Gary Hibberd

20191128

Over the year I have been very fortunate to be asked to speak about cybersecurity at some cool places. From Leeds Natural History Museum (about the evolution of Risk) to London’s Medical Hospital (about advances in cyber in the NHS), I have presented at some interesting locations.

But today I had the opportunity to ‘bring it home’, and present in another very cool location, alongside some very interesting people too.

The Bunker

If you were fortunate enough to attend our seminar yesterday in The Bunker, Sandwich, Kent, then you already know just how impressive the physical security is. But for those who missed out, let me give you an insight into what you missed…

George & Team

The day was expertly pulled together by Jenna Bryant and George Crimmen, with George kicking off proceedings with an introduction to the format for the day, which would include a tour of the facility itself.

George set the scene by explaining the title of the event: “Hacked in 39 Seconds”. He explained the research which came out of Clark School, University of Maryland, which shows an almost constant rate of hacker attacks that we experience every minute of every day. “So, when people say it is just a matter of time, they’re not wrong. It could be you in the next 39 seconds!”

The purpose of the day was to raise people’s awareness around the risks associated with cybersecurity and expand thinking beyond technology. But importantly the intention was to offer pragmatic advice and guidance, which people could take away and act upon immediately. And with this, George introduced my-good-self to the platform…

Cyber Risk Management

Anyone who has seen me present will know I always start by stating clearly that it’s not my intention to sell ‘FUD’ (Fear, Uncertainty, Doubt). But we need to be honest with ourselves and take responsibility and accountability for our actions.

I covered a brief history of cyber, and a look into where we are today with the ‘Internet of Things’, and where we are headed. Here I explained how the IoT can be ‘weaponised’, and can be turned against us, because we’re not thinking deeply enough about how secure these devices are or what they are doing to us, and for us. To put it simply, we need to think beyond the obvious when it comes to cybersecurity; we can’t just hand it to the IT department and expect them to fix it!

What is required is a more holistic approach to Cyber Risk Management. This means moving beyond the technology, and almost seeing this as secondary to cybersecurity.

We asked attendees to consider risks associated with:

  • People
  • Premises
  • Policies
  • Processes
  • PCs
  • Providers

After giving them just a couple of moments to pause for thought, we asked them to take this question back to their workplace to consider with their teams. (Perhaps you could do the same in your organisation?)

Once finished, I handed over to our next speaker to give us some tips and advice to help protect us and our own lives.

Aimee Payne

As part of the Kent Cybercrime Police unit, Aimee’s role is multifaceted. I think it’s fair to say that helping to raise awareness of cybersecurity is not easy, but it’s vitally important if we are going to reduce the number of victims of these kinds of crimes.

Aimee expertly described the current landscape and what the key risks are, from the ‘script-kiddies’ and the organised gangs to the insider threat posed by disgruntled employees. She explained the motivations behind some of the more well-known cyber attacks.

Aimee gave those in attendance some fantastic ideas on how to improve their own personal security, and sound advice that they could take back to their workplaces. She emphasised the importance of engaging with staff, making the point that “People are your first line of defence.” Aimee advocated the use of cyber champions. I would agree with Aimee in part here, but I think if you get your education, training and awareness right then EVERYONE can become a Cyber champion. Of course, this takes time, so start simply and move forward.

Aimee continued to offer practical advice, information and tools (like ‘HaveIBeenPwned’) that help you to identify if your data has been involved in a breach. Some may be aware of these tools, but some may not, so why not take a look if this is new to you, and while you’re at it take a long hard look at your use of social media. “It’s amazing what people give away on social media… usually information that helps hackers to guess your passwords.” Sobering words indeed.

Time for a tour

Now it was a chance for delegates to have a tour of The Bunker and see what we have to offer. Guests were given a briefing about the security of the site and taken on a tour of the facility. George, ably assisted by Adam Ruffle, took the guests into the depths of The Bunker, giving them detailed information about the levels of security, and the considerable investment which has been made to make the site an ultra-secure location.

As George said, “Housing highly sensitive Data, our clients expect us to maintain not just physical security controls, but operational controls too. That’s why we’ve collected the necessary external certificates (such as ISO27001 and PCI DSS), so that you can rest assured that your Data is secure with us.”

Simon Fletcher

Once back in the room, it was over to Simon, to give us an insight into what happens when organisations don’t protect their technical devices. As the head of our ‘DETECT’ division, Simon explained that what his team do is to give organisations assurance that their technical infrastructures are secure.

Simon explained, “We help you sleep better at night, by giving you confidence in your technical controls. But if we find anything wrong, we can provide advice on how to fix it. What we do is complex. But what we provide isn’t complicated; it’s peace-of-mind.”

For those in the room, Simon illustrated his point perfectly by telling us of a recent case where a company had been attacked, and his team were on hand to assist. The story gave a fascinating insight into the mind of a hacker and how businesses can be left vulnerable when they don’t invest time, resource or money into the protection of their systems.

“Often when we carry out a Pen Test, we know that at some point we’ll come up against some resistance. On this occasion we were able to take over the entire network of the affected company within a few minutes. Within a couple of hours, we had access to everything. 

It was like a house with no doors or windows. They were completely exposed to the outside world.”

Simon went on to explain how they helped the client and got them back up and running. But it illustrated that the affected person had been left exposed not simply because of IT, but because of poorly configured IT, provided by someone who doesn’t understand cybersecurity.  Ignorance really is a dangerous thing.

Over to you… Andy Hague

And so it was at the end of the session that Andy Hague, the CEO of Cyberfort, provided an insight into why he believes what Cyberfort provides is so important.

Giving example after example, he illustrated how the C-suite appears largely ignorant of the risks around them, or where they are aware, are still putting too much emphasis on technology. Andy couldn’t attend the earlier sessions, so it was interesting to hear him, in places, echo the words of George, Aimee, Simon and myself. This illustrates there is a common theme running through what we are all saying:

  • Ignorance is not bliss – it’s dangerous
  • Awareness across the business is vitally important
  • Knowing you can trust your providers is key

Andy went on to tell us a truly jaw-dropping example of hacking, which involved a clever bit of marketing and a USB stick. The details of this I cannot share with you here, but if you get the chance to hear the story it is breathtakingly simple, with far-reaching implications.

Our conversations continued into discussing cybercriminals’ methodology and even began to discuss the Dark Web, an area in which Andy, Simon, myself and the team have varying levels of experience. But as we neared lunch, we knew people were hungry, and this was a topic that deserves a whole session of its own… maybe next time?

Finally, & in conclusion

We ended as we began, with the final words going to George as he provided an overview of who Cyberfort are and the three pillars: Advise, Detect and Defend. Bringing things to a close, all that remained was for George to thank everyone for coming and to open the lunch.

For me the whole day was a fantastic example of the power of Cyberfort, not only the physical aspects of The Bunker but it was a demonstration of the skills and knowledge of the team itself. But this skill isn’t just inwardly facing: it also means being able to reach out to people like Aimee and engage with subject-matter experts within law enforcement.

There is little doubt that putting on an event of this nature is no small undertaking, and it takes a team to put something like this together. Special thanks must go to Hayley Tyler for help with facilities, and Jenna Bryant, and George for pulling things together and hosting.

Of course, without Aimee, Andy, Simon, and the guests it would have been just me in a room, talking to myself with a lot of food. So, a special thank you to them for taking the time to come along, talk and share their stories and insights. I hope they got as much from the session as I did.

Personally, I’m looking forward to the next one already.
