnerabilities they look for to exploit and why, security engineers like TS, know how to harden systems and deploy preventative measures beforehand. And while open forum online communities help TS and other security professionals “understand the mind of a hacker” there is always a level of uncertainty he has to deal with.
“Hackers are attacking constantly and finding new ways to infiltrate networks,” said TS. “We have to stay as close to them as possible,” he adds.
While TS’ professional journey has been unconventional at best, he has noticed many lessons from his baseball career that have translated into the cyber arena.
“Teamwork is huge; I learned early on in baseball that every teammate receives things differently. You have to take the time and care enough to figure out how your team members communicate. [In cyber security], everyone communicates differently too. Both in receiving communication and externally communicating. Step one is always getting a feel for that in order to be as effective as possible when communicating with teammates/team members.”
Likewise, TS learned that in baseball, a player’s own skill level and performance weren’t the sole indicator of how “good” a teammate was. The greatest measure, he says, is how effective one is at making others better and serving them.
“To be good at and handle your job is one thing but whenever you have a team involved, the greatest measure of a player or cyber employee is the capability to lift up those around them and make them better,” he advises. Empowering teammates, teaching them, and learning from them is the approach he lives by at Circadence.
We are proud to have TS as part of the Circadence family and know while he’s not hitting balls out of the park at the stadium, he’s hitting home runs with Circadence, hardening its cyber security posture.
While Circadence is proud to be a pioneer that has developed innovative cyber learning products to strengthen readiness at all levels of business, there’s one professional area at Circadence that doesn’t tend to get the limelight, until now. Meet Josiah Bryan, principle Security Architect for Circadence’s security consultation services, aptly called Advanced Red Team Intrusion Capabilities (ARTIC for short). For almost two years, Josiah has provided support and services to Red Teams around the country, those leading-edge professionals who test and challenge the security readiness of a system by assuming adversarial roles and hacker points of view.
Josiah enjoys doing penetration testing and exploit development with Red Teams at a variety of companies to help them understand what a bad actor might try to do to compromise their security systems.
But Josiah wasn’t always on the offensive side of cyber security in his professional career. He was first introduced to the “blue team,” or the defensive side of cyber, when he began participating in Capture the Flag competitions across the U.S. during his time as a computer science student at Charleston Southern University. Those competitions also exposed him to the offensive side of security training and he never looked back.
After graduation, he took a job in San Diego with the U.S. Navy as a DoD civilian, finding vulnerabilities in critical infrastructure, which were then reported up to the Department of Homeland Security.
“Learning how the DoD operates internally and how they conduct penetration tests/security evaluations was an extremely valuable skill and great background for my current job at Circadence,” he says.
In addition to consulting with Red Teams, Josiah uses a variety of tools to show and tell companies about existing vulnerabilities. For example, badge scanners that let people gain access to a facility or room are quite common devices for Josiah and his team to test for customers. He might also use USB implants that provide full access to workstations and wireless signal identification devices.
“We show people how easy it is to get credentials off of someone’s badge and gain access to an area,” he says. “They never believe we will find vulnerabilities but when we do, they realize how much they need to do to improve their cyber readiness,” he adds.
But, ultimately Josiah’s favorite part of his job is the level of research and analysis he gets to do. “We are a research team, first,” he says. “We are pushing the boundaries in cybersecurity and discovering new ways that bad actors might take advantage of companies, before they actually do. It’s a great feeling to help companies and Red Teams see the ‘light’ before the hackers get them,” he adds.
Whether circumventing a security measure or patching a system, Josiah’s contributions to the field are significant.
“Finding new ways to help people understand the importance of strong cyber hygiene is fulfilling,” he says. “We can’t stress it enough in today’s culture where attacks are so dynamic and hackers are always looking for ways to take advantage of companies.”
To stay on the cutting edge of Red Team support, Josiah follows Circadence’s philosophy to persistently learn new ways to protect people and companies. “Any company is only as good as the least trained person,” Josiah says.
What is social engineering and why does it matter? In the context of information security, it is a hacking tactic designed to psychologically manipulate or “trick” a person into performing actions or divulging confidential information. Social engineering threats are a wildly popular way for cybercriminals to get access to money or damage a company’s reputation. In fact, social engineering attack statistics in the past year are daunting. In 2018, more than 17% of workers fell victim to social engineering attacks, according to InfoSecurity Magazine. This is problematic, as you can imagine because it disempowers people who place their trust in digital communications and leaves them feeling scared to engage with anyone online (especially if they’ve fallen victim to an attack already). Likewise, the propensity of workers who fall for these attacks tells cyber professionals that more needs to be done to: 1) educate people on what social engineering is, 2) how it manifests and impacts your personal life, and 3) the effects it can have on companies whose workers succumb to the attacks. In this article, we will discuss ways to recognize social engineering in your digital life and how to increase your cyber security awareness for these types of attacks using…games (yes, games!). More to come on that later.
Types of Social Engineering Attacks and How to Spot Them
Social engineering techniques come in many forms, but one of the most common ways to manipulate a person is via phishing email or a phone call. A malicious hacker could pose as one of your email contacts and send you a message to get personal information. Or an email aligning to your interests that seemingly comes from a store you frequent could allow a hacker access to your bank account. Perhaps your friend reaches out in need of help for an issue they are experiencing. One click in that email and a cybercriminal has instant access to all kinds of data about you from the operating system you use, even your social security number.
Some warning signs to think about if you believe you’re being attacked:
A hacker won’t give you their contact information, name, phone, or email address; they tend to pose as “someone else” familiar to you; if you’re at all suspicious and ask for their real name and info, they won’t divulge.
Hackers might come across with a sense of urgency and you need to act quickly to prevent something bad from occurring.
They might intimidate you to convince you to take action by informing you of an “issue” using technical words they know you won’t understand, yet seem legitimate.
They could misspell words in their communications or ask odd questions to get you to reveal more information.
Effective social engineers will try to build trust with their victim first by associating themselves with a reputable company or simply starting a casual conversation about a topic of your interest.
“My mom just became a victim of a social engineering hack recently…A person hacked into her email and she received a notice her firewalls were damaged and that she needed to pay money to have them restored before her data was compromised…a few hours later she found herself on the phone with a supposed representative of a reputable tech company giving out her credit card info to remedy the situation. It was incredibly disheartening to hear and I felt terrible that she experienced that. Fortunately, she was able to get her money back but this wasn’t the first time she fell victim to such a scam.” ~ a Circadence employee
This is just one example of what can happen when someone is unaware of social engineering tactics or just doesn’t know how to recognize them.
How to Protect Yourself from Social Engineering Attacks
Understanding defensive strategies will help anyone looking to “up the ante” on their social engineering detection prowess. Some strategies include:
Know what “bad” emails look like/email sender email address
Identify suspicious website URLs
Set spam filters to “high”
Update your passwords regularly (and don’t just change one character to make it “new”)
These are just a few options but honestly, one should not simply “pick and choose” from the above options in a silo. Those looking to protect themselves should adopt what SANS calls a “multi-layered” defense against social engineering, where if a hacker penetrates one level of protection, he/she can’t get into the next layer without being “found out.” And when all else fails, trust your gut! If something seems strange, out of the blue, or too good to be true, it probably is.
Persistent Cybercrime Requires Persistent Cyber Learning and Training – with Games!
Security awareness and defensive strategies are more than just telling people to update their software when prompted. It requires a deeper analysis and understanding of what, when, and how cybercriminals exploit vulnerabilities (and warning signs you’re being attacked).
Further, as social engineering attacks infiltrate and impact businesses, employees need to know what confidential information is, how to identify sensitive data, and how they as individuals can safeguard it simply by being proactive and cautious in their everyday online behavior. Nobody is immune to a social engineering attack and malicious hackers are working new vulnerable people every day to make progress and get what they want. But don’t let the “doom and gloom” of persistent cybercrime get you down…get empowered and fight back!
To begin a journey toward social engineering self-protection, we recommend looking into tools that help you learn cyber security basics and foundations. Our inCyt tool can help with that. It is a gamified security awareness training solution that doesn’t require any prerequisite knowledge of cyber security to play.
Accessible via a browser, inCyt invites players to complete in epic cyber-themed battles to increase the Cyber IQ of all players. Players gather intel and then use gamified hack processes like phishing and malware to take out their opponent. It disrupts the standard, stale teaching options currently available by giving people instant, approachable access to learning cyber in a fun way. Non-technical employees too, can play and learn real-world concepts like social engineering.
Social engineering is a very real threat and one that isn’t going away any time soon. Once companies realize that every cyber vulnerability starts with its people knowing and understanding how to protect themselves, the more companies will be on the defensive against these types of attacks. A willingness to empower oneself with persistent, gamified training and a multi-layered defensive approach is key to stopping social engineering hackers in their tracks. If more people adopt these strategies, social engineering will become much more difficult to deploy.