Takeaways from a Cyber Security Event

Last week myself, Enda Kelly, Hannah Smith, James Matchett and Andy Kirkpatrick attended an MoD Cyber Security event at the BT Riverside Tower in Belfast.

The event started off with an introduction from one of the organisers who worked for BT. He chatted about the tasks that they in BT are faced with; regarding managing the security infrastructure of the BT network. He chatted a little about various scenarios, one of which demonstrated a recent attack against a car. He explained how the hacker was able to gain access to the cars onboard computer and remotely control it over the wireless connection via the car's internal sim card.

He chatted about his background and then a little about the challenges around making sure the infrastructure that BT manage is secure. It was quite a high level overview of what they perceive cyber security is and how they approach it.

He finished off the presentation with a video detailing a pen-testing exercise where testers managed to get all the way into the server room of a business from the carpark using a mixture of techniques, such as walking straight into the building with confidence, and using cloned RFID cards. (Funnily enough, they would have been foiled had the server room been locked with a physical lock as opposed to RFID entry). Just outlines how vigilant we need to be when it comes to people wearing passes and challenging anyone who attempts to enter through a security locked door at the same time as you.

For the intermission, the organisers left out lockpicks and padlocks for us all to try and break into. James Matchett (worryingly) proved to be quite adept at this, giving advice to Andy and the rest of us on how to pick locks. I'm already googling anti-lockpick locks for my house!

Also on display was some homemade equipment that could open a door from the inside by pushing the 'string on a hook' (I'm not sure what to call this contraption) and manipulating it in such a way to turn the knob on the inside of the door. The presenter explained the importance of not leaving a trace while gaining entry. He gleefully told us this was his 'hobby'. I am glad I don't recognise him as someone who lives near me.

The second speaker was a member of the Navy Reserve Cyber Security team and he spoke about how the army, navy and other forces operate under a joint forces command and that they face threats from various actors such as bored teenagers, right the way up to nation states. 

Lastly, we finished off with a Capture the Flag (CTF) challenge that put us into groups of four. We were pitted against various local businesses and organisations and cracked on with the various challenges presented. They were broken down into categories such as Web Hacking, Forensics, Packet Analysis, Cipher/Encryption and so on. An example of one such challenge was to analyse a packet capture file in Wireshark to find that there was a hashed string, which we could then base64 decrypt to reveal the flag.

We ended up giving a good account of ourselves, finishing second overall after narrowly missing first place, which was a brilliant way to end the event, especially given the number of teams present at the event.  ???

Overall the conference gave us a significant insight into the cyber security industry in regards to protecting critical services that we were able to bring back to Kainos in order to share and develop our collective knowledge. Learning about implementing 'Purple team' methodologies instead of the conventional red and blue teams taught me the vital importance of quickening the cycle of vulnerability detection, exploitation and ultimately remediation of any vulnerabilities.

One point that was continuously touched on is the fact than penetration tests should not simply be a training exercise for the Blue Team, instead, the blue team should not be given a script to respond to or prepared especially for the red team at all. If anything the blue team should not be able to tell the difference between Red Team attacks and legitimate external attacks except for critical circumstances.

Furthermore, we should move away from the practise of allowing and disallowing the red team any types of attacks, legitimate attackers will not have any restrictions or limitations to the types of attacks they will be able to use and neither should red team so that they can accurately pick up on all vulnerabilities.

I was most surprised to find out how much of cyber security actually happens away from a computer screen, there was a real emphasis on how you can have the best firewalls and application security in the world, but it all means nothing if you cannot secure both the physical hardware and the personnel who manage it. As someone who previously believed all cyber security happens on a computer, the talks and workshops on CMOE (Covert Methods Of Entry) including lock picking, electronic access control manipulation and personal covert surveillance have made me realise how critical physical security really is.  

James Matchett, Software Engineer at Kainos