February 2019 marked the start of an epic pilot project for New Brunswick education. Years of planning by many partners had gone into curriculum development for a Cybersecurity 120 course. The Department of Education, Cyber New Brunswick, industry experts and experienced teachers designed a course relevant for the industry of today and tomorrow. Caledonia Regional High School of Anglophone East School District is one of the schools in the province offering the pilot this year. Students work daily on labs, units of related study, international competition and provincial competition. The students at Caledonia Regional have found success in many of the course’s challenges.
I designed a lesson that had my students explore their physical school for vulnerabilities. Working with the school’s custodian I arranged several usually locked and latched windows and doors to be left opened. Students then searched the building for both known and unknown potential access points. It demonstrated that you can’t just assume an access point is secure and that a system of checks can result in fine security work. Grade 11 student Hope Steeves (@HopeSteeves) said of the experience “I noticed how much it was just like computer vulnerabilities. Mr. Kelly made us realize we should never assume a system is safe.” Getting up from desks and exploring a system from the inside helped students better understand how the process works with computers. Student Faith Christopher (@FirewallFaith) said “I understood it better than I would with a PowerPoint lesson. By doing this activity I could visualize the school as a computer system and the different entrance points available for threats.” Grade 12 student David Wood sums it up more succinctly by adding “Cybersecurity is like animal life, you always have someone trying to take you down.”
Projects like the vulnerability search are rarities as this pilot course has students at desks learning to protect and defend computer systems for hours each week. Learning via international competition as part of the Cyber Patriot / Cyber Titan program is now further supported by New Brunswick’s own Cyber Defence Hub competition. Students fix corrupt systems in a limited timeframe and report scores to provincial administration of the competition. These are really engaging experiences! Student Faith Christopher says about the competition “We did a Cyber Defence Hub competition and the Russian anthem started playing! We kept focussed and didn’t panic, because whether you panic or not, the same result will happen. Instead we all giggled and kept working.” Hope Steeves echoed this by saying “The Russian national anthem started playing! Our team stayed calm and had a good laugh due to pure shock really.”
Labs are at the heart of this course as students book seats in a remote training server. Labs each have documents which guide students through the configuration of local security policies, firewall rules, BASH scripting, user and group account settings, privacy settings and even remote desktop management. Each lab is mapped to a corresponding curriculum outcome through the hard work of the team at the Department of Education and Cyber NB. Hope and Faith, both grade 11s, are pursuing careers in cybersecurity directly out of high school. They are completing Computer Science 11 and 12 along with this Cybersecurity 120 pilot. This opens the door for powerful Co-op education opportunities in their grade 12 year. The school is also piloting a Mentorship Virtual Co-op program where Caledonia Regional students can use modern video chat technologies to work with experts around the world on authentic tasks while preparing for their careers. Cybersecurity is one of the virtual co-op opportunities for our rural school.
New Brunswick is positioned to be a leader in cybersecurity talent and careers. Experiences for students like those at Caledonia Regional aid the Cyber Smart movement. Our students are staying focussed on their goal of being prepared to join and aid the cybersecurity industry as soon as possible. For more information about the Cybersecurity 120 program at CRHS please contact Mr. Kelly at the school.
When teaching cybersecurity concepts in K-12 schools it can be quickly assumed that these specific skills are best left to the grade 6-12 era of education. The problem with assuming this is it disregards all of the life skills involved in a career in cybersecurity. One recent video game that I’ve found can prepare kids as young as 8 years old to excel in a future career in cybersecurity. So what game is it?
Jurassic World Evolution for the PC, PlayStation and Xbox One consoles has everything a cybersecurity company would be looking for in regards to training a future workforce starting at the age of 8 or older. Before you stop reading let me explain why. The game can teach and instill multiple skills needed to not only get a job in the cybersecurity fields but to also thrive as an employee or employer in that field.
Rated T for Teen but the world disagrees!
Disaster Response - Calm Under Pressure
Oh, no! A tornado just appeared out of nowhere and is ripping apart your carnivore cages! The ability to stay calm and prioritize your response is key. First you have to open the emergency shelters for guests. Then, you have to rebuild walls to keep the threats inside their designated areas. You have to restore power and essential services and get those ranger teams out for repairs. You know that certain dinosaurs need the correct balance of forest and grasslands so you have to replace trees destroyed by the tornado. You have to do it every time there is a storm and as fast as possible to limit your park rating drop, and to ensure guests can continue to enjoy the park’s experience outside of the shelters. It is true magic to watch an 8-year-old take a deep breath and then execute this disaster response without blinking an eye, anxiety free.
From the moment you open the park you need to have enough power, emergency shelters, feeding stations, hotels and many other aspects planned and in place. This proactive work will go a long way in preventing unwanted events later on. Do you double up the walls in the carnivore pen or is there a better solution? How much forest do the huge Brachiosaurus need and can this be fixed on the fly without risk to guests? Did you remove the dead dinosaur before it poisoned the rest of the group? All of these efforts will be tested and players can respond to the tests with new knowledge and apply better park management. You can schedule ranger team feeding resupplies, genetically make new dinosaurs in the Hammond Research Centre because you know a current dinosaur is social and needs friends, and you can even genetically alter dinosaurs proactively to better survive in their environment.
Business as Usual - Financing
All of the guest amenities in the park including bowling alleys, restaurants, arcades, bars and shopping areas need management. How much do you charge for night-vision goggles at the gift shop to make sure you maximize profit but don’t limit your market? How many staff do you hire at each location? Dinosaurs cost a lot of money to create, so is your park getting enough guest action to warrant releasing a 2 million dollar dino? Will the investment in that new dinosaur raise your park rating? Is it worth completing a “Science Mission” that will reward you $350,000 if it involves creating 3 dinosaurs you aren’t ready for and costs $240,000? Will adding a Savannah Skin Pattern to your Raptor market better with audiences? Cybersecurity is a business that also deals with huge profits and huge losses. Getting students ready to handle choices that result in millions of dollars lost or earned can better equip them for the lucrative and risk-filled cybersecurity sector as employers.
Research is the cornerstone of Jurassic Park and also Cybersecurity. If you are not up on the latest research you are not ready for the newest risks. When a dinosaur gets sick with Avian Flu, if you haven’t researched the cure (or budgeted enough money to be able to do so immediately) your 2 million dollar Brachiosaurus is going to drop dead. If you aren’t sending regular Field Teams out to dig for DNA your dinosaurs will be less likely to survive the birth in the Hammond Research Centre, or, thrive in their environment and live a full life. A virus is a threat to both dinosaurs and cybersecurity companies and research is the solution in both worlds!
Life Finds A Way!
An unwanted event is bound to happen in the cybersecurity world. Just like in Jurassic World those employed in the sector need skills and competencies that extend beyond your CISSP standards and knowledge. Creating an ideal cybersecurity employee should start early and through games like Jurassic World Evolution key skills can be learned in an effective and engaging way. Life will find a way and game-based learning of this caliber can have students ready for life at all times! We can't all live in a bubble.
A few weeks ago I took part in the Cyber Summit in Fredericton. My day started off at 5:30am so I could catch the bus to Fredericton. At about 8:30am I arrived at the Summit. It was held in a large room with round tables, a few podiums, and some screens. We got there when hosts were saying their opening remarks, and NB Power announced their new Internship program.
After the opening remarks the room was split in half: one half was Cyber Patriot and the other half was just students who wanted to attend the conference. I was one of the students who wanted to attend. Our half of the room started off with a Big Data workshop. I learned what big data is and its importance. The people presenting also gave a small demo on how you can collect data from Twitter to see what people are talking about.
Next up they gave us a small nutrition break where we could stretch our legs and talk to some people with booths. Personally I started with NB Power and asked a few questions. Then I spoke to a few universities that were being represented there, finished up, and prepared for the next workshop.
The next workshop was a lot more hands-on than the Big Data one was. We were programming LEDs with Arduinos, which was pretty easy, but still pretty fun. We had to place wires into the correct spots on the breadboard and make two LEDs blink at different speeds. In the end a student beside me actually had managed to program an RGB LED to flash in many different colours. The workshop ended pretty fast and it was lunch time. Our lunches were boxed lunches provided by the event. Mine was a veggie wrap with some cheese and crackers.
After lunch there was a panel with 5 or 6 people in it. I can't remember everyone but I know Jamie Rees from NB Power as well as Dennis Ryan from Bulletproof Solutions were there. People asked questions and they answered, and Bulletproof announced an internship program. This panel was quite informative and I feel it helped me strengthen my understanding of Cybersecurity.
The last event of the day was pitching ideas for a book. The idea was a children's novel for school students to teach them about cyber security at a young age. We had a professional artist in so we could mull over ideas with him. I found that was a fun activity, but it didn't really help out with my understanding of Cybersecurity. Our group had to leave before we finished, however, and left the other groups to finish it up.
On February 1st in the evening I was hit with some bad news. The CISSP exam that I had been studying for 8 months was now going to change. (ISC)2 released the information that on April 15th 2018 the exam would be based off a new blueprint, and the study material would be changing. This was bad news for me as before now we had planned to take my exam in June. Our first reaction was "Well let's keep going, and get the new material when it comes out." Which would have been fine, however my mentor told me that the new content takes months to actually come out, and I may have graduated before I ever had the new material. So now instead we have pushed up my exam time. It went from June to early in April. Now I need to work harder, and study more than I have before, but I am still ready, and determined to get that certification. I publish this blog just before taking the CISSP exam. My next blog will reflect on the exam process and my results.
Before I can Walk the Walk I was asked to Talk the Talk! Here's my presentation at BSides Fredericton in late November 2017. It was an update on progress so far and my goals for the future.
Let me start by saying that the organizers of the first ever BSides Cybersecurity Conference in Fredericton, New Brunswick are all class! Two gentlemen from local company Bulletproof and another experienced professional from NB Power executed a vision for a sharing conference that was well attended and kept a serious topic like cybersecurity fun and inviting even for those not directly in the industry. I had the pleasure of being a chauffeur and chaperone for Liam as he presented his experience in K-12 New Brunswick Cybersecurity Education for the first time. The following is a brief recap of the event from my teacher perspective and as a cybersecurity enthusiast and advocate.
After arriving at the hotel which covered two rooms from a tech award I received the previous year, Liam and I had local pizza delivered and then headed out to visit the venue. When we entered the hotel conference space Liam recognized Curtis (The Organizer) from Bulletproof and his colleague and supervisor setting up the venue. These two professionals spent nearly an hour chatting with Liam and sharing industry tales and hobby adventures. This in my opinion was the first time that a career in cybersecurity became real for Liam. These experienced Bulletproof staff members were both encouraging and inspirational in their dialogue focussed on aspects of cybersecurity and the training necessary to join the field. By the time the venue was locked for the night I sensed Liam was as sure as ever that these gentlemen represented exactly where he saw himself in short order. Liam headed to his room to practice his presentation and rest before the big day.
The conference started early and Liam was spooked by the suits and ties entering the venue. He must have felt underdressed for the event until the attendees who were not executives arrived. That's the beauty of BSides as it brings together company leaders, thought leaders and those who get the job done daily. The cybersecurity experience and talent in the room by 9am was impressive. The first presentation was from GNB and addressed cybersecurity from an accounting framework which seemed very logical and was digestible by those of us not in the industry. Liam then presented his experience in New Brunswick education both in personalized learning and cybersecurity education. His talk highlighted his past successes and passions, current efforts and future goals with some humour and example media included. He was followed by a tremendous presentation about using Honey Pots as a proactive cybersecurity method designed to gather intelligence that could be used by the industry to better protect data. You could tell as an outsider that these speakers were respected and valued by the audience. CyberNB also gave a welcome to the event that morning and I must personally thank them for covering the cost of my guest teacher for the day allowing this to happen. Sometimes that is what's needed to inspire years of cybersecurity effort in our K-12 schools.
After a wonderful lunch the heavy topic of machine learning in antivirus detection and cybersecurity added to the wealth of knowledge sharing and there was a cool talk about sparking engagement in cybersecurity and how that might happen best. Liam and I had had a full day and yet there was a long drive home ahead of us. We ducked out but not before I won a door prize called a Bash Bunny. To quiet the distaste of a non-industry winner I quickly handed off the tool to Liam and told him he could have it only if he would never use it against myself or CRHS or NBED. Deal! I'm so pleased I got to go to this event and though only a part of the $600 cost was covered I feel it is money well invested in personalized learning and thank those who helped wholeheartedly.
On Tuesday November 21st I had the opportunity to speak at the first annual BSides at Fredericton NB. BSides is an annual Cybersecurity conference; this particular one was run by Curtis Slade, an employee at Bulletproof aka the company that is doing the virtual Co-op. This event had multiple speakers from many companies, all with the goal of sharing the latest in Cybersecurity. In my case I was sharing educational experiences in cybersecurity.
Because this event was far away from where I live Mr. Kelly and I drove in the night before, and got a hotel. We had some pizza, ran over my presentation once or twice, but the best part of the evening was when we went down to the ballroom that BSides was held in and had the opportunity to meet Curtis Slade and Peter MacPherson. Peter MacPherson is the director of the security operations centre (SOC) at Bulletproof. Meeting him was amazing, he spoke about his different experiences, his hobbies relating to cybersecurity, and some of his tech. Hearing him talk about his experiences really energized me and it was inspiring me to try out some hacking.
The next day was BSides. I went down in the morning before Mr. Kelly. I found this frightening as I didn't know anyone there, I was the youngest person there and I have no real experience in cybersecurity. I had no idea how to talk to the people and I was really underdressed. I showed up wearing a black T-shirt and jeans and the room I walked into was full of men in suits and ties. I learned later that the way someone dresses doesn't necessarily represent the role they play in an organization.
After what felt like forever the opening remarks started, then it was time for the speakers. First up was Rick Roulette. To be honest I don't overly remember what he was talking about, as I was pretty nervous because I was scheduled after him. Once he was done I was up, and I was pretty nervous. Of the 20 minutes I had available to me I probably only spent ten.
Next up was Peter Morin, and his presentation was about honey pots. Honey pots are essentially fake servers you mix in with your real ones, but they are left vulnerable. They are used to lure a malicious hacker in. They help alert the security team of their presence and will allow the security team to watch to see how they are attacking. This information can then be used to further security in the other servers. It's like having a second house meant for someone to break into so you know there's a burglar, and you can figure out the best way to prevent them from entering your real house.
After Peter there was a lunch. It was soup and sandwiches, with cakes for dessert, however the bonding with the people there was much more valuable than the food. I got to meet more people in the cybersecurity profession, and grow my knowledge. After lunch they started to pull for prizes: there were penetration testing tools made by Hak5, a few Raspberry Pis, and a drone. I think there was more but I wasn't around for when they got drawn. I never actually won anything, but Mr. Kelly did; he won a Bash Bunny (more info here: www.hak5.org/gear/bash-bunny). Before I left we also listened to Sylvain Dumas, who spoke about machine learning, but we didn't have time to listen to the last one, and went home instead. It was a great experience, and if you are into cyber security I definitely recommend BSides.
Last Friday, November 3, the Cyber Patriot team had its first round in the Cyber Patriot X Challenge as part of Cyber Titan. For those of you who don't know, the Cyber Patriot Challenge is a competition where teams of students are given badly corrupted operating systems and it is their job to correct them. Teams are made up of 4 students and a coach. To actually do the competition, we use virtual machines, which allow you to essentially run a second computer from your regular desktop. We were using a software called VMware. Once the virtual machine is opened the clock starts ticking and you have to find as many security issues as you can in 6 hours. A simple Read Me file guides your team through the overall problem but rarely helps locate the specific corruptions. Forensics questions are also embedded, making this more than a scavenger hunt.
The timer started at 9 am EST; we had to wait until 10am due to our Atlantic Time Zone. This was actually helpful as it gave us time to prepare for what was to come. Ten o'clock hit and we got the email giving us our passwords and any other tools we needed before starting. First we booted up the Linux image, then the Windows 7. We had one team member in charge of Linux, 2 in charge of Windows, and I worked on the Cisco Networking part of the challenge.
It started off quite well. Windows and Linux were getting points left and right, changing passwords, weeding out unwanted users, checking for updates, and much more. While overseeing those systems, my additional task was to do a quiz on networking. I had about two days' experience beforehand so most of the test was answered based on life experience and my current understandings. I finished with a score of 39.15 out of 50 and earned my team 20.5 out of the 22 points for Cisco Networking.
We worked until lunch, when our coach did something amazing, and showed up with pizza. In my opinion there is nothing better than pizza after a long time working. After pizza we got back to it. After you find the initial issues it gets more difficult to find the well hidden problems. As a team we fought hard and finished with about 150pts of the possible 220 in round 1. Round two happens December 8th!
I have been at work for the past few weeks, and I have gotten through the first few chapters (Page 151 to be exact) of my Official (ISC)2 Guide to the CISSP CBK. These chapters are about Security and Risk Management, which is domain 1 of the 8 domains in CISSP.
The first topic it talked about was the CIA triad. CIA stands for Confidentiality, Integrity, and Accessibility. These three are rather self-explanatory but are very important and will be used later, so it's important to know about them. After the CIA triad it went to Security Governance. This was more complex, but it basically was talking about someone in the role of a CISSP and what their role and responsibilities are when it comes to the governance of security. Overall the content of the book isn't hard to understand, and I believe that anyone with dedication will be able to read and understand its content. I still have much more to learn from it though, as I have only made it to page 151 out of over 1000 pages. Reading is an essential skill for this program!