Good Bots and Bad Bots: How to Tell the Difference to Stay Cyber Safe

You may have heard or read the term “bot” in the context of cyber security. Normally we hear this word in the wake of a cyberattack and relate it to breaches in computer or network security. While there are certainly bad bots, there are good bots too! So what exactly is a bot, how can you differentiate, and how do they work?

What are bots?

The term bot is short for robot. A bot is a type of software application created by a user (or hacker) that performs automated tasks on command. There are many variations, from chatbots to spider bots to imposter bots. Good bots assist in automating day-to-day activities, such as providing up-to-the-minute information on weather, traffic, and news. They can also perform tasks like searching the web for plagiarized content and illegal uploads, producing progressively intelligent query results by scouring internet content, or helping find the best purchase deals online.

While we encounter bots like these in our everyday activities without really thinking about them, being aware of bad bots is important. Bad bots, used by adversaries, perform malicious tasks and allow an attacker to remotely take control over an infected computer. From there, hackers can infiltrate the network and create “zombie computers,” which can all be controlled at once to perform large-scale malicious acts. This is known as a “botnet”.

How do bots work?

Cybercriminals often use botnets to perform DoS and DDoS attacks (denial of service and distributed denial of service, respectively). These attacks flood target URLs with more requests than they can handle, making regular traffic on a web site almost impossible. Hackers use this as a way to extort money from companies that rely on their website’s accessibility for key business functions and can send out phishing e-mails to direct customers to a fake emergency site.

Protect yourself from bad bots

Don’t let this information scare you though! Awareness is a great first step to recognizing any potential harmful activity, whether on your own computer or on a site you visit online. Preventing bad bots from causing attacks before they start is easy with these tips:

  • Ensure your antivirus software is up to date by setting it to automatically update.
  • Routinely check the security options available to you for your iOS, web hosting platform, or internet service provider.
  • Only click on links and open emails from trusted sources. Avoid accepting friend or connect requests, responding to messages, or clicking on links from unknown persons on social media.

Bots can be incredibly helpful, and we use them every day. Knowing how to differentiate the good from the bad while taking the necessary precautions to protect yourself against malicious bots will ensure that you only need to deal with bots when they are telling you about blue skies or saving you money on that great shirt you’ve been wanting!


How to Launch a Cyber Security Career

Preparing for a cyber security career is more enjoyable than you may think! The technical challenge, problem-solving, constant change (you’re never bored!), and continuous learning opportunities are positive experiences one can have when entering the field of cyber security.

For any interested student or autodidact, pursuing a cyber security career may seem a little daunting. But with the right cyber security tools and teachings in place, coupled with the latest proficiencies, any person can learn cyber and garner the skills necessary to enter the workforce with confidence and competency.

The earning potential for an individual pursuing a career in cyber is significant. The national average cyber security career salary is $93,000 (on the low end) for a security-related position in the U.S. according to the Robert Half Technology’s 2019 Salary Guide. The industry offers high paying jobs, yet many positions continue to be unfilled with an estimated 3.5 million open cyber positions by 2021. Today, there are more than 300,000 open positions nationwide.

This begs the question: what is the best way to fill the cyber security skills gap with motivated and budding professionals? The answer is multi-faceted but at its core is a fundamental shift in how we prepare and train them with the skills needed to thrive.

Pro Tips for Building a Cyber Security Career Path 

Just like many other career paths, cyber security needs people who possess a mix of academic, theoretical-based knowledge, practical skill sets, and a lot of creative thinking. An aspiring cyber security professional can learn the knowledge, skills, and abilities needed in the industry, seek out internships and/or apprenticeships, and learn of careers in cyber without actually being on the defensive frontlines of cyber attacks. Details of each approach are below.

IDENTIFY INDIVIDUAL CYBER STRENGTHS AND KNOWLEDGE/SKILLS/ABILITIES (KSAs)

The first suggestion for an individual who wants to learn on their own is to match their unique strengths (technical and non-technical) to the kinds of knowledge, skills, and abilities needed to do certain cyber jobs in the workplace. Understand what kinds of jobs are available too. Students will likely learn these details in traditional classes and in their coursework assignments. With Google at our fingertips, however, it’s easy to find a variety of online resources to learn cyber security KSAs, including ISACA, ISC(2), ISSA, and The SANS Institute, all of which provide information about the profession and detail certification and training options. By understanding the kinds of tasks performed in certain work roles and the kinds of behaviors needed to perform certain jobs, an aspiring cyber professional will be better prepared during the interview and job search process. He/she won’t be surprised to learn about what is required to start a job in cyber security.

PURSUE INTERNSHIPS, APPRENTICESHIPS, ALTERNATIVE PATHWAYS

As a self-guided learner, you likely have the go-getting attitude needed to find a cyber security internship, apprenticeship, or alternative trade school to start building your knowledge, skills, and abilities more.

Internships are available through many community colleges, technical colleges, and universities, each of which has well-oiled practices of connecting students with local companies. In fact, it’s not uncommon for most students, both undergraduate and graduate, to be required to complete an internship in their field of study before graduation.

Apprenticeships are a “learn while you earn” kind of model and are incredibly beneficial for both the company offering the apprenticeship and the student.

“This is absolutely fundamental, and a key plan in meeting the workforce needs. Our solution to the gap will be about skills and technical ability,” says Eric Iversen, VP of Learning & Communications, Start Engineering. “And the most successful of apprenticeship programs offer student benefits (e.g., real-world job skills, active income, mentorship, industry-recognized credentials, an inside track to full-time employment, etc.) and employer benefits (i.e., developed talent that matches specific needs and skill sets, reduced hiring costs and a high return on investment, low turnover rates and employee retention, etc.)”

The Department of Homeland Security created a Cyber Corp Scholarship program to fund undergraduate and graduate degrees in Cyber Security. Students in this program agree to work for the Federal Government after graduating (with one year of service for every year of scholarship).

These types of opportunities are especially advantageous for recruiting individuals who may be switching careers, may not have advanced degrees, or are looking to re-enter the field.

Alternative pathways are also quite accessible for the college graduate or self-driven learner seeking a career in cyber security. One cyber career pathway is via “stackable” courses, credits, and certifications that allow learners to quickly build their knowledgebase and get industry-relevant experience. These kinds of courses are available in high school (taking collegiate-level courses) and at the college level. Another type of alternative pathway is via cyber competitions and hackathons. Learners can gain practical skills in a game-like event while meeting fellow ambitious professionals. Participating in these events also makes for great “extracurricular activities” on one’s resumé too.

Circadence is proud to lend its platform Project Ares® for many local and national cyber competitions including the Wicked6 Cyber Games, cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge so students can engage in healthy competition and skill-building among peers. For more information on cyber competitions and hackathons, check out the Air Force Association’s CyberPatriot, Carnegie Mellon’s picoCTF, Major League Hacking, and the National Cyber League.

Cyberseek.org also has a detailed and interactive roadmap for hopeful professionals to learn more about how to start and advance their careers in cyber security. This interactive cyber security career pathway map breaks it all down. For example, if you’re interested in a software development role, you’ll want to build skills in Java or Python, databases, code testing, and software engineering, as well as build cyber skills in cryptography, information assurance, security operations, risk management, and vulnerability assessment. You may also consider certifications in Certified Ethical Hacking (CEH), Security+, Network+, Linux+, Offensive Security Certified Professional (OSCP), CISSP, and GIAC in addition to having real-world experience and training.

Cyber Security Career Requirements

We recommend three types of experience when considering a career in cyber security:

  • Degree experience for basic understandings of cyber theory and practice
  • Technical experience to demonstrate learned knowledge translates to skill sets acquired
  • Real-world training experience, either via an internship/on-the-job opportunity or via realistic cyber range training

Many entry-level cyber security job descriptions will require at least a bachelor’s degree or 4 years’ experience in lieu of a degree. Higher-level positions will require the academic degree plus some technical experience and/or real-world training.

It’s important to note that there are two types of cyber training available: a traditional classroom-based setting and an on-demand, persistent training option. Both are great in their own ways and can complement each other for holistic cyber learning. The classroom-based learning presents information to learners via PowerPoints, lectures, and/or video tutorials. Learners can take that knowledge and apply it in a hands-on virtual cyber range environment to see how such concepts play out in real-life cyber scenarios.

Since cyber security is an interdisciplinary field, it requires knowledge in technology, human behavior/thinking, risk, law, and regulation—to name a few. While many enter the field with the technical aptitude, many forget the “soft skills” to cyber security. To communicate effectively with a cyber team, problem-solve, analyze data, identify vulnerabilities, and understand the “security story” of the employer, a young professional needs to possess and demonstrate those social skills to thrive in their job.

The Variety of Cybersecurity Fields are Endless

There’s more to cyber security than being a network analyst or incident response manager. Interested, aspiring professionals can work in cyber security through other departments beyond security and IT. Cyber careers in human resources, marketing, finance, and business operations are all available sectors that allow a learner to “be in cyber” without doing the actual day-to-day frontline security defense tactics. It is important to know about the other careers individuals can pursue in cyber security because it is not just for the IT department to “manage” within a business. Furthermore, cyber security roles don’t have to be pursued at technology companies – there are many healthcare, banking, energy, and enterprise companies seeking cyber security professionals in their organizations. So, if a certain industry is of interest to you, you can explore cyber in that specific industry. In the age of digital transformation, practically every sector has a security need that needs to be hardened.

For young graduates entering the cyber security field, a multi-faceted approach to learning cyber security skills is recommended. The good news is that motivated learners have lots of avenues and resources available to them to pave a career path that best fits their needs and interests.

Diversity in Cyber Security: Why It’s Important and How To Integrate It

You may have heard that the cybersecurity skills gap is widening, and that there is a massive shortage of cyber professionals today. In fact, Cybersecurity Ventures predicts that there will be up to 3.5 million job openings in the field by 2021. In spite of the growing need for people in cyber, women continue to be underrepresented in the field.

According to major findings from the 2017 Global Information Security Workforce Study:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
  • Globally, men are 4 times more likely to hold C-suite and executive-level positions, and 9 times more likely to hold managerial positions than women.
  • In 2016 women in cybersecurity earned less than men at every level.

It’s no surprise that women are the underdog across plenty of male-dominated industries. So why is it so important for women to close the gender gap in cyber?

We need diverse perspectives in cybersecurity

Firstly, cyber is an area that benefits greatly from utilizing people with diverse perspectives and histories to solve problems. As threat actors and black hat hackers often come from disparate backgrounds, the wider variety of people and experience that are defending our networks, the better the chances of success at protecting them.

Combat the stereotype that cyber is only for men

Secondly, as there are so many empty jobs in the field, it is ultimately detrimental for a factor like gender to narrow the pool of people pursuing it. Unfortunately, the message is ingrained in women from a young age that tech and security are “masculine” professions, which results in a self-perpetuating cycle of unconscious bias against women in the field. These problems are difficult to fix because they are subtle and pervasive and often come back to issues in culture and education. In fact, an online survey, Beyond 11%, found that most women have ruled out cybersecurity as a potential job by the age of 15. This is unacceptable!

Everyone can learn cyber

Finally, there is a misconception that the cybersecurity industry is only for people with highly technical skills. Unfortunately, the “bad guy” hackers out there don’t require crazy technical skills to get to your personal information. Fortunately, being on the defensive lines doesn’t require them either. Cybersecurity is a highly trainable field and has a growing need for people in more positions than ever before, such as legal, marketing, and public policy – all of which women have proven to excel in. In fact, the communication skills, problem-solving and attention to detail skill sets needed to excel in cybersecurity are skills women possess and are really good at.

Introducing more women to cybersecurity


Programs and Events

Since many of these problems start for women from a young age and through somewhat unconscious societal and cultural constructs, it can feel like a daunting task to get women more involved in cyber. In order to combat these misconceptions, many programs and events have been put into place to provide young women with female role models in the cybersecurity field. Events such as the Women in Cybersecurity Seminar, Women in Cybersecurity Conference, and Cyber Day for Girls are just a small number of direct-action groups that companies like IBM have put in place to address the gender gap. Further cyber competitions like the Wicked6 Cyber Games, and organizations like the Women’s Society of Cyberjutsu and Girls Who Code are dedicated to introducing young women to cyber at that earlier age before they are told “it is not for them.”

Cybersecurity Mentorships and Internships

Mentorships and internships are another great way to introduce girls to other women in cybersecurity fields they may think are beyond their reach. Volunteers from tech companies have been going to summer camps specifically designed to encourage young girls to consider careers in STEM, such as the Tech Trek summer camp. Additionally, the Girl Scouts just introduced the first ever cybersecurity badge, which can be earned by completing curriculum and gamified learning around internet safety.

Persistent cyber career development

Another way we can support and retain women who choose cybersecurity roles is for companies to have policies in place that ensure women do not miss out on opportunities to further their careers after having children. Things like flexible hours and the option to work from home can be key in maintaining a diverse and productive workforce. Hiring managers can also work to ensure equal employment opportunities when looking to hire for a new position. People from all backgrounds should feel welcome to apply for roles in this highly trainable and accessible field.

We need all hands on deck now more than ever in cybersecurity, tech and STEM fields. Communicating to girls at a young age that technology isn’t just for their male counterparts, and that it can offer them a long and rewarding career, is essential in closing the gender and skills gap in cyber.

To learn more about how to diversify the cybersecurity workforce from a strategic standpoint, read our other blog “Diversifying the Cybersecurity Workforce.” https://www.circadence.com/a-call-to-diversify-the-cybersecurity-workforce/

 

 

On the Move: Cyber Attacks on the Transportation Systems

Everything is on the move. People. Agriculture. Water. Power. Materials ranging from home goods to hazardous waste all flow through a massively complex, public/private, interconnected – and increasingly automated – hive of vehicles and transport systems.

According to the Department of Homeland Security:

  • More than 19,000 airports with 780,000 commercial flights a month
  • 361 ports and 95,000 miles of coastline
  • Billions of passenger trips on mass transit (buses, subway, commuter, etc.) annually
  • Four million miles of roadway with 600,000 bridges and 400 tunnels

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP and transports nearly 20 billion tons in goods annually. Over the past couple of years, the industry has grown in complexity in logistical chains, production, facility and manufacturing partners, and plant management operations.

As a result of such growth, the industry has shifted to more automated processes, turning paper documents into digital formats, and using advanced analytics to address customer needs. Those efforts have placed more transportation systems online. With the expansion of the transportation industry into the digital domain, it has become even more alluring and accessible to cybercriminals.

Historical transportation cyber attacks

  • Maersk: A Petya malware variant infected the IT systems of the world’s largest shipping company, which operates 600 container vessels handling 15% of the world’s seaborne trade, in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecie airport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.

While many transportation companies understand the importance of keeping data and passengers safe and secure, a few companies have experienced the detrimental effects of an attack similar to other industries like the financial sector and healthcare.

From ransomware attacks to data breaches, the transportation sector is not immune to malicious hackers. While the industry has been thought of as “less vulnerable,” it also means the industry could be next in line for hackers to target. This is especially true now that automobiles and transit systems are becoming increasingly connected via IoT, or the Internet of Things. Many cars now come with their own WiFi hotspot, public transportation utilizes apps to help you get around, and specialty lanes on the highway use the internet to charge for driving in things like the express lane.

Unauthorized users know that such “untapped” industries are indeed at risk precisely because they haven’t been attacked yet, which leads industry professionals to believe their systems are secure rather than defenseless. A system may appear to be secure, but until the first oversight or staffing shortfall impacts security, it’s hard to be 100% certain. The transportation industry is new territory that can be easily exploited if persistent cyber learning, procedures and processes are not put in place.

Since most transportation organizations keep cybersecurity responsibilities in-house, building a culture of awareness within the organization that prioritizes education, skill-building, and continual awareness, is crucial to staying on top of threats. Transportation industry cyber teams and CISOs would do well to be proactive in their cybersecurity efforts instead of hoping their systems are secure from hackers. Hope isn’t a strategy.

So, what is the best strategy? Continuous learning that upskills your cyber teams. It can and should be a part of the transportation sector’s cyber readiness efforts to constantly improve their posture. Because, as we know, the only constant in cybersecurity is change. The transportation industry is dynamic and evolving, just like cyber threats. Cybersecurity is the responsibility of everyone, not just those in IT. All need to take ownership of how they contribute to the security of the company.

Failure to provide responsible oversight will not only impact everyone personally employed in the company, but it will have a ripple effect that extends out to the great social, political, and economic groups that depend on transportation.

Transportation’s reach and integration with so many other industries require and demand a stronger cybersecurity arm. To start strengthening the sector, we’ve prepared four strategies to form an elite cyber team. Without a strong cyber team in place, the newest technologies and tools will only go as far as the skill sets and knowledge base of your cyber team.

Ten Reasons to Check Out San Francisco while at RSA

Your definitive guide to de-compressing from the tradeshow chaos.

Exhibiting at and attending a tradeshow can be stressful. Packing, getting to your flight on time and finding your way in a “new” city are all trying. Not to mention, once you arrive at the show, the hours are long, the coordination is tedious, and all the coming and going from various conference rooms is tiresome—plus you are “always on.” We think you deserve a break! If you’re gearing up for the RSA 2019 Conference in San Francisco, CA this year March 4-8 at the Moscone Center, we’ve compiled the best stress-reducing, fun activities to do and see (after visiting with us at booth #6583, of course).

  1. RSAC After Hours Events: These events, hosted by the conference, offer Full Conference and Discover Pass holders the chance to hang out with industry peers and colleagues in a setting of their choice.
    • Tuesday, March 5th After Hours: Game Night at Moscone Level 2 from 7:00 p.m. to 9:30 p.m.
    • Wednesday, March 6th After Hours: Whiskey & Wine Tasting at Marriott Marquis Golden Gate B&C from 6:30 p.m. to 8:00 p.m.
    • Thursday, March 7th After Hours: Comedy Club at Moscone South Esplanade from 6:30 p.m. to 8:30 p.m.
  2. Check out The View Lounge rooftop at the Marriott Marquis for some delicious cocktails and incomparable views of the city. Only a 6-minute walk from Moscone Center! It’s the perfect place to bring clients and partners, do some networking, or enjoy a little alone time at the end of a long day of networking and meetings.
  3. Head to the Ferry Building to enjoy the sights and sounds of the city. The expansive marketplace inside is home to wine, coffee, food, and souvenirs. A great spot to grab some lunch or coffee and get out of the conference room.
  4. Yerba Buena Gardens is a beautiful place to reflect on the tradeshow experience thus far and find some peace after the busyness of the day. Serene waterfalls, sprawling lawns and gorgeous gardens are sure to help you unwind, and it’s right across the street from the conference. Beyond being a great place to relax, a sponsored game of Intro to Capture the Flag will be taking place in the park from 8:00 a.m. to 9:30 a.m. on Thursday, March 7th. This is a women’s only game geared toward beginners. You will gain real-life hacking experience while collaborating, game playing, and enjoying coffee and bagels.
  5. If you’re looking for hot new restaurants to try, look no further than these gems near the tradeshow:
    • Ayala Restaurant – A seafood-centric haven in the bottom of Hotel G in Union Square (another great place to visit).
    • Z&Y Bistro – Ramen, hot pot, and skewers with minimal, upscale décor. This “baby brother” of Z&Y Restaurant is located just northwest from the original on Jackson Street.
    • Trailblazer Tavern – Located in the SalesForce East Building, unique Hawaiian comfort food abounds in a modern space. Open for lunch, happy hour, and dinner with an indoor dining room, bar, and heated patio.
  6. Visit the San Francisco Museum of Modern Art, just around the corner from Moscone. The inspiring art and calm atmosphere are just the ticket for hitting the re-set button. Here is a list of museums that offer free days around the city if you find yourself craving more artistic expression!
  7. If art isn’t your thing, or you’re on the hunt for a very authentic San Francisco experience, be sure to check out the Cable Car Museum. It’s a free museum in the Nob Hill neighborhood. It holds historical and explanatory exhibits on the San Francisco cable car system, which can be regarded as a working museum in and of itself. If you’d like to actually ride one, here is a list of routes, tickets, and schedules.
  8. After spending the day at the tradeshow, why not visit the Fortune Cookie Factory and see what the future holds for you? This little bakery offers free tours, delicious fortune cookie flavors and toppings, and makes over 10,000 cookies per day, by-hand, from scratch. You can also get custom fortunes made as a gift for your colleagues and newfound customers and partners!
  9. Looking for an amazing shopping experience in the city? The Westfield San Francisco Center has you covered. From top department stores to small, SF-based boutiques, you can get whatever you need here. There’s also a dining hall and many delicious restaurants if you have trouble deciding what to eat.
  10. Still unsure of how to spend your time away from the Circadence booth #6583? Check out this list of sponsored parties around town. Keep checking back as this list will continue to get updated!

We hope you find time to enjoy yourself this year at RSA. Kickstart your city adventures with some fun and be sure to visit the Circadence booth #6583 for more excitement. We would love to talk shop and hear what you’ve been able to do from our list!


Guest Blog: Taking Cybersecurity Learning to a Whole New Level

Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago.  This event was hosted by Laura Lee, VP of Rapid Prototyping,  and one of the lead creators of the Project Ares training platform.

The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me.  The passion that Laura spoke with was something that I could relate to.  As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios.  Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.

One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment.  She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score.  This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.

The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me.  Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools.  If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.

To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.

Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.

A Call to Diversify the Cybersecurity Workforce

You’ve read about it, know it well, and can probably instantaneously identify one of today’s top cyber crises: the cybersecurity skills gap. It’s putting enterprises, governments and academic institutions at greater risk than ever because we don’t have enough professionals to mitigate, defend, and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021. The widening career gap is due in part to the lack of diversity in the industry.

And we’re not just talking about racial and ethnic diversity; we’re also talking about diversity of perspective, experience and skill sets. A recent CSIS survey of IT decisionmakers across eight countries found that 82% of employees reported a shortage of cybersecurity skills and 71% of IT decisionmakers believe this talent gap causes direct damage to their organizations[1]. It’s not just the technical skills like computer coding and threat detection that are needed; employers often find today’s cyber graduates are lacking essential soft skills too, like communication, problem-solving, and teamwork capabilities[2].

An ISC2 study notes that organizations are unable to equip their existing cyber staff with the education and authority needed to develop and enhance their skill sets, leaving us even more deprived of the diversity we desperately need in the cybersecurity sector. The more unique thinking, problem-solving and community representation we have in the cybersecurity space, the better we can tackle the malicious hacker mindset from multiple angles in efforts to get ahead of threats. Forbes assents, “Combining diverse skills, perspectives and situations is necessary to meet effectively the multi-faceted, dynamic challenges of security.”

In an interview with Security Boulevard, Circadence’s Vice President of Global Partnerships Keenan Skelly notes that as cybersecurity tools and technology evolve, specifically AI and machine learning, a problem begins to reveal itself as it relates to lack of diversity:

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Keenan said. “What we really have to do…is make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI engineering process,” she added.

The good news is that it is never too late to build a more diverse workforce. Even if your organization cannot hire more people from different career backgrounds or varying skill sets, existing cyber teams can be further developed as professionals too. With the right learning environments that are both relevant and challenging to their thinking, tactics and techniques, current employees can develop a more diverse set of cyber competencies, all while co-learning with diverse teams around the world.

Companies can also build relationships with local educational institutions to communicate critical workforce needs and better align the talent pipeline with industry needs, recommends a new study from the Center for Strategic and International Studies. Likewise, cyber professionals can be guest speakers or lecturers in local cyber courses and classrooms to communicate the same diversification needs in the industry.

While some experts say it’s too late to try and diversify the workforce in thinking, skill, and background, we beg to differ. If we give up now in diversifying our workforce, our technology and tools will outpace our ability to use them effectively, efficiently, and innovatively. It’s not too late. It starts with an open mind and a “take action” sense of conviction.

[1] CSIS, Hacking the Skills Shortage (Santa Clara, CA: McAfee, July 2016), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf. 

[2] Crumpler and Lewis, The Cybersecurity Workforce Gap, Center for Strategic and International Studies, January 2019.


Finding the needle in the cybersecurity haystack: Why gamification is the answer you’ve been looking for

To say we’re on an upward trajectory in the cybersecurity space would be an understatement. Cyber threats are increasing. Organizational spending is increasing. And the cost of a data breach is increasing, to somewhere around $3.62 million per breach according to the Ponemon Institute. With such exponential growth across the field, CISOs are actively looking for ways to strengthen their efforts. With the plethora of information available today, finding the right approach is like finding a needle in a haystack. It’s hard to know whom to believe, what to believe and how often. With so many options available, CISOs are understandably stymied in making educated decisions for an optimal solution. Fortunately, our 20+ years in the gaming industry have led us to a valuable conclusion that can help CISOs professionally develop their teams and protect their organization. The answer lies in gamification.

Gamification is a buzzword that has been floating around the technology sphere for quite some time and is gaining momentum. It’s commonly defined as a process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited.

The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But we’re not recommending gamification because it is the new, shiny object on the heels of AI. We’ve seen gamification work for companies looking to train their cyber teams.   

How does it work?

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. It allows trainees to apply what they know to simulated environments or “worlds,” creating a natural “flow” that keeps them engaged and focused. And we’re not talking about simple Capture the Flag games; we’re referring to cybersecurity exercises inspired by game-like activities to effectively engage learners.

According to Training Industry, gamified training programs are customizable based on an organization’s needs; visually driven through use of progress bars and milestones; and usually time-bound to hold employees accountable for task completion. Further, achievements, points, badges, trophies, and rewards/recognition of progress give users a sense of accomplishment, keeping them motivated and engaged.

Why is gamification powerful?  

The next gen learner (born after 1980) has never known a world without video games so it’s a natural progression that cyber training incorporate a style of teaching that best suits today’s learner. Neuroscientist Eric Marr said the reason it works so well is because when an individual engages with gamified simulations, the brain releases dopamine, a chemical that plays a role in the motivational component of reward-driven behavior. He says “Dopamine helps activate the learning centers in the brain. If your brain releases dopamine while you’re learning something, it helps you remember what you’ve learned at a later date.”  

Studies like “I Play at Work: Ten Principles for Transforming Work Processes Through Gamification” outline the following benefits:  

  • Increased engagement, sense of control and self-efficacy   
  • Adoption of new initiatives  
  • Increased satisfaction with internal communication  
  • Development of personal and organizational capabilities and resources   
  • Increased personal satisfaction and employee retention   
  • Enhanced productivity, monitoring and decision making    

 

At Circadence®, we have taken these learnings and applied them to our own flagship product, our cybersecurity training platform Project Ares®. Recognizing the widening cyber skills gap and evolving threats, only the most productive and effective training mechanisms will do—and the latest research tells us that gamified environments are here to stay. An immersive training platform, Project Ares appeals to today’s learner—and gets CISOs and their colleagues excited about training again. In contrast to passive, traditional instructor-led courses, gamification provides an active, continuous learning, people-centric approach to cybersecurity skills development.   

For a more in-depth look at the Importance of Gamification in Cybersecurity, download our white paper here.

Cybersecurity & Artificial Intelligence Trends from 2018

Worsening employee cybersecurity habits and the need for organization-wide cybersecurity literacy.

A study conducted by SailPoint reported that nearly 75% of employees engage in password re-use across accounts, as opposed to just over half four years ago. Nearly half of people surveyed admitted to sharing passwords across personal and work accounts. Part of this is being driven by employees seeing IT practices as inconvenient, as they seek circumvention in favor of personal efficiency.

Public awareness of cybersecurity issues is increasing.

Cybercrime making it into mainstream news headlines has also raised public awareness of its challenges, dangers, and impacts. An increased prevalence of ransomware, such as “cryptojacking” software, has been spurred by the relative ease of orchestrating difficult-to-trace ransom payments and increasing malware availability.

Artificial Intelligence is being used to enable personalized attacks at-scale.

Attackers are gaining access to troves of personal data to use for increasing threat effectiveness. By combining increasingly sophisticated AI techniques for language understanding with the scraping of publicly available, indexed data, it is becoming far easier for malicious actors to generate increasingly authentic, personalized attacks. As a result, large-scale personalized threats have a lower barrier to entry than ever before.

Artificial Intelligence provides a force multiplier for offensive capabilities.

Machine learning models provide a general mechanism for organization-tailored obscuring of malicious intent, enabling adversaries to disguise their network traffic or even on-system behavior to look more typical to evade detection. In addition to enhancing data exfiltration capabilities, these techniques provide the capability to continually model and adapt to their environment even after deployment, enabling them to persist undetected for longer and potentially infiltrate deeper into organizations.

Artificial Intelligence provides a necessary force multiplier for defensive operations.

Increasing system complexity, endpoint vulnerability, and attack sophistication have expanded the available attack surface in a manner that has left traditional monitoring techniques ineffective. Particularly in a world of increasingly intelligent threats and well-resourced actors, the only cost-efficient and scalable mechanisms for detection and remediation are quickly becoming artificially intelligent systems with the ability to sift through largely unstructured data, identify malicious behavior over potentially long time horizons, and dynamically respond. We’re seeing proof that applications of AI to both local-machine and organization-wide event monitoring can correlate observations to provide root cause analyses and incident investigations beyond traditional analyst capabilities on superhuman timescales.

Perhaps the most important trend over the past year has been the industry’s continued realization and acceptance of a coming arms race between AI-enhanced dynamic threats and AI-enhanced adaptive defenses. 

Artificial Intelligence is not a cure-all.

While AI has deservedly received substantial hype within the cybersecurity realm and beyond, there still exists a substantial gap between algorithm deployment and successful application. To that end, continuing education is still critical for cybersecurity professionals to be able to leverage, collaborate through, and engage with these technologies to form a basis for effective defense: providing AI-enhanced tools with the knowledge and data they need to operate and engaging appropriate levels of trust and reliance in their capability (both in terms of detection and response) to make them a formidable component of a modern defensive cybersecurity strategy.

Utilizing Cyber Range Learning in Academia

Cyber ranges are virtual learning environments used for cyber warfare skills development.  A cyber range offers hands-on learning opportunities for cybersecurity professionals by marrying traditional classroom concepts with more ‘sticky’ experiential learning techniques.

By effectively preparing students to address real-world cyberattack scenarios now, academic institutions will increase their success rate of achieving learning outcomes pertinent to the cybersecurity profession. Further, the students benefit by applying what they’ve learned to realistic cyber situations they’d experience in the workplace.

While there are many cyber range solutions on the market today, there are several key learning capabilities missing on their platforms. Some examples of this are:

  • Game-inspired exercises for fundamental concept learning and skill-building with repetitive, hands-on activities.
  • Defense strategy teaching, which involves engaging in multiple cybersecurity job roles to problem-solve challenges.
  • Limited or non-existent scoring methods for learners to assess skills performance.
  • Lack of team play for collaborative learning and greater strategic work.
  • Infrastructure-only ranges with no pre-programmed learning curriculum.
  • Prescriptive, “check the box” approaches with fixed content (that, over time, will become irrelevant and disengage learners).
  • A limited number of virtual environments.

To read more about cyber range learning environments for student skill building, download: “The Faces of Cyber Ranges: Tapping into Experiential Skill Building for Cybersecurity Teaching and Learning.”

 

To ensure your academic institution gets the most out of its cyber range investment, the following features and capabilities should be considered to best maximize student learning and skill building:

  • Ensure the cyber range comes installed with pre-existing content that is informed by real-threat scenarios and attack methods.
  • Look for cyber range content that is diverse, offering a mix of both concept-driven exercises and real-world, team-based activities for holistic learning.
  • Consider custom mission builders (like Circadence’s Orion™ Mission Builder) to create scenarios that mirror the latest threats happening today. This can ensure the learning material is constantly evolving, just as threats are.
  • Assess instructor capabilities for reviewing and grading student performance to prevent tedious log review work.
  • Confirm that course syllabi and other learning materials can be integrated into the cyber range platform to tie learning objectives to actual student performance.
  • Consider gamified activities that encourage students to “learn by doing,” individually and in teams.

In order to address these glaring needs, Circadence created Project Ares®, the face of the next generation of cyber ranges. Project Ares delivers learning and assessment opportunities to anyone from cyber newbies to cyber ninjas, with both individual and team-based engagements. It can be adapted to students in undergraduate and graduate university programs as well as Middle/High/Primary level schools. High engagement in cybersecurity education is critical because if students are not interested in learning new skills, and aren’t encouraged to think outside of the box, they won’t be adequately prepared to handle threats that are always changing and evolving in the workplace.

Academic institutions have an exciting opportunity in front of them: to lead the way with progressive, next-generation learning approaches that utilize cyber ranges to prepare students for the cybersecurity workplace. Don’t fall behind the times; look into learning through this exciting platform in order to better serve the future workforce.