Awareness-building through live hacking: making cyber risks tangible
Despite numerous press reports on security incidents, the risk of cyberattacks often remains very abstract. Live demonstrations of typical hacker attacks show how criminals act and how easily they can often penetrate systems. In this way, they create awareness and make cyber risks tangible.
Successful hacker attacks can have significant consequences, as numerous prominent examples show. Most readers will still remember the successful attack by the WannaCry ransomware on Deutsche Bahn in May 2017, whose ransom demand could be read on the display boards of many train stations. More recent examples of prominent victims are the industrial company Krauss Maffei, which lost production due to a Trojan attack in December 2018, and the Fürstenfeldbruck Clinic, which had to do without computer support in November 2018 because malware completely paralyzed its IT operations.
Despite these sometimes spectacular examples, which are only the tip of the iceberg, the topic of IT security often remains abstract. Managing directors, department heads and employees recognize the risk, but make no connection between it and their own behavior and daily decisions. This can have serious consequences. Security measures are ignored or circumvented in order to develop, produce and deliver faster. Investments in IT security are discussed endlessly and postponed again and again. Simple convenience also poses a significant risk. It is not for nothing that the most popular password in 2018 was “123456”.
We therefore looked for a way to make the consequences of such decisions and routines tangible, and to demonstrate how much each individual matters for the IT security of a company. Our first experiences with live hacking lectures at trade fairs and conferences were very positive, and the interest was immense. This motivated us to use the concept for events in companies and to develop it further.
Setting up such a live hacking event is quite simple. We do not need any special equipment or specially equipped rooms. Two laptops and a projector are sufficient. With distributed roles, the presenters play attacker and victim and show how cyber attacks work and how easily security measures can often be bypassed or disabled.
In our training courses, we address the everyday use of laptops, smartphones and email, as well as industry-specific situations in the IoT or robotics environment. We have developed three scenarios that we can present live in companies. We are also happy to address the individual requirements and situations of the customer on a project basis.
Scenario 1: Dangerous manipulation of industrial plants
The Internet of Things (IoT) offers tremendous opportunities, but also enlarges the attack surface through which criminals can penetrate industrial plants. The manipulation of machines and tools is particularly dangerous when human lives are endangered. We show how hackers work using the example of an app-controlled industrial cooling system that we simulate with standard PC components such as a CPU fan. The successful attack shows that industrial plants are not immune to manipulation, even in supposedly secure environments with double transport encryption, anti-virus, firewall and intrusion detection systems (IDS).
Scenario 2: Mobile hack from the end user’s perspective via open WLAN networks
In this scenario, we demonstrate how hackers can easily obtain passwords, credit card numbers and other confidential information using the Evil Twin method. To do this, the attacker sets up a WLAN in a public space whose name (SSID) is identical to that of a legitimate network, for example “WIFIonICE” on the train or “Telekom_LH-Lounge” at the airport. If the user has previously logged into one of these legitimate networks, their device remembers the SSID and now connects automatically. The device cannot distinguish the genuine network from the fake one. If the signal of the hacker’s network is stronger than that of the real one, the user does not connect to the servers of Deutsche Bahn or Telekom, but to the hacker’s PC.
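The auto-join behaviour this scenario relies on, modelled in Python as an added example (this is not code from the original article or its authors): a client that picks the strongest access point advertising a remembered SSID, the audit a defender would run over the saved profiles to find the ones an impostor SSID can capture, and the mitigation of switching auto-connect off for those profiles. The profiles, BSSIDs and signal strengths are constructed sample data, not measurements.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SavedProfile:
    """A Wi-Fi profile the operating system has remembered."""
    ssid: str
    security: str       # "open" or "wpa2-psk"
    auto_connect: bool  # join automatically whenever the SSID is in range


@dataclass(frozen=True)
class ScanResult:
    """One access point seen in a scan."""
    ssid: str
    bssid: str          # radio MAC address; differs between the real AP and an impostor
    security: str
    rssi_dbm: int       # received signal strength; closer to 0 is stronger


def pick_network(profiles: List[SavedProfile], scan: List[ScanResult]) -> Optional[ScanResult]:
    """Model of the client selection rule the scenario describes: among visible
    access points whose SSID and security type match a saved auto-connect
    profile, join the one with the strongest signal. The BSSID is deliberately
    not consulted: clients do not normally pin it, and on an open network
    nothing authenticates the access point to the client."""
    candidates = [
        ap for ap in scan
        for p in profiles
        if p.auto_connect and p.ssid == ap.ssid and p.security == ap.security
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda ap: ap.rssi_dbm)


def audit_profiles(profiles: List[SavedProfile]) -> List[str]:
    """Defender-side check: saved open networks with auto-connect enabled are
    the profiles an impostor SSID can capture without knowing any secret.
    A WPA2-PSK profile is not flagged here, because an impostor would still
    have to complete the 4-way handshake, which requires the passphrase."""
    return [p.ssid for p in profiles if p.auto_connect and p.security == "open"]


def disable_auto_connect(profiles: List[SavedProfile], risky_ssids: List[str]) -> List[SavedProfile]:
    """Mitigation: switch auto-connect off for every flagged SSID, so the user
    has to choose that network deliberately each time."""
    return [
        SavedProfile(p.ssid, p.security, False) if p.ssid in risky_ssids else p
        for p in profiles
    ]


# Constructed sample data (not real measurements).
SAVED = [
    SavedProfile("WIFIonICE", "open", True),   # remembered from an earlier train ride
    SavedProfile("HomeNet", "wpa2-psk", True),
]

# Two beacons carry the same SSID: the legitimate one, farther away, and an
# impostor nearby with the stronger signal. CoffeeGuest is not a saved profile.
SCAN = [
    ScanResult("WIFIonICE", "aa:bb:cc:00:00:01", "open", -72),    # legitimate AP
    ScanResult("WIFIonICE", "aa:bb:cc:00:00:02", "open", -41),    # impostor AP
    ScanResult("CoffeeGuest", "aa:bb:cc:00:00:03", "open", -55),
]


def demo() -> dict:
    """Run the selection once as-is, then again after the audit's mitigation."""
    chosen = pick_network(SAVED, SCAN)
    risky = audit_profiles(SAVED)
    hardened = disable_auto_connect(SAVED, risky)
    after = pick_network(hardened, SCAN)
    return {
        "joined_bssid": chosen.bssid if chosen else None,        # the impostor wins on signal
        "risky_profiles": risky,                                 # ["WIFIonICE"]
        "joined_after_fix": after.bssid if after else None,      # None: no silent join
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the whole selection step is an SSID string comparison plus a signal-strength ranking; the only lever the user or administrator controls is whether a remembered open network is allowed to join on its own.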
Scenario 3: Intrusion into internal company systems using social engineering
This scenario is intended to show employees how quickly they can become victims of an attack themselves. The attacker sends a deceptively genuine-looking phishing email with which he gets the employee to run malware. This gives the attacker access to internal systems, from which he can then dig deeper into the infrastructure.
The advantages of live hacking
Companies are legally obliged to train their employees in handling IT resources and sensitive data. For example, the European General Data Protection Regulation (GDPR), in effect since May 2018, prescribes appropriate measures for the protection of personal data and requires documentation of the training courses carried out. Violations can result in severe penalties.
To fulfill this duty, companies today prefer web-based training (WBT). It is easy to use, inexpensive and flexible in terms of timing. WBTs are certainly justified and are an important building block in awareness training, but they also have a significant disadvantage: the topic of IT security remains abstract, is “ticked off” with the final test and filed away. There is often no lasting change in the understanding of security or in behavior. Live hacking events are therefore the ideal complement to WBTs, because they let participants experience the possibilities of attack first-hand and leave a lasting impression. Their influence on the behavior of employees is therefore much greater than that of WBTs and has a long-term effect.
Despite many spectacularly successful attacks, cyber risks all too often remain abstract. The lack of understanding and the lack of a personal connection can have significant consequences for IT security: investments are not made, and security measures are sacrificed to a faster time-to-market or undermined out of convenience and ignorance. Live hacking creates the necessary awareness at all levels and in a wide variety of scenarios. The fields of application range from the daily use of passwords, e-mail or WiFi networks to industrial scenarios in the IoT and robotics area. In our experience, live hacking events are of great interest to employees and management,