Breaking into a building, accessing the hidden world of a rogue intruder, and other “war stories” were shared at the third edition of the Cyber Risk Meetup, held on 1st November, 2018 at JustCo in the heart of Singapore’s Central Business District. The sell-out event was co-organized with ICE71, the region’s first cybersecurity entrepreneur hub founded by Singtel Innov8 (corporate venture capital unit of Singtel) and NUS (National University of Singapore). Security practitioners and enthusiasts networked and shared best practices, thoughts and experiences on defending against the rapidly growing cybersecurity risks in the region.
The keynote covered lessons learned from Red Teaming exercises. As opposed to traditional assessments such as Penetration Testing, which may be scoped to focus only on technical risk, Red Teaming assesses the organisation’s business risk and its ability to detect and respond to incidents.
Privasec’s Chief Offensive Officer and leader of the Red Team, Karan Khosla, revealed two real-life case studies and the role social engineering played in gaining unauthorised access to buildings and secured areas.
Most non-practitioners may over-estimate the effort and time spent on the actual attack phase, but in fact, he said, “most of the cases, reconnaissance takes up the 90% of time”.
Typical techniques to bypass physical access controls include looking legitimate (e.g. putting on official-looking uniforms), tailgating (following smokers back into the buildings via fire-exit doors), and claiming false credentials when requesting information such as access cards (and replicating them).
Another common technique is phishing, used to extract confidential information such as user IDs and passwords. In a case recounted by Karan, the password opened up access to a master mailbox that led to several inboxes of the senior executives.
The key to defending and protecting against these social engineering attacks is identifying the weakest link – and usually this means enhancing the security awareness of staff.
This was one of the key messages of the discussion panel.
Panelists Steve Ng (Lead, Digital Operations & Platforms, Mediacorp), David Robinson (CTO, STT Connect) and Viktor Pozgay (CISO, Avaloq Sourcing APAC), moderated by Shamane Tan (APAC Cyber Security Advisor), emphasised that whilst the sophistication of attackers and the number of breaches are growing, there are basic cyber hygiene measures that can be adopted by everyone.
Exercising caution over the use of devices such as USBs, and adopting encryption when transmitting confidential and sensitive information, are some well-known examples. Interestingly, while brute-forcing a password may be a way to access a Google email or Hotmail account, most hackers seek to reset passwords instead, relying on answers found on social media to security questions such as “what is your pet’s name”. The lesson is that whilst secure passwords are critical, divulging as little personal information as possible on social media or other public platforms is also crucial.
Key best practices for enterprises were also highlighted during the 30-minute panel discussion.
Gaining senior management level buy-in into cyber security policies and strategies is a priority, according to Viktor Pozgay (CISO, Avaloq Sourcing APAC).
Rapid remediation is an important defence when there is an incident. “When you have an intruder in your network, the question you need to ask yourself is how fast can you remediate”, and “if you find that it takes you weeks to patch, start making changes now”, said David Robinson (CTO, STT Connect).
Engaging a variety of vendors for different parts of security is also part of effective security risk management, to minimize single points of failure whether through legitimate or illegitimate methods, according to Steve Ng (Lead, Digital Operations & Platforms).
“People is your most important asset”, Steve said. Incidents need to be identified as early as possible, and staff who are knowledgeable, with the right skills and experience, would be able to identify early warning signs and any anomalous behavioural patterns. “No one does the attack on day 1, there are leading indicators”, David agreed.
So, whilst the weakest link may be the staff, they are also key to protecting the organisation against attacks.
“Educate your people”, said Steve. Indeed, raising awareness of the cyber security landscape and the part that everyone can play in protecting the organisation is the best defence.