Breaches are a certainty but F-Secure is training fresh cyber security consultant hopefuls to combat the online criminals.
Preventing a breach is not possible any more. Attackers are persistent and need only to succeed once; defenders must succeed 100 per cent of the time. ‘Game over’ is not an issue, however. F-Secure runs educational programs in Finland and Denmark in the art of cyber defense and attack. The recent acquisition of MWR InfoSecurity in the U.K. and abroad adds to the mix, combatting the well-known skills gap worldwide.
Tom Van de Wiele, F-Secure Principal Security Consultant for Cyber Security Services Delivery, explains that the international academy was set up to address “the general lack of experienced information security professionals that go beyond certifications.”
F-Secure has been collaborating with the University of Helsinki for some years, offering a free online Cyber Security Base course. In February 2018, F-Secure announced its new cyber security academy at its 30th anniversary. Five Denmark-based trainees were selected from 248 applicants. They joined F-Secure in Copenhagen in September.
The academic world and European governments are still playing catch-up, but companies and organizations around the world are not. They need professionals who know the ins and outs of information technology, how to secure it, what risks to take, and which security principles to apply.
“Cyber security candidates need to be schooled in what they need to know in order to become a key player in the cyber security market, and ensure that the information age we are living in is the one we chose. Not the one we ended up in,” explains Tom.
Experienced consultants with years of real-life experience train the recruits. The program combines several elements including applied information security best practices, and practical subjects and exercises aimed at making participants experts in risk assessment.
Hollywood films have made the term “hacker” synonymous with criminals and subversives – known as black hat hackers. Trainees learn the art of ethical hacking, however.
F-Secure cyber academy recruits’ training starts with concepts such as network design, operational security and application security, and how companies today deploy and maintain technology in order to try and protect their data.
This principle covers domains such as application security, network security, and operational security, but does not shy away from showing what criminals are using, in order to better advise customers on how to protect themselves without breaking the law.
“Ethical hacking is testing software and hardware IT security. Ethical hackers use the same techniques as real-life attackers in order to find vulnerabilities and weaknesses to ultimately improve security. It all takes place within a controlled setting in a non-destructive way,” Tom says.
“It’s based on needing to know which attacks a would-be attacker would use and knowing the trade-offs between testing coverage and depth. It also involves being able to give the right recommendations and mitigation paths to lower the risk for any given threat scenario.”
In some ways, cyber security is similar to boxing. So-termed red team testing is invaluable, as cyber criminals do not adhere to the (Marquess of) Queensberry Rules. Red teaming is not part of the standard academy training program, but recruits learn about this and get to participate in a real-life red team test as part of a team of specialists.
The art tests an organization’s ability to detect, recognize and respond to real-life targeted cyber attacks. It involves worst-case scenarios and requires expert knowledge spanning multiple domains of information security. The scope and framework are pre-agreed with F-Secure’s customers.
“To be able to participate in a red teaming exercise as part of F-Secure, you need to be able to breach a company and maneuver within networks and applications while making the right trade-offs between being able to attain the objective versus being detected. Once those areas are well understood, exercises are given within selected domains with gradually increasing complexity to see if recruits understand attack patterns and defense approaches well enough,” comments Tom.
This can later be expanded to other domains of red teaming, including getting hands-on experience with radio frequency identification (RFID)-based access control, keys, locks, doors, and learning the shortcomings of privacy and awareness.
“Red team testing covers all domains of information security, be it cyber and/or physical security and processes. Scenarios include trying to gain access to an otherwise off-limits location, being able to access financial data, customer records, and intellectual property,” comments Tom.
“Red teaming not only gives a unique overview on how resilient a company is in detecting and trying to respond to these kinds of attacks, but will also show what changes a company needs to make as part of their defense strategy,” he adds. “Every company wastes about 25% of their information security budget. The problem is that companies don’t know which 25%.”
Blue teaming trains recruits in the arts of solid application and network design, and in which trade-offs companies are making that might result in security problems. Exercises include network forensics and application security, so that recognizing the attacker tools that flag a system compromise becomes second nature.
“Principles such as defense-in-depth and restricting access rights for users (known as ‘least privilege’) are taught, how they can be applied, and what their limitations are,” Tom explains.
“Classes are given on how to recognize incidents and respond to them in a timely manner. How to be a team player that can communicate effectively and how to deliver the right evidence for the different stakeholders is also taught. We give our trainees knowledge on how to allow stakeholders to make the right decisions as part of an incident investigation, or indeed as part of an incident’s aftermath,” comments Tom.
Recruits also learn about breaking software and hardware, about secure design principles, and how to evaluate how certain vulnerabilities could have been prevented and why they have appeared in certain pieces of technology.
“This is based on what they find as part of the exercises and ‘war games’ (attack simulations) we give them,” Tom remarks.
Trainees are also schooled on how to recognize and exploit vulnerabilities and weaknesses, reduce them, and find the trade-off between usability and security. Moreover, they are encouraged to engage in software development on their own, either by writing their own tools, or by contributing to open source projects to learn how difficult writing and integrating software can be first-hand.
“That means learning about the aspects of the software development life cycle (SDLC), cryptography and key management principles, combining software development with IT operations (DevOps), release management, and whatever else they need to know in order to be able to think like a developer. This assists our customers in making the right design and implementation decisions in order to avoid vulnerabilities later down the line,” says Tom.
Hardware cyber security forms part of the training too, but this is only given after recruits have built up a solid understanding of software security.
“At the very least, this means learning about secure hardware design, firmware, hardware assessment tools and methods, the chain of trust, the potential for side channel attacks, and other aspects used. This is to test the resilience of software and hardware working together when fending off cyber attacks,” Tom remarks.
An international initiative
Kristian Kristensen, F-Secure’s Cyber Security Services Delivery Director, explains that Danish candidates do not get preferential treatment. The Academy is an international initiative, and meant for those who pass the rigorous application process. This year’s successful recruits are Croatian, Irish, Polish, Romanian, and Swedish.
“This is because we dare to be the best – i.e. looking for the strongest candidates on an international scale. The clients we typically serve are international and have English as their business language anyway. We do have a slight preference for EU citizens, however, as this makes relation and security clearances easier.”
“But we aim for people with a passion for cyber security that are driven by challenge, curiosity, and a wish to help protect others in the digital realm while maintaining a strong ethical compass,” he concludes.
- F-Secure announced the cyber security academy initiative in February 2018
- This is the academy’s first year
- 248 applied for 5 Danish seats
- 5 different nationalities study there
- The program lasts for 1 year