Author: Circadence

The internet has changed rapidly since its inception in 1983. The way we communicate, consume news and media, shop, and collect data are just a few examples of the way the internet has changed the world. A term you may have heard crop up in recent years is IoT, or The Internet of Things . IoT is about extending the purpose of the internet from use in day to day devices like smartphones and computers to use as a host of connected “things.”

So why would we want to do that? When something is connected to the internet and able to send and receive information, it makes the device smart. The more smart devices we have, the more connected and controllable our environment will become. IoT provides important insights to businesses and people that allow them to be more connected to the world and to do more meaningful, high-level work.

While the Internet of Things holds incredible potential for the world, it also means opening up more avenues of vulnerability for hackers to tap into our infrastructure, our homes, and our businesses. On a large scale, the development of “smart cities” are cropping up, promising better usage of resources and more insights from data among other things. On the other hand, this could allow hackers higher access to critical infrastructure leading to potentially crippling instances of national and industrial espionage. On a smaller scale, things like parking meters can be hacked in order to cheat the system for free parking.

The rise in IoT security must match the explosive growth rates for these devices, which means that a new era of cybersecurity is being ushered in. Nearly half of U.S. companies using an IoT network have been hit by a recent security breach, and spending on IoT security will reach more than $6 billion globally by the year 2023.

Where does this leave us in a world with a seemingly bright technological future that holds such dark potential? As IoT continues to grow and evolve, it’s hard to say what specifics need to be put in place in order to keep it secure. However, there are some good general practices that can mitigate your personal and professional risk of being a victim of a breach.

• Be aware when it comes to downloading apps. Always read the privacy policy of any apps you’re thinking of downloading to see how they plan to use your information and more.
• Do your research before you buy. Smart devices collect a lot of personal data. Understand what’s being collected, how it’s being stored and protected, and the manufacturer’s policies regarding data breaches.
• It seems obvious, but use strong and unique passwords for your device accounts, Wi-Fi networks, and connected devices (and update them often).
• Use caution when utilizing social sharing features that can expose your location information and could let people know when you’re not at home. This can lead to cyberstalking and other real-world dangers.
• Install reputable security software on your devices and use a VPN to secure data transmitted on your home or public Wi-Fi.

All these tips are focused on educating yourself as a responsible user of the internet and sharer of all things personal and professional. To protect yourself (and others around you), keep learning safer internet and cybersecurity practices. Cyber is always changing, just like the internet, and if we overlook a privacy policy or share a little “too much” on social media, we place ourselves at risk of exploitation and danger. It is up to us, the individuals who use this technology day in and day out, to create safer spaces online to communicate and continue to enjoy the internet in all its glory.

Eventually, there is hope that the IoT industry is able to revolutionize cybersecurity for itself, as compliance and regulation never seem to catch up to the pace required by cyber defense technologies. Since this is still such a new industry and constantly evolving, utilizing the aforementioned tips and tricks will help you stay safe while IoT security gets its footing. There is a lot to look forward to as IoT continues to revolutionize the way the world works, it’s just a matter of time before cyber teams are ready to take on this new wave of security needs.

Photo by Domenico Loia  on Unsplash

What if someone told you that there was a new way to commute to work in the morning? A way that was more efficient than taking the highways or backroads to avoid traffic – a way that would allow you to save time, headaches and the dangers of driving altogether…you’d be interested, right? Maybe a little skeptical, certainly, but interested. So would we! Changing the way we think about a process or an act does not happen at the flip of a switch. We know that. However, the speed at which technology advances and new products and services hit the market with attempts to make our daily lives easier, faster, better requires us to be open to new ways of thinking about traditional approaches. In this blog, it’s about changing how we think about “cybersecurity training.”

While we can’t help you teleport to your office or lend you a flying car, the concept behind the “better way to commute” scenario is exactly what we at Circadence are advocating for—A new way to think about cybersecurity training and skills development. Now, we realize that might not be as “cool” as teleportation but hear us out.

When it comes to cybersecurity, we believe wholeheartedly that there is a better way to train cyber professionals on the latest tactics and techniques. Why? Current ways of developing professionals with “one-and-done” trainings in classroom settings aren’t working. How do we know this? Because businesses are still getting hacked every day. In 2018 alone, we saw a 350% increase in ransomware attacks and 250% in spoofing or business email compromise. If lecture-based, classroom setting, PowerPoint-driven training courses were working, we wouldn’t still be reading about breaches in our local and national news. Something new, something different has to be done.

Talk to your teams

People develop, use and control the technologies we have available to us. People are the mechanisms by which we execute certain security methods and procedures. People are the reason there are actual tools to help us stop threats. Talking to your team can help gain perspective on how they are feeling with their current workloads and where they want to improve professionally.

Without well-trained individuals who persistently learn new skills and find better (more efficient) ways to operationalize cyber processes and techniques, our businesses and our personal information will be exploited—it’s only a matter of time. While you may be thinking “I send my team to an off-site course and they learn new stuff every time” then great! We invite you to take the next step and talk to those teams about how they’re using what they’ve learned in everyday cyber practice. Sometimes the first step in adopting a new way of thinking about a process (in this case, cyber training), we need to talk to the people who actually experienced it (those with boots on the ground).

Talk to your teams about:

• their experience on-site at the training
• what their main takeaways were
• how they are applying learned concepts to daily tasks
• where they see gaps or “opportunities for improvement”

Listening to teams and asking objective questions like this can shed light on what’s working in your cyber readiness strategy and what’s not.

Reframe negative thoughts

Things that are new and different are disruptive and that can be scary for leaders looking for concrete ROI to tie to cyber readiness solutions. Forbes suggests reframing negative thoughts as well. In thinking about a new way to do cyber training, instead of “gamified cyber learning will never work,” come from a place of inquiry and curiosity instead. Reflect on what feelings or experiences are causing you to think negatively about a new way of doing something.

Ask objective questions like:

• What is gamification in the first place?
• What are the pros and cons of gamified learning?
• How could my team even adopt a gamified learning approach?

Understanding how something works or could work for your specific situation is the foundation for evaluating the merit of any new process or approach presented to you.

Know Today’s Cyber Training Options

How cyber training has been conducted hasn’t changed much in the past several years. Participation in courses require professionals to travel off-site to facilities/classrooms where they gather together to listen to lectures, view PowerPoint presentations and videos, and maybe engage in some online lab work to “bring concepts to life.”

Travel costs incur, time away from the frontlines occurs, and learners often disengage with material that is passively delivered to them (only 5% of information is retained with passive-learning delivery).

One of the biggest gaps in cyber training is that there isn’t a way to effectively measure cyber competencies in this traditional method. The proof is in the performance when professionals return to their desks and attempt to identify incoming threats and stop them. That absolute, black and white, way of measuring performance is too risky for businesses to stake their reputation and assets on.

Leaders who send their teams to these trainings need to know the following:

1) what new skills cyber teams have acquired

2) how their performance compares to their colleagues

3) what current skills they have improved

4) what cyber activities have they completed to demonstrate improvement/progression

Today’s off-site trainings don’t answer those questions until it’s too late and a threat has taken over a network. Professionals can “see” really quick when a learned skill doesn’t translate to real life.

Embrace the journey of learning

There is a better way to train professionals and it can happen with gamification. But don’t let us be your only source of truth. Talk to people. Listen to their experiences training traditionally and hear firsthand what they want out of a skill building opportunity. Read the latest research on gamification in the corporate workplace. Then, make connections based on the intel you’ve gathered to evaluate if gamification is right for your organization’s professional development approach.

We’ll be here when you’re ready to dive deeper into specific solutions.

Photo by Sergio Souza  on Unsplash

The statistics are dismal. An estimated 3.5 million unfilled cyber positions by 2021 and today, we have over 300,000 openings in the U.S. alone. According to a New York Times article, “filling those jobs would mean increasing the country’s current cybersecurity workforce of 715,000 people by more than 40 percent,” according to data presented at the National Initiative for Cybersecurity Education Conference. If you’re a student in cyber or are just undeclared, there hasn’t been a better time to consider cybersecurity as a professional career. The field has come a long way from the stereotypical hoodie-wearing, Mountain Dew sipping worker in a dark room performing tedious coding tasks.

Cybersecurity is so much more than that—and it’s exciting! Don’t believe us? At Divergence Academy, we are preparing the next generation of cyber professionals to enter the workforce and alleviate the skills gap through gamified learning. If more institutions adopted such an approach, we as educators would be more successful at not just engaging our students in teaching relevant concepts and theory, but successful at helping them build skills needed in today’s workforce.

Cyber Teaching and Learning Challenges

But before we get into the “hopeful” part of this article, we need to understand the challenges in teaching cyber in the first place. The way that cybersecurity has been taught throughout the years often include lectures, PowerPoint presentations or online models that students complete on their own. Inherently there is nothing wrong in teaching new information in this way. However, the opportunity exists to help students learn how to apply this knowledge to a real-world setting. The act of doing and creating the needed experience is the single most important quality job candidates can bring to an employer and this is the gap Divergence Academy is hoping to close.

When students sit in a classroom, information can be presented in a systematic way, where in real life this may not always be the case, especially in the world of cybersecurity.

When you think of teaching someone how to think like a hacker, you are fundamentally teaching them how to be creative in how they approach a situation.

The concept of teaching someone to think like a hacker is easier said than done, which is why diversifying the way students can process information is crucial. Not every student learns in the way same.

There’s Hope for Cybersecurity: Continuous Skills Acquisition and Application

As cyber educators and instructors, we know there is no “one-way” to teach and that’s the good news! While certifications and technical degrees are a starting place for cybersecurity readiness and workforce development, instructors must think of new methods that provide persistent access to cyber education.

This statement can best be described with an analogous story. If an aspiring baseball player was training for the major leagues and went to practice to hone his/her skills, they would certainly learn something. However, if that aspiring baseball player then applied for the major leagues a year or so later, without attending training leading up to that point, he/she would be a little rusty, wouldn’t you say? The same situation can be applied to cybersecurity. You wouldn’t attend a class or even complete a full degree in cybersecurity and then apply for a job and say you were a “seasoned cybersecurity professional,” would you? Of course not. There is no “final inning” in cybersecurity signaling a professional’s peak of learning and skills acquisition.

Threats evolved day by day and if a student graduates thinking about phishing or malware detection one way and ends up in a work environment where that knowledge isn’t applicable anymore, we won’t be able to help the next generation of cyber pros be successful in their jobs. To keep current students and alumni actively engaged in critical learning, persistent access to cybersecurity training must be employed. In this industry, the only constant in cybersecurity is change, and for that reason (in addition to the multitude of attacks businesses every day), educational institutions can be vigilant in putting learning to work for the businesses and workplaces we rely on to support our daily functions.

As technology and interconnectivity evolve with each passing day, steps must be taken immediately to adopt a pedagogy that values and emphasizes continuous learning to best prepare our students for the career they want. With gamified learning at the helm of a new teaching approach for cybersecurity, we can be on our way to minimizing the cyber skills gap and empowering today’s students in a more effective way.

For more information about our gamified learning cyber courses, visit https://divergenceacademy.com/.

You’ve read about it, know it well, and can probably instantaneously identify one of today’s top cyber crises: the cybersecurity skills gap. It’s putting enterprises, governments and academic institutions at greater risk than ever because we don’t have enough professionals to mitigate, defend, and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021 . The widening career gap is due in part to the lack of diversity in the industry.

• Women only make up 14% of the U.S. cybersecurity workforce.
• A Frost & Sullivan report found that 26% of the cybersecurity workforce are minorities.
• According to Data USA , almost three-fourths of information security analysts are white.

And we’re not just talking about racial and ethnic diversity, we’re also talking about diversity of perspective, experience and skill sets. A CSIS survey of IT decision makers across eight countries found that 82% of employees reported a shortage of cybersecurity skills and 71% of IT decision makers believe this talent gap causes direct damage to their organizations. It’s not just the technical skills like computer coding and threat detection that are needed, employers often find today’s cyber graduates are lacking essential soft skills too, like communication, problem-solving, and teamwork capabilities [1].

An ISC2 study notes, organizations are unable to equip their existing cyber staff with the education and authority needed to develop and enhance their skill sets—leaving us even more deprived of the diversity we desperately need in the cybersecurity sector. The more unique thinking, problem-solving and community representation we have in the cybersecurity space, the better we can tackle the malicious hacker mindset from multiple angles in efforts to get ahead of threats. Forbes assents, “Combining diverse skills, perspectives and situations is necessary to meet effectively the multi-faceted, dynamic challenges of security.”

In an interview with Security Boulevard , Circadence’s Vice President of Global Partnerships Keenan Skelly notes that as cybersecurity tools and technology evolve, specifically AI and machine learning, a problem begins to reveal itself as it relates to lack of diversity:

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Keenan said. “What we really have to do…is make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI engineering process,” she added.

The good news is that is it never too late to build a more diverse workforce. Even if your organization cannot hire more people from different career backgrounds or varying skill sets, existing cyber teams can be further developed as professionals too. With the right learning environments that are both relevant and challenging to their thinking, tactics and techniques, current employees can develop a more diverse set of cyber competencies; all while co-learning with diverse teams around the world.

Companies can also build relationships with local educational institutions to communicate critical workforce needs to better align talent pipeline with industry needs, recommends a new study from the Center for Strategic and International Studies. Likewise, cyber professionals can be guest speakers or lecturers in local cyber courses and classrooms to communicate the same diversification needs in the industry.

While some experts say it’s too late to try and diversify the workforce in thinking, skill, and background, we beg to differ. If we give up now in diversifying our workforce, our technology and tools will outpace our ability to use it effectively, efficiently, and innovatively. It’s not too late. It starts with an open mind and “take action” sense of conviction.

[1] Crumpler and Lewis, The Cybersecurity Workforce Gap, Center for Strategic and International Studies, January 2019.

Photo Credit: https://unsplash.com/@rawpixel[1

We sat down with Circadence’s own Chief Technology Officer, Brad Hayes, to delve deeper into the meaning of AI and machine learning as it relates to the cybersecurity field, to discuss how robotics inform best cybersecurity practices, and to learn about new developments that are shaping the future of the field.

Artificial Intelligence (AI) is a phrase we hear quite often. It’s thrown around in movies and TV shows, listed as a feature in new devices we buy, and is even brought into our homes through voice services like Siri and Alexa. AI is a technology this being positioned to help us, as consumers and professionals perform traditionally complex tasks with ease. The ability to automate and augment responsibilities using robotics continues to gain traction as our digital footprints expand. And surrounding it all, cybersecurity becomes ever more critical as we seek out better ways to protect ourselves, our schools, our businesses, and national security.

Before we talk about Artificial Intelligence and machine learning, can you tell me a little more about your robotics research?

BH: The central theme of my lab’s research is building technology to enable autonomous systems to safely and productively collaborate with humans, improving both human and machine performance. The main goal is developing human-understandable systems and algorithms to create teams that are greater than the sum of their parts, outperforming the state of the art in inferring intent, multi-agent coordination, and learning from demonstration. Robotics is a foundation upon which AI and machine learning technology can be deployed with substantial impact, and it opens doors for skill building and capability expansion when we use these techniques in the context of cybersecurity learning.

Can robots help humans be more efficient?

BH: Early robotics research focused on creating robots that would primarily occupy a purely physical role: as a force multiplier that adds physical strength, repetition, or precision to a process (like a robotic arm helping to transport material). Within the scope of earlier AI research, decision support systems were designed as cognitive assistants, helping humans make more informed choices. The next evolution of robotics research significantly synthesizes AI advancements and helps engineers and developers understand how to automate and augment processes of cognition and interaction.

The idea of machines/robots helping professionals automate and augment tasks and decision-making is interesting. Can you explain how machine learning folds into this idea?

BH: Machine learning is a broad concept. It gets confused a lot with artificial intelligence (AI), which is more of an umbrella term. Machine learning is a term that applies to systems that adapt based on behavior or action, while AI is descriptive of intelligence that doesn’t necessarily need to change as a function of its experiences over time.

AI and machine learning are ever-present in our lives. Route directions on Google maps, for example, use a combination of AI techniques to find a path between your source and destination while machine learning models estimate factors like traffic, time of day, and weather conditions to get you to your destination as quickly as possible. Netflix uses a tremendous amount of data, processed within their machine learning models, to predict shows that you might like. They also use these models to inform which programs they’re going to manage and create. Likewise, Pandora and Spotify use machine learning to tell you what they think you’d like to listen to. Machine learning is ubiquitous, already telling us where to go, what to see, and what to listen to.

How does robotics relate to cybersecurity?

BH: A lot of the problems that we’re trying to tackle in the human-robot interaction research space are also echoed within the cybersecurity industry. If we want to design a robot teammate for a manufacturing task, that robot will need to be able to infer a human’s goals and intent from observation. This will let the robot perform productive actions, avoid collisions, and generally not be infuriatingly “in the way” during collaboration. Now apply that behavior to cybersecurity: Consider an autonomous agent that can infer the intent of actors on a system on your network, based on their behavior. Once those intentions are known, a defender can take steps to mitigate threats so malicious actors can’t achieve their goals. That’s a force multiplier for those defenders, making them more powerful and productive!

The relationship between the autonomous teammate and the human is especially important to cybersecurity education, as we can use learning technologies to assess a learner’s skill set and guide their progress to make them more effective more quickly. Beyond cooperative activities, we can also use these autonomous agents as opponents, providing a cost-effective means of teaching cyber professionals to react and respond to realistic attacks, forcing them to think more strategically and creatively to overcome adversaries.

Thinking about the relationship between robotics and cybersecurity, an example I often think of is when IBM’s “Deep Blue” beat Garry Kasparov at chess. People were asking: “Does this mean that computers are smarter than people? What does this mean for the future of chess?” My response is that this doesn’t mean we’re going to abandon chess, but rather that we will have new tools to train with and improve. In fact, that advancement helped spur great interest in human-machine teaming within the game of chess.

To me, the most exciting aspect of these systems is when it’s shown that a team consisting of an expert human and the AI can beat the AI by itself, suggesting that there are still aspects of the game not yet captured by the system. This example is illustrative of the fact that even in domains widely considered “solved,” the human still brings something valuable to the team.

Why does cyber learning matter to you and why is cybersecurity so important given advancements in AI and machine learning?

BH: Cybersecurity professionals can engage in a cyber range learning environment against AI-powered adversaries and gain new insights into their approach, positively impacting threat response and mitigation. Further, they can learn to team up with AI-powered agents to accomplish tasks quicker and develop strategies to mitigate threats to defeat increasingly capable, quick, and clever opponents. Cyber learning through AI-powered intelligent tutoring is of paramount importance for providing affordable, effective, and personalized education at scale.

As we’ve been quick to inject computation into pretty much every aspect of life, the speed at which we’ve deployed these systems has come at a cost. At this stage, I would consider it a debt, as there is a tendency to deploy systems without properly safeguarding them and/or ensuring that they’re reliably operational under potentially adversarial operating conditions.

Further, cybersecurity doesn’t just mean being able to defend against intentional adversaries, but also against unintentional consequences stemming from benign actions from people we trust. In any case, the attack surface grows rapidly as points of interaction grow in number. Because of this, I don’t foresee a viable strategy that doesn’t heavily involve the use of AI and machine learning for cybersecurity professionals, both in terms of learning and continuing education, but also in terms of effective coordination against increasingly capable adversaries.

These concepts are important to know and understand as government, enterprise, and academic institutions look to keep pace with the evolving threat-scape and prepare the next generation of cyber professionals. To learn more about how Circadence is at the forefront of cybersecurity learning tools at https://circadence.com/.

To say we’re on an upward trajectory in the cybersecurity space would be an understatement. Cyber threats are increasing. Organizational spending is increasing. And the cost of a data breach is increasing—to somewhere around $4.35 million per breach according to  IBM. With such exponential growth across the field, CISOs are actively looking for ways to strengthen their efforts. With the plethora of information available today, it is like finding a needle in a haystack. It’s hard to know whom to believe, what to believe and how often. With so many options available, CISOs are understandably stymied in making educated decisions for an optimal solution. Fortunately, our 20+ years in the gaming industry have led us to a valuable conclusion that can help CISOs professionally develop their teams—and protect their organization. The answer lies in gamification.

It’s a buzz word floating its way around the technology sphere for quite some time and is gaining momentum. It’s commonly defined as a process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited.

The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But we’re not recommending gamification because it is the new, shiny object on the heels of AI. We’ve seen gamification work for companies looking to train their cyber teams.

How does it work?

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. It allows trainees to apply what they know to simulated environments or “worlds,” creating a natural “flow” that keeps them engaged and focused. And we’re not talking about simple Capture the Flag games, we’re referring to cybersecurity exercises inspired by game-like activities to effectively engage learners.

According to Training Industry, gamified training programs are customizable based on an organization’s needs; visually-driven through use of progress bars and milestones; and are usually time-bound to hold employees accountable for task completion. Further, achievements, points, badges, trophies, and rewards/recognition of progress gives users a sense of accomplishment, keeping them motivated and engaged.

Why is gamification powerful?

The next gen learner (born after 1980) has never known a world without video games so it’s a natural progression that cyber training incorporate a style of teaching that best suits today’s learner. Neuroscientist Eric Marr said the reason it works so well is because when an individual engages with gamified simulations, the brain releases dopamine, a chemical that plays a role in the motivational component of reward-driven behavior. He says “Dopamine helps activate the learning centers in the brain. If your brain releases dopamine while you’re learning something, it helps you remember what you’ve learned at a later date.”

Studies like “I Play at Work: Ten Principles for Transforming Work Processes Through Gamification ” outline the following benefits:

• Increased engagement, sense of control and self-efficacy
• Adoption of new initiatives
• Increased satisfaction with internal communication
• Development of personal and organizational capabilities and resources
• Increased personal satisfaction and employee retention
• Enhanced productivity, monitoring and decision making

At Circadence®, we have taken these learnings and applied them to our own flagship product, our cybersecurity training platform Project Ares®.  Recognizing the widening cyber skills gap and evolving threats, only the most productive and effective training mechanisms will do—and the latest research tells us that gamified environments are here to stay. An immersive training platform, Project Ares appeals to today’s learner—and gets CISOs and their colleagues excited about training again. In contrast to passive, traditional instructor-led courses, gamification provides an active, continuous learning, people-centric approach to cybersecurity skills development.

For a more in-depth look at the Importance of Gamification in Cybersecurity, download our white paper here.

Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Cyber ranges provide representations of actual networks, systems, and tools for novice and seasoned cyber professionals to safely train in virtual environments without compromising the safety and security of their own networks.

Today, cyber ranges are known to effectively train the cyber workforce across industries. As technology advances, ranges gain in their training scope and potential. The National Initiative for Cybersecurity Education reports cyber ranges provide:

• Performance-based learning and assessment
• A simulated environment where teams can work together to improve teamwork and team capabilities
• Real-time feedback
• Simulate on-the-job experience
• An environment where new ideas can be tested and teams and work to solve complex cyber problems

In order to upskill cybersecurity professionals, commercial, academic, and government institutions have to gracefully fuse the technicalities of the field with the strategic thinking and problem-solving “soft skills” required to defeat sophisticated attacks. Cyber ranges can help do that.

Currently, cyber ranges come in two forms: Bare environments without pre-programmed content; or prescriptive content that may or may not be relevant to a user’s industry. Either form limits the learner’s ability to develop many skill sets, not just what their work role requires.

Six Components of Modern Cyber Ranges

Modern cyber ranges need realistic, industry-relevant content to help trainees practice offense and defense and governance activities in emulated networks. Further cyber ranges need to allow learners to use their own tools and emulated network traffic in order to expand the realism of the training exercise. By using tools in safe replicated networks, learners will have a better understanding of how to address a threat when the real-life scenario hits.

We also know that cybersecurity attacks require teams to combat them, not just one or two individuals. So, in addition to individual training, cyber ranges should also allow for team training and engagement for professionals to learn from one another and gain a bigger picture understanding of what it REALLY takes to stop evolving threats.

With advances in Artificial Intelligence (AI), we know cyber ranges can now support such technology. In the case of our own Project Ares, we are able to leverage AI and machine learning to gather user data and activity happening in the platform. As more users play Project Ares, patterns in the data reveal commonalities and anomalies of how missions are completed with minimal human intervention. Those patterns are used to inform the recommendations of an in-game advisor with “chat bot-esque” features available for users to contact if help is needed on a certain activity or level. Further, layering AI and machine learning gives cyber professionals better predictive capabilities and, according to Microsoft, even “improve the efficacy of cybersecurity , the detection of hackers, and even prevent attacks before they occur.”

With many studies touting the benefits of gamification in learning, it only makes sense that modern ranges come equipped with a gamified element. Project Ares has a series of mini-games, battle rooms, and missions that help engage users in task completion—all while learning new techniques and strategies for defeating modern-day attacks. The mini-games help explain cyber technical and/or operational fundamentals with the goal of providing fun and instructional ways to learn a new concept or stay current on perishable skills. The battle rooms are environments used for training and assessing an individual on a set of specific tasks based on current offensive and defensive tactics, techniques and procedures. The missions are used for training and assessing an individual or team on their practical application of knowledge, skills and abilities in order to solve a given cybersecurity problem set, each with its own unique set of mission orders, rules of engagement and objectives.

There is a lot of sensitive data that can be housed in a cyber range so security is the final piece to comprising a modern cyber range. The cloud is quickly recognized as one of the most secure spaces to house network components (and physical infrastructure). To ensure the cyber ranges are operating quickly with the latest updates and to increase visibility of how users are engaging in the cyber ranges across the company, security in the cloud is the latest and greatest approach for users training in test environments.

There you have it. The next generation cyber range should have:

• Industry-relevant content
• Emulated network capabilities
• Single and multi-player engagement
• AI and machine learning
• Gamification
• Cloud-compatibility

We are proud to have pioneered such a next generation cyber range manifest in many of our platforms including (as mentioned above), Project Ares®, and CyRaaSTM. We hope this post helped you understand the true potential of cyber ranges and how they are evolving today to automate and augment the cyber workforce.

It’s one of the most direct and proactive cybersecurity activities organizations can do to protect themselves from an attack, penetration testing.

Also known as ethical hacking, it involves legally breaking into computers to test an organization’s defenses. Companies make it a part of their overall security process to know if their systems are strong or not. It’s kind of like preventative maintenance. If a hired penetration tester can get into their system, it’s relatively reassuring because penetration testing teams can take steps to resolve weaknesses in their computer systems before a malicious hacker does.

So how does penetration testing work? What roadblocks are professionals in this field facing? How are companies using penetration testing today? What innovations in penetration testing are available today? 

What is Penetration Testing?

Now that we understand why penetration testers exist and how critical they are to companies security posture, let’s review how they work. The ethical hacking process usually involves working with the client to establish goals and define what systems can be tested, when and how often without service interruptions. In addition, penetration testers will need to gather a lot of information about your organization including IP addresses, applications, number of users who access the systems, and patch levels. These things are considered “targets” and are typically vulnerable areas.

Next, the pen tester will perform the “attack” and exploit a vulnerability (or denial of service if that’s the case). They use tools like Kali Linux , Metasploit, Nmap, and Wireshark (plus many others) to help paid professionals work like hackers. They will move “horizontally or vertically,” depending on whether the attacker moves within the same class of system or outward to non-related systems, CSO Online notes.

Penetration Testing Career and Company Challenges

As you can imagine, being an ethical hacker naturally requires continuous learning of the latest attack methods and breaches to stay ahead of the “black hatters” and other unauthorized users. That alone can present pentesting challenges because it requires a huge time commitment and lots of continual research. In addition, the following penetration testing challenges are keeping organizations up at night:

• There were more than 9,800 unfilled penetration testing jobs in the U.S. alone. With all these jobs open, businesses are challenged to find these professionals for hire, leaving them without resources to harden their potential security vulnerabilities.
• High costs prohibit hiring dedicated and skilled CPTs. Not all CPTs are created equal, while some third parties only perform vulnerability analysis as opposed to thorough pen tests.
• Most tests are conducted via downloaded tools or as one-off engagements focused on known threats and vulnerabilities.
• Many third-party engagements have to be scheduled well in advance and run sporadically throughout the year.

A New Penetration Testing Training Solution

Recent reports note that 31% of pen testers test anywhere from 24-66% of their client’s apps and operating systems, leaving many untouched by professionals and open to vulnerability. In the face of these penetration testing challenges, government, enterprise, and academic institutions are turning to technology and persistent training methods for current staff to help. Automated penetration testing tools can augment the security testing process from asset discovery to scanning to exploitation, much like today’s malicious hacker would.

With cyber attacks becoming the norm for enterprises and governments, regular scans and pen testing of application security is key to protecting sensitive data in the real world. Coupled with holistic cyber training  for offense, defense, and governing professionals and enterprise-wide cyber hygiene education, enterprises and governments will be better prepared to handle the latest and greatest threats. It’s time for organizations to leverage tools that automate and augment the cyber workforce in the wake of an ever-evolving and complex threat landscape.