play your way to success: building tomorrow's workforce · your cyber workforce – you’re...
TRANSCRIPT
NICE Working GroupCompetitions Subgroup
Laurin BuchananSecure DecisionsJake MihevcMohawk Valley Community College
Play Your Way to Success: Building Tomorrow's Workforce
Gamification: it’s not just for kids
Is this your training? >>
If games & competitions are not part of your plan to recruit, educate, and retain your cyber workforce –you’re behind the curve
We’re here to help!
2
NIST NICE Cybersecurity Workforce Framework (CWF)
NIST Special Publication 800-181Taxonomy and common lexicon that describes cybersecurity work:• 7 Categories• 33 Specialty areas• 52 Work roles
─Knowledge, skills and abilities to perform each work role
3
https://doi.org/10.6028/NIST.SP.800-181
Employers use framework to assess workforce and identify gaps
Training, certification and education providers now map
content to NICE CWF
NIST NICE Working Group (NICEWG)
Brings together public and private sector participants to advance cybersecurity education, training, & workforce development
Six Sub-Working Groups:• Apprenticeship• Collegiate• Competitionshttps://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group
4
• K-12• Training and Certifications• Workforce Management
NICEWG Competitions Sub-Group
Vision:Promote a spectrum of competitions that advances knowledge, skills and
abilities to nurture and expand a diverse national talent pool.
Mission:Empower a public and private
competition ecosystem by providing guidelines, standards, and best
practices for players, teams, schools, sponsors and organizers.
5
6
Need to grow capability & capacity in the workforce
Technical and virtual environments are important training toolsDoctors, pilots, first responders, military, professional athletes
Brain science shows repetition is essential to knowledge retentionMuscle memory: repeating tasks
enhances neural pathwaysMultiple avenues mean more
neural pathways & stronger retention
7
Gaming changed mental models of learners
Gaming encourages players to try different keys, different paths to win
Gamification encourages repetition• Provides positive incentives, not just
negative ones >> training is “sticky”
• As skills improve, challenges should too!
Competitions and games come in all flavors
8
9
K-12 Collegiate Workforce
Benefits of competitions and gamification
10
Many map learning & skills to NICE CWF
Promotes learner engagement
Encourages ethical practice and skill development in a controlled, legal environment
Opportunity for practitioners to fail and learn what happens, how to recover without impacting business environment
Employers can identify talent inside and outside the organization
Case Study: Attracting interest in cyber careers
11
Attracting kids to cybersecurity issues and work roles
Need to create positive “first contact” with cybersecurityStudents explore branching comics on different topicsCyber ethics story about
Student Council electionFollow a real world cyber
crime investigation: meet characters with different cybersecurity work roles, see impacts of choices
12
13
Storytelling is a powerful tool
Comics engage students whodon’t want to read text or watchvideos
Words and pictures scaffold comprehension and learning of abstract concepts like cyber
Literally “see yourself” in comics Critical for developing
self-efficacy
14
15
16
17
18
19
Memorable or exaggerated endings reinforce
learning 20
Address any topic or concept with comics
Comic shows consequences of choices,
not bound by realityof time or distance
Experience consequences of bad decision in a safe environment
Scoring turns comics into challenges and competitions
Case Study: Central New York Hackathon
21
Mohawk Valley Community College (MVCC)
MVCC: CAE 2Y
Utica College: CAE-CDE
SUNY Polytechnic
Air Force Research Lab in Rome, NY
Central New York (CNY) Hackathon: 1 event/semester
22
CNY Hackathon
8 different colleges participate
Teams composed of students from each college
Competition elements• Infrastructure (CCDC)• Capture The Flag (CTF)• Wireless Challenge
23
Competition infrastructure
24
172.18.13.t
192.168.t.5Web Server
CentOS
Team RouterCentOS 7
192.168.t.1
192.168.t.0/24
172.18.0.0/16
CNY HackathonSpring 2017Blue Team
Network Topology
Yum repo172.18.0.6
ScoringEnginesInternet
192.168.t.7Shell
Ubuntu
192.168.t.8Mail
Windows
Blue TeamNetwork
TBDBackupCentOS
Hackathon Router172.18.0.1
t = team number
172.18.14.t[1-4]External Kali VMs
192.168.t.10[1-9]Internal Kali VMs
DNS172.18.0.12
CTF172.18.20.1
Bunions?
Use Proxmox virtual environment
Competitors develop more than technical skills
Soft skills:• Leadership
Team Leaders – HANDS OFF• Teamwork
Teams created by script
Students learn WHY they need to learn networking, operating systems and coding so well
25
Students learn where they stand -need to work harder?
26
Students are engaged
Students WANT to come back better next year
Failure at CNY Hackathon?
Failure to work as a team
Failure to learn anything
Failure to be ethical
Success at CNY Hackathon:
• Great team comes together
• Epic failure leads to lessons learned!
27
CNY Hackathon Lessons Learned
28
Challenges need to be incrementalAvoid “rounds”Visual scoreboard >> engagementRed Team professionalism is criticalManage the competitive elementPrizes oriented towards the goals of the event:
• Most Valuable Teammate (MVT) • Most Improved (MI)
Benefit to MVCC goes beyond enrollment
Industry develops CNY exercises • Provides DIRECT alignment with
workforce needs • Faculty update curriculum 2x year!
Students see path:
29
0
20
40
60
80
100
120
140
160
180
1 2 3 4 5 6
Cybersecurity student enrollment over time
Strong performer Employment Red Team
Years of competition
Benefit to student’s next stage of development
Cyber is such an APPLIED discipline — it is uniquely geared toward competency-based education
Competitions map to career credentials: CompTIA Security+ and Certified Ethical Hacker “scenarios”
30
Case Study #3: Practice, training and education for the cyber workforce
31
Emerald Down: regional exercise
Pacific NorthWest Economic Region
Began in 2012 with IT teams from various organizations
Organizations had to reach out & cooperate• Learned what other organizations could do• Developed new partnerships and contacts• Cyber Incident Response Coalition and Analysis
Sharing (CIRCAS): public-private cyber resilience coalition
32
33
Emerald Down V: Board game simulation
https://vimeo.com/207705607
Different levels of government and military had access to varying levels of response
Game incorporated elements of luck, timing, relative power, etc.
Developed Cyber Annex to WA State’s Comprehensive Emergency Response Plan
Repeated exercisesfind gaps in plans
& what needs updates
34
Benefits of advanced exercise
Organizations explore how their Cyber Plans
integrate with WA State’s Cyber Annex
to Emergency Response Plan
Builds trust among technology and security practitioners
35
Raises awareness: public gains understanding and connects personally with cybersecurity
2018 global competition in Las Vegas: 2 hour LIVE broadcast
The future has arrived: cyber competitions as e-sports
“Shall we play a game?”
36
NICE WG Competitions Subgroup Resources
https://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group/competitions-sub-working-group
• One-Pager on competitions
• “Cybersecurity Games” white paper
• Letter: “Ten Things Parents Need to Know about Competitions”
• Podcast interviews with cyber competition community members
• Coming soon: Competition Guides 37
Additional resources
Cybercompex.org
CTF-time.org
Academic competitionsNCCDC: http://www.nccdc.org/National Cyber League: https://www.nationalcyberleague.org/
GirlsGo Cyberstart & CyberStart from SANSWhy is NY State not participating?
38
National Cyber League
39
National Cyber League
California Mayor’s Cyber Cup
Regional competitions all across CaliforniaHigh school cyber teams compete for their city
Cities, mayors, business and parents see first hand the importance of cybersecurity
Focused on awareness and fun
Vision for New York?
Questions?
40
Join NICEWG Competitions Subgroup!• [email protected]• Subject line: Competitions Subscribe• Include your full name and email
address in body of message
Laurin Buchanan [email protected]
Jake [email protected]