Go on, get Hacked: War Games in Cyber Security
7 September 2015
Christian Toon, Senior Cyber Security Expert at PWC UK
Lost in translation? You’re not alone. With Cyber, Infosec, Information Governance and Data Governance, Big Data and Information Assurance, it’s easy to get lost in the terminology the industry and media use to describe something actually quite simple: the protection and validation of information (ranging from raw data, information, knowledge to wisdom and insight) and information systems (more often the technology that it sits on, but can also include more traditional types such as paper or disk).
What has traditionally been a backroom or IT function is now front and centre in any boardroom across the world. We need to wake up to our responsibilities here. No one is safe sadly, there is no 100% security, so we have to take the best approach to protecting the business in line with our risk appetite. Be careful though, it’s a fine line to walk between business enabling security and boring, dull compliance. Treat your employees, your first line of defence, as humans, and it can be both business critical and fun.
So where is the fun? I’ll tell you, but first picture this. An IT leader goes to his boss (who will certainly sit outside of IT) requesting some additional funds. A number of IT assessments have identified some holes in the software configuration files and fall outside of what they’ve budgeted for. He needs to get some connections changed, databases streamlined and optimised. The assessments showed they had some ports configured incorrectly and that the TCP contradicts the F11K. Unless the changes are made, the risk register actions will become out of date. If auditors find this, they’ll be in trouble as they need to secure their business and protect their IT.
If you lost interest through that… don’t worry, you’re not alone. The traditional assessment – non-conformity – remediate or accept the process of testing business ‘security’ is in my view, not ‘testing’. It’s basic IT procedural hygiene or business as usual. It plays a part in a wider security programme, but if you want to really test how secure you are against hackers, organised criminals and those other unsavoury characters, you want to get yourself hacked – legitimately. This is more than just a pen test, which by definition is scoped to focus on a small part of the business. I’m talking about targeting the business as a whole, like the bad people do.
This is where the fun comes in. In the last six months we’ve seen a shift with larger, more mature organisations wanting to test out their defences with real time ‘war games’. These involve getting past the security guard or receptionist and into the office, obtaining valuable intelligence and domain access and seeing at what point their systems detect a rogue operator. It certainly gets your blood pumping when you’re about to be strong-armed into a holding room and told the police are on their way.
But this is how a committed adversary will do it, they’ll use all available sources to gather intelligence before the attack. You then look at methods used to entice users to download, click or visit content that allows you to take control electronically. This isn’t done by sending you an executable program file over email any more. It may be in an innocent-looking office file from a recognised email address, and all they need to do is ‘enable macros’ to activate the payload. USB drive drops are also common, even an aware IT administrator can be targeted with a nice juicy 256 gigabyte solid state drive. After all, who would drop one of those intentionally?
Another favourite is building a fake website, not to sell Ugg boots or Ray-Bans, but coffee and sandwiches. Who wouldn’t want the chance to earn loyalty points or free food and coffee from a shop opening up just around the corner? All you need to do is register with some personal details.
The best thing about this sort of testing approach is that things get fixed. Showing the CEO how you just got hacked and what you need to fix the problem without the unwanted attention of the media or regulators gets the focus and resources required. The holes in the critical path get fixed, because they get it. Correlating the importance of open ports and outdated firewall technology can be tough, if not impossible to do. It requires a certain level of understanding technically as well as business acumen.
Boards are realising the risk of cyber security and understand that caution needs to be taken. Don’t just buy some off-theshelf software or empty vendor promises – get some real-time assurance on the security of your business.
Fun aside, this is a serious issue. It can be confusing for the uninitiated, which then causes problems. Misconceptions of organisations risk breeds a culture of uncertainty or worse a false sense of ‘security’.
Just because you haven’t been the victim of a cyber-attack or had your information stolen, damaged or held to ransom, doesn’t mean it can’t happen to you. Ignorance here is a choice. Something Robert S Mueller, a Director with the Federal Bureau of Investigation said over three years ago, certainly brings home the truth:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
It doesn’t take a lot to get a view on the state of security at your organisation; if you’re struggling to identify who would ‘own’ this risk, then it may be worse than you fear. Speak to the CEO immediately.
Even starting from behind zero, with not having any board level accountability, you should start with the following:
• Understand the risks and threats that your organisation faces. • Identify what controls are needed to manage these risks.
• Know what is happening on your IT network, look to identify internal and external activity. • Employees are crucial to your defence and response capability. An awareness campaign that does more than the annual compliance ‘tick’ is required. There’s some really different approaches these days, making it fun and engaging.
• Be in a position to respond, almost instantly. When things go wrong even 3 days is too long to notify the people impacted.
• If you don’t have the skills and experience to deal with a breach, don’t panic. Use a reputable organisation to help you triage, investigate and recover. Get this sorted now, and only pay when you use them.
To hear more about Cyber Security, learn about the possible threats, as well as gain insight into what companies should do to protect their brands, business, and reputation with today's technolog, join the Chamber on 22 October at Collyer Bristow LLP.
Photo Credit: Global Water Partnership/Flickr, Perspecsys/Flickr,