A month ago I spoke about risk metrics and continuous security validation at the ISSA Conference in Los Angeles. My audience was made up of decision makers and executives. After the talk I invited all the CISOs in the audience to learn to pick a few locks in the Capture the Flag event that AttackIQ was putting on with the team from Summerset Recon.
Of course we had the typical web, crypto, reverse engineering challenges, but what I wanted to teach some of the CISOs in the audience was how to pick a set of police issued handcuffs. The reason I found this so important was because like most things in life, there is the illusion of security and then there is reality and at a certain point you have to ask yourself, if you want to take the red pill or the blue pill. Most people assume that locks can’t be opened without a key or that lock picking is difficult. It might be hard to imagine, but this simply isn’t true and once you pick your first set of locks, you’ll see why your entire viewpoint of defense will change and you will want to challenge everything.
You might think picking an official police issued handcuff can only be done on TV shows, but it’s easier than you think. We started the demonstration with a set of cutaway handcuffs so that our CISO audience could see the mechanics as we used the official key to release and unlock the handcuffs. But then we demonstrated how to release the handcuff by inserting a pick at a slight angle and applying pressure to the upper cutout of a handcuff without a key. That day, every single CISO was able to pick the handcuff in under 2 minutes. What’s important about this was their look of surprise. What was once a unbreakable lock only CIA agents on TV could pick, wasn’t that hard to pick after all. We moved to show them more difficult locks and lock designs. Each breakable, once you understand the mechanics.
Your network and host defenses are the digital locks many of you think are unbreakable. To understand them, you must pick them, you must challenge them. The truth is, attacker techniques are not that complicated, there are patterns and only by running exercises that mimic likely attack scenarios will you understand your ability to prevent and detect an attack, before it actually happens.
I want to wish everyone a happy “Cyber Security Awareness Industry Day”, now go learn to pick some locks!