23 June 2016

Cyber Pros Log into Desktop Cyber Training – For Free

Jun 2, 2016

The classroom is a computer screen. Participants are just names in a box and the instructor is a disembodied voice. But ask a regular, and they’ll tell you: They almost never miss a class.

Most Thursdays at 8 a.m. Eastern, they log in to learn something new, refresh their knowledge and get smarter. They’re all professional systems administrators and information security officers employed by government agencies and trying to stay up to speed so they can keep ahead of the bad guys. They are in the United States, Europe, Asia, watching on a laptop at home or in their offices and cubicles.

Wherever they are and whatever their job, what brings them together is the State Department’s Cybersecurity Online Learning (COL) program, an ongoing series of classes and workshops open to anyone with a .gov or .mil email address. Those who can’t make it live can log in later and watch the recorded version of the session.

Recent sessions covered incident management and two-factor authentication, securing unstructured data at rest and even holiday cyber scams. On this day in May, the topic is the annual Symantec Internet Security Threat Report, a nationwide cyber security threat assessment. Kevin McPeak, security architect for public sector strategic programs at Symantec, leads the class and at class time, 38 students have logged in. Nearly 20 more will log in over the next 20 minutes.


McPeak runs through statistics: 
There were 430,444,582 new forms of malware introduced in 2015. 
Zero-day threats more than doubled from 2014 to 2015, reaching 54. 
From 2006 to 2012, there were eight to 15 zero-day threats yearly. Since then, the numbers have soared.
Spear phishing is getting more sophisticated, and large enterprises – that’s you, government people – have a 1 in 2.7 risk ratio. 

Now, a few minutes in, he’s asking a question: Are your organization’s cyber defenses adequate for the threat? No, say 86 percent of the respondents.

Next question: Who is responsible for a breach?

This time the students are split. “Lance” opens the bidding: “Everyone. Security is a team sport.” Ken counters: “The real answer is who will give the response to questioning members of Congress.” They’re not all from the State Department, but their answers reflect a sense that others may make the decisions, but they’ll get stuck having to explain them.

McPeak moves on to DDOS attacks, describing how hackers build botnets, beginning with how they scan the Internet in search of sites running unpatched, vulnerable software.

By now there are 55 in the virtual classroom and McPeak is on a roll, running through more data and painting a scarier picture of the sophisticated faceless enemy. “Adversaries can move against our nation at the speed of light,” he says. They are organized. They are professional. They run campaigns. Set up call centers, write documentation. They take off weekends and holidays. “That shows professionalization,” he adds.

McPeak advocates a multilayered security posture, suggesting security isn’t a wall, but a series of solutions like a Russian Matryoshka doll, where one complete doll after another fits inside its match in an almost endless succession. Cyber defense needs to be like that, he says.

“An organization can do everything right from a cyber posture. But if a single piece of the puzzle is not properly managed, an adversary can spoof an identity,” he says, compromising the whole organization. Automation is essential. Monitor activity as it happens and not just after the fact, because by then it’s too late.

Students are asked questions as part of a confirmation process for attendance, but it’s up to them to take that proof of attendance to their certifying organization to earn continuing education credits. For the hearing impaired, COL provides live closed captioning for all morning sessions.

More data: Symantec found 78 percent of all websites had vulnerabilities in 2015 – 15 percent of them critical vulnerabilities. Hackers have started to worm their way into the nation’s physical infrastructure, too.

McPeak describes one recent infrastructure attack and Aileen, a student, types out a message to her classmates. “I know that dam,” she says. It’s near where she lives, controls her water supply. Evidence of cyber attacks is hitting home.

More data, more advice, before McPeak asks an open-ended question: “What’s the biggest impediment to securing your environment?”

Answers pop up on the screen.

“Convenience over security.”

“Paperwork.”

“Lack of resources and funding.”

“Bureaucracy.”

“End users!!!” one student writes. It’s the people, not the technology.

But another student counters: “The more you secure, the less end users can do, until they can no longer do their jobs.”

There’s the rub: security vs. convenience. McPeak moves on to the Risk Management Framework, talks about monitoring network activity, discusses behavior anomalies and then floats the threat potential of drones: You could land one on a building and use it to monitor WiFi networks. Think about that for a moment.

Before long, the hour is over and class draws to a close. Students type thank-yous and start to sign off.

Kevin Hunter, an IT liaison with the State Department’s Bureau of Educational and Cultural Affairs, responds to questions later. This was his sixth COL class so far this year. “I’ve registered for all of the relevant sessions that fit my schedule,” he said via email, “and now that most are given twice, I’ve been able to attend almost all of them.”

He shares information from the classes with colleagues and plays recorded classes when he misses the live ones. “All of the sessions have been useful as either a refresher on the topic or by providing new information,” he said. “I am studying for a CISM certification, and some of the material has been relevant to that.”

Joseph Costantino, an information systems security officer with the State Department’s Bureau of Information Resource Management in Geneva, is even more committed. He’s attended 35 sessions in the past two years. “As an ISSO, I need to keep up to date on threats, risks and mitigations,” he said via email after the class. He was able to use one class to help build a seminar of his own on securing mobile devices. “The information from that session allowed me to ask questions of experts and provide the most updated information to users for both their work and personal mobile devices.”

He says he’s used the program to help maintain his CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) certifications and calls the classes “extremely valuable.”

COL is run by the State Department’s Diplomatic Security Training Center as a parallel offering to its live training programs for information system security officers, systems administrators, information assurance managers, system owners, executives and application programmers. The center is a certified center of excellence under the Department of Homeland Security’s Information Systems Security Line of Business (ISSLOB) Security and Awareness Training program. For more information, contact the center.

COL is not part of the ISSLOB effort, however. The center provides role-based training for government personnel through both on-site training programs and online classes.

Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.
