Rethinking cyber learning—consider gamification

This post originally appeared on Microsoft’s Security Blog, authored by Mark McIntyre, Executive Security Advisor, Enterprise Cybersecurity Group

Cyber Monday and Black Friday Cyber Security Safety Tips to Prevent Holiday Hacks  

If you’re anything like me, you get really excited when the holidays roll around. The music is cheerful (the Hallmark Channel is on 24/7–high five!), the fireplace is roaring, and I can curl up with my blanket and mobile phone to SHOP ONLINE (of course). Ah, the spirit of the holidays…But the bah humbug part about the scene I’ve just set, is I’m not the only one feeling “festive.” Cybercriminals LOVE when surges in online shopping occur because people are looking for the best deals on gifts, bargain hunting, and planning for the biggest online shopping days of the year: Black Friday and Cyber Monday. This means adversaries can more easily manipulate our holiday spirits with cyberattack methods like phishing and social engineering, credit card fraud, and more.

So while you prepare your winter festivities and “add to cart,” consider these 12 tips to keep your “digital dwelling” safe and warm during Cyber Monday and Black Friday, especially.

Shop from websites you know and trust. 

Don’t click on those flashy “hot deals” that are likely too good to be true. Scammers deliver ads based on your interests, offering sweet discounts or great deals to get the click. Now is NOT the time to experiment with new retail websites and apps.

Don’t go “public.” 

Avoid public Wi-Fi when using the Internet, especially when accessing sensitive data like your bank account balance or emails. Your personal information isn’t a “gift” you want to give a hacker this holiday season.

Update your operating systems. 

With a little more downtime during the holidays, take a merry minute to keep your operating systems as current as possible. This also goes for apps on your phone.

Refresh your passwords.

Enter into the New Year with stronger, more secure passwords—something that will keep a criminal out of your personal property and prevent identity theft. Things like symbols and numbers to replace letters add a layer of complexity that makes passwords harder to crack. Consider using a password manager to store all your different passwords so you don’t forget them!

To ensure you are protected from any precocious cyber predator, check out our security awareness game inCyt, a fun way to learn cyber concepts and attack methods while cozying up on your couch with a hot toddy. You can practice proactive cyber readiness during the holidays—and year-round with this sweet resource.

Don’t click on suspicious links. 

Scammers, like the Grinch, will impersonate real online retailers and stores to get you to open an email and click on links while you are holiday shopping. Don’t! This phishing email tactic opens the door for them to install malware on your computer and before you know it, your data is stolen and compromised.

Look for the lock. 

Secure websites will often have a lock icon in the browser address bar to indicate it is a secure connection.

Get creative with security questions. 

Your mother’s maiden name or favorite food can most likely be found online somewhere, so try getting creative with your security questions to access your accounts. Choose a motto you live by perhaps or choose an answer to a question that is completely opposite of what you would select.

Watch your bank and card activity.

Hackers can see your financial activity when you’re sleeping and when you’re awake if you’re not careful. Diligently monitor your bank account, online transactions, and card activity and notify your financial services provider if you observe any suspicious activity.

Disable auto-connect.

Some devices will auto-connect to available wireless networks. Ensure you are only connected to wireless and Bluetooth networks when devices are in use or about to be used. Unknowingly being connected is the opportune time for hackers to cause damage right under your nose.

Store devices when away. 

If you’re a busy traveler, be aware that criminals seek out meal times to check hotel rooms for unattended laptops and mobile devices. Be especially wary when attending conferences or trade shows, as guest networks tend to be more vulnerable to attacks (and allow hackers to access lots of data from lots of people, who are all in one convenient location).

Activate double authentication. 

If you haven’t done so already, ensure all your apps have a double authentication factor so every time someone tries to log in to your online account, they need a code or key that is texted to your phone or sent to your email to gain access. That makes unintended access to things like social media accounts more difficult for cybercriminals.

Practice persistent protection.

Hackers aren’t just looking to exploit individual data; they also target businesses, knowing many take extra time off this time of year to spend with loved ones. Ensure your company has a strong cybersecurity response plan in place and key members of your threat intelligence, analysis, and fraud teams are consistently practicing responding to threat scenarios. Our Project Ares platform runs on Microsoft Azure, so professionals can practice cyber offense and defense from anywhere, at any time on a gamified cyber range.

It’s important to practice safe online behavior all year-round but the holidays bring about an extra level of digital activity hackers love to exploit. Make sure you are taking proactive measures to ensure you are having the most wonderful online shopping day of the year—and cybercriminals aren’t.

 

 

Immersive Cyber Training with Project Ares: Ramping Up a Cyber Career

As promised, I’m back with a follow-up to my recent post on how we need to modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft – Circadence joint “Into the Breach” capture the flag exercise. If you missed Ignite, we are planning several additional “Microsoft Ignite The Tour” events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the DC event, right after the Super Bowl, in early February.

In the meantime, due to the great feedback that I received from my previous blog (which by the way I do really appreciate, especially if you have other ideas for how we should be tackling the shortage of cyber professionals), I will be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape. I want to address the important questions of how a new employee would actually ramp up their learning, and how employers can prepare employees for success, and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, CO-based Circadence. Take a look at some of her recommendations:

 

Q: Keenan, in our last blog, you discussed Circadence’s ‘Project Ares’ cyber learning platform.  How do new cyber practitioners get started on Project Ares?

The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched.  It’s important to understand what kind of work roles you are looking to learn about as a user. What kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code, or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals, things like ports and protocols, regular expressions and the cyber kill chain. Then they can transition into Battle Rooms, where they will start to learn about very specific tools, tactics and procedures (TTPs), for a variety of different work roles. If you are a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does do some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

In Project Ares, we have a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area that is based entirely on the work role. That aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you are a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that work role.

 

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All of this practice helps prepare professionals to take official cyber certifications and exams.

 

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning. 

One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console, so we really tried to put a lot of gaming elements inside Project Ares.  For example, everything is scored within Project Ares, so everything you do from learning about ports and protocols, to battle rooms, to missions gives you points, experience points—those experience points add up to skill badges. All these things make learning more fun for the end-user. For example, if you are a defender, you might have skill badges in infrastructure, network design, network defense, etc.  and the way Ares is set up, once you have a certain combination of those skill badges you can actually earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty, or other types of games where you can really build up your skills by doing a very specific skill-based activity and earning points towards badges. One of the other things that is great about Project Ares is it’s quite immersive, so the Missions, for example, allow a user to come into a specific cyber situation or cyber response situation (e.g. water treatment plant cyber attack) and be able to have multimedia effects that demonstrate what is going on, very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience. She, Athena, was inspired by the trends of personal assistants like Cortana and other such AI “bots” which have been integrated into games. So these things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It is so much more fun, and easier to learn things in this way, as opposed to sitting through a static PowerPoint presentation or watching someone on a video, trying to learn the skill passively.

 

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assess cyber readiness?

Project Ares offers a couple great features that are good for managers, all the way up to C-Suite individuals who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can actually jump into the Project Ares environment with the students or with the enterprise team members and actually do that in a couple of different ways. So for example, the instructor, or the manager can jump into the environment as Athena, so that the user doesn’t know that they are in there, they can provide additional insight or help that is needed to a student.

A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything, to maybe make it a little more challenging; and then of course, they can just observe and leave comments for the individuals.  That piece is really helpful when we are talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of that is a product we have coming out soon called Dendrite. Dendrite is an analytics tool that looks at everything that happens at Project Ares, so we record all the keystrokes, any chats that a user has with Athena, the in-game advisor, and any chatting a user may have done with other team members while in a mission or battle room. Cyber team leads can really see what’s going on, and as a user, you can see what you’re doing well, and what you’re not doing well. That can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is, in their particular skill path. It helps cyber team leads to understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you are a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite, you find that no one is using it. It might prompt you to rethink your strategy on how you are using tools in your organization optimally. Or, how you’re training your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they are really on top of their game.

 

Q: How do non-technical employees improve their cyber readiness?

Here at Circadence we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt™. Now, inCyt is a very fun, browser-based game of strategy where players have some hackable devices that they have to protect, like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyber attacks. While they’re doing this, players actually get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so that they can start to recognize that behavior in their everyday interactions online.

Some people ask why that’s important and I always say: “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial, after they have already clicked on a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we are all susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So you may demonstrate a very high aptitude within inCyt, in which case we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity and see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, what kind of skill path you want to be on. Very crucial items for your own work role pathway.

 

How to close the cybersecurity talent gap

Keenan’s  perspective and the solution that is offered by Project Ares really helps to understand how to train security professionals and give them the hands-on experience they require and want.  We’re in interesting times, right?  With innovations in machine learning and artificial intelligence, we’re increasingly able to pivot from reactive cyber defense to get more predictive.  Still, though, right now we are facing a cybersecurity talent gap of up to 4 million people depending on which analyst group you follow, so the only way that we are going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, that they can grow in, and  see themselves going from a novice to a leader in an organization.  This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout, with uncertain and undefined career paths beyond tactical SecOps.  What’s to look forward to?

We need to get better as a community in cybersecurity, not only protecting the cybersecurity defenders that we have already, but also helping to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we are at today.  This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning, to improve the learning experience and put our people in a position to succeed.

 

To read more about how to close the cybersecurity talent gap, please read this ebook.

For more information on Microsoft intelligence security solutions visit:  https://www.microsoft.com/en-us/security/business

Living our Mission Blog Series: How Tony Hammerling, Curriculum Developer, Orchestrates a Symphony of Cyber Learning at Circadence

Circadence’s Curriculum Developer Tony Hammerling wasn’t always interested in a career in cyber—but he was certainly made for it. In fact, he initially wanted to be a musician! While his musical talents didn’t pan out for him early in his career, he quickly learned how to create unique harmonies using computers instead of instruments…After joining the Navy in 1995 as a Cryptologist and Morse Code operator, he transitioned to a Cryptologic Technician Networks professional where he performed network analysis and social network/persona analysis. It was there he learned more offensive and defensive strategies pertinent to cyber security and was introduced to network types and communication patterns. He moved to Maryland to do offensive analysis and then retired in Pensacola, Florida. The world of cyber grew on Tony and he enjoyed the digital accompaniment of the work it offered.

For the last few years, now settled in Pensacola, Florida, Tony has been a critical part of Circadence’s Curriculum Team, working alongside colleagues to develop learning objectives and routes for players using platforms like inCyt, Project Ares, and other cyber games like NexAgent, Circadence’s immersive network exploration game. Currently, Tony and his team are focused on building out learning of network essentials in NexAgent, and “…are bridging the gap between what new IT professionals learn in NexAgent and getting them onto more advanced learning pathways in Project Ares,” says Tony.

“We’re starting to introduce new content for [Project Ares] battle rooms so users coming out of NexAgent can have an understanding of the tools and techniques needed for more advanced learning of cyber defense—and actually apply those tools and techniques in realistic scenarios.”

As the technical subject matter expert for cyber curriculum, Tony digs into the details with his work—and that’s where he shines. Tony and his team ensure that user learning is reflective of today’s cyber attacks and vulnerabilities. In the next iteration of NexAgent, users will be able to focus on network segmentation using election security as the theme for game-play. From separating election polling servers to working with registration databases to designing networks to prevent election fraud, learning becomes much more interesting for the end-user.

The most exciting part about Tony’s job is the diversity of material he gets to work on every day. One day he could be helping end-users of Project Ares identify fraudulent IP addresses in a battle room and another day he could be working on a full-scale technical design of a SCADA system modeled after a cyber incident at a Ukrainian power plant.

By understanding corporate demands for new content, Tony and his team have more direction to build out cyber learning curriculum that aligns to customers’ needs. He believes the technical training he’s able to support with learning material in Circadence’s platforms complements traditional cyber learning paths like obtaining certifications and attending off-site classes. The variety of learning options for users of all cyber ability levels (both technical and non-technical) gives professionals the opportunity to be more thoughtful in their day-to-day lives, more critical and discerning of vulnerabilities and systems, and more creative in how they address threats.

“Knowing that people are able to come into a Circadence product and learn something that they didn’t know before or refine specific knowledge into an application/skill-based path is exciting. I don’t think too much of the greater impact my work provides—but perhaps 10 years down the line when we can say ‘we were the first to gamify and scale cyber training,’ it will mean so much more.”

We are grateful for the unique talents Tony brings to the Circadence family of products and how he’s able to craft learning “chords” that when orchestrated, provide a symphonic concerto of cyber learning activity—empowering cyber professionals across the globe with relevant, persistent, and scalable cyber training options to suit their security needs.

 

8 Tips to Keep Your Small Business Cyber Safe this Holiday Season

The holiday season is a time of giving; for hackers, however, it can be a time of swindling. We are all susceptible to cyberattacks, but small businesses can hurt the most from the fallout. With limited staff numbers, small IT departments (if any at all), and no money allocated toward remediation, it is of the utmost importance to protect your small business, especially over the holidays. So, what can you do to protect yourself?

  1. Understand your vulnerability by industry – While every industry can be targeted by scammers, some are more at risk than others, specifically retail, automotive, manufacturing, and financial. Not only do these industries process a lot of sensitive data and large quantities of money, but they also use automated processes and many interconnected devices which are vulnerable to cyber attacks. Assessing your risk is the first step in preventing it.
  2. Adopt a cyber security policy – Whether you’re a sole proprietor or a company with 5,000 employees, cyber criminals are targeting your business. Smaller businesses may not have controls, processes, or policies in place for cyber security defense and offense. There are several options for securing a comprehensive cyber security plan such as a managed service provider (MSP), a systems integrator or security system provider, or a cyber security consultant. Take the time to put together a comprehensive policy for your employees to learn and reference.
  3. Educate employees on cyber risks and prevention – It won’t do you any good to adopt a cyber policy if you don’t train your employees on risk awareness and staying safe online while working. Ensure you utilize persistent, hands-on learning, such as a cyber range, to keep employees abreast of the latest threats while building confidence in their abilities to recognize threats and suspicious activity.
  4. Beware of popular scam tactics used against small businesses – From overpayment scams to phishing emails, hackers will try just about anything to get to your money and sensitive information. Be wary of anything that looks or sounds suspicious such as calls from unknown persons, pop-ups, and unfamiliar websites, only open emails from trusted sources, and NEVER give your credit card or personal information to anyone you don’t know whether over the phone, by email, or in person.
  5. Secure WiFi Networks – These days all businesses require WiFi to operate, so you need to ensure your network is safe. Hide your network, which you can do by googling instructions or working with your internet provider, so that your router does not broadcast the network name (or SSID) and ensure that a password is required for access. Be sure you change the administrative password that was on the device when first purchased as well to a complex password only you will remember. Setting up a private network for employees and offering a guest network to customers is a great way to keep customers happy while ensuring your cyber safety.
  6. Make backup copies of important information – Regularly back up data on every computer used in your business including documents, spreadsheets, financial and personnel files, and more. You can do this through many channels, from copying files to an external hard drive or USB drive to uploading them to the cloud or using a paid data storage site.
  7. Install and update antivirus software – Every device you use for your business needs to be protected with antivirus, antispyware, and antimalware software. You will need to purchase this software either online or from a retail store and will need to assess your specific needs based on a variety of factors, such as the type of operating system you use (Mac or PC) and your budget. Here is a handy guide for things to consider before purchasing antivirus software. Be sure you install and update antivirus software regularly to ensure the newest and best iteration is at work protecting your sensitive information.
  8. Install a VPN – A virtual private network (VPN) is software that enables a mobile device to connect to another secure network via the internet and send and receive data safely. If you regularly use your smartphone to access secure information for your small business, it can be technology that is well worth investing in. Setting up a VPN is a simple task but depends on what operating system you use. Check out this great article that guides you through VPN set up for various systems.

By following these tips and tricks, you can ensure that your business stays protected and profitable. Cyber security is an ever-changing field, and businesses must continually adapt to new attack methods and be able to defend themselves. Keep the latest in cyber training at your fingertips with Circadence’s inCyt security awareness game of strategy and if you have a small security team/IT professional, consider our flagship immersive, gamified cyber learning platform, Project Ares for advanced cyber training. We wish you a safe and happy holiday season!


 

Operation Gratitude: 5 Reasons to Give Thanks for Cyber Security

With daily breaches impacting business operations and security, it’s easy to forget about the good ways that cyber security keeps us safe behind the scenes. This holiday season, we’re giving thanks to cyber security and all that it does to make our lives easier and more secure with what we’re calling Operation Gratitude (inspired by our Project Ares missions, uniquely titled “Operation Goatherd” or “Operation Desert Whale”). #OperationGratitude is a rally cry for security professionals and business leaders to remember the positive aspects of cyber security and share those positive thoughts with each other. Too often we live in fear of cyber attacks and persistent threats, and while there is always cause for concern, we must remember how advances in the field have equally made aspects of our digital life easier. We’re thankful for these advances in cyber security:

  1. Two-factor authentication – This tool helps to keep you secure by requiring two different credentials before allowing you to gain access to sensitive information online. One example of this would be when you log in to check your bank statements and it prompts you to not only enter your username and password, but also to check your phone and enter a verification code that was texted to you. You will normally see this security precaution used when logging into an account from a new device. The great part about it is, it’s widely known and used by everyone from CISOs to high school kids.
  2. HTTP(S) – You’ve likely seen this appear when visiting a URL online, usually showing up just before the “www” and website name. HTTP stands for HyperText Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web, which defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands. The “S” stands for “Secure,” and this little letter means that all communication between your browser and the website is encrypted for your protection. This means that sites utilizing HTTPS are prioritizing your safety while performing sensitive transactions online!
  3. Personal digital responsibility – These days the average consumer is more connected than ever. With our lives relying on smartphones, computers, tablets, and a multitude of IoT devices, we are entrenched in cyber every single day. This reliance requires us to practice personal digital responsibility, or often called digital citizenship—that is, the ability to participate safely, intelligently, productively, and responsibly in the digital world. Just because we are more connected does not necessarily mean that we are more aware of cyber risks, however, initiatives such as Cyber Security Awareness Month (in October) are helping to increase awareness by promoting cyber citizenship and education. Circadence is proud to contribute to the security awareness and digital responsibility effort with the soon-to-be-available inCyt, a security awareness game of strategy that helps bring cyber safe practices into the workplace and cultivates good cyber hygiene for all (and you don’t have to be a technical expert to use it).
  4. Corporate security awareness trainings – Given that 25% of all data breaches in the U.S. in 2018 were due to carelessness or user error, it is critical for companies of all sizes to engage their employees in persistent cyber training. Thank goodness there is an increase in organizations such as the National Cyber Security Alliance (NCSA) that provide risk assessments and security training to organizations across the U.S.
  5. Increased security collaboration – With more than 4,000 ransomware attacks alone occurring daily, no one business can mitigate the increasing amount of cyber risks present in today’s threatscape. It is more important than ever for businesses to share knowledge from breaches they have experienced and stand together to fight cyber crime, which is exactly what they’re doing! Nowadays these partnerships are being formed not only to share information, but to conduct live fire cyber readiness exercises. One such initiative is DHS’s National Cybersecurity and Communications Integration Center (NCCIC) – a 24/7 cyber situational awareness, management and response center serving as a national nexus of cyber and communications integration for the federal government, intelligence community, and law enforcement. The NCCIC also shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations.

So, as you prepare your Thanksgiving meal from recipes pulled up on your tablet, with holiday music playing from your smartphone, and timers set by Alexa to ensure the juiciest turkey and tastiest pies, remember to give thanks for cyber security. We certainly are!

 


Why Cyber Security is Important for Higher Education Institutions

It might surprise you to know that the education industry is a prime target for malicious hackers. While threats in this sector are on the rise, many education institutions are not prepared for a cyber attack nor do they know how to recover from one. In fact, there were 122 cyber attacks last year at 119 K-12 public education institutions, averaging out to an attack every three days. A 2018 Education Cyber Security Report published by SecurityScorecard also found that of 17 industries, the education sector ranked dead last in total cyber security safety. Schools are leaving themselves open to student and faculty identity theft, stolen intellectual property, and extremely high cost data breach reconciliation. In fact, a study done by the Ponemon Institute shows the average cost of a data breach in the education sector is $141 per record leaked.

This industry faces some unique cyber security challenges:

  • Historically, this industry is based on the free exchange of information, i.e., the philosophy that information should be readily available to all. The use of computers and the internet in education has allowed information to be stored and accessed in many different ways, creating vulnerabilities through storage, network security, and user error, which leave systems susceptible to hacks.
  • Students and staff may have limited technical skills and prowess to know how to stay safe online.
  • Online education systems are highly distributed across multiple schools in a district or across state lines, making it easier to infect one system to gain access to all.
  • Computer systems used by schools often lack a single application, or “source of truth” to safely manage student and employee identities.
  • There’s a significant change in the user population every year due to students graduating and new students enrolling, making it difficult to track who is using certain resources and who has access to them.
  • Remote access is often required, with students and parents accessing systems from home computers and smartphones. Accessing an online resource repeatedly from potentially vulnerable or unsecured networks creates more opportunity for hacks.

So how can educational institutions better protect themselves against looming cyber threats?

  • Shift the focus to prevention instead of mitigation – by making the focus on securing data before an attack happens rather than after, organizations will be better prepared to protect students and staff against a breach.
    • IT directors and security operators within educational institutions would be wise to consider persistent training solutions for their teams to optimize existing cyber skills so they don’t go “stale” after a period of time.
    • Likewise, perform a security audit and work across departments to understand all the digital systems in place (financial, teacher, student portals, etc.) and where vulnerabilities might exist.
    • HR departments of institutions should consider updating or adopting employee security awareness training to ensure every education-employed professional working on a computer understands the basics of cyber security and how to stay safe online.
  • Minimize internal threats – Verizon’s 2019 Data Breach Investigations Report found that nearly 32% of breaches involved phishing and that human error was the cause in 21% of breaches. Proper and continued training and awareness around security issues is key in preventing possible attacks.
  • Make cyber security a priority in IT budgeting – Schools and other educational institutions need to recognize the growing cyber threatscape and prioritize allocating funds to training tools, IT teams, and continued education for internal staff.

Circadence is here to help. Our immersive, gamified cyber learning platform, Project Ares, can help ensure that your cyber team is ready to defend against malicious attacks, and our inCyt product (coming soon!) will keep everyone else in your organization up to snuff on cyber defense and offense. We pair gamification with prolonged learning methods to make learning and retaining cyber security tactics simple and fun for all. Don’t let your institution and students be next in line for a breach–think inCyt, and Project Ares when you think cyber security for the education sector!

If you’re still looking for more information on education and cyber security, check out these handy references:


Trick or Cyber Treat? How Quickly Hackers Use Your Information

We’re getting in the Halloween spirit (with a cyber security spin of course)! We started wondering about the mysterious (or not-so-mysterious) world of hacking. We wondered just how frightfully easy it might be to gather intel from social platforms with minimal prerequisite knowledge.

To that end, we did a little experiment in an attempt to understand the hacking process. We asked ourselves…

  • What details can hackers find about us online?
  • Are there enough details out there for a hacker to really manipulate us?
  • Are we “sharing too much” as a population committed to living our lives on social media?

To answer these questions and learn if we’re just asking to be tricked or if what hackers can find out about us is really their treat to exploit…[insert gloomy music here], we simulated an online “stalking” exercise.

Below are the simple steps we took to find personal details of someone online.

  • Identify a known person you want to learn more about
  • Go to the ol’ Google to dig up articles and social profiles about that person
    1. Easily obtain properties like their full name, interests, employer, etc.
  • Search their social accounts in greater depth to find:
    1. Their interests and passions
    2. Their work history
    3. Education level
    4. Birthday
    5. Previous co-workers and friends
    6. Geographic residence
    7. Links to their Instagram profile (for visual data)
    8. Pet’s name
    9. Marital status
  • Search through their friend list on Facebook, connections on LinkedIn, or followers on Twitter to isolate any missing social profiles or details on the person
    1. Find their hometown, family members, and political/religious views

So gosh. This turned out to be a frighteningly straightforward path to take to find intel on someone…even if some of their social accounts are private! And, you might be shocked to know that it took us less than an hour to discover enough information about a random person.

So what might a hacker do with intel like what we just dug up? They use the information to manipulate us and make us vulnerable to an attack.

  • A hacker might craft a Twitter message asking about this person’s pet or commenting on the weather in her place of residence to start a conversation.
  • A hacker might name-drop her former co-worker as a “friend” of theirs and thereby “establish a connection.”
  • A hacker might contact the person’s parents or a friend, claiming to be associated with the individual’s previous employer, to get his/her phone number to call them.
  • The TRICKS are endless!

And it can happen fairly quickly. Are you surprised?

There’s good news here though. While we did learn from this exercise that what we each choose to share online is, indeed, asking to be tricked by a hacker, the fact is WE have some control of what information is “out there”. Hackers LOVE any data they can use about our interests and personal information to gain access to something they want (e.g. bank accounts, social security numbers, credit cards, etc.); but we can limit our personal information and lock down our profiles to minimize how much intel is out there to start with.


Living our Mission Blog Series: Supporting Cyber Red Teams, with Consultations and Pen Testing from Josiah Bryan

While Circadence is proud to be a pioneer that has developed innovative cyber learning products to strengthen readiness at all levels of business, there’s one professional area at Circadence that doesn’t tend to get the limelight, until now. Meet Josiah Bryan, principal Security Architect for Circadence’s security consultation services, aptly called Advanced Red Team Intrusion Capabilities (ARTIC for short). For almost two years, Josiah has provided support and services to Red Teams around the country, those leading-edge professionals who test and challenge the security readiness of a system by assuming adversarial roles and hacker points of view.

Josiah enjoys doing penetration testing and exploit development with Red Teams at a variety of companies to help them understand what a bad actor might try to do to compromise their security systems.

But Josiah wasn’t always on the offensive side of cyber security in his professional career. He was first introduced to the “blue team,” or the defensive side of cyber, when he began participating in Capture the Flag competitions across the U.S. during his time as a computer science student at Charleston Southern University. Those competitions also exposed him to the offensive side of security training and he never looked back.

After graduation, he took a job in San Diego with the U.S. Navy as a DoD civilian, finding vulnerabilities in critical infrastructure, which were then reported up to the Department of Homeland Security.

“Learning how the DoD operates internally and how they conduct penetration tests/security evaluations was an extremely valuable skill and great background for my current job at Circadence,” he says.

In addition to consulting with Red Teams, Josiah uses a variety of tools to show and tell companies about existing vulnerabilities. For example, badge scanners that let people gain access to a facility or room are quite common devices for Josiah and his team to test for customers. He might also use USB implants that provide full access to workstations and wireless signal identification devices.

“We show people how easy it is to get credentials off of someone’s badge and gain access to an area,” he says. “They never believe we will find vulnerabilities but when we do, they realize how much they need to do to improve their cyber readiness,” he adds.

But ultimately, Josiah’s favorite part of his job is the level of research and analysis he gets to do. “We are a research team, first,” he says. “We are pushing the boundaries in cybersecurity and discovering new ways that bad actors might take advantage of companies, before they actually do. It’s a great feeling to help companies and Red Teams see the ‘light’ before the hackers get them,” he adds.

Whether circumventing a security measure or patching a system, Josiah’s contributions to the field are significant.

“Finding new ways to help people understand the importance of strong cyber hygiene is fulfilling,” he says. “We can’t stress it enough in today’s culture where attacks are so dynamic and hackers are always looking for ways to take advantage of companies.”

To stay on the cutting edge of Red Team support, Josiah follows Circadence’s philosophy to persistently learn new ways to protect people and companies. “Any company is only as good as the least trained person,” Josiah says.

 

Why Alternatives to Traditional Cyber Training Are Needed Immediately

Are you looking for a more effective, cost-conscious cyber training tool that actually teaches competencies and cyber skills? We’ve been there. Let us share our perspective on the top cyber training alternatives to complement or supplement your organization’s current training efforts.

Cyber training has evolved over the years but not at pace with the rapid persistence of cybercrime. Cyberattacks impact businesses of all sizes and it’s only a matter of time before your business is next in line. Traditional cyber training has been comprised of individuals sitting in a classroom environment, off-site, reading static materials, listening to lectures, and if you’re lucky, performing step-by-step, prescriptive tasks to “upskill” and “learn.” Unfortunately, this model isn’t working anymore. Learners are not retaining concepts and are disengaged from the learning process. This means by the time they make it back to your company to defend your networks, they’ve likely forgotten most of the new concepts that you sent them to learn about in the first place. Read more on the disadvantages of passive cyber training here.

So, what cyber training alternatives are available for building competency and skill among professionals? More importantly, why do you need a better way to train professionals? We hope this blog helps answer these questions.

Cyber Range Training

Cyber ranges provide trainees with simulated (highly scalable, small number of servers) or emulated (high fidelity testing using real computers, operating systems, and applications) environments to practice skills such as defending networks, hardening critical infrastructure (ICS/SCADA) and responding to attacks. They simulate realistic technical settings for professionals to practice network configurations and detect abnormalities and anomalies in computer systems. While simulated ranges are considered more affordable than emulated ranges, several academic papers question whether test results from a simulation reflect a cyber pro’s workplace reality.

Traditional Cyber Security Training

Courses can be taken in a classroom setting from certified instructors (like a SANS course), self-paced over the Internet, or in mentored settings in cities around the world. Several organizations offer online classes too, for professionals looking to hone their skills in their specific work role (e.g. incident response analyst, ethical hacker). Online or in-classroom training environments are almost exclusively built to cater to offensive-type cyber security practices and are highly prescriptive when it comes to the learning and the process for submitting “answers”/ scoring.

However, as cyber security proves to be largely a “learn by doing” skillset, where outside-of-the-box thinking, real-world, high fidelity virtual environments, and on-going training are crucially important, attendees of traditional course trainings are often left searching for more cross-disciplined opportunities to hone their craft over the long term. Nevertheless, online trainings prove a good first step for professionals who want foundational learnings on which they can build with more sophisticated tools and technologies.

Gamified, Cyber Range, Cloud-Based Training

It wouldn’t be our blog if we didn’t mention Project Ares as a recommended, next generation alternative to traditional cyber training for professionals because it uses gamified backstories to engage learners in activities. And, it combines the benefits and convenience of online, cyber range training with the power of AI and machine learning to automate and augment trainees’ cyber competencies.

Our goal is to create a learning experience that is engaging, immersive, fun, and challenges trainee thinking in ways most authentic to cyber scenarios they’d experience in their actual jobs.

Project Ares was built with an active-learning approach to teaching, which studies show increases information retention among learners to 75% compared to passive-learning models.

Check out the comparison table below for details on the differences between traditional training models and what Project Ares delivers.

Curriculum Design

Traditional Training (classroom and online delivery of lecture-based material):

  • Instructors are generally experts in their field and exceptional classroom facilitators.
  • Often hired to develop a specific course.
  • It can take up to a year to build a course and it might be used for as long as 5 years, with updates.
  • Instructors are challenged to keep pace with evolving threats and to update course material frequently enough to reflect today’s attack surface in real time.
  • It is taught the same way every time.

Project Ares (immersive environment for hands-on, experiential learning):

  • Cyber subject matter experts partner with instructional design specialists to reengineer real-world threat scenarios into immersive, learning-based exercises.
  • An in-game advisor serves as a resource for players to guide them through activities, minimizing the need for physical instructors and subsequent overhead.
  • Project Ares is drawn from real-world threats and attacks, so content is always relevant and updated to meet users’ needs.

Learning Delivery

Traditional Training:

  • Courses are often concept-specific, going deep on a narrow subject, and it can take multiple courses to cover a whole subject area.
  • Students take the whole course or watch the whole video – for example, if a student knows 70%, they sit through that to get to the 30% that is new to them.
  • On Demand materials are available for reference (sometimes for an additional fee) and are helpful for review of complex concepts. But this does not help students put the concepts into practice.
  • Most courses teach offensive concepts, from the viewpoint that it is easier to teach how to break the network, and then assume that students will figure out how to ‘re-engineer’ defense. This approach can build a deep foundational understanding of concepts but it is not tempered by practical ‘application’ until students are back home facing real defensive challenges.

Project Ares:

  • Wherever a user is in his/her cyber security career path, Project Ares meets them at their level and provides a curriculum pathway.
  • From skills to strategy: Students / Players can use the Project Ares platform to refresh skills, learn new skills, test their capabilities on their own and, most critically, collaborate with teammates to combine techniques and critical thinking to successfully reach the end of a mission.
  • It takes a village to defend a network, sensitive data, executive leaders, finances, and an enterprise’s reputation: This approach teaches and enables experience of the many and multiple skills and job roles that come together in the real world to detect and respond to threats and attacks.
  • Project Ares creates challenging environments that demand the kind of problem solving and strategic thinking necessary to create an effective and evolving defensive posture.
  • Project Ares Battle Rooms and Missions present real-world problems that need to be solved, not just answered. It is a higher-level learning approach.

If you want to learn more about Project Ares and how it stacks up to other training options out there, watch our on-demand webinar “Get Gamified: Why Cyber Learning Happens Better With Games” featuring our VP of Global Partnerships, Keenan Skelly.

You can also contact our experts at info@circadence.com or schedule a demo to see it in action!