At work we have the opportunity to get someone in to do a workshop or presentation on cyber security for the whole Technology team (ie technical people who know what phishing is and have probably heard of SQL injection, but not security experts).
Anyone recommend any topics for an interesting/entertaining one hour session, preferably interactive rather than lecture?
Exploit hopping, ie how layers of exploits are built upon to get to the end game.
Just how much of your phone profile free WiFi networks can access, and how much of the rest of your day that might affect.
I like both of these, thanks.
@peterno51 your description of "exploit hopping" reminds me of that Mat Honan piece from a few years back. Is that the kind of thing you were thinking of?
Similar, a good example, and you'll find loads of detail on, is Stuxnet.
The malware has multiple components each building upon the first, each getting more specific. Once access is gained through various levels of restriction and higher and higher up the tree towards whatever the malware writer is targeting.
Another example is the BA hack last week where, I think, it was a third party's embedded code in the BA website that was compromised rather than the BA site itself. This may have been simple to run but it would have required levels of hacking to get the malware code into the third party.
https://en.m.wikipedia.org/wiki/Stuxnet
If you've got a Tech team, presumably they're up to speed with developments in technology? I had cause to look at the IoT not that long ago and given its potential pervasiveness it could give rise to some interesting discussions about where the balance lies between increased connectivity and increased exposure to cyber attack. Imagine getting hacked via a hairbrush!
Or if they like geeky stuff get someone in to talk about cryptography?
Social engineering. Typically much more effective than the latest 0 day...
Ask if they have any red team examples (where an organisation pays a bunch of security professionals to break in using whatever means necessary). Heard a great example at a conference lately where some red teamers were sitting outside an office thinking how to get in when they had a fire alarm test, everyone duly piled out into the car park.
The hackers then sent an email to all users (which they were able to find from LinkedIn): "Dear Employee, Thanks for taking part in the fire drill. We'd like your feedback on how it went. Please click here to fill out 3 questions". The link went to a corporate branded website, set up by the red team with the company logo etc., with a fake "Enter your corporate username and password" box. Job done.
Does depend what they already know and what security related stuff you already do. If you don't already do them then I'd do a sort of red team exercise but more all hands on going through basic stuff that would be part of a normal red team exercise so they can see what's involved and give them food for thought. Would take more than an hour to get much value from it and you'd need to do follow up stuff (inc. eventually doing a red team exercise).
But also depends what your business is, where your threats come from, what technologies you use etc. as to what would be interesting/relevant. An hour really isn't much time to do anything other than skim the surface of cyber security unless you pick a very specific & relevant topic and deep dive into it.
https://www.ncsc.gov.uk/ is the UK's over-arching gov security org now; having a skim through some of the topics they cover in articles and blogs might give you some ideas too.
What can be done to detect that you are being compromised (once the edge and device protection has been circumvented), and how you go about designing and implementing apps and infrastructure to allow you to understand what's happened, how it's happened and what infrastructure, apps and data have been compromised.
Based on: "doing stuff" to "keep them out" is "easy", but you'll find answering the question "how did it happen and what's affected" is much, much harder if you've not expended any energy in that direction.
Defender's advantage
Tales from a social engineer
IoT - just because you can does it mean you should?
A brief history of encryption (it's pervasive these days but how did we get where we are?)
It's always good to get some people in to talk about ethical hacking and show some examples of the escalation of a hack from one small exploit to full domain control.
Brings out the simplicities of it if you know what you're doing and the business is lax in certain areas.
Have a section on Cyber liability insurance. The financial implications/fines for breaches and covers you may/should consider.
Lego cyber crime?
http://decisions-disruptions.org/
Decisions & Disruptions is a tabletop/role-playing game about security in industrial control systems. D-D players are tasked with managing the security of a small utility company: they are given a budget that they can spend among different defensive options.
Decisions have to be made, taking into account a number of potential threats, known vulnerabilities of the infrastructure, past and ongoing cyber attacks, and of course budget limitations.
The game is to be played with 3 to 5 players plus a Game Master who directs the players, enforces rules and tells the game's narrative.
Some great food for thought here, thank you Singletrackers.
How about a bunch of Pis set up with honeypot distros and some real live cracking? Maybe one or two as a demo, then a couple more with cryptic hints on what to look for.