“Human beings are notoriously bad at assessing risk,” Tom Van De Wiele, Principal Security Consultant for F-Secure’s Cyber Security Services, tells me.
And he has proof.
“We have a 100 percent hit rate,” he explains.
Since 2004, Tom has done “red team” exercises that charge him and his colleagues — usually in teams of three — with breaking into the facilities and networks of businesses. “We get the name of their company, their logo and their location and that’s how we start.”
Sometimes businesses have a specific task in mind to prove the red team’s effectiveness — like hacking an ATM or taking a selfie at the CEO’s desk.
But the result is always the same: They get in.
100 percent of the time.
Red teaming looks exciting. But Tom’s advantage is that day-to-day security is often “boring” work, and one mistake is all the right criminals need.
“People are trying to protect themselves against evil hackers – but you’re going to leave your phone and laptop on a bus or a taxi.”
And given that a determined adversary can always find a way in, most companies are defending the wrong way.
“For 20 years, IT security was based on building barriers. Put in a firewall, put in endpoint protection – for instance. You need all that. But that just isn’t good enough anymore,” he tells me. “Security isn’t a wall. It has to be a football field filled with tripwires.”
Red teams — like real attackers — are not confined to a narrow technical scope. They go after anything with a company’s logo on it. You’d be shocked what they can do with a reflective vest, a ladder and a can of compressed air.
And what do companies learn by doing this? Why pick a fight with a pro boxer?
To find your weaknesses before the wrong people do. Because when the cost of a typical data breach is nearing $4 million, the job you save may be your own.
Don’t think it works? Tom poses these questions to give you an idea if you’re being red teamed (or hacked) right now.
- Did someone you do not know ask to borrow your access card?
- Is a stranger working on the computer of a fellow colleague?
- Is someone running around the office without a security badge or without an escort? Maintenance guy? Consultant?
- Did someone tailgate in after you and/or was someone let in without passing the reception or security desk or without an escort?
- Has someone called you up on the phone asking for certain information about your computer or processes? Are they asking you to do something on your computer or to give out certain information about your computer? People calling you up and asking for personal and/or technical information are often phishing you.
Worried that you are vulnerable? You can be your own red team.
Take a look at this checklist from Tom and then take a quick stroll around. Answer just one of these questions wrong, and Tom’s 100 percent hit rate will remain intact.
- Is someone’s computer unlocked while they are away from their desk?
- Is your computer at the office, but seems to be connected to an airport Wi-Fi access point even though you are not at the airport?
- Are you logging on to company services from the internet, such as webmail or ticket portals, with only a login and password? You and your colleagues are now a prime target for phishing.
- Are you logging on to company services from outside your office network without using https://?
- Has something been plugged in between your keyboard and computer? Could it be a keylogger or rogue device?
- Has someone left a keychain with a USB thumb drive attached to it in the parking lot, bike shed or near your company or office? Deliver it to your security department so no one else finds it and plugs it in.
- Are there any out of the ordinary devices plugged into the network?
- Are sensitive papers lying on the printer for a long time?
- Are you using a shredder or shredding service for document destruction?
- Are all wall outlets for network connections disabled when not in use?
- Do you see any indication, like misaligned screws, that a computer or other resource — office NAS, server, rack, etc — has been opened or compromised?
- Are there USB thumb drives, hard drives, tapes, CD-ROMs and other information lying around in the office? They should be behind lock and key.
- Do your computers all have full hard disk encryption? If not, it takes a red-teamer 5 minutes to backdoor your machine.
- Are you storing the keys to certain locations that contain sensitive data in cheap lockers and not a safe? Because we will go to Ikea or the furniture store and buy all the keys. If not, we lockpick.
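One item on the list above, the office laptop that is associated to an “airport” access point, can be checked automatically. The script below is an added example written for this page, not F-Secure’s own tooling: it parses a constructed Wi-Fi scan in the terse output format of `nmcli dev wifi`, compares it with a hypothetical inventory of corporate access points, and flags two things a red team relies on: an active connection to a non-corporate SSID, and a corporate SSID advertised by an access point whose BSSID is not in the inventory (the usual sign of an evil twin). The inventory and the scan lines are assumptions made for the example.

```python
"""Self red-team check for rogue Wi-Fi: is this laptop on the wrong network,
and is anyone impersonating our access points?

Illustrative code, not F-Secure tooling. The scan text is constructed to look
like `nmcli -t -f ACTIVE,SSID,BSSID,SIGNAL dev wifi`; in that terse mode nmcli
escapes the colons inside field values (the BSSID) with a backslash.
"""
from dataclasses import dataclass

# Hypothetical inventory of corporate access points: SSID -> known BSSIDs.
CORP_APS = {
    "ACME-Corp": {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"},
    "ACME-Guest": {"AA:BB:CC:00:00:03"},
}

# Constructed scan output (ACTIVE:SSID:BSSID:SIGNAL), four access points:
# two legitimate corporate APs, one unknown AP broadcasting the corporate SSID
# at a stronger signal, and the active "airport" network we are attached to.
SAMPLE_SCAN = """\
no:ACME-Corp:AA\\:BB\\:CC\\:00\\:00\\:01:78
no:ACME-Guest:AA\\:BB\\:CC\\:00\\:00\\:03:70
no:ACME-Corp:DE\\:AD\\:BE\\:EF\\:00\\:01:91
yes:Airport_Free_WiFi:DE\\:AD\\:BE\\:EF\\:00\\:02:88
"""


@dataclass(frozen=True)
class AccessPoint:
    active: bool
    ssid: str
    bssid: str
    signal: int


def split_terse(line: str) -> list[str]:
    """Split one nmcli terse line on unescaped colons, honouring '\\:' escapes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character, keep it literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text: str) -> list[AccessPoint]:
    """Turn terse scan output into AccessPoint records, skipping blank lines."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        active, ssid, bssid, signal = split_terse(line)
        aps.append(AccessPoint(active == "yes", ssid, bssid.upper(), int(signal)))
    return aps


def audit(aps: list[AccessPoint], corp_aps: dict[str, set[str]]) -> list[str]:
    """Return human-readable findings for rogue or unexpected Wi-Fi."""
    findings = []
    for ap in aps:
        # A corporate SSID coming from a BSSID we do not own is a likely evil twin;
        # attackers tend to win the association by out-powering the real AP.
        if ap.ssid in corp_aps and ap.bssid not in corp_aps[ap.ssid]:
            findings.append(
                f"possible evil twin: SSID {ap.ssid!r} advertised by unknown "
                f"BSSID {ap.bssid} (signal {ap.signal})"
            )
        # Being associated to anything outside the inventory while in the office
        # is the "airport access point" case from the checklist.
        if ap.active and ap.ssid not in corp_aps:
            findings.append(
                f"connected to non-corporate network {ap.ssid!r} "
                f"({ap.bssid}) while at the office"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SAMPLE_SCAN), CORP_APS):
        print("ALERT:", finding)
```

On a real machine the scan text would come from `nmcli -t -f ACTIVE,SSID,BSSID,SIGNAL dev wifi` (Linux with NetworkManager), and the inventory from whoever runs the wireless controller; the comparison logic is the same.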
These aren’t all his tricks, of course. Not even close. But if you answer these questions right, you’re way ahead of most businesses. And that’s a good start.
Interested in what a full red team experience entails? Get in touch with an F-Secure expert.