CyberCIEGE: An Interactive Tool for Information Assurance Training and Education
Presented to FISSEA, 22-23 March 2005, North Bethesda, MD
Dr. Cynthia Irvine, Naval Postgraduate School
CyberCIEGE Team
• Naval Postgraduate School: Cynthia Irvine, Michael Thompson, Albert Wong, Matthew Rose, Naomi Falby
• Students: Klaus Fielk, Ken Johns, Rob Lamore, Justin Lamoire, Marc Meyer, Tait Leng Teo
• Rivermind: Ken Allen, Bill Chinn, Scott Gallardo, Brian Morgan
• Sponsors: US Navy, NETC, ONR, OSD
CyberCIEGE Solution
• Teaching tool that engages the imagination
• Virtual world shows consequences of security choices
• Student responsible for organization IT
• Keep organization virtual users happy
• Purchase hardware and software components
• Design networks
• Configure components
• Manage IT staff
• Ensure physical security
• Require background checks for certain information access
• Provide IA training
• Ensure that security does not get in the way of productivity
• Protect organization information assets from cyber threats
• Greater asset value means greater attacker motivation
Motivation
• Information Assurance is implicit in everyone's job
• Personnel need to understand their important role in IA
• Administrators must know the security impact of their choices
• Managers must understand how IT infrastructure can support (or detract from) security policy enforcement
• Certifiers must appreciate big-picture security
• Problem:
• Training and awareness can be boring
• Good security practice is not "automatic"
• Should be like washing hands and using seat belts
• Many security measures combine for overall security
• Complexity is hard to convey and hard to internalize
Elements of CyberCIEGE
• Simulation Engine
• All security policies & wide variety of security mechanisms
• Graphics easily added
• Scenario Definition Language
• Describes how Simulation Engine runs
• Rich semantics
• Triggers for "plot twists" and to log student progress
• Scenario Definition Tool
• Supports scenario creation using a GUI
• Encyclopedia
• How to use the game, security facts, why you lost
• Movies
• Supplements encyclopedia
CyberCIEGE Use
• Student presented with objectives
• Scenario includes
• Physical setting
• Virtual users, each with work goals
• Also have happiness factors
• Enterprise assets, each with two values
• Value to enterprise
• Value to attackers
• Student must meet objective
• Secure physical environment
• Keep users happy and productive
• Apply enough security to keep attackers away
• But do not interfere with user productivity!
• Complex scenarios may have phases
• Logs record student success or failure
Example: DoD Directive 8570.1
• Create Scenario(s) to depict your organization
• Can be run in stages
• Emphasize security policy and procedures key for your organization
• Logs show student progress and success
• Scenarios for different user populations
• Awareness for typical users
• Training for key personnel
• CyberCIEGE does not replace specific HW/SW training
• Education, Training and Awareness
• Supplement existing classes
• Create new scenarios for classes
• Example: Certifier Case Study Scenarios
Meeting Mandates for IA ETA
• Mandates for IA Education, Training & Awareness
• More ETA requirements
• Resources for achieving goals limited
• How can you ensure that
• All personnel have annual IA awareness training?
• Personnel put training into daily practice?
• Make system administrators & certifiers aware of complex issues?
• Interdependencies
• Impact on organizational productivity
• CyberCIEGE is fun
• Contains hooks for student assessment
• Can be tailored to your organization
CyberCIEGE Opportunities
• Tailor CyberCIEGE for your organization
• Example: Medical/Health
• Create artwork for clinic or hospital
• Develop scenarios for HIPAA and health-specific topics
• Develop tools for automated student assessment
• Develop tools for progressive scenarios
• CyberCIEGE website for sharing
• Advanced versions of CyberCIEGE
• Wireless
• Mobile ad hoc presents changing topology and devices
• Multiplayer
• Students attack others and defend their organization
• Want something big? Combine forces!
NPS and Rivermind Seeking Partners
More Information
• Available to US Government at no cost
• Sim. Engine, Current Scenarios, SDT, Encyclopedia, Movies
• Non-government availability
• Contact Rivermind for a pre-release license
• First Rivermind commercial release: April 2005
• CyberCIEGE Website: http://cisr.nps.navy.mil/cyberciege.html
• CyberCIEGE Email: cyberciege@nps.edu
• Naval Postgraduate School
• Cynthia Irvine: irvine@nps.edu
• Rivermind, Inc
• Ken Allen: kallen@rivermind.com