WHAT ARE CYBER RANGES?
Cyber ranges were initially developed by government agencies looking to better train their cyber operators on new skills and techniques. To do this, one or more physical ranges were installed on-premises. Cyber range providers built representations of actual networks, systems, and tools that helped cyber professionals train safely in virtual, secure environments without compromising the agency’s operational network infrastructure.
Today, cyber ranges are used across the cyber security sector to train IT professionals in all industries and help improve defenses against cyber-attacks. As technology advanced, cyber range training advanced as well, both in scope and potential. More on this later.
To schedule a demo of Circadence’s cyber range platform, visit https://www.circadence.com/request-a-demo/
The National Initiative for Cybersecurity Education reports that cyber ranges provide:
- An environment where new ideas can be tested safely and teams can work to solve complex cyber problems
- Performance-based learning and assessment
- A simulated environment where teams can work together to improve teamwork and team capabilities
- Real-time feedback
- Simulated on-the-job experience
Most cyber ranges come in one of two forms: a network environment without pre-programmed content, or a network environment with prescriptive content that may or may not be relevant to a user’s industry. Either type limits the learner’s ability to develop enriched skill sets beyond what their specific work role may dictate.
UNDERSTANDING & EVOLVING CYBER RANGES IN A BOX
Typically, a cyber range in a box has been a collection of virtual machines hosted on an on-premises system. Circadence, however, has taken the concept of a cyber range in a box and placed it in the cloud to better scale cyber training. We lovingly call this CyRaaS, or Cyber Range-as-a-Service, and it is integrated into our Project Ares cyber learning platform.
Instead of purchasing a physical set of machines that takes up space in a room, the virtual machines exist in the cloud and can be accessed from any location by professionals who want to train persistently and develop cyber skills. The cloud is recognized as one of the most secure spaces to house network components (and physical infrastructure). Because cloud-hosted ranges spin up environments quickly, deliver the latest training content, and engage users in productive training activities, accessing cyber ranges in the cloud is the latest and greatest approach for professionals training in ‘sandbox’ environments.
By offering cloud-based cyber-range-in-a-box services to support cyber training in Project Ares, we are able to deliver more relevant tools and technologies to help professionals gain the best cyber security training possible.
The service allows Project Ares to emulate industry-relevant network configurations within learning activities that help trainees practice defensive tactics. Cloud-based cyber ranges also offer hands-on keyboard experience with real-world tools and emulated network traffic to reflect the authentic feeling of an actual cyber-attack.
Advances in Artificial Intelligence and machine learning allow us to use cloud ranges to their full potential by tracking patterns in training data to reveal player learning progression with minimal human intervention and oversight. Those patterns are then used to inform the recommendations of an in-game advisor (Athena) with chat bot functionality, so players can get help on cyber range training activities in the platform. Further, cloud-based cyber range training gives security professionals better predictive capabilities when defending against and anticipating threats—and, according to Microsoft, can even “improve the efficacy of cyber security, the detection of hackers, and prevent attacks before they occur.”
GAMIFIED CYBER RANGES
Not only have we taken physical cyber ranges and placed them in the cloud, but we’ve also added elements of gamification to further drive the effectiveness of cyber training.
With many studies touting the benefits of gamification in learning, it only makes sense that cyber ranges come equipped with sets of gamified elements (e.g. leaderboards, scoring mechanisms, points, badges, levels, etc.). Project Ares has a series of cyber learning games that teach foundational cyber concepts and terms, battle rooms that teach tools, tactics, and procedures, and team-based missions that bring learning full circle when players are tasked with defending against a realistic cyber threat scenario. This level of cyber learning is done in the cloud so professionals can work together from anywhere in the world to collaborate and defeat modern-day attacks.
We hope this post helped you understand the true potential of cyber ranges in the cloud and how they are evolving today to automate and augment cyber workforce training and learning.
You know it and we know it: security awareness training doesn’t have the best reputation. Many employees who are required to undergo security awareness training do so under the direction of human resources or a risk and compliance department within their company. Trainings have long been conducted via static PowerPoint presentations, lecture-based talks, online “tutorials”, and other passive methods that don’t result in the employee retaining much of anything. It merely becomes a box employees check off on their requirements sheet before they move on.
This is not the way cyber security awareness training should be implemented. We know that current trainings like this are ineffective in helping employees learn cyber best practices or, more importantly, change their online behavior for the better. The “learning pyramid”, sometimes referred to as the “cone of learning”, developed by the National Training Laboratory, suggests that most learners only remember about 10% of what they read from textbooks, whereas retention improves when gamification is incorporated into training and learning activities. In fact, according to Talent LMS, 89% of employees believe they’d be more productive if their work were more gamified.
Don’t believe us? Take a peek at the recent news headlines and industry reports showing that human error is still a primary contributor to, and cause of, significant company breaches. Employees aren’t empowered with the knowledge of what to look for in suspicious emails or phone calls, resulting in higher cyber risk for organizations.
- Shark Tank’s own Barbara Corcoran recently lost $380,000 in a phishing email scam.
- People are getting scammed by hackers capitalizing on fear of the Coronavirus to steal money and sensitive data, according to Yahoo Finance.
- The 2019 Data Breach Investigations Report (DBIR) highlights that a third of data breaches (34%) involved internal employees.
- CNBC reports “Individuals reported losing almost $153 million to government imposter schemes in 2019, according to the Federal Trade Commission.”
And that’s only a few of many incidents that indicate the need to foster more effective security awareness training to truly change digital behavior.
Pain Points of Traditional Security Awareness Training
- Actually changing behavior—Getting an employee to go through security awareness training is one thing, but actually changing their behavior is another challenge all its own. Training can’t be a ‘one and done’ effort. It must be engaging enough for people to retain learned information so they can recall it when faced with a cyber threat. To do this, security awareness training must have a ‘what’s in it for me?’ component; otherwise, there’s no incentive for an employee to do the training at all. Teaching elements like scoring, competition, badges, levels, and ‘digital rewards’ help engage employees so they move training off the ‘must do’ list and onto the ‘want to do’ list.
- Convincing employees it directly impacts them—If you’ve never been in a car accident, you may be inclined to drive a little faster on the highway, not thinking twice about the repercussions because “an accident will never happen to you.” Wrong. Just because your company may not have been breached (yet) doesn’t mean you can skip security awareness training. Unfortunately, the daily onslaught of company breaches making news headlines indicates that the ‘we don’t need security awareness training’ thinking is not only outdated but will leave your organization more vulnerable to an attack. Everyone needs security awareness training if they do any kind of work on an electronic device (whether a computer, phone, internet-connected system, etc.).
- Perceived protection from technology—It’s quite common to presume that today’s technology has ‘built-in’ security to protect against hackers, and while some devices do offer limited protection, it’s not enough. As fast as technology is advancing, there’s always a gap in security waiting to be exploited. Spam filters, antivirus software, and firewalls are great, but hackers know the easiest way to get sensitive data and cause disruption is by going through people first. A multi-layered security strategy that places people at the forefront of defense is critical to hardening posture from all angles.
Empower Employees with Fun Security Awareness Learning
Just because the industry has typically conducted security awareness training in a passive manner in the past doesn’t mean it works—and it certainly doesn’t mean that we have to keep doing it. So let’s flip the script on security awareness training, shall we?
We recently debuted inCyt, a security awareness learning tool, at RSA this year. It is an evolving solution designed for non-technical employees to learn cyber foundations and improve online workplace practices. In it, we dare to have fun with security awareness training by simplifying and gamifying the complexity of cyber. We expand the understanding of the threat landscape for non-technical employees who work on business systems by introducing basic concepts through the mind of a hacker. Then the player is encouraged to demonstrate their learned knowledge in a “final” lesson where they defend their digital assets from a bot hacker. Games are designed around the cyber attack sequence that outlines the structure of an online threat.
Players with limited cyber knowledge learn basic concepts through cyber-themed battles against a bot attacker, and the learning becomes ‘sticky’ because engaging information is retained. Colorful characters, friendly competition, and relevant cyber examples improve security awareness aptitude.
inCyt currently teaches the following security foundations, with more on the way!
Phishing & Email Security
- Understand what phishing is.
- Understand the impacts of phishing.
- Identify common indicators of phishing attempts.
- Identify appropriate countermeasures related to phishing.
- Understand the risks associated with public internet.
- Identify proper safety precautions when online shopping.
- Understand the impact of what and when you post online.
- Understand the importance of strong passwords.
- Identify best practices when creating passwords.
- Understand multi-factor authentication.
Future game topics and themes will include: Social Media, Least Privilege, Remote Work / Bring Your Own Device (BYOD), Computer & Software Updates, Response to Potential Attack, Data Value, Preservation & Recovery.
So what do you think? Is it time to change up your security awareness training approach? Perhaps try something new to strengthen the element of your organization most exposed to attack: your people.
Schedule a demo of inCyt today to learn more.
Circadence was mentioned in Cyberwire’s “Daily Briefings” section for the debut of inCyt, a security awareness solution for enterprises and non-technical employees.
Circadence Corporation announced the debut of inCyt, its new cybersecurity awareness learning solution, at the RSA conference today. inCyt will be demonstrated to RSA attendees between February 24 – 28, 2020 at the Moscone Center in San Francisco, California, in preparation for its official release in Spring 2020.