Retired Royal Naval officer Kieren Lovell shows Jeremy Swinfen Green, TEISS Head of Training, how to run ethical hacking exercises.
How can you persuade employees who work outside IT that cyber security is their responsibility? Kieren Lovell, Head of Computer Emergency Response at the University of Cambridge, has the answer.
It suits his naval background (he has served with the Royal Navy for 9 years and the Royal Norwegian Navy for 4 years) that Kieren uses a military scenario to raise awareness of cyber security. Put simply, he pits two organisations against each other. “Train as you fight”, he says, “and fight as you train.”
He asked each to cyber-attack the other organisation’s live IT system and locate possible sources of compromise, using Open Source Intelligence (OSINT) and entry-grade hacking tools available to the public, in order to test each other's infrastructure.
(Before you ask, Queensbury rules applied. All participants signed NDAs, both sides were invigilated to ensure nothing too nasty happened, and zero digital footprint was left after the engagement.)
So what happened? Both organisations selected teams. These included non-technical staff – Kieren recommends including financial, HR and admin staff in these teams, as these are the people who are most likely to be targeted by cyber criminals. The teams were instructed to find and delete critical information.
The contest began. Using tools like Shodan (the Internet of Things search engine), scanning tools, open source hacking tools, and liberal amounts of open source intelligence from places such as social media, the teams probed and tested their enemies’ defences.
Sadly for Cambridge (shades of Kim Philby here?), they were overwhelmed by the cyber-savvy Estonians. To be honest, though, there is little shame in this, given that Estonia probably leads the world in offensive and defensive cyber security. (You can find out more about Kieren’s exercise here.)
Learning from ethical hacking
What can we learn? That hacking needn’t be the domain of the specialist. Given a minimal amount of training, and using our common sense and insight, we can all do it. With the right publicly available tools, anyone can create first-rate and highly effective intelligence reports.
Using multidisciplinary teams for these hacking exercises is key. But don’t they ask “Why am I here?”, I queried. “They do at first,” Kieren agrees. “But once they have been shown how easy it is to attack people, they understand.”
Kieren will amuse and astonish us when he describes his approach to ethical hacking at the TEISS conference on Wednesday 21 February. Don’t miss it.