Inside inCyt: The Benefits of Gamified Cybersecurity Learning (An Interview with Cassie Brubaker)

Reading Time: 4 minutes

Here at Circadence, we are dedicated to taking cybersecurity learning to the next level. We do this through gamification that is accessible to all ages and ranges of knowledge on the subject. Our own Cassie Brubaker, co-creative director on our security awareness mobile app inCyt™, helped us understand the differences between learning and training, and how games can bring value to skill building in the technical world.

Why does cybersecurity really matter in today’s interconnected world?

C: When we don’t understand something, we don’t feel empowered. So, when I think about the importance of cybersecurity and cyber awareness, it’s more a story of empowering people to take back control of their lives. It’s a story about not being scared to live your day-to-day life because you understand [cyber] and you’re in control of it and I think that’s a wonderful thing.

I get that everybody needs to make their companies more secure, but I think it comes at a personal level too. If you feel in control over your personal life, you’re going to be a better contributor to your entire business, you’re going to be a better contributor to your family, you’re going to be a better contributor to yourself.

When we learn more about cybersecurity, we are empowered. Given your expertise with game development, what are the differences between learning versus training?

C: Games provide an inherently clever method to promote learning. There is a place for training, but in my mind, it’s a lot more formal. Learning has a broader application for me. It can happen in all kinds of different moments. You never know when you’re going to learn something new and that’s the magic of it. Training is more like, “let’s get this piece of information across in this specific way.” With our game inCyt, I’ve had so much fun trying to find all the different ways you can learn. You can play it again and again and it’s a little different every time. I can’t guarantee what lesson you’re going to learn when you play today and I don’t know what lesson you’re going to learn when you play tomorrow, BUT you’re going to learn something because you’re engaging with a well-designed product that has been crafted in such a way to give you all kinds of realistic experiences as it pertains to cybersecurity. 

Let’s talk briefly about inCyt and how it uses gamified learning.

C: inCyt is a mobile app that builds cybersecurity awareness. It is designed to educate everyone on fundamental cyber concepts and attack methods. It does this through two learning paths:  a concept learning component and gameplay component for individuals or teams.

The solution is taking the common perception of cybersecurity and flipping it on its head. Cybersecurity, as it exists today, does not conjure up feelings of peace and comfort the way you might expect from a field focused on security and safety. inCyt brings a radically different approach to the existing landscape – one that invites anyone and everyone to step out of the darkness and take their first step towards cyber enlightenment. One of the cool things about this product is that you’re learning organically about cybersecurity as you play, but you’re just having fun battling with your friends. The more and more you play, the more the cyber concepts start to sink in because you’re seeing them applied in real-world scenarios.

Who should play inCyt?

C: inCyt has been designed to reach all ages and experience levels. It’s ultimately designed for people who know very little about cybersecurity, but because we’ve built it to be playful and with a bit of strategy, even people who are cybersecurity professionals could play it and enjoy it. One of the things we found in testing within the company is that people who do this for a living will play it and say, “I think I could actually use this with my family, they don’t understand what I do.”

What is the ultimate value in a game like this?

C: The ultimate value of inCyt as a product for any company is that it is first and foremost fun for your employees to play. They are going to jump in and not going to feel like they’re being put through some mundane training exercise. There are two different ways that were teaching employees about cyber awareness. One of them is what I call “organic lessons” and that’s what happens primarily in the gameplay itself. We give players a bunch of cyber tools and allow them to experiment through gameplay and find what strategies work. In doing this, we’re creating employees that think one level bigger, more strategically about the “whys” and the “what’s” as opposed to a memorized list of rules that need to be followed. Nobody likes that. After learning the basic cyber concepts, players can compete in the gameplay portion of the app.

When working on inCyt, how did you address different learning styles?

C: In terms of different learning styles, that’s really where we’ve gone into playtesting as our method to lean against. Everybody wants something a little bit different when they play – some people want all of the answers up front, they want to know exactly how to use it and they want to know why they’re doing it, while some people want to experiment. Through those playtests, we’re able to make variations of the gameplay that hit the largest range of learning styles. It’s really from a human engagement level, less of a theoretical learning style level. That’s why the playtests have been so helpful for us.

For more information on the benefits of gamified learning, check out the below-recommended reading.

 

Recommended Reading:

The Importance of Gamification in Cybersecurity Training

Why Gamification is the Answer You’ve Been Looking For

Benefits of Gamified Learning

 

Penetration Testing Challenges and Solutions

Reading Time: 3 minutes

It’s one of the most direct and proactive cyber security activities organizations can do to protect themselves from an attack, penetration testing.

Also known as ethical hacking, it involves legally breaking into computers to test an organization’s defenses. Companies make it a part of their overall security process to know if their systems are strong or not. It’s kind of like preventative maintenance. If a hired penetration tester can get into their system, it’s relatively reassuring because penetration testing teams can take steps to resolve weaknesses in their computer systems before a malicious hacker does.

So how does penetration testing work? What roadblocks are professionals in this field facing? How are companies using penetration testing today? What innovations in penetration testing are available today? All these questions will be answered in this article. And if you have questions about any of it, please contact us for more information.

What is Penetration Testing?

Now that we understand why penetration testers exist and how critical they are to companies security posture, let’s review how they work. The ethical hacking process usually involves working with the client to establish goals and define what systems can be tested, when and how often without service interruptions. In addition, penetration testers will need to gather a lot of information about your organization including IP addresses, applications, number of users who access the systems, and patch levels. These things are considered “targets” and are typically vulnerable areas.

Next, the pen tester will perform the “attack” and exploit a vulnerability (or denial of service if that’s the case). They use tools like Kali Linux, Metasploit, Nmap, and Wireshark (plus many others) to help paid professionals work like hackers. They will move “horizontally or vertically,” depending on whether the attacker moves within the same class of system or outward to non-related systems, CSO Online notes.

Penetration Testing Career and Company Challenges

As you can imagine, being an ethical hacker naturally requires continuous learning of the latest attack methods and breaches to stay ahead of the “black hatters” and other unauthorized users. That alone can present pentesting challenges because it requires a huge time commitment and lots of continual research. In addition, the following penetration testing challenges are keeping organizations up at night:

  • There were more than 9,800 unfilled penetration testing jobs in the U.S. alone. With all these jobs open, businesses are challenged to find these professionals for hire, leaving them without resources to harden their potential security vulnerabilities.
  • High costs prohibit hiring dedicated and skilled CPTs. Not all CPTs are created equal, while some third parties only perform vulnerability analysis as opposed to thorough pen tests.
  • Most tests are conducted via downloaded tools or as one-off engagements focused on known threats and vulnerabilities.
  • Many third-party engagements have to be scheduled well in advance and run sporadically throughout the year.

A New Penetration Testing Training Solution

Recent reports note that 31% of pen testers test anywhere from 24-66% of their client’s apps and operating systems, leaving many untouched by professionals and open to vulnerability. In the face of these penetration testing challenges, government, enterprise, and academic institutions are turning to technology and persistent training methods for current staff to help. Automated penetration testing tools can augment the security testing process from asset discovery to scanning to exploitation, much like today’s malicious hacker would.

Circadence is proud to have developed a solution (available soon) that automates and augments penetration testing security professionals with a platform called StrikeSetTM. StrikeSet is designed to increase the efficiency and thoroughness by which pen testing is performed. Specifically, the platform can help professionals perform hacks and simulated attacks on systems while machine learning capabilities provide session analysis and create unique threat playbooks for operators. It also monitors and tracks tool behavior for classification.

In addition, data is gathered from distributed operators who can remotely collaborate on how to gain access to a system and exploit development, perform SQL injections, forensics analysis, phishing campaign orchestration, and much more. That data analyzes Red Team’s TTPs with the aim of mimicking approaches to save on resources and time.

With cyber attacks becoming the norm for enterprises and governments, regular scans and pen testing of application security is key to protecting sensitive data in the real world. Coupled with holistic cyber training for offense, defense, and governing professionals and enterprise-wide cyber hygiene education, enterprises and governments will be better prepared to handle the latest and greatest threats. It’s time for organizations to leverage tools that automate and augment the cyber workforce in the wake of an ever-evolving and complex threat landscape.

 

Keeping Critical Infrastructure Strong and Secure

Reading Time: 2 minutes

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to protect our Nation’s critical infrastructure.  Circadence’s mission is to build awareness about how next-generation cybersecurity education and training can improve cyber preparedness. This month is an excellent time to talk about that in relation to critical infrastructure.

“We are seeing government agencies and companies work to make systematic, holistic, and cultural changes through improved cybersecurity standards, best practices, processes, technology, and workforce,” said Josh Davis, Director of Channels. “The massive, distributed, and legacy infrastructure we have today demands a layered security approach that focuses on building a true understanding of what’s at risk within critical infrastructure systems —and that requires a targeted focus on the people who operate these systems both digitally and physically.”

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the communication systems we rely on for business as well as staying connected to friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

During November (and year-round), Circadence focuses on engaging and educating public and private sector partners to raise awareness about the security posture of the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks.

This November, help promote Critical Infrastructure Security and Resilience Month by:

Our virtualized cyber ranges-as-a-service (CyRaaSTM) provide public/private entities the opportunity to train in realistic cyber environments that mirror their actual interconnected, internet-of-things networks. These virtualized ranges can model the digital footprints of companies, agencies, entire city networks and even Nation State operation exercises, into living physical and fifth domain environments. Teams can collaborate and train together to test and improve their cyber skills in protected environments that can scale and flex as their organizations’ inter-connected structure does, but without impacting live systems and networks.

By combining Circadence’s Project Ares®, Orion Mission Builder™, and StrikeSet™, your organization can learn and grow without impacting your operations. This next-generation combination transforms traditional lecture-based learning, taking it out of the classroom and into interactive real-world environments, at any scale, anytime, anywhere.

We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

To learn more, visit www.dhs.gov/cisr-month.

A Rising Tide Lifts all Boats: Celebrating National Cybersecurity Awareness Month

Reading Time: 3 minutes

National Cybersecurity Awareness Month (NCAM) in October reminds us of the importance of being safer online, in both our professional and personal lives. Easier said than done, eh? Who’s to say the majority of us even know what makes us “safer” online, or for that matter what makes us vulnerable or should raise a red flag?

It all starts with awareness. I’d like to suggest that “IT Literacy” is no longer enough. Now, in 2018 and beyond, “Cyber Literacy” needs to be a year-round, all-encompassing movement. And regardless of whether or not “Cyber-” or “IT-”anything is or will be in your title, cybersecurity must matter to you.

During a recent workshop presentation I delivered to attendees at the Florida CyberCon 2018 in Tampa, I likened our cybersecurity practices to the idea of personal hygiene. Because let’s face it, one’s personal hygiene is something that,
a.) you are personally aware of and educated on how to maintain
b.) is attended to routinely
c.) is well understood in terms its impact on your overall health
d.) has a relative impact on everyone around you regardless of direct contact

Cybersecurity can be thought of much in the same way. We must all begin to realize that cybersecurity demands the same kind of personal awareness and attention – it not only impacts us as individuals but also our family, colleagues, department, agency, company.

I believe that part of the disconnect around cybersecurity best practices comes from the assumptions we make as consumers in general – that what we’re buying is designed and sold with our best interests, and security, in mind. For example, you buy a new car and it comes equipped with seatbelts, turn signals, airbags, automatic brakes and locks, etc. The food you buy and eat is certified by the Food & Drug Administration to indicate it has been safely grown/ raised and suitable for human consumption. When making technology purchases, we cannot take these same conveniences for granted.

Now, that’s not to say that all technology is inherently unsafe, but my point is, we can’t settle with pre-installed safety protocols because, as we know, technology is ever evolving and failure to frequently update it and use it safely results in vulnerabilities that hackers will exploit for financial, reputational, or economic gain. Just like with personal hygiene, healthy practices and regular routines are necessary for optimal cyber literacy and performance.

The goal behind NCAM is to encourage us take some time to understand the problems resulting from poor cybersecurity practices. Those behaviors will not start to diminish until school counselors, parents, teachers, administrative assistants, nurses, athletes, and everyone become more aware of their cyber posture. There’s a reason why the laptop or PC you’re reading this on asks you to update its internet browser and operating system. And those push notifications you get on your phone to update your apps aren’t coming through to annoy you and eat up your battery and data. These simple practices and others — like resetting passwords and activating double-verification – will improve your cyber hygiene and protect you against ongoing threats to infiltrate the devices and exploit the data of our everyday lives.

So, did you shower today?
Did you check your computer updates today?

Ready to learn more? Checkout our new short, fun education videos on the “Cybersecurity Whiteboards” video playlist, here: https://www.youtube.com/playlist?list=PLUdKZUJquY1hn2EwlBJ90MyunBYcAaXRk.

As National Cybersecurity Awareness Month comes to a close, it’s important that the efforts put forth do not end. The reality is this: as the cost of compute power continues to be driven down by advancements in manufacturing and technology, the resources used by malicious hackers become more accessible. This, combined with the fact that a successful cyber breach gets more and more newsworthy and profitable by the day, means the problem isn’t going anywhere anytime soon. When we take steps together to be stronger individually, we become stronger collectively. We can prove the saying, “A rising tide lifts all boats.” Together, we can lift the intellectual property, national security and private data “boats” if we all commit to be more cyber conscientious and cautious.

Game On: The Benefits of Active, Gamified Learning in Cyber Training

Reading Time: 3 minutes

What is gamified learning? Before we dive into that question, let’s discuss some of the ways we currently learn about cyber today. Traditional cyber training has been conducted in the same way for years, comprised of static, classroom-style settings complete with a teacher lecturing and passive listeners. This model causes people to forget 

  • 40% of what they’ve learned after 20 minutes 
  • Between 50-80% of what they’ve learned after one day   
  • 77% of what they’ve learned after six days
  • 90% of what they’ve learned after one month  

In addition to forgetting material learned, there’s minimal opportunity for the student to proactively solve problems, think critically, and analyze material. Instead, they superficially understand concepts without truly learning their application to real-world situations. This leaves the trainees disengaged, disempowered, bored, and unmotivated.  

We believe there’s a better way to deliver information security training—a way that engages teams in healthy competition and in critical thinking and problem-solving activity. Through active learning, studies show learners are more engaged, empowered, excited, and possess deep, conceptual understandings of topics learned. Active learning involves collaborating with teams and applying concepts to real-world exercises and scenarios, which improves retention rates to 75%, compared to 5% through traditional learning methods. 

So why is active learning so important for cybersecurity professionals?

Because the undeniable jobs shortage affecting the industry is prompting CISOs to take a closer look at ways in which they can close the skills gap. The first step involves leveling up existing cyber teams by equipping them with the tools and skills they need to do their jobs better. Without proper cyber training and skills development, professionals can’t keep pace with evolving cyber threats, causing teams, organizations, and companies to succumb to hacker attacks.  

How significant is this issue? According to a recent ESG/ISSA study, 70% of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage, with ramifications such as an increasing staff workload, hiring and training junior personnel rather than experienced professionals, and situations where teams spend most of their time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc.  

So what can we do about this?  

Consider gamified cyber training 

Not only is hands-on, active learning important but we believe that gamification is the natural, logical step in training the next gen learner (born after 1980), who has never known a world without video games. Gamification is often defined as the process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. When we think about the benefits of gamification of cyber security training, it is a learning style best suited for today’s learner who grew up playing video games and being motivated by elements like leaderboards, competition, collaboration, and social proof/progression. 

Even academic institutions across cyber schools are exploring cyber security games for students to complement their classroom learning. Some institutions like CU Boulder have even crafted an entire class around gamified cyber training using Project Ares in their syllabus.

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. Further, it enables learners to apply what they know to simulated environments or “worlds,” creating a natural flow that keeps learners engaged and focused. Organizations that offer gamified exercises to teams report that 96% of workers see benefits including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times, and enhanced self-efficacy.   

In gamified environments, trainees are typically:  

  • rewarded for good behavior 
  • incentivized to maintain good behavior 
  • encouraged to dialogue about their lessons learned with peers 
  • reminded of what they don’t yet know and held accountable 
  • engaged in their progress thanks to leaderboards 
  • prepared to participate in simulated threat situations that further prepare them when real-world situations occur 

 

Active, gamified cyber training is only effective if employees apply their skills learned and acquired to real-world scenarios. For this reason, cybersecurity leaders are encouraged to measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of the organization.  

“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” Grant Bourzikas, chief information security officer at McAfee. (ComputerWeekly) 

Great, there are clear benefits. Now what?

Now it’s time to reflect on how your organization can benefit from gamification in cybersecurity training. First, look at what training (if any) is currently occurring. Then, speak with teams about where they’d like to improve and draw clear parallels between the investment in training and desired business outcomes. And of course, when you’re ready to learn more, contact us to see how gamified training actually works through our Project Ares® platform.