Conference Paper

Model-driven Cyber Range Training: A Cyber Security Assurance Perspective


Abstract

Security demands are increasing for all types of organisations, due to the ever-closer integration of computing infrastructures and smart devices into all aspects of organisational operations. Consequently, the need for security-aware employees in every role of an organisation increases accordingly. Cyber Range training emerges as a promising solution, allowing employees to train in realistic environments and scenarios and to gain hands-on experience in security aspects of varied complexity, depending on their role and level of expertise. To that end, this work introduces a model-driven approach for Cyber Range training that facilitates the generation of tailor-made training scenarios based on a comprehensive model-based description of the organisation and its security posture. Additionally, our approach facilitates the automated deployment of such training environments, tailored to each defined scenario, through simulation and emulation means. To further highlight the usability of the proposed approach, this work also presents scenarios focusing on phishing threats, with increasing levels of complexity and difficulty.


... The procedure begins by analyzing the organization's system. The Assurance Tool [28] evaluates the current security level and reports the most significant security issues that must drive the following training process. Then, hybrid training programmes are produced, and tailored to the organizational needs and the trainee types. ...
... Thereupon, the experts also apply the STRIDE threat model [21] in order to capture the current security status of the piloting system, including the potential threats, vulnerabilities, and the proper deployment of the required defense mechanisms. This information is also part of the core sub-model (a well-structured XML or JSON format [28]) and offers a common and widely-used vocabulary across the whole training experience. ...
... The goal is to estimate the current security status and identify the weak points (e.g., system or behavioral vulnerabilities). The platform's Assurance Tool [28] deploys monitoring modules in the piloting system that disclose its technical features (such as the type and version of the running software or the installed hardware components) and check if it operates securely. Then, it searches widely-known security repositories (i.e., CVE) and automatically discovers the active vulnerabilities of the system (e.g., if a server uses MSQL 5.5.35, then it is vulnerable to buffer overflow attacks based on the CVE-2014-0001). ...
Article
Nowadays, cyber-security training is increasingly emerging as an essential process for lifelong personnel education in organizations, especially for those which operate critical infrastructures. This is due to security breaches on popular services that become publicly known and raise people’s security awareness. Apart from large organizations, small-to-medium enterprises and individuals need to keep their knowledge on the related topics up-to-date as a means to protect their business operation or to obtain professional skills. Therefore, the potential target-group may range from simple users, who require basic knowledge on the current threat landscape and how to operate the related defense mechanisms, to security experts, who require hands-on experience in responding to security incidents. This high diversity makes training and certification quite a challenging task. This study combines pedagogical practices and cyber-security modelling in an attempt to support dynamically adaptive training procedures. The training programme is initially tailored to the trainee’s needs, promoting the continuous adaptation to his/her performance afterwards. As the trainee accomplishes the basic evaluation tasks, the assessment starts involving more advanced features that demand a higher level of understanding. The overall method is integrated in a modern cyber-ranges platform, and a pilot training programme for smart shipping employees is presented.
Conference Paper
This work considers training needs for cyber defence and discusses the gamification of training. The use of game play mechanics will be considered with a special emphasis on strategies to encourage users to engage in desired secure behaviours. The use of games and game play mechanics has been shown to be able to make the training more engaging. Serious games may as well help increase motivation amongst learners. A possible design of a gamified training system for cyber security that complies with these requirements is introduced. Based on these analyses, the paper concludes that the approach is feasible overall.
Konstantinos Rantos, Konstantinos Fysarakis and Charalampos Manifavas. How Effective Is Your Security Awareness Program? An Evaluation Methodology, Information Security Journal: A Global Perspective, vol. 21, n. 6, pp. 328-345, Taylor & Francis, 2012.
Lagazio M., Barnard-Wills D., Rodrigues R., Wright D. Certification Schemes for Cloud Computing, EU Commission Report, Digital Agenda for Europe, 2014.
CUMULUS Project. Certification infrastructure for multilayer cloud services project, 2012. D2.2 Certification models. http://cordis.europa.eu/docs/projects/cnect/0/318580/080/deliverables/001-D22Certificationmodelsv1.pdf.