“Human beings are notoriously bad at assessing risk,” Tom Van De Wiele, Principal Security Consultant for F-Secure’s Cyber Security Services, tells me.
And he has proof.
“We have a 100 percent hit rate,” he explains.
Since 2004, Tom has done “red team” exercises that charge him and his colleagues — usually in teams of three — with breaking into the facilities and networks of businesses. “We get the name of their company, their logo and their location and that’s how we start.”
Sometimes businesses have a specific task in mind to prove the red team’s effectiveness — like hacking an ATM or taking a selfie at the CEO’s desk.
But the result is always the same: They get in.
100 percent of the time.
This video gives you a taste of what it looks like when Tom and his colleagues target your company:
It looks exciting. But Tom’s advantage is that security is often “boring,” especially when you consider that one mistake is all the right criminals need.
“People are trying to protect themselves against evil hackers – but you’re going to leave your phone and laptop on a bus or a taxi.”
And knowing that a determined adversary can always find a way in, most companies are just plain doing it wrong.
“For 20 years, IT security was based on building barriers. Put in a firewall, put in endpoint protection – for instance. You need all that. But that just isn’t good enough anymore,” he tells me. “Security isn’t a wall. It has to be a football field filled with tripwires.”
Red teams — like hackers — are not limited by any scope. They go after anything with a company’s logo on it. You’d be shocked what they can do with reflective vest, a ladder and a can of compressed air.
And what do companies learn by doing this? Why pick a fight with a pro boxer?
To find your weaknesses before the wrong people do. Because when the cost of a typical data breach is nearing $4 million, the job you save may be your own.
Don’t think it works? Tom poses these questions to give you an idea if you’re being red teamed (or hacked) right now.
Worried that you are vulnerable? You can be your own red team.
Take a look at this checklist from Tom and then take a quick stroll around. Answer just one of these questions wrong, and Tom’s 100 percent hit rate will remain intact.
These aren’t all his tricks, of course. Not even close. But if you answer these questions right, you’re way ahead of most businesses. And that’s a good start.
Interested in what a full red team experience entails? Get in touch with an F-Secure expert.
This is a guest post from F-Secure fellow Kamil Janowski. Have you ever worked on…
August 17, 2017