Security professionals have many interesting debates about our field. For example, I think WarGames is the best hacker movie, but opinions vary by age and generation. There are also endless debates about what is the best hack, what is the best operating system (although this is more of a religious debate), what are the best technical certifications, and more. You can find many such challenges online and in your own community.
However, recently I found myself discussing useful examples that can be used in cybersecurity training. I realized that I don't have a list of “most interesting training examples”. After thinking about this question for a bit, here is my list:
- Tying it to a movie, book, or TV show provides instant context. For me, the best example is the payphone hacking with the Captain Crunch whistle. Though an outdated reference, it is relevant to the movie WarGames and to the culture established by 2600 magazine. Phone phreaking is rarely practiced anymore, but it's still a good example of a physical attack.
- Speaking of documentation, I like the story of the arrested pentest team. They were arrested by the local sheriff, even though they had permission and a “get out of jail free” card. Although the story turned out well (charges were dropped), it's a great example of being protected and making sure your efforts are documented and approved.
- As an example of an attack surface/remote access, I love fish tanks. When talking about attack surfaces, the Target hack of HVAC systems is the most famous, but it's even more fun to tell the story of the hack of a thermometer in a high-tech fish tank connected to a Las Vegas casino network. And that's how I got into a discussion about the need for segmentation and monitoring for data exfiltration.
- The Internet is still the Wild West, and we love stories of researchers fighting back. One of the best is when researchers registered the domain name used by WannaCry, preventing it from executing and spreading further. This is a perfect example of looking for hardcoded flaws in software, but in this case, used for good.
- Ransomware gangs can be rude at times, such as when BlackCat filed a complaint with the Securities and Exchange Commission against one victim for not meeting reporting requirements. This is a good example of how criminals are constantly updating their business models and methods, the need for up-to-date contingency plans, and the need to stay on top of compliance trends.
- Operation Cupcake is an example of disrupting a terrorist website. MI6 replaced instructions on how to make a pipe bomb with a cupcake recipe. This is some James Bond-esque fun and can be used as an example of breaking the cyber kill chain by disrupting their operations. I love using the MITRE ATT&CK framework to show how to think about opportunities to disrupt an attack/operation.
Some readers may not find these examples funny – after all, “humor is in the eye of the beholder”. Still, simple, memorable, and relatable examples are the best when discussing cybersecurity lessons. I hope these examples were helpful.
As a bonus, here is a list of my favorite sticker sayings:
- Your password is Admin so I'll drink it
- Social Engineering Specialist: No Patches for Stupid People
- The speed with which I respond to your problems is inversely proportional to the poorness of your attitude.
- Stay calm and don't click on the link
- Tell us what you did and we can look at the logs.
- Please come back with the warrant.
- Hacker Elemental
- The risks I took were calculated, but I'm really bad at maths!
- The “S” in IoT stands for Security
- There are 10 types of people in the world: those who understand binary and those who don't.
- All your base are belong to us
- Whisky ISAC Member
- Got the route?
- I'm no superhero, but I'm a network engineer, so I'm close.
- Data is the new bacon