Living our Mission Blog Series: Hitting a Home Run with Circadence’s Security Management, thanks to TS Reed, Cybersecurity Engineer

Reading Time: 3 minutes

The journey to cybersecurity engineer has been an exciting one for Circadence’s TS Reed. The former baseball pro turned security tech expert found his passion for problem solving at Circadence. After completing an undergraduate degree in criminology at Cal State Northridge, he pursued a master’s degree in mechanical engineering at CSUN and then a master’s in cybersecurity engineering from the University of San Diego.

TS started as an intern at Circadence and was quickly onboarded as a full-time employee for his technical prowess, adaptability, and knowledge of modern security functions and processes. For the past three years at Circadence, TS has monitored the company’s network security, tested the security of its products (including Project Ares) and learned how and what to look for to stay one step ahead of attackers.

“It’s impossible to be bored in this job. Security is always changing: the way people build it, the way people attack it. You have to continuously learn and teach yourself the latest and greatest practices,” said TS.

But cybersecurity management wasn’t always in the stars for TS. Prior to joining Circadence, TS coached division one baseball at the University of San Diego and was also an assistant coach and recruiting coordinator at the University of Arkansas Fort Smith. A Cal State Northridge Alum, TS was a well-respected baseball player, hitting home runs in the athletic industry (named a CIF California Player of the Year and a Division 1 All-American at CSUN) with the fourth highest batting average at the 2008 Big West Conference. After college he went on to play one year of professional baseball in St. Louis for the Gateway Grizzlies of the Frontier League.

He traded in his baseball cleats for cybersecurity after discovering the inherent problem-solving nature of the field—a part of the job that greatly intrigued TS to dive into a completely new field of study and long-term career trajectory.

For TS, one of the best ways to “win the game” in the security field is to think like a hacker. By understanding what vulnerabilities they look for to exploit and why, security engineers like TS, know how to harden systems and deploy preventative measures beforehand. And while open forum online communities help TS and other security professionals “understand the mind of a hacker” there is always a level of uncertainty he has to deal with.

“Hackers are attacking constantly and finding new ways to infiltrate networks,” said TS. “We have to stay as close to them as possible,” he adds.

While TS’ professional journey has been unconventional at best, he has noticed many lessons from his baseball career that have translated into the cyber arena.

“Teamwork is huge; I learned early on in baseball that every teammate receives things differently. You have to take the time and care enough to figure out how your team members communicate. [In cyber security], everyone communicates differently too. Both in receiving communication and externally communicating. Step one is always getting a feel for that in order to be as effective as possible when communicating with teammates/team members.”

Likewise, TS learned that in baseball, a player’s own skill level and performance weren’t the sole indicator of how “good” a teammate was. The greatest measure, he says, is how effective one is at making others better and serving them.

“To be good at and handle your job is one thing but whenever you have a team involved, the greatest measure of a player or cyber employee is the capability to lift up those around them and make them better,” he advises. Empowering teammates, teaching them, and learning from them is the approach he lives by at Circadence.

We are proud to have TS as part of the Circadence family and know while he’s not hitting balls out of the park at the stadium, he’s hitting home runs with Circadence, hardening its cyber security posture.

Photo by Joey Kyber on Unsplash

Living our Mission Blog Series: Supporting Cyber Red Teams, with Consultations and Pen Testing from Josiah Bryan

Reading Time: 2 minutes

While Circadence is proud to be a pioneer that has developed innovative cyber learning products to strengthen readiness at all levels of business, there’s one professional area at Circadence that doesn’t tend to get the limelight, until now. Meet Josiah Bryan, principle Security Architect for Circadence’s security consultation services, aptly called Advanced Red Team Intrusion Capabilities (ARTIC for short). For almost two years, Josiah has provided support and services to Red Teams around the country, those leading-edge professionals who test and challenge the security readiness of a system by assuming adversarial roles and hacker points of view.

Josiah enjoys doing penetration testing and exploit development with Red Teams at a variety of companies to help them understand what a bad actor might try to do to compromise their security systems.

But Josiah wasn’t always on the offensive side of cyber security in his professional career. He was first introduced to the “blue team,” or the defensive side of cyber, when he began participating in Capture the Flag competitions across the U.S. during his time as a computer science student at Charleston Southern University. Those competitions also exposed him to the offensive side of security training and he never looked back.

After graduation, he took a job in San Diego with the U.S. Navy as a DoD civilian, finding vulnerabilities in critical infrastructure, which were then reported up to the Department of Homeland Security.

“Learning how the DoD operates internally and how they conduct penetration tests/security evaluations was an extremely valuable skill and great background for my current job at Circadence,” he says.

In addition to consulting with Red Teams, Josiah uses a variety of tools to show and tell companies about existing vulnerabilities. For example, badge scanners that let people gain access to a facility or room are quite common devices for Josiah and his team to test for customers. He might also use USB implants that provide full access to workstations and wireless signal identification devices.

“We show people how easy it is to get credentials off of someone’s badge and gain access to an area,” he says. “They never believe we will find vulnerabilities but when we do, they realize how much they need to do to improve their cyber readiness,” he adds.

But, ultimately Josiah’s favorite part of his job is the level of research and analysis he gets to do. “We are a research team, first,” he says. “We are pushing the boundaries in cybersecurity and discovering new ways that bad actors might take advantage of companies, before they actually do.  It’s a great feeling to help companies and Red Teams see the ‘light’ before the hackers get them,” he adds.

Whether circumventing a security measure or patching a system, Josiah’s contributions to the field are significant.

“Finding new ways to help people understand the importance of strong cyber hygiene is fulfilling,” he says. “We can’t stress it enough in today’s culture where attacks are so dynamic and hackers are always looking for ways to take advantage of companies.”

To stay on the cutting edge of Red Team support, Josiah follows Circadence’s philosophy to persistently learn new ways to protect people and companies. “Any company is only as good as the least trained person,” Josiah says.

 

Help Wanted: Combating the Cyber Skills Gap

Reading Time: 4 minutes

Recent news headlines frequently communicate about the massive shortage of cyber skills in the industry so we wanted to dig deeper into this phenomenon to find out why there’s a talent shortage and what can be done about it. Cyberattacks are permeating every commercial and government sector out there yet industry and analyst reports indicate there isn’t a large enough talent pool of defenders to keep pace with evolving threats. When data is compromised and there aren’t enough cyber security staff to secure the front lines, we ALL are at risk of identity theft, monetary losses, reputational damage, fines, and operational disruption. cy

Statistics on the Cyber Skills and Talent Gap

With more than one in four organizations experiencing an advanced persistent threat (APT) attack and when 97 percent of those APT’s are considered a credible threat to national security and economic stability, it’s no wonder the skills shortage is on everyone’s mind.

A report from Frost & Sullivan found that the global cybersecurity workforce will have more than 1.8 million unfilled positions by 2020 (that’s next year!) while some sources report a 3.5 million shortfall by 2021.

It begs several questions:

  • What’s causing the shortage of cybersecurity skills? According to a Deloitte report, the lack of effective training opportunities and risk of attrition may be to blame.
  • Is there really a shortage of talent? Hacker, security evangelist, and cyber security professional Alyssa Miller thinks there is more of a cyber talent disconnect between job seeker’s expectations of what a job entails versus what employer’s demand from a prospective candidate.
  • How do we fill these cyber positions? A study of 2,000 American adults found that nearly 80% of adults never considered cyber security careers. Why? Sheer unawareness. Most had never even heard of specific cyber job roles like a penetration tester and software engineer and others were deterred by their lack of education, interest, and knowledge about how to launch a cyber career.

Strategies to Minimize the Cybersecurity Skills Shortage

Given the pervasive nature of cyber security attacks, businesses can’t afford to wait around for premiere talent to walk through the door. Companies need to take a proactive and non-traditional approach to hiring talent—and, yes, it takes effort.

Miller suggests that recruiters “must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach.”

Whether looking to fill a position in digital forensics or computer programming or network defense or even cyber law, the skills required for those positions can be taught with the right tools. Companies should learn to be flexible with those requirements as many are now filling unopened positions by hiring and then teaching and training professionals on preferred cyber skills and competencies. Recruiters need to adopt a paradigm shift during the talent search and be more comfortable hiring for character and cultural fit first, then, training for skills development.

Fill the talent pipeline

Consider hiring people with different industry backgrounds or skill sets to bring new ideas to the table. Sometimes, getting an “outside” perspective on the challenges firms are facing sheds a new light because they notice nuances and inconsistencies that internal teams, who are in the day-to-day, may not see immediately. Look for passionate candidates with an eagerness to learn.

Companies today are prioritizing skills, knowledge, and willingness to learn over degrees and career fields because they know that some things cannot be taught in a classroom such as: curiosity, passion, problem-solving, and strong ethics.

Look for individuals with real-world experience

If you happen to have candidates in your pipeline that have industry knowledge, ask about their real-world experience. Inquire about the kinds of things they’ve learned in their previous position and get them to share how they remedied attacks. Create a checklist of skills you desire from a candidate that may include identity management, incident response management, system administration, network design and security, and hacking methodologies, to name a few. Learning how they dealt with real situations will reveal a lot about their personality, character, and skill set.

Re-examine job postings

Often a job posting is the only thing compelling a candidate to apply for a position. If the job posting is simply a laundry list of skills requirements and degree preferences, it may deter candidates who have those skills but also seek to work for a company that values innovation, creativity, and strategic vision. Read descriptions carefully to determine if they portray the culture of your organization. If a cultural vibe is lacking, it may be time to inject a sense of corporate personality to attract the right candidates.

Provide continuous professional development opportunities

With advances in technology, professionals need to be on top of the latest trends and tools to succeed in their job. That is why it is vital to re-skill and persistently train cybersecurity professionals so they can prepare for anything that comes their way—and you can retain your top talent. Conferences, webinars and certifications are not for everyone—so it is important to find growth opportunities that employees want to pursue for both their personal as well as their professional benefit.

Create a culture of empowerment for retention

CISOs can set expectations early in the hiring process so candidates understand how their specific role impacts the organization. For example, during the interview process, notify candidates of your expectation that they be “students of the industry” such that they are expected to stay on top of security news and happenings.

Gartner advocates for a “people-centric security” approach where stacks of tools are secondary to the powerful human element of security. Additionally, send out quarterly or bi-monthly roundups of the latest cyber security news and events to keep your team abreast of current affairs. Making it as easy as possible for them to be “students of the industry” increases the likelihood that they will remain current on industry developments and engaged in their role.

Invest in Cyber Training to Cultivate Talent

Executives are demonstrating their support for strong info security programs by increasing hiring budgets, supporting the development of info security operation centers (SOCs) and providing CISOs with the resources they need to build strong teams.

With the right talent, you will have a better chance of successfully defeating attackers, staying aware of current threats, and protecting your team, your company—and your job. These strategies will go a long way in preventing future attacks and preparing staff and systems to respond when things go awry. The cyber security staffing shortage is no longer just a cyber security department issue—it’s a global business risk issue.

 

Living Our Mission Blog Series: Building Hyper-Scalable Cyber Training Experiences with Randy Thornton, Enterprise Architect at Circadence

Reading Time: 3 minutes

A newly minted Engineering Fellow, Randy Thornton has dedicated his craft to software development for over 30 years. His passion for learning and using new technologies is evident in Circadence’s cyber range platform, Project AresÒ.

Randy joined Circadence in 2005 when the company was selling its WAN Optimization product, MVOÔ. His background in scientific computing software for CAD/CAM, telecom, and seismology have all been brought to bear to transform Project Ares from a mere cool idea that met unique market demands, to now, a full-fidelity, hyper-scalable range training tool for cyber security professionals used worldwide.

Randy and Circadence: Then and Now

In the beginning, there were about four Circadence employees working on the Project Ares prototype, which was eventually adopted by government and military agencies who were looking for better ways to train their cyber operators. Fast forward to today, Randy is leading the Project Ares team to redesign the architecture to scale within Microsoft Azure.  The goal is to provide private sector enterprises the same cutting-edge opportunity to train their cyber teams of any size and location on a gamified range—persistently, authentically, with flexibility and relevant to their specific cyber readiness needs. And Randy has been there through it all!

Today Randy mentors the engineering team at Circadence and helps them identify and collate standards around how the company’s products’ code is written and tested. He also helps identify what technologies to use and evaluates the technical feasibility of using new tech in the products themselves.

“Researching and learning new technology and staying on the cutting-edge is one of the most exciting parts of my job,” said Randy. “I see so much potential for Project Ares…so much promise…and being able to build out complicated networks in the cloud is a welcomed challenge for me.” he added.

Fellow Designation Reflected in Technical Capabilities within Project Ares

Randy’s contributions have been celebrated with a promotion to an Engineering Fellow, a significant career milestone that honors his achievements, expertise, and technical leadership to Project Ares, Circadence, and the cyber security industry as a whole.  The well-deserved recognition clearly stems from the fact that Randy never stops learning! He recently completed his Azure architecture certification exam, which helps him contribute to transitioning Project Ares to run on Microsoft Azure intelligent cloud.

“Project Ares’ ability to scale across regions is even more prevalent now thanks to Microsoft Azure,” said Randy. “The usability, the functionality, and its capability to connect across multiple locations and look like one single installation will be very beneficial to enterprise and government entities looking to scale their cyber training efforts effectively.”

A professional motto that drives Randy’s belief in continuous innovation in Project Ares is “Every time we change code, we should improve it.” It is this technical philosophy that has kept Randy and the Circadence engineering team on their toes and moving at pace to meeting market demands for scalable cyber training experiences.

Evolving Cyber Training to Scale for Customers

Randy’s current project lies in Project Ares.Next, an evolution of Project Ares from an on-premise application to a true cloud native SaaS platform that fully exploits the advantages of the cloud computing model.  Many of the cloud native improvements for Project Ares will be “under the covers”.  But customers will see performance improvements in mission virtual machines and new cyber curriculum will be able to be added to the platform more expeditiously. Project Ares users who want to train their teams from anywhere in the world will be able to do so persistently, without compromising user experience and impacting mission load times, etc.

As Project Ares evolves, we start to adapt to Go and Google standards and Kubernetes standards,” said Randy. “We’ve been working closely with Microsoft engineering teams on how we use the Azure Cloud most effectively and efficiently,” he adds.

The work of Randy and his teams is technical in nature and we greatly appreciate the level of knowledge and expertise they have to ensure Project Ares stays on the cusp of cyber training market demands using the latest technology to automate and augment the cyber workforces of tomorrow. We are grateful for their work to make Project Ares better every day as they use their talents to inform what our customers experience in the platform.

Learn Project Ares, including recent mission and battle room updates!

Photo by Markus Spiske on Unsplash
Photo by John Schnobrich on Unsplash

When cyber security meets machine learning

Reading Time: 2 minutes

What happens when cyber security and machine learning work together? The results are pretty positive. Many technologies are leveraging machine learning in cyber security functions nowadays in order to automate and augment their cyber workforce. How? Most recently in training and skill building.

Machine learning helps emulate human cognition (e.g. learning based on experiences and patterns rather than inference) so autonomous agents in a cyber security system for instance, can “teach themselves” how to build models for pattern recognition—while engaging with real human cyber professionals.

Machine learning as a training support system

Machine learning becomes particularly valuable in cyber security training for professionals when it can support human activities like malware detection, incident response, network analysis, and more. One way machine learning shows up is in our gamified cyber learning platform Project Ares, under our AI-advisor “Athena” who generates responses to player’s queries when they get stuck on an activity and/or need hints to progress through a problem.

Athena generates a response from its learning corpus, using machine learning to aggregate and correlate all player conversations it has, while integrating knowledge about each player in the platform to recommend the most efficient path to solving a problem. It’s like modeling the “two heads are better than one” saying, but with a lot more “heads” at play.

Machine learning as an autonomous adversary

Likewise, machine learning models provide a general mechanism for organization-tailored obscuring of malicious intent during professional training—enabling adversaries to disguise their network traffic or on-system behavior to look more typical to evade detection. Machine learning’s ability to continually model and adapt enables the technology to persist undetected for longer (if it is acting as an autonomous agent against a trainee in our platform). This act challenges the trainee in the platform in a good way, so they begin to think like an adversary and understand their response to defensive behavior.

Machine learning supports cyber skills building

Companies like Uber use machine learning to understand the various routes a driver takes to transport people from point A to point B. It uses data collected to recommend the most efficient route to its destination.

It increases the learning potential for professionals looking to hone their cyber skills and competencies using machine learning.

Now imagine that concept applied to cyber training in a way that can both help cyber pros through cyber activities while also activating a trainee’s cognitive functions in ways we previously could not with traditional, off-site courses.

Machine learning abilities can analyze user behavior for both fraud detection and malicious network activity. It can aggregate and enrich data from multiple sources, act as virtual assistants with specialized knowledge, and augment cyber operators’ daily tasks. It’s powerful stuff!

To learn more about machine learning and AI in cyber training, download our white paper “Upskilling Cyber Teams with Artificial Intelligence and Gamified Learning.”

Photo by Startup Stock Photos from Pexels

How Cyber Security Can Be Improved

Reading Time: 5 minutes

Every day we get more interconnected and that naturally widens the threat surface for cybercriminals. In order to protect vulnerabilities and keep pace with hacker methods, security – and non-security professionals must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, within cyber teams via persistent training, and in communication between the C-suite and the CISO. Check out our recommendations below and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.

Company-Wide Security Awareness Programs

Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.

Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary but a most recent article from ThreatPost notes that phishing attempts have doubled in 2018 with new scams on the rise every day.

But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?

We believe in the power of gamified learning to engage employees in cyber security best practices.

Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other player’s assets for vulnerabilities to exploit. The back and forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.

By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.

Benefits of company-wide security awareness training

  • Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
  • Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
  • Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.

For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.

Persistent (Not Periodic) Cyber Training

For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has and continues to be the option of choice—but the financial costs and time away from the frontlines makes it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.

Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven—meaning the material is often too outdates to be relevant to today’s threats—and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!

What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?

We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently training on their own networks safely using their own tools to “train as they would fight.”

Browser-based, Project Ares also allows professionals to train on their terms – wherever they are. Artificial intelligence via natural language processing and machine learning support players on the platform by acting as both automated adversaries to challenge trainees in skill, and as an in-game advisor to support trainee progression through a cyber exercise.

The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.

Benefits of persistent cyber training

Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:

  • Increased engagement, sense of control and self-efficacy
  • Adoption of new initiatives
  • Increased satisfaction with internal communication
  • Development of personal and organizational capabilities and resources
  • Increased personal satisfaction and employee retention
  • Enhanced productivity, monitoring and decision making

For more information about gamified cyber training, read about our award-winning platform Project Ares.

CISO Involvement in C-Suite Decision-Making

Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.

Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.

C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.

A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.

The CISO perspective is, if ever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are not security “add ons” brought in too late in the game. Also, actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.

Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber.  To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.

Improving Cyber Security for the Future

Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.

If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.

Photo of computer by rawpixel.com from Pexels

Diversity in Cyber Security: Why It’s Important and How To Integrate It

Reading Time: 3 minutes

You may have heard that the cybersecurity skills gap is widening, and that there is a massive shortage of cyber professionals today. In fact, Cybersecurity Ventures predicts that there will be up to 3.5 million job openings in the field by 2021. In spite of the growing need for people in cyber, women continue to be underrepresented in the field.

According to major findings from the 2017 Global Information Security Workforce Study:

  • Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
  • Globally, men are 4 times more likely to hold C-suite and executive-level positions, and 9 times more likely to hold managerial positions than women.
  • In 2016 women in cybersecurity earned less than men at every level.

It’s no surprise that women are the underdog across plenty of male-dominated industries. So why is it so important for women to close the gender gap in cyber?

We need diverse perspectives in cybersecurity

Firstly, cyber is an area that benefits greatly from utilizing people with diverse perspectives and histories to solve problems. As threat actors and black hat hackers often come from disparate backgrounds, the wider variety of people and experience that are defending our networks, the better the chances of success at protecting them.

Combat the stereotype that cyber is only for men

Secondly, as there are so many empty jobs in the field, it is ultimately detrimental for a factor like a gender to narrow the pool of people pursuing it. Unfortunately, the message is ingrained in women from a young age that tech and security are “masculine” professions, which results in a self-perpetuating cycle of unconscious bias against women in the field. These problems are difficult to fix because they are subtle and pervasive and often come back to issues in culture and education. In fact, an online survey, Beyond 11%, found that most women have ruled out cybersecurity as a potential job by the age of 15. This is unacceptable!

Everyone can learn cyber

Finally, there is a misconception that the cybersecurity industry is only for people with highly technical skills. Unfortunately, the “bad guy” hackers out there don’t require crazy technical skills to get to your personal information. Fortunately, being on the defensive lines don’t require them either. Cybersecurity is a highly trainable field and has a growing need for people in more positions than ever before, such as legal, marketing, and public policy – all of which women have proven to excel in. In fact, the communication skills, problem-solving and attention to detail skill sets needed to excel in cybersecurity are skills women possess and are really good at.

Introducing more women to cybersecurity


Programs and Events

Since many of these problems start for women from a young age and through somewhat unconscious societal and cultural constructs, it can feel like a daunting task to get women more involved in cyber. In order to combat these misconceptions, many programs and events have been put into place to provide young women with female role models in the cybersecurity field. Events such as the Women in Cybersecurity Seminar, Women in Cybersecurity Conference, and Cyber Day for Girls are just a small number of direct-action groups that companies like IBM have put in place to address the gender gap. Further cyber competitions like the Wicked6 Cyber Games, and organizations like the Women’s Society of Cyberjutsu and Girls Who Code are dedicated to introducing young women to cyber at that earlier age before they are told “it is not for them.”

Cybersecurity Mentorships and Internships

Mentorships and internships are another great way to introduce girls to other women in cybersecurity fields they may think are beyond their reach. Volunteers from tech companies have been going to summer camps specifically designed to encourage young girls to consider careers in STEM, such as the Tech Trek summer camp. Additionally, the Girl Scouts just introduced the first ever cybersecurity badge, which can be earned by completing curriculum and gamified learning around internet safety.

Persistent cyber career development

Another way we can support and retain women who choose cybersecurity roles is for companies have policies in place that ensure women do not miss out on opportunities to further their careers after having children. Things like flexible hours and the option to work from home can be key in maintaining a diverse and productive workforce. Hiring managers can also work to ensure equal employment opportunities when looking to hire for a new position. People from all backgrounds should feel welcome to apply for roles in this highly trainable and accessible field.

We need all hands-on deck now more than ever in cybersecurity, tech and STEM fields. Communicating to girls at a young age that technology isn’t just for their male counterparts, and that it can offer them a long and rewarding career, is essential in closing the gender and skills gap in cyber.

To learn more how to diversify the cybersecurity workforce from a strategic standpoint, read our other blog “Diversifying the Cybersecurity Workforce.” https://www.circadence.com/a-call-to-diversify-the-cybersecurity-workforce/

 

 

Cyber Ranges and How They Improve Security Training

Reading Time: 3 minutes

WHAT ARE CYBER RANGES?

Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Cyber range providers like us deliver representations of actual networks, systems, and tools for novice and seasoned cyber professionals to safely train in virtual, secure environments without compromising the safety of their own network infrastructure. Today, cyber ranges are used in the cybersecurity industry to effectively train the cyber workforce across companies and organizations for stronger cyber defense against cyber attacks. As technology advances, cyber range training advances in scope and potential.

To learn more about Circadence’s cyber range offering, visit https://www.circadence.com/solutions/topic/cyber-ranges/.

The National Initiative for Cybersecurity Education reports cyber ranges provide:

  • Performance-based learning and assessment
  • A simulated environment where teams can work together to improve teamwork and team capabilities
  • Real-time feedback
  • Simulate on-the-job experience
  • An environment where new ideas can be tested and teams and work to solve complex cyber problems

In order to upskill cybersecurity professionals, commercial, academic, and government institutions have to gracefully fuse the technicalities of the field with the strategic thinking and problem-solving “soft skills” required to defeat sophisticated attacks.

Currently, cyber ranges come in two forms: Bare environments without pre-programmed content; or prescriptive content that may or may not be relevant to a user’s industry. Either cyber range type limits the learner’s ability to develop many skill sets, not just what their work role requires.

UNDERSTANDING CYBER RANGES IN A BOX (OR CYRAAS, as we call it.)

Cyber ranges in a box is a collection of virtual machines hosted on an on-premise or cloud-based environment. Now, don’t let the name “in a box” fool you, at Circadence, you can’t purchase our cyber range solution on its own. To your cyber learning benefit, Circadence offers a cyber-range-as-a-service [CyRaas] solution embedded within the Project Ares cyber learning platform for optimized training and skill building at scale. When you purchase Project Ares, CyRaaS is included. It provides all-encompassing tools and technologies to help professionals achieve the best cybersecurity training available. Our service offers industry-relevant content to help trainees practice offense and defense activities in emulated networks. Cyber ranges also allow learners to use their own tools within emulated network traffic to reflect the real-world feeling of an actual cyberattack. In “training as you would fight,” learners will have a better understanding of how to address cyber threats when the real-life scenario hits.

With advances in Artificial Intelligence (AI), we know cyber ranges can now support such technology. In the case of our own Project Ares, we are able to leverage AI and machine learning to gather user data and activity happening in the platform. As more users play Project Ares, patterns in the data reveal commonalities and anomalies of how missions are completed with minimal human intervention. Those patterns are used to inform the recommendations of an in-game advisor with chat bot functionality so players can receive help on certain cyber range training activities or levels. Further, layering AI and machine learning gives security  professionals better predictive capabilities and, according to Microsoft, even  “improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.”

To learn how cyber ranges are being used to improve cyber learning for students (and how it can be applied to your organization or company,
DOWNLOAD OUR “LEARN BY DOING ON CYBER RANGES” INFOGRAPHIC.

GAMIFIED CYBER RANGES

With many studies touting the benefits of gamification in learning, it only makes sense that cyber ranges come equipped with a gamified element. Project Ares has a series of mini-games, battle rooms, and missions that help engage users in task completion—all while learning new techniques and strategies for defeating modern-day attacks. The mini-games help explain cyber technical and/or operational fundamentals with the goal of providing fun and instructional ways to learn a new concept or stay current on perishable skills. The battle rooms are environments used for training and assessing an individual on a set of specific tasks based on current offensive and defensive tactics, techniques and procedures. The missions are used for training and assessing an individual or team on their practical application of knowledge, skills and abilities in order to solve a given cybersecurity problem set, each with its own unique set of mission orders, rules of engagement and objectives.

CYBER RANGE SECURITY

There is a lot of sensitive data that can be housed in a cyber range, so system security is the final piece to comprising a cyber range. The cloud is quickly recognized as one of the most secure spaces to house network components (and physical infrastructure). To ensure the cyber ranges are operating quickly with the latest updates and to increase visibility of how users are engaging in the cyber ranges across the company, information security in the cloud is the latest and greatest approach for users training in test environments.

We are proud to have pioneered such a state-of-the-art cyber range in many of our platforms including (as mentioned above), Project Ares®, and CyRaaSTM. We hope this post helped you understand the true potential of cyber ranges and how they are evolving today to automate and augment the cyber workforce.

Penetration Testing Challenges and Solutions

Reading Time: 3 minutes

It’s one of the most direct and proactive cyber security activities organizations can do to protect themselves from an attack, penetration testing.

Also known as ethical hacking, it involves legally breaking into computers to test an organization’s defenses. Companies make it a part of their overall security process to know if their systems are strong or not. It’s kind of like preventative maintenance. If a hired penetration tester can get into their system, it’s relatively reassuring because penetration testing teams can take steps to resolve weaknesses in their computer systems before a malicious hacker does.

So how does penetration testing work? What roadblocks are professionals in this field facing? How are companies using penetration testing today? What innovations in penetration testing are available today? All these questions will be answered in this article. And if you have questions about any of it, please contact us for more information.

What is Penetration Testing?

Now that we understand why penetration testers exist and how critical they are to companies security posture, let’s review how they work. The ethical hacking process usually involves working with the client to establish goals and define what systems can be tested, when and how often without service interruptions. In addition, penetration testers will need to gather a lot of information about your organization including IP addresses, applications, number of users who access the systems, and patch levels. These things are considered “targets” and are typically vulnerable areas.

Next, the pen tester will perform the “attack” and exploit a vulnerability (or denial of service if that’s the case). They use tools like Kali Linux, Metasploit, Nmap, and Wireshark (plus many others) to help paid professionals work like hackers. They will move “horizontally or vertically,” depending on whether the attacker moves within the same class of system or outward to non-related systems, CSO Online notes.

Penetration Testing Career and Company Challenges

As you can imagine, being an ethical hacker naturally requires continuous learning of the latest attack methods and breaches to stay ahead of the “black hatters” and other unauthorized users. That alone can be a challenge because it requires a huge time commitment and lots of continual research. In addition, the following penetration testing challenges are keeping organizations up at night:

  • There were more than 9,800 unfilled penetration testing jobs in the U.S. alone. With all these jobs open, businesses are challenged to find these professionals for hire, leaving them without resources to harden their potential security vulnerabilities.
  • High costs prohibit hiring dedicated and skilled CPTs. Not all CPTs are created equal, while some third parties only perform vulnerability analysis as opposed to thorough pen tests.
  • Most tests are conducted via downloaded tools or as one-off engagements focused on known threats and vulnerabilities.
  • Many third-party engagements have to be scheduled well in advance and run sporadically throughout the year.

A New Penetration Testing Training Solution

Recent reports note that 31% of pen testers test anywhere from 24-66% of their client’s apps and operating systems, leaving many untouched by professionals and open to vulnerability. In the face of these penetration testing challenges, government, enterprise, and academic institutions are turning to technology and persistent training methods for current staff to help. Automated penetration testing tools can augment the security testing process from asset discovery to scanning to exploitation, much like today’s malicious hacker would.

Circadence is proud to have developed a solution (available soon) that automates and augments penetration testing security professionals with a platform called StrikeSetTM. StrikeSet is designed to increase the efficiency and thoroughness by which pen testing is performed. Specifically, the platform can help professionals perform hacks and simulated attacks on systems while machine learning capabilities provide session analysis and create unique threat playbooks for operators. It also monitors and tracks tool behavior for classification.

In addition, data is gathered from distributed operators who can remotely collaborate on how to gain access to a system and exploit development, perform SQL injections, forensics analysis, phishing campaign orchestration, and much more. That data analyzes Red Team’s TTPs with the aim of mimicking approaches to save on resources and time.

With cyber attacks becoming the norm for enterprises and governments, regular scans and pen testing of application security is key to protecting sensitive data in the real world. Coupled with holistic cyber training for offense, defense, and governing professionals and enterprise-wide cyber hygiene education, enterprises and governments will be better prepared to handle the latest and greatest threats. It’s time for organizations to leverage tools that automate and augment the cyber workforce in the wake of an ever-evolving and complex threat landscape.

 

Learning from the Top 5 Financial Cybersecurity Incidents

Reading Time: 3 minutes

Banks, credit unions, credit card companies, investment firms, and insurance companies are all under cyberattacks—making financial cyber security a hot topic of discussion. For years, the finance industry has been one of the hardest hit with cybercrime according to Deloitte. And it continues to rank in the top five most vulnerable industries. In 2017, 69 material cyber incidents were reported to the Financial Conduct Authority, an increase from the 38 incidents in 2016, according to Information Age. Financial cyber security regulations are keeping companies in check but the pace at which threats evolve in sophistication requires a persistent approach to stay ahead of hackers.

If you bank online or have an insurance policy, you likely understand the convenience of single keystroke access to financial information. It’s easy, convenient and useful to transfer funds from mobile device to mobile device; electronically sign a form; or get a quote for a mortgage company just by entering in new financial details. Unfortunately, the rapid pace of adoption of new technologies that make these everyday transactions convenient is widening the attack surface for hackers and prompting security professionals to consider even stronger finance cyber security risk management processes.

Financial Cyber Security Incidents

Below are some of the most notable cybercrime attacks on financial services firms that we can learn from in order to take a more proactive approach to cyber security readiness.

Equifax 

The consumer credit reporting agency was breached in 2017, exposing the sensitive personal information of more than 147 million Americans. Partial driver’s license data was the primary data leaked. Equifax representatives said the vulnerability that allowed for the attack to occur was the failure to keep its computer systems adequately up to date.

Bank of Chile

State-backed hackers infiltrated the Bank of Chile’s ATM system in January 2019 and stole $10 million. The cyber heist was deployed via hackers initiating a virus as a “distraction” then prompting banks to disconnect 9,000 computers to “protect customer accounts.” Meanwhile, hackers sneaked in and used the global SWIFT bank messaging service to deploy fraudulent transactions.

India’s Cosmos Bank

Unauthorized users accessed their system and siphoned nearly $13.5 million through withdrawals across 28 countries. Unidentified hackers created a proxy switch that approved all the fraudulent payments.

Lazarus group

North Korea’s hacking operations are targeting financial institutions nationwide—completely indiscriminate of a brand or geographic location. The country is linked to attacks in 18 countries, according to a report from Russian cyber security firm Kaspersky Lab. The hacking operation known as “Lazarus” targeted employees at banks who visited the hackers’ list of 150 specified internet addresses. Experts say the attacks are at a “level of sophistication not generally found in the cybercriminal world,” and companies should take proactive measures to carefully scan their networks for the presence of Lazarus malware samples, disinfect their systems and report the intrusion.

Bangladesh Bank 

Bangladesh Bank experienced a hack in February 2016 that drained $81 million from accounts in a few short hours. Attackers subverted the bank’s SWIFT accounts, the international money transfer system, to get what they wanted, reports Wired magazine. Hackers sent more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of Bangladesh Bank’s funds to accounts in the Philippines, Sri Lanka, etc. Reports indicate lax computer security practices were to blame (e.g. lack of firewalls installed on the networks), allowing hackers to easily infiltrate the network and find the credentials needed to proceed. The concept of attacking systems on the weekend isn’t a new approach either—other banks like Tesco experienced the same timing in November 2016 when thousands of current account customers were hit with fraudulent transactions by hackers.

Learning from Financial Cyber Security Incidents

Outdated systems, employee exploitation, weakened network security, and a poor ratio of defenders to hackers all contribute to the severity of these financial cyber security incidents.

These attacks tell us a lot about what preventative steps can be taken. To ensure financial services firms have the latest systems updated and in place requires an experienced cybersecurity team to perform regular system checks and updates.

Financial cyber security compliance leaders need to empower their teams with the right tools and persistent learning opportunities so they can be prepared for any malware infection or system overwrite that occurs.

The increase in reported attacks reflects a greater need for accountability across all financial institutions. As the attack frequency grows, so must our cybersecurity vigilance. Cyberattacks will adapt to defense strategies so financial firms need to ensure they are always one step ahead. The best way to achieve this goes beyond hiring our way out of the issue. Training your cyber workforce proactively using gamified cyber range training to combat the latest threats is the key to sustained success.

For more information on how financial firms can upskill their security workforce
download Project Ares subscription brochure.

Photo by Alexander Mils on Unsplash