Build a cybersecurity culture, but consider how easily your perimeter can be breached.
Speaking in the opening session of TEISS 2018, held under the theme of ‘Building an agile cybersecurity culture’, ethical hacker, social engineer and Redacted Firm co-founder Freaky Clown (FC) highlighted common failings in what should be highly secure environments.
These include banks, he said, which have no security gates inside, CCTV cameras pointing the wrong way and fences that are easily climbed. FC recounted one engagement in which entry was through a revolving door that required a pass to be scanned. The door's control system, however, had been left in ‘engineering mode’, a maintenance setting in which it completed a rotation automatically every 15 minutes regardless of whether a pass was presented. He gained entry simply by timing his approach to coincide with the rotation, bypassing the access control without touching it.
He also described how, once inside, he was able to walk through open-plan office space, photograph desks and unlocked PCs, and join company meetings unchallenged, including one where “they said how great they had been at security and had no breaches.”
FC added: “Make sure security as a whole works; it has to do everything or it all goes horribly wrong.”
In giving advice, he recommended enabling staff and ensuring that security is built in rather than becoming a blocker to their work. He also recommended encouraging staff to lock their computers when they step away, keep their desks clear and offer help to anyone they do not recognize, since a polite “can I help you?” is itself a challenge.
“One thing that the British are really bad at is confronting people: we’ll never say ‘you shouldn’t be in here’ as they may be someone really important so you help them and show them somewhere to sit.”
He closed by recommending that organizations find a company that will help them take an attacker's-eye view of their networks, since an attacker's mindset is very different from a defender's.
Asked for his recommendations on how to change mindsets, FC said that a lot of work can be done on changing cultural behavior, but that it is very hard to achieve unless it is driven from the top of the company.
“Security has to be treated the same across the board and not only enforced on staff,” he concluded.