The 3 Pillars of Cybersecurity Education: Building an Infosec Education Program in Your Organization
With technology’s breakneck speed, organizations trying to implement a cyber security education program will face hard challenges. In this post, we outline these challenges and propose the 3 pillars of cyber security education – qualities that any education program should have to ensure a strong security posture, along with practical suggestions that organizations can adopt.
The State of Cyber Security Education Today and Key Challenges
It is undeniable that technology is moving at breakneck speed, especially in the last decade. With advances in cyber security such as machine learning, zero-trust architecture and microsegmentation, we are better equipped than ever to tackle the threatscape.
But there is still a gaping hole in cyber security: contrary to the blazing pace at which technology advances, cyber security education – especially in enterprises – has remained stagnant in its implementation. The stakes are only getting higher. As remote work becomes more common, as more organizations move towards the cloud, and as the line between personal and work devices blurs, attack surfaces can only widen.
One thing’s for sure: cyber security education must evolve with the times. In this post, we describe the key challenges in today’s cyber security education landscape, and suggest 3 focus areas to help enterprises craft a resilient, sustainable cyber security education program.
Key Challenges in Cyber Security Education Today
1. Out of sync: technology and adoption outpace security
With new technologies created daily, dominant enterprises and institutions naturally strive to adopt cutting-edge technologies to have an advantage as quickly as possible.
However, the high speed of adoption also causes a disconnect: what is taught in cyber security education circles lags behind the actual technologies deployed in the field. The breakneck speed of adoption also makes it impossible for educational institutions to update their syllabi on the fly, and thus when professionals go into the field, they are often unable to use their skills immediately.
This problem is compounded by the industry’s emphasis on certification. It is common for job requirements to include certifications, which incentivize job seekers to acquire them. Certifications provide accreditation and a common standard for applicants, but similar to syllabi, certifications often don’t change their curriculum frequently enough to keep up. As a result, job seekers are driven to learn concepts removed from the bleeding-edge tech that enterprises use.
2. Cyber security is hard to master and requires both breadth and depth
By nature, cyber security is difficult. Progression is hard: one must first master the foundation of a certain technology, then understand its insecurities, then in turn learn how to secure them. And that’s only for a single field!
Cyber security is also an extremely applied field, and mastering it requires an emphasis on doing rather than just knowing. However, since active professionals rarely go back into teaching, only a minority of cyber security trainers are past practitioners. Thus, in terms of learning aids, there is a dearth of rigorous labs and practical demonstrations - critical for training today’s security professionals.
Without adequate resources and time to understand multiple disciplines, students gravitate towards understanding topics only superficially; perhaps by only learning vulnerabilities which are easy to understand, or theoretical concepts removed from real-world techniques. This approach is not tenable in a domain where defenders are naturally disadvantaged - the attacker only has to win once.
3. Lack of emphasis on ongoing training
Lastly, most enterprises do not implement their cyber security education strategy rigorously enough. Despite the ever-changing nature of cyber security, there is little emphasis on upskilling and ongoing learning, especially in the technical context. Furthermore, with the industry’s focus on certification, professionals lose the incentive to continue learning after securing the job, resulting in their knowledge stagnating.
As a result, most professionals learn cyber security haphazardly and on the job - an unsatisfactory alternative given limited time and other boundary conditions. A security gap ensues, as fledgling security professionals are not ahead of attackers who are constantly innovating and finding new ways to break into organizations.
Ironically, malicious parties are the ones constantly finding new ways to break into organizations. Photo by Stillness InMotion on Unsplash
The Pillars of Cyber Security Education
Despite these challenges, enterprises can still take action to strengthen their cyber security education program. Below, we propose 3 key pillars that any program should adopt:
1. Cyber security education must be ever-evolving
With technology’s breakneck speed as described above, a static cyber security education program is unsustainable. Instead, cyber security education needs to be in sync with the latest technologies and attacker techniques.
Educational content should be organization-specific
Every company uses a different tech stack and has widely differing processes. Therefore, instead of generalist training that is not impactful in the long term, make educational content and case studies contextual to the organization.
For example, the company’s syllabus should focus on in-house tools, and Red Teamers should learn about compromising their own security controls. This way, defenders can understand how attackers develop targeted attacks. Or, besides relying on external certifications, create an internal (re)certification program. Overall, prioritize upskilling mapped to an organization’s networks, rather than teaching a generic approach of attacking and defending networks.
Such organization-specific training should be conducted by active security practitioners - specifically, existing offensive and defensive teams who are intimately familiar with in-house tools and past incidents. They would be best qualified to share vulnerabilities and issues that they themselves uncovered. Although it is not scalable to have every instructor be an actual practitioner, there must be a fair balance so the entire team can learn from their experience.
Create a feedback loop
Teaching organization-specific case studies creates a self-sustaining feedback loop, where knowledge flows between new recruits and those working actively in the organization. As team members become more experienced, they in turn pass their knowledge to even newer teammates.
However, this knowledge transfer must be facilitated deliberately. Too often, security teams let it happen ad hoc, and leave less experienced team members to learn on their own outside the organization. In short, a robust learning mechanism must exist by design, not by accident.
Once this feedback loop is in place, organizations should focus on ongoing upskilling. Every organization’s tech stack is constantly evolving (just look at the new policies added by cloud providers every year!), and the security and education aspects must keep pace as well.
Our Cloud Security syllabus covers the 5 most commonly used AWS components, but there’s still much more to AWS!
Correspondingly, curricula should be updated at least quarterly. If external vendors are involved, their material should also be updated constantly to include the latest and most damaging attacks.
Compete globally
Lastly, we highly recommend that security teams participate in global competitions to measure competency. Cyber attacks happen globally, and participating in international competitions helps teams benchmark themselves against a global community to understand where they are and how they can get better.
2. Instead of aiming for invincibility, build resilience with a focus on attacker techniques
Currently, most cyber security education seems to focus on making networks completely invincible, which is impossible - remember the attacker only needs to win once.
Instead of aiming for invincibility, we recommend organizations discuss the assumed breach and focus on safely handling cyberattack situations. This paradigm leads to better insights - extrapolating from the assumed breach can result in policy changes that protect the organization better. For example, by reviewing an assumed breach, an organization may decide to bake the principle of least privilege into every aspect of design, architecture and implementation. This ensures that even if a breach does happen, it is both localized and can be detected extremely fast. As a result, the organization can revert to its safe posture in minimal time. Another example is for organizations to institute a comprehensive backup policy, such that damage is limited if a ransomware attack occurs.
Resilience is also built by focusing on offensive techniques and a practical understanding of attacker TTPs. It is a common bias that complex and expensive technologies are inherently more secure. Many defenders and even pentesters/red teamers typically do not spend enough time to understand techniques that hackers are using on the ground, leading to a false sense of security.
Thus, when it comes to training, organizations should focus on attacker techniques. For example, incident response and forensics teams must understand which attacker tools are used. It should be mandatory for team members to download these tools and try them out against their own environments in a red teaming exercise, or in simulated environments where one can fully understand the resulting indicators of compromise. This rids teams of the false sense of security and instead engenders resilience.
Lastly, employers should conduct practical exams when it comes to hiring. Seeing a candidate navigate a live exam will reveal how seasoned they are in the latest tools, techniques and procedures. Instead of relying only on certification, hands-on exams ensure that candidates’ skills are not based on random trial and error.
3. Cyber security education should be baked into the entire organization
Outside of technical teams, cyber security education should apply to the entire organization. We have identified 2 commonly neglected areas:
Social engineering and physical security
Social engineering is easier than ever today with social media. For example, with LinkedIn being a treasure trove of information, social engineers can easily scope an organization and map out its entire hierarchy, almost to the extent that they know what each individual is working on (at least from a technical standpoint). Given that most professionals want to showcase their technical achievements, it is easy for attackers to find out exactly which antiviruses and security products are procured - information that isn’t available otherwise.
Furthermore, social engineering training is absent in most organizations, most of which also lack policies that define what employees can reveal on social media. Neither is there any regular evaluation of employee LinkedIn pages. All these increase the risk of gullible users giving away critical information, which can lead to partial or full compromise of networks.
We have also observed increases in targeted “recruiter attacks”. In such attacks, an attacker claiming to be a recruiter from a top company (think Google or Facebook) contacts an employee on the pretext of hiring them. The “recruiter” then asks technical questions and the victim, in their zeal to impress, gives away information about architecture and other sensitive details.
Sometimes, that dream job interview is too good to be true. Photo by Dylan Ferreira on Unsplash
Organizations also cannot neglect the physical part of social engineering. In a culture where no one is used to looking at office badges, it’s easy for someone pretending to be a delivery man to break into a building. In a previous enterprise pentest, we also tried sending routers as gifts to top executives. The routers were backdoored, and many of the top execs ended up plugging those routers in their own homes.
There is a perception that technical professionals are somehow exempt from social engineering attacks, but at the end of the day, human beings are innately susceptible to social engineering - hence the need for rigorous policies to combat the bias.
Process and policy
Cyber security education should be imbued into existing policies and procedures. One familiar example is the adoption of new technologies. Companies often let IT, developer and QA teams take the center stage while security teams remain external. The security team only gets involved when there is a security-related test, but by that stage of adoption, it may be hard to fix inherent vulnerabilities.
Instead, when adopting a new technology, organizations should bake in the security aspect from the design phase onwards. For example, if an enterprise is adopting IoT networks, it could set up a task force that investigates IoT security and educates development teams on it. Rather than letting adoption gallop ahead blindly, the task force can also design policies on how to manage and police the new IoT devices.
Similarly, if an organization already has security controls (e.g. Identity and Access Management), they should be used. Due to lack of discipline or prioritization, existing controls are commonly neglected, resulting in a larger attack surface. Not using security controls also facilitates internal threats and provides rogue employees with the opportunity to cause reputational and financial damage.
In summary, rather than limiting cyber security education to just cursory security awareness training, ensure that it is imbued into every aspect of the organization, for technical and non-technical employees alike.
How INE and Pentester Academy Can Help
Overall, evolving the education strategy for an organization is a long-term move. But done right, it results in massive dividends for your team and your organization's security. Together with our partners at INE, here’s what we are doing to help enterprises with their cyber security education program:
Hands-on training on offensive techniques, covering the latest topics
We offer comprehensive cyber security training for both beginners and professionals. In line with the above philosophies, our syllabus focuses purely on practical offensive techniques.
By subscribing with Pentester Academy, students gain access to the AttackDefense lab platform, where they can perform - and understand - attacks based on scenarios authored by practitioners. Topics covered include the latest technologies such as AWS, DevSecOps, Windows, Linux and more. Our latest labs are on AWS, where students can pentest in a dedicated sandbox environment without the hassle and risk of using personal AWS accounts.
Annual subscribers also get to access bootcamp recordings.
We also conduct live online bootcamps — intensive courses where students receive guidance from an experienced instructor. Each bootcamp lasts 4-6 weeks, heavily emphasizes hands-on practice and includes a certification exam.
For more, check out our website or contact INE’s sales team for enterprise solutions.
Red Team certifications
To help hiring managers make better decisions, we also offer hands-on certifications via our Enterprise Security Labs, which cover Active Directory security. Our certifications can only be earned after a practical exam, and also focus on offensive TTPs. Find out more here.
Pentester Academy’s Certified Red Team Professional (CRTP) declares your expertise in attacking and defending real-world enterprise Active Directory environments.
Going beyond pentesting with INE
Although pentesting is critical in cyber security, a versatile security team needs to have multifaceted skills. That’s where our partners at INE come in: with a wide range of content, INE’s syllabus - which includes everything from data science to Azure - complements the Red Team techniques we teach. Check out INE’s free trial here.