A Blog by Jonathan Low

 

Sep 5, 2019

How Companies Use Hacking Simulators To Train Cybersecurity Staff

Co-evolution continues. Cybersecurity experts continue to try to get out ahead of hackers, but the initiative remains with the offense. So far. JL


Adam Janofsky reports in the Wall Street Journal:

Companies and universities are building cybersecurity training centers that simulate real-world networks and breaches to train staff  to guard against and respond to attacks. At these so-called cyber ranges, companies can assess how their cybersecurity staff react to real-world scenarios, such as malware infections and data breaches. “We can put malware [and other tools] that steal information from our network on it, and allow my team to go in and fix the situation—not in theory, but actually do it.”
Companies and universities around the country are building cybersecurity training centers that simulate real-world networks and breaches to train staff and test theories about how to guard against and respond to attacks.
At these so-called cyber ranges, companies can assess how their cybersecurity staff react to real-world scenarios, such as malware infections and data breaches, said Ron Green, chief security officer at Mastercard Inc.
“It’s a great opportunity to create an environment where we can go full-out,” said Mr. Green. “We can put malware [and other tools] that steal information from our network on it, and allow my team to go in and fix the situation—not in theory, but actually do it.”
Mastercard built a cyber range at its St. Louis tech hub in 2016, and created a mobile range the following year that allows the company to perform tests and exercises around the country.
Mastercard used the mobile range—essentially a server rack outfitted in an armored box—this summer for an annual cyber defense exercise in Charlotte, N.C., with seven other financial services firms. Cybersecurity staff attacked and defended simulated computer networks, said Mr. Green, who leads about 650 cybersecurity experts and other staff.
Most businesses can’t afford their own cyber range, which can cost millions of dollars to build and operate, according to cybersecurity experts. Cyber ranges at universities, including Virginia Tech, the University of Maine at Augusta and Miami Dade College, offer small businesses an opportunity to train and test defenses. Many ranges operate in the cloud, with tools used remotely.
Security professionals at Mount Sinai Medical Center in Miami Beach, Fla., recently participated in a ransomware exercise on the cyber range at Miami Dade College, which was launched last year in partnership with Cyberbit, a division of Israeli defense company Elbit Systems Ltd.
Ransomware attacks on businesses more than doubled in the first quarter of 2019 from a year earlier, according to a May report from insurer Beazley PLC. For Mount Sinai, the practice session was “a valuable opportunity to sharpen our response to this kind of event,” a spokeswoman said in an email.
Virginia Tech sees its range, which opened in 2016 with $4 million in funding from the state, as a source of revenue. The university announced in July that it will rent its range to businesses and out-of-state schools. For about $20 per user per month, customers can remotely use its virtual environment and software, said Dr. David Raymond, the range’s director.
The range offers lessons in applied cryptography, fighting common cyber threats, such as distributed denial-of-service attacks, and other topics. About 5,000 students and faculty from more than 200 high schools, community colleges and universities in Virginia have trained on the range so far, Dr. Raymond said.
The University of Maine at Augusta also wants to sign up customers, including small businesses and municipalities, to practice on its range, said Henry Felch, an associate professor of cybersecurity and computer information systems. The university opened its range last month in a ribbon-cutting ceremony with U.S. Sen. Angus King of Maine.
For Mastercard, renting someone else’s range would have limited the kind of exercises it could do, Mr. Green said. He wants the ability to conduct both offensive and defensive drills without worrying about potential damage to systems at a host range.
“On some of these ranges you only get to use the equivalent of a little .22-caliber gun,” he said. “On our range, we can fire antitank rounds—we can do whatever we want—because we own this environment and if we break something it’s on us.”

0 comments:

Post a Comment