Better cybersecurity training through gaming

I came across a report entitled Video Games as a Training Tool to Prepare the Next Generation of Cyber Warriors by the Software Engineering Institute. While it has been out for a year, it is still worth reading. The authors are part of a project at Carnegie Mellon University and suggest that the coming cybersecurity skills gap will be critical and will require some non-traditional methods to fix. Their thesis is that we have to turn to video games to spark new interest, and to start with young children. By grabbing kids’ attention and building a solid foundation of skills and infosec knowledge, the games could help motivate a passion for finding a career in cybersecurity later in life.

One of the reasons why games make sense for cybersecurity is that they are designed for multiple players, and they promote team building and scenario-based problem solving. All of these are very valuable when it comes to responding to digital attacks and other IT-related situations.

Plus, under the category of unintended consequences, getting kids involved in security-related games could help narrow the gender gap as well: nearly half of gamers are girls, who have been historically under-represented in the cybersecurity field. And with more than 175 million gamers in just the US alone, there is a wide pool of potential recruits.

The idea isn’t new: the sci-fi series “Ender’s Game” by Orson Scott Card and the movie “The Last Starfighter” both have had a similar plot line — and both are from decades ago. In the real world, the modification of the game Doom by the US Marines has been out for decades as well. When it was first developed in the early 1990s, it cost about $25,000 and took about six months to develop. It proved to be so popular with the soldiers that they would queue up in the evenings to get a chance to play. Since then, the US Army released its own game, called America’s Army, that was designed as a recruitment and public relations tool but migrated into helping new enlistees learn about the state of weaponry and tactics that they would be learning in basic training exercises.

But what is new is that there are a number of video games, including one from a CMU affiliate, that can help bridge the gap. The report reviews several of them. These include games for children, such as MySecureCyberspace and CyberCiege; Control-Alt-Hack, a card game targeted at teens; Cyber Awareness Challenge and Cyber Protect, two games created by the DoD several years ago; and Watchdogs, a game for various consoles that has been out since 2014. Some of these games get pretty deep into things such as understanding appropriate IT policies, including setting strong passwords and implementing biometric access to sensitive data. Think about that for a moment: when was the last time you could learn about setting a firewall rule as a tactic in some first-person shooter game? Card’s Ender was ahead of his time.

Sadly, none of these games is really optimally suited for the proposed task of training cybersecurity defenders. It is a fair assessment, since none of them really had that as an original design goal. The authors state that it is “time to invest in a cybersecurity training video game that can be used to prepare the next generation of cyber-warriors and infosec professionals.” The report is well worth reading.

FIR B2B Podcast #47: Hank Weghorst and account-based marketing

Paul Gillin and I talk today on our FIR B2B podcast with Hank Weghorst about account-based marketing (ABM) and why it is catching on now, along with some of the mistakes that first-time users of ABM can make. Weghorst gave this TED Talk about the process, in which he describes how his company has assembled a huge database of more than 50 million companies worldwide and makes this information available to his customers via various desktop programs. Paul and I find out what ABM is all about and why its time has come. Listen to our podcast below.

Quickbase blog: Signs that you have outgrown Microsoft Access

Many of us started out with database software with something like Microsoft Access. It was part of the Office suite, fairly easy to get started and infinitely customizable. However, it might be time to look elsewhere for alternatives, especially for citizen developers who want to build more sophisticated online databases. Here are some ways to recognize the warning signs and to start thinking about its replacement.

First, Access was designed as a personal product, where one developer creates an entire application from scratch. If your needs are more collaborative, or you have a database where multiple people input information, Access isn’t the best solution, and this is where a SaaS-based app shines. Using an online product like QuickBase means you don’t have to worry about setting up a server or about what happens when more than one person is inputting records: this is handled automatically for you.

Second, when non-Windows computers are using your database it also might be time to switch. While there are now versions of Access for Macs and iOS, not everything that is developed for Windows versions works across platforms. It might make sense to build your app with something that natively speaks the Web, or that has the exact same look and interface across all versions.

Are you heavily involved in using Visual Basic? This was the underlying programming language for Access, and while it has a large ecosystem that Microsoft has done a great job cultivating, it might be costly to maintain and to hire the appropriate skilled staff to continue to build VB apps. Look at ways that you can build your apps without a lot of programming expertise, or that make use of Web-based forms and templates that can accomplish many of your tasks quicker, and with lower cost of ownership.

And when your users span the globe and are working on the same app, it also might be time to retire that Access project and find something more flexible and more comfortable working in a distributed environment.

Finally, when you can’t find your favorite command or function thanks to yet another UI “improvement,” it may also be time to move on. Tired of Microsoft re-arranging the menu ribbon yet again? It seems every major upgrade of Office comes with a new interface. Now Microsoft touts a “feature” that helps you find your favorite command.

Veracode blog: Why firewalls aren’t your only friend

Firewalls have been protecting networks for decades, and many of us can’t remember life before them. But they aren’t your only friends, and these days just having a firewall isn’t enough to keep the bad guys from penetrating your network. While they are a good first step, you need to start thinking beyond firewalls to keep your infrastructure secure.

What is really required is to move away from the notion of “we need to build a wall” to “we need to understand what is going on across our network.” It is a very different mindset, and requires an IT department to think differently about how to implement their network security and operations.

The first step is in understanding what is going on across your application layers. To do this properly, you need to discover what applications are running across your enterprise. Some of the more modern firewalls are attempting to collect this information; they often rely on the IT department to understand their app portfolios up front to be effective. For example, they offer very granular app-level control, such as the ability to block a Facebook wall post but allow users to read their Facebook accounts. Many products (such as Palo Alto Networks) have extensive applications databases that they can draw on to model particular behaviors so that network administrators can craft very fine-grained access policies.

But most firewalls are too steeped in the ports and protocols approach to be truly effective, and many require that IT operations keep up with network documentation and have a deep knowledge about the interaction of their firewall rule sets. Tools like Veracode that specialize in the app-layer defense don’t assume this knowledge, and also make it easier to set up app-specific security policies.

Once you have this understanding, you can better design your app-layer network protection. Firewalls were designed to handle network events, such as finding and blocking botnets and remote access exploits. Why can’t firewalls handle app-level situations? Well, some can, but only with significant effort at configuring and monitoring them. Specialized app-layer tools are better at finding vulnerabilities and inspecting traffic that is moving across the application layers. You especially want app-layer protection if you have web-based or cloud-based applications.

Next, you need to think differently about your endpoint protection too.

We all know that the days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of the potential infections available to today’s cyber-criminals and attackers. Today there are numerous specialized endpoint detection and response (EDR) products that can dive deeper and understand the progress of any infection that happens. The best products both hunt down particular exploits and gather information about what is happening, and they tie into existing security news feeds as well. Many offer real-time analysis and other insights.

When you start looking at your endpoints holistically in this fashion, you will find there are plenty of endpoints that aren’t traditional end-user devices. Most modern networks have plenty of embedded devices connected to them, such as network-based printers and cameras, environmental monitoring devices, and specialized industrial equipment. Remember the Target HVAC exploit? That was just one of numerous such attacks.

Even if these systems aren’t connected to the network directly, they do have the means to be infected by a network-based computer, as the Iranian nuclear plant at Natanz found out years ago with the Stuxnet virus. Again, this is an area where traditional firewalls fall down: a potential threat from a print server could be buried in a firewall log. There are better ways to avoid this issue, such as by changing the default management ports and authentication credentials, keeping up with firmware updates, putting all embedded devices on their own VLAN and clearing their buffers and histories often.
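The point about a print server’s traffic being buried in a firewall log can be made concrete with a small log filter. This is an added example, not code from the original post or from any vendor mentioned here: it assumes the embedded devices sit on their own hypothetical VLAN (10.20.0.0/24), a hypothetical short list of destinations they are expected to contact, and a constructed, simplified firewall log format of “action src dst dport”. It surfaces only connections that an embedded device itself initiated to somewhere unexpected, which is exactly the kind of entry that gets lost among thousands of routine lines.

```python
import ipaddress
from collections import defaultdict

# Hypothetical addressing: embedded devices (printers, cameras, HVAC) are
# isolated on their own VLAN, as the post recommends.
EMBEDDED_VLAN = ipaddress.ip_network("10.20.0.0/24")

# Hypothetical set of destinations an embedded device legitimately talks to:
# the print server, the internal DNS/NTP host, and the vendor's firmware
# update host (203.0.113.10 is a documentation/TEST-NET address).
EXPECTED_DESTINATIONS = {
    ipaddress.ip_address("10.10.0.5"),     # print server
    ipaddress.ip_address("10.10.0.53"),    # internal DNS / NTP
    ipaddress.ip_address("203.0.113.10"),  # vendor firmware update host
}

# Constructed firewall log in a simplified "action src dst dport" form.
SAMPLE_LOG = """\
ALLOW 10.10.0.5 10.20.0.17 9100
ALLOW 10.20.0.17 10.10.0.53 53
ALLOW 10.20.0.17 203.0.113.10 443
ALLOW 10.20.0.33 198.51.100.77 6667
ALLOW 10.20.0.33 198.51.100.77 6667
ALLOW 10.20.0.17 10.10.0.5 9100
ALLOW 10.20.0.41 10.10.0.9 445
DENY 10.20.0.41 10.10.0.9 445
ALLOW 10.10.0.22 10.20.0.41 80
"""


def parse_line(line):
    """Return (action, src, dst, dport) or None for an unparseable line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    action, src, dst, dport = parts
    try:
        return action, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def unexpected_embedded_flows(log_text):
    """Count ALLOWed connections initiated by an embedded device to any
    destination outside EXPECTED_DESTINATIONS.

    Inbound flows to the device (a workstation printing, a browser hitting
    a camera's web UI) and DENY entries are ignored: the firewall already
    handled those. Returns {(src, dst, dport): count}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        if action != "ALLOW" or src not in EMBEDDED_VLAN:
            continue
        if dst in EXPECTED_DESTINATIONS:
            continue
        counts[(str(src), str(dst), dport)] += 1
    return dict(counts)
```

On the constructed log this flags the printer at 10.20.0.33 reaching an external host on port 6667 twice and 10.20.0.41 reaching an internal file server on 445 once, while the routine print, DNS and firmware-update traffic stays quiet.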

Part of the toolset of these EDR products is the ability to block insider threats. These threats are becoming more common, and one of the reasons why traditional firewall and anti-virus protection has failed is that attackers can gain access to your internal network and do damage from a formerly trusted endpoint. Many firewall administrators are used to blocking incoming traffic and have focused their attention on this arena in the past. But traffic that originates from an insider who has been compromised is a problem too. To block this kind of behavior, today’s tools need to map internal or lateral network movements so you can track down which PCs were compromised and neutralize them before your entire network falls into the wrong hands.

As you can see, building up walls is a good first approach but not the only mechanism for defending your network, your applications, and your endpoints. You need a combination of several protective devices that can work together to secure your enterprise and gain visibility into all of your vulnerable places.

Quickbase blog: There are better ways to manipulate data than Google Docs

Google Docs is a favorite way to build applications for lightweight data manipulation, reporting, and analytics as well as useful for building websites that can capture and display data. While it is a great tool to get started using an online all-purpose office suite, you should also know its limitations and when it is time to move on to something more industrial strength. Let’s look at what is missing and when you should move on.

Document size limits. Google Docs has several limits on file sizes, depending on the type of file that you store there. For example, uploaded document files that are converted to the Google documents format can’t be larger than 50 MB, and spreadsheets can have up to 2 million cells.

You need to enable Javascript and allow cookies for Google Docs to work. That might be an issue in some environments.

Lack of workflows. Google Docs is set up for real-time collaboration, which means that everyone working on a document can chime in at the same time, if they are online and have access to a particular document. As others make changes to your document, you see them displayed almost immediately. While that is great, there is no control over the workflow: you have to play traffic cop and make sure your teammates know who is going to be working on the document next and how it gets passed around. There are other collaboration tools (such as the Skyword editorial add-on to WordPress) that handle this workflow better.

Weak data reporting and report construction. If you are used to these features in QuickBase, you will be frustrated by what Google Docs offers.

It isn’t at feature parity with Microsoft Office, especially for the Excel, Access and PowerPoint apps. You can import .PPT and other presentation files, but you might lose some fidelity, transitions, and other aspects of your presentations. The same is true when Google Sheets is compared to Excel or other dedicated spreadsheets: while you can build a pivot table in the former, you probably wouldn’t want to use Sheets to produce complex financial models.

Fewer granular access controls to documents. Google Docs has three roles to choose from: a user can edit, can view, or can just post comments to a shared file. You can send a link and allow anyone access via email, and if you are the original owner of the document you can prevent other editors from changing access permissions or adding new collaborators to the overall workflow. As owner you can also disable the options to download the file to a local desktop or print the document. That is about it: other online workspaces have more sophisticated access controls that allow more flexibility.

These user roles are established through email addresses of your workgroup. If you have users that have multiple Google IDs (such as their own Gmail account and a corporate email account that is hosted by Google) it can get confusing managing all the various access roles.

Another limitation is that with Google Docs, all documents can be either public or private (and shared among a specific list of email addresses). Other online systems are more flexible.

If you want to work offline, you have to plan ahead and make your documents available on your local desktop.

Fast Track blog: Is it Time for Citizen Developers to Replace IBM Notes?

Nearly 30 years ago, Lotus Software came out with a radical new tool called Notes that has since become a corporate staple. More than an email program, it was used by IT and non-IT alike to build collaborative apps. Think of it as the origin of the citizen developer movement.

But Notes has stalled and many corporations are looking to move on to something else. You can read my post on QuickBase’s FastTrack blog here about what citizen developers can do to get the decommissioning party for Notes started.

iBoss blog: There’s No Single Magic Bullet for IoT Protection

An earlier post of mine for iBoss addressed the issue of wearable fitness devices and smartwatches and their network threat. And while that post has lots of suggestions on how you can protect your network, there is still a lot going on with the IoT world.

In this post for iBoss, I discuss recent exploits using an all-webcam botnet, how the NSA wants to use IoT devices to profile your communications, and how enterprises are using mobile device management tools.

Subscribe now to Inside Security

You may be surprised that the overall rate of malware infections is at its lowest point in three years, at least according to one source (Enigma Software) that measures these things through its own network of sensors deployed across the globe. Yet this average obscures a lot of other trends, such as that the rate here in St. Louis has actually not dropped all that much, putting my fair city in the number two spot for the most infected places to compute (Tampa is #1).

This is just one of the many news nuggets that you will get if you subscribe to my twice-weekly Inside Security email newsletter, a separate effort from Web Informant that is being done through the auspices of Inside.com. The company has started several other newsletters, including one on Teslas and one on virtual reality.

Also this week, two new forms of Mac-based malware have been discovered, one called Pirrit and one called Eleanor-A. For years the Mac has been a relative safe haven, especially when compared to Windows. But with the rise in its popularity comes a more tempting target for malware writers. The former one is a piece of adware that actually acts like an infection, while the latter comes as part of a fake document conversion tool called EasyDoc that is just a container for a collection of remote access Trojans that persist even after you try to delete the application.

Speaking of Safe Harbor, and by that I mean the EU’s prior privacy regulations that were struck down some time ago, there is now a replacement called Privacy Shield. I link to the new regulations, along with some insightful commentary at Ars Technica (for the non-lawyers) and at SociallyAwareBlog (for those that want more or who are lawyers themselves).

Finally, do you want to examine the code that ran the Apollo spacecraft guidance computers? Now, thanks to some diligent volunteers, you can on Github, provided you know how to read Assembler. The code contains copious nerd humor and 60s-era POV, along with modern day space enthusiast insider comments too. Houston, we have a program!

There is a lot more on my newsletter this week, including links to how to learn to become a CISO and other noteworthy security reports, so subscribe here now.


iBoss blog: Beware of wearables!

As more of our users start literally wearing their own gear to work, the number of threats from these devices, such as Fitbits and Apple Watches, increases. After all, they are just another remote wireless computer that can be compromised to gain access to your enterprise network. I talk about the potential threats and ways to mitigate them, along with other factors. You can read my post here on iBoss’ blog.

Fast Track blog: Signs you should replace Access with an online database

Many of us started out with database software with something like Microsoft Access. It came included as part of the Office suite, was fairly easy to get started and infinitely customizable for light database programming. But with all these advantages, it might be time to look elsewhere for alternatives, especially for citizen developers who want to build more sophisticated online database applications.

You can read my post here about ways to recognize when your Access is running out of steam.