
Paper Tigers

Cheating Cybersecurity Exams: Paper Tigers


Cybersecurity certification exams are not easy to pass. According to Concise-courses.com, 70% of surveyed CISSP test-takers reported that the CISSP exam is “difficult.” As such, some individuals seeking credentials in the field of cybersecurity have looked for ways to cheat their way into certification.

These cybersecurity exam cheats (also known as paper tigers), however, cost everyone – the company issuing the test, those offering credentialing, and the cybersecurity industry at large. And, in the long run, they certainly don’t pay off for the student.

Dirk Groben, a cybersecurity professional who passed the CISSP exam on his first try, reports that “the exam was very difficult because it’s wide-ranging and does not just include technical information security. It’s a matter of understanding the whole picture for security and not just looking at parts. This new vision increased my professional experience with IT-Security cases. I did pass the first time but really took the full exam time of 6 hours.”

One might ask the question – why would students who are seeking entrance into the cybersecurity field – a field that strives to maintain the integrity of systems – find themselves willing to cheat on a credentialing exam? Proctoru.com attributes the willingness to cheat to pressure. “Pressure from parents. Pressure from peers. Pressure to keep scholarships. Today’s high school students face massive amounts of pressure to do well so they can get into a good college, then to do well in college so they can have a sturdy, competitive career afterward. Some students will go to any length in order to not disappoint their parents or themselves.”

Though cheating one’s way through a class or into a job might sound like a workable solution to a desperate student, in the long run, online cheating venues don’t offer any guarantee of a pass, nor do they ensure a test-taker’s success in the cybersecurity field. Unfortunately, however, resources for online cheating are readily available.

Cheating Online Proctoring. Source: http://www.executiveacademics.com/single-post/2016/1/5/Beating-Cheating-and-Defeating-Online-Proctoring

Executiveacademics.com released an article in 2016 that essentially teaches test takers how these cheating resources work. The article states: “We signed up for a few classes that required multiple proctored exams in an attempt to determine the best way to game the system for different online proctoring companies. With a bit of creativity, we designed a way to cheat online proctoring sites using a specific hardware set-up and a “helper” person.”

Other common ways to cheat include capturing the test, using a small-button camera, or utilizing brain dumps found online. What are brain dumps? Margaret Rouse, with Whatis.techtarget.com explains: “someone who has taken an exam might perform a brain dump by writing out as many of the questions as they remember, for distribution as a study guide for other people who intend to take the same exam.” According to Rouse, “brain dump Web sites for exam preparation purposes are fairly common, especially for computer-related certification programs.”

Though some brain dump sites manage to avoid detection, the risk of getting caught in a brain dump cheating scandal is steep. Rouse describes an incident that occurred in January 2003: “Robert Keppel was sentenced to 12 months plus a day in prison and fined $500,000 for maintaining a brain dump (cheatsheets.com) that sold Microsoft Certified System Engineer (MCSE) and Microsoft Certified Solution Developer (MCSD) exam questions.”

The ready availability of cheating mechanisms, and the willingness of students to seek them out, presents a major issue for test administrators, credentialing bodies, and for the cybersecurity field. The more cheating that takes place, the shakier will be the skills and professionalism of those holding certifications. According to Securelink.com, when it’s proven that cheating on a particular platform is possible, the vendor can suffer “brand damage, questions about its tech, and the ability to offer secure services.”

What can governing agencies do to control cheating and ensure that those endowed with cybersecurity certifications legitimately earned those credentials? Kenneth Brown, an Associate Dean of Undergraduate Programs for the Business School at UI, explains on ProctorU.com that accountability is difficult to enforce because of the difficulty that regulating bodies face in going after companies that facilitate cheating. “They are not U.S.-based,” says Brown. “They’re not tangible, necessarily.”

But cheating one’s way into a cybersecurity field that aims to prevent crimes via security breaches is a poor beginning for any IT student. Test-takers must realize that scamming the system to find brain dumps or access test questions may not even help when it comes to passing a certification exam. The reason certification exams are in place to begin with is to allow an individual to assuredly prove that he or she has the skills needed to do the job. Cheating through a cybersecurity exam does nothing to equip a candidate to handle the actual, challenging work of cybersecurity. Dirk Groben, with IT solutions, states: “I’ve read books for CISSP examinations. But forget the brain dumping stuff. The exam is about thinking different.”

If you’re thinking about cheating an exam, do yourself and the industry a favor and self-identify as a paper tiger.

Your Cybersecurity Methods Are Failing – Here’s Why

As much as every organization wants to believe it is cyber secure, the reality paints a different story. Cybersecurity methods continue to evolve with an emphasis on tactics and technology. This progression by companies and government agencies follows the cybersecurity status quo that it’s a hardware and software issue.

And that’s just a complete disregard for the real problem. If you want to know why your cybersecurity methods are failing, it’s because it’s a people issue. This is a major theme of my book, The Smartest Person in the Room. It’s a reality that most organizations don’t want to face. Not because they don’t accept this notion; it’s because they don’t even have an awareness of it!

The Cybersecurity Landscape Points to Failures

There is plenty of available data and statistics that illustrate failures. They don’t necessarily lead to the why, but they are important for context nonetheless. Cybersecurity risk is growing, and incidents are increasing.

If you’re in the industry, these numbers aren’t new to you. However, that doesn’t mean they shouldn’t be eye-opening. The numbers continue to trend up, and an organization’s go-to for this is money and defenses.

Cybersecurity Method Failures Aren’t About Spend or Defenses

Cybersecurity budgets keep increasing. Financial services, one of the most prone to cyber-attacks, spend 10% of their IT budget on cybersecurity. Tech giants like Microsoft spend even more. The company’s CEO said they would spend more than $1 billion. Government spending is up as well, with the 2019 budget for the U.S. at $15 billion.

It’s not a money problem. Dollars are essential to fighting the cyberwar, for the best technology, talent, and infrastructure. Unfortunately, many organizations believe that if they spend enough, they’ll be free from attack. High budgets do allow for more technology and people, but that doesn’t always equal a successful program. Companies often learn, when something goes wrong, that money and processes don’t make their networks impenetrable.

All you need to do is look at the SolarWinds hack, which led to the infiltration of at least 18,000 government and private networks. It illustrates the weaknesses of supply chain security and certainly didn’t happen because they weren’t spending buckets of money. There’s no definitive answer on what the failures were for this case, but in looking at alternatives, it could turn out to be a people problem.

One possible line to draw: the former Chairman of the Joint Chiefs of Staff said of probable cyber attackers, “If they know that we have an incredible offensive capacity, it should deter them from conducting attacks on us.”

The position was that if would-be hackers knew the prowess of the U.S.’s cyber arsenal, they’d cower. That didn’t really work out very well and points to a larger problem within the cyber community. This example in no way characterizes these experts as incompetent. Rather, it shines a light on the culture of cybersecurity.

What’s the Real Reason Cybersecurity Measures Aren’t Working?

As I said in the introduction, it’s the people entrusted with the security. It doesn’t necessarily mean they aren’t knowledgeable or don’t have training and experience. The profession is broken. Those who are practicing cybersecurity and the leadership that manages, hires, and recruits them need a reset.

Here’s why you’re failing and what you can do about it.

Cybersecurity Professionals Aren’t Passionate

Most would say that to succeed in a career, passion is necessary. If you look at those who have achieved great things in any profession, it wasn’t their intellect alone. They had the drive and were invested in their work. Most cybersecurity professionals don’t have this. They don’t take it seriously or simply want to punch a clock. They believe it’s a stable career and do the minimum.

On the other side, cybercriminals are passionate. This is their livelihood, and they treat their endeavors like Olympians chasing gold medals. When there’s this kind of imbalance in protectors versus perpetrators, the hackers are going to win.

The Prevalence of Paper Tigers

Paper tigers in cybersecurity are diluting the profession. What it means is they look good on paper — they have a certification or multiple ones as proof that they know what to do.

Unfortunately, they don’t.

They have very little real knowledge or experience. Organizations hire them, and they immediately become a risk, not a value. They don’t know what they don’t know, and that’s scary. Paper tigers also tend to have fragile egos, so they’ll never admit they don’t have the answer or understand the situation. They’ll keep backpedaling and become defensive instead of being communicative and collaborative.

The situation becomes worse as paper tigers hire paper tigers. Then you have a whole team of “professionals” that have no idea how to protect your data and infrastructure.

A Culture of Insecurity

As I just touched on, paper tigers are insecure. So are many in the profession, regardless of their skillset. Technical folks take a lot of self-worth and value in their career, and that would plummet if they suddenly admitted they weren’t the smartest person in the room. They feel they have earned their way because they have the certifications or degrees on the wall.

Insecurity means people are closed off from learning and growing. Their blind spot keeps getting bigger. In turn, they begin making cybersecurity methods more complex and complicated, believing only they know how to apply them. Such a framework doesn’t provide any guarantee that you’re free from risk. In fact, it can make you less secure. It’s like having 10 locks on your door but leaving it wide open. It’s an illusion of security.

Insecurity and Fear Lead to Posturing

Those in charge of cybersecurity also have fear mixed with insecurity. They are fearful that peers or leadership will find out that they don’t have all the answers or experience. So, they counter by posturing. The posture they present is that they “know” what’s going on and how to be cyber secure. This defense mechanism results in using big words and overcomplicating the basics. In reality, there are five CIS (Center for Internet Security) Controls that will stop 85 percent of all attacks. Further, cybersecurity professionals who posture don’t even cover the basics:

  • What do you do?
  • What are you trying to protect?
  • What’s important to the business?

Paper tigers and insecure people aren’t going to ask any questions! They’ll just start laying out jargon and puffing their chests. They only want to seem like they have it under control when there’s a fire in the kitchen, and they don’t even know what baking soda is.

The Biggest People Problem? Communication

There’s a consensus among many that technical people have bad communication skills. That’s not universally true, but I would say it’s the biggest people problem in cybersecurity. They are long on jargon or buzzwords and short on substance.

They also often can’t articulate how and why they do things, and they certainly butt heads with business-focused colleagues. Poor communication skills, or the lack of them altogether, is why cybersecurity groups fail internally most of the time.

If there’s no openness in communication, there’s no collaboration or teamwork. Cybersecurity has to be a group effort, and everyone must be on the same page. That’s hard when there are communication barriers.

Moving from Failure to Succeeding in Cybersecurity

Fundamentally, if your business has been the victim of cybercrime, it was likely a people problem. If you haven’t had an incident, it’s probably a matter of if, not when. In either situation, you need to make some people changes.

My approach to solving the people problem and bolstering cybersecurity is the Secure Method. This approach focuses on soft skills and helping professionals lead with their head and heart. It’s a step-by-step guide with seven parts:

  1. Awareness of self and others
  2. Mindset moving from fixed to growth
  3. Acknowledgment of self (removing ego) and others when they make positive changes
  4. Communication (words, tone, and body language): learning how to articulate feelings and situations and listening
  5. Monotasking (concentrated work)
  6. Empathy (looking at other’s perspectives with compassion)
  7. Kaizen (change for the better by being better)

I’ve given you a very brief explanation of each step. There is a lot more, including how to make it through each step. The Secure Method is actionable, and any organization can use it to solve the people problem.

You can read all about it by ordering my book, The Smartest Person in the Room. It will give you a unique perspective on cybersecurity and how to harness and develop talent to really be cyber secure.

Cybersecurity “Professionals” – Reboot Needed


Introduction

The cybersecurity industry is broken. What we have very loosely defined as a cybersecurity “professional” is not cutting it. The organizations that need cybersecurity deserve better.

This article focuses on cybersecurity certifications, yet addresses a larger issue with the overall cybersecurity industry – stringent license requirements, as opposed to certification exams that can be easily “gamed”.

Cybersecurity Certification Trend

I’ve noticed a trend that seems to be getting worse.

The trend is this:

Fewer people seem to care about the cybersecurity profession – they just want to learn what’s on a certification test so they can get “certified” and get a high-paying cushy job where no one holds them accountable.

This trend bothers me in a number of ways:

  1. Cybercriminals are winning. Cybercriminals, at least the good ones, take their trade seriously. Otherwise, they’d get caught more often. Many certified cybersecurity professionals, the “good guys”, are not really professionals anymore – they don’t take their trade seriously. This is the primary reason the cybercriminals are winning.

  2. It’s apparent the “instant gratification” wave is here. Many people don’t want to put in the effort to learn a trade anymore. They just want to study the bare minimum, pass a certification exam, get hired, then fake it at a job as long as possible.

  3. B Players hire C Players. C Players hire D Players. We’ve ended up with an industry filled with C and D players. Certified people that don’t really know what they are doing can’t make proper hiring decisions and, most of the time, let their ego get in the way. Their ego prevents them from hiring someone “smarter” than them; a new hire that actually knows what they are doing might find out that the person that hired them doesn’t know much, and has been faking it.

  4. Inflated salaries. Salaries for people that have a certification (such as the Security+), have no experience, are paper tigers, and couldn’t care less about cybersecurity are grossly inflated. This perpetuates the problem, as the lure of money attracts people, like moths to a flame, to a career field that they have no passion for and, therefore, will not develop skill towards.

  5. Cybersecurity certification classes. People that just want to pass the test are not ideal students and are difficult to deal with as a trainer. They constantly ask “is that on the test?” and say things like “why are we learning that, if it’s not on the test?”. I often wonder if certification courses are helping or hurting the industry. Alpine Security’s trainers are awesome and really enjoy helping people that want to learn, pass the exam, and make a difference, but it is demoralizing, draining, and downright frustrating dealing with people that don’t care about cybersecurity and just want to pass an exam.

Who “just wants to pass” the certification exam?

There are two main categories.

  1. People that heard cybersecurity pays well, just want to make money, and don’t care about the industry or profession.
  2. People that are mandated by their employer to have a cybersecurity certification for their job. This could be private or public sector.

Solutions

I can’t point out a challenge without offering some solutions…

Licensing Requirements

Add licensing requirements for cybersecurity professionals. Many cybersecurity professionals protect your health records (PHI), intellectual property, and sensitive personal data (PII – credit card data, date of birth, SSN, etc.). Just about every other industry has federal and state licensing requirements. If a barber needs a license to cut your hair, shouldn’t a cybersecurity professional? A cybersecurity professional protects your identity and medical records and may also be responsible for securing a hospital network and the life-sustaining medical device connected to your grandmother.

Cybersecurity has no license requirements. If I want to become a “Cybersecurity Analyst”, I don’t need a license. I can just start promoting myself as such, study brain dumps or exam crams, pass a few cybersecurity certification tests, become the “expert”, and provide ineffective cybersecurity for my organization.


For comparison’s sake, let’s look at the licensing requirements to become a barber. A barber license is required in all 50 US states to work as a barber. The barber license requirements vary by state, so I’ll just pick one for comparison to a cybersecurity analyst. I’ll go with Arkansas because I grew up there from age 12-18. Here are Arkansas’s Barber License requirements (https://www.barber-license.com/arkansas/):

Step 1. Complete a Barber Education Program

As a candidate for an Arkansas barber license that has not been licensed in other states, you must first complete a formal barber program that is at least 1,500 hours in duration.

Step 2. Apply for an Arkansas Barber Technician Certification

The Board issues barber technician certifications for students who have completed at least 20 full working days of study in an approved school of barbering and at least 20 hours of study in the sterilization of tools and the barber laws of the State of Arkansas.

Step 3. Apply for an Arkansas Barber License and Take the Required Examinations

Once you have completed the required barber program, you must apply for a barber license at least 10 days before the date of the next barber examination. The Board furnishes all applicants with the appropriate forms.

The barber examinations include both a practical demonstration and a written and oral test. You must submit a completed application, along with a certification of your completed barber school hours, before you are eligible to participate in the examination process.

Step 4. Learn About Job Opportunities in Barbering and Keep your Arkansas Barber License Current

Your Arkansas barber license must be renewed every odd-numbered year, before your birth date. There are currently no continuing education requirements for licensed barbers in Arkansas.

So, to sum it up, to be a barber in Arkansas, you need:

  • 1500 hours of training. This is the equivalent of 37.5 forty-hour weeks.
  • 20 FULL working days of study in an approved barber school
  • 20 hours of sterilization training
  • Pass required exams (plural):
    • Practical demonstration
    • Written Test
    • Oral Test

To become a cybersecurity expert in ANY state in the US, you need:

  • This section intentionally left blank…

If licensing requirements are tied to risk, it seems the risk is greater with cybersecurity professionals. I mean I certainly don’t want to get a bad haircut from an unlicensed barber. But, I’ll take the bad haircut any day over an unskilled paper tiger not securing the medical device that is providing life support to my grandmother in the hospital.


Make cybersecurity certifications practical-based

This gets rid of cybersecurity paper tigers. You generally can’t pass a practical unless you know what you are doing. EC-Council is taking this approach with CEH Master. Licensing requirements would fix this too.

Industry leaders need to step up and put purpose before profit

At Alpine Security, we are making an effort to attract our ideal students and repel the others. This is a bit risky, as we are a business and need to generate revenue. I cannot, however, in good conscience support a broken system that hurts the cybersecurity industry and those the industry supports. I’ve thought about pulling Alpine Security out of the cybersecurity certification training business altogether. This would only hurt the students and professionals that actually care, though, as I believe we offer outstanding training with trainers that are passionate about cybersecurity.

Downsides of Changing the Status Quo

I know, I know…but, what about the cybersecurity skills shortage…the skills gap we hear about incessantly every day? Won’t licensing requirements, practical exams, etc., make this worse?

Not really.

The “skills gap” primarily exists because cybersecurity is considered “white collar” (an antiquated term), where a college degree (any degree) matters. As if a college degree in political science or history makes a person qualified for a cybersecurity job? Really? I’d rather take someone “blue-collar” that has gone through 1500 hours of focused cybersecurity training, an apprenticeship, and passed a practical, written, and oral exam.

Yeah, but that’s 1500 hours? Isn’t that a lot? True, but a 4-year college degree is more than 1500 hours of time (mostly wasted) and a hell of a lot more money.

As for the skills gap, I’d rather have one person that is a professional, is passionate about what they are doing, and has a license in cybersecurity, than 15-20 people that are paper tigers.

One real tiger can easily take out 15-20 paper ones. I don’t know what the real cybersecurity skills gap number supposedly is, but if we divide it by 15-20, it isn’t that big of a deal.

What we are doing now, the status quo is not working. It’s time for a change.

Conclusion

I don’t have all the answers, but I think it’s worth opening the dialog and working to address this cybersecurity “professional” challenge, rather than pretending it doesn’t exist. Perhaps cybersecurity licensing requirements are the solution. I am willing to commit some of my time to make this happen. Alpine Security will also be more selective of students. Our goal is to help the industry and our clients, not contribute to the problems in our industry.

Here’s a simple list we developed to attract the right students and repel the rest for Alpine Security’s cybersecurity training:

Not a good fit for Alpine Security’s training:

  • Think of what you do for work as a job, rather than a career
  • Have a fixed-mindset
  • Make decisions based on your ego, rather than what is right and adds value
  • Are lazy and value short-cuts

Good fit for Alpine Security’s training:

  • Believe in a career, not a job
  • Have a growth-mindset
  • Want to make a positive difference
  • Willing to put in the time to learn a trade and become a true professional

Check out Alpine Security’s Training Schedule.

Cybersecurity Paper Tigers are Killing Us


A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can’t perform any other tiger duties.

Wikipedia defines a paper tiger as this:

“Paper tiger” is a literal English translation of the Chinese phrase zhilaohu (纸老虎/紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.


CompTIA has made the Security+ exam more difficult by adding “performance-based questions” to help with the paper tiger issue.

How do paper tigers relate to cybersecurity?

In my mind, the “paper” is often a cybersecurity certification and the “tiger” is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn’t learn any material, and passed the CompTIA Security+ certification exam, they are a cybersecurity paper tiger though.

My company, Blue Goat Cyber, gets routine inquiries about our cybersecurity training. Many people assume we will just “teach the test”. Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam “open book” and “as a group”, even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?

Cybersecurity Paper Tigers are Killing Us

Cybersecurity paper tigers are killing us for a number of reasons:

  • They don’t know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don’t actually know much, though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5-year-old if he can drive your car. He says “yes”, so you let him drive to the grocery store. The outcome will not end well.
  • They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being “found out”.
  • They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone certified that doesn’t really know anything. I’ve interviewed people with penetration testing certifications that couldn’t tell me what nmap was…
  • They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their careers, chances are they are dabblers in everything in their life.

Cybersecurity criminals are masters of their trade – not dabblers. A dabbler will always lose to a master.


The CEH Master requires a practical. Paper tigers need not apply.

What can we do about the cybersecurity paper tiger issue?

There are two areas to focus on to get rid of paper tigers:

  1. Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components. The CEH, for example, has two programs. The first is “Certified Ethical Hacker”, where you have to pass a multiple-choice exam. The second is “Certified Ethical Hacker Master”, where you have to pass both the CEH multiple-choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple-choice exam, but they will likely fail a practical exam, unless they actually learn some stuff. Learning some stuff may strip them of their paper tiger status!

  2. Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications, doesn’t mean they know the material. It’s an employer’s duty to screen applicants appropriately. The people doing the interview need to know about the certifications or be certified in those areas themselves in order to discern the paperness of the tiger. For instance, if I’m interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.

Let’s do the cybersecurity industry a favor and work to get rid of the paper tigers.