…says Laura Kankaala, Security Consultant at F-Secure. She was one of four females at this year’s Disobey event in Helsinki showing how cyber security is done.
Their ‘Think Security Workshop’ was one of many events under the ‘Future Female’ umbrella. This organization aims to bring technology topics to ladies. The room was packed with mainly men.
F-Secure’s Christine Bejerasco (Consumer Security), Laura Noukka (Senior Risk Management Consultant), and Karmina Aquino (Labs) also led the workshop.
“It’s fun taking things apart,” remarks Laura Kankaala. “I’m trying to proactively secure everything within risk and privacy management so she doesn’t have much to do,” Laura Noukka adds, “but she’s succeeding.”
32 participants were divided into four teams of eight people, with attackers and defenders pitting their wits against each another.
Business at stake
Attackers, who had more resources, were ambitious outsiders trying to harm or gain assets on a network and systems owned and run by a subcontractor for a health company. Cyber security experts investigating, detecting, and preventing cyber threats and risks were the defenders.
The exercise’s scenario was as follows: the government has informed the CISO of a healthcare service provider of an upcoming security assessment so that company can be accredited.
In three months, the government would hire their own security consultants to check the service provider’s network and systems, and Government accreditation would mean even bigger business for them.
The CISO immediately got into action and hired a third-party GDPR-experienced cyber security firm to ensure that they pass the government’s security assessment by carrying out their own appraisal, and assisting them in securing their systems.
Several medium-sized hospitals in Finland have contracted UltraTerve to be the service provider of secure information storage for health information. UltraTerve is the go-to service for hospitals that cannot afford to hire their own team of IT security experts.
“The idea of the workshop is to learn how an attacker thinks so we can defend and to figure out weak points in the network that could be potential attack points,” says Christine Bejerasco.
The post-mortem
“I think they [the teams] did well. They really internalized the problem and were very engaged with the issue at hand.”
Each team had similar and unique methods and came with some enlightened ideas, including OPSEC (operations security) training the people at the company under attack – something defenders suggested.
“Typically, we think of technical solutions and we forget that people are actually part of the picture, and social engineering can bypass our strongest defenses,” Christine comments.
Saturday’s workshop, which the defenders won 6–5, brought some surprises too.
“I think none of us expected this given that the infrastructure was weak and they had fewer resources,” says Karmina Aquino.
There was also an undercover element, with HR personnel observing and scouting for talent.
“I stopped at each in order to notice who are the proactive ones, who are the ones to bring the most ideas, who is the leader, and who are the followers, etc.” explains Domnita Lungu in F-Secure’s Talent Acquisition section.
“This is because at the end of the day we don’t just hire a technically-skilled profile. But a person and how they behave in a group situation with a challenge at hand can reveal a lot about their personality, as well as ways of working and interacting with their colleagues.”
Photo courtesy of Mikael Peltomäki/Disobey
Categories