May 29, 2015
As cyber attacks go, this one would have been both impressive and financially crippling had it actually happened. Pharmaceutical firm Bromley Weyland, partnering with County West General Hospital in a major drug trial in the U.S. involving 10 patients, suddenly found that critical data relating to the trial had been altered and manipulated so badly that it showed some patients taking the drug and being monitored had actually flatlined.
Fortunately, it was all part of Symantec’s fourth annual Cyber War Games held in March, an exercise created, says Michael Garvin, its director of global privacy ethics and compliance, so that company employees can learn how an attacker operates.
“The games give Symantec employees of all technical levels a first-hand opportunity to learn how an attacker can exploit networks, applications, products, solutions and more, through a simulated real world environment,” he wrote following the event. “Obtaining this unique knowledge about threats allows our employees to help cultivate their security IQ and change the way they think about emerging threats and cyber criminal tactics.
“CyberWar Games simulations differ from regular training exercises, in that they are a fully immersive experience. Instead of having our employees go through disconnected individual hacking exercises, CWG provides a complete interactive challenge with an objective. This allows them to experience an attack from start to finish and understand the tools and thought processes that hackers commonly use.”
In a recent interview with Connections+, Garvin described it as a “personal skills development opportunity and team-building opportunity.”
In the 2015 edition, 1,500 registrants, each playing on a team of four, participated in a preliminary round of hacking. The top 40 individuals, chosen by a grading system based on performance, then advanced to the finals, in which they were given three days to get into not only the West General patient database but also patient records, in order to obtain information on how the drug trial was doing and how it was being administered.
“That could be very valuable information for someone,” Garvin said. “The other half of the exercise was to sabotage the drug trial, change the data so that an obligatory body would say, ‘you know what, we saw an adverse reaction, you need to halt going to market with this thing.’ There are a number of different reasons why people would be interested in that.
“Motivations might be purely financial. If the company is publicly traded and it has to send out a notice to the press announcing it has to pull the drug, we know what that is going to do to their stock. If I was able to do that and I shorted their stock, I could make a significant amount of money. Likewise, if I had a buyer for the information, if I steal it, I could stand to make a lot of money selling that to a competitor.”
The 40 finalists, said Garvin, had a lot of success over the three days, as the exercise allowed each of them to mimic the typical behaviour of an attacker.
A presentation he was scheduled to give at the 16th annual Privacy & Security Conference Reboot in Victoria earlier this year, but was forced to cancel due to illness, revolves around just that.
Entitled The Adversary’s Footsteps – Understanding Cyber Criminal Motives and Techniques To Improve Cyber Security, it uses a quote from Sun Tzu, the noted ancient Chinese military general, strategist and philosopher, who once stated, “If you know your enemy and know yourself, you need not fear the result of a hundred battles.”
According to Garvin, cyber security professionals and all ICT personnel need to not only understand their adversary, but prepare for them.
“Sun Tzu had a very valid point. We are trying to block and tackle an attacker, an adversary, without in some cases a good understanding of them. We probably know why they want to do it – the same reason you rob a bank because that is where the money is – but we do not understand in a lot of cases about the depth of how they are doing it. Also, understanding some of the techniques or tools and techniques to do it is important.
“A better understanding of the motives and the method gets us into a place where we can better determine how we should prepare for it and approach it when it happens.
“Another part of this quote that’s very interesting is about knowing yourself. There has been a lot done in risk management obviously over the last decade or so, but you come back to the question of how much do we really know about our capabilities? Are we sure that when something happens not only our technology, but our people are prepared to respond?”
Garvin likened it to a soldier being trained at boot camp before they go off to war. “You don’t go on the battlefield if you have never had a grenade go off around you. We need to prepare for the situations. How we are training information security professionals not just initially, but continuously is an evolving battle for lack of a better word.”
With 70% of organizations lacking the staff to counter cyber security threats, according to research firm Ponemon, he said the time has come to take a different approach when it comes to thwarting an attack.
Pilots, he said, combine classrooms with flight simulators to learn and continuously practice, while cyber security professionals train and prepare using 19th-century techniques.
Opening up the communications channels across the entire organization when it comes to cyber security is critical: “The thinking used to be that I can defend and I can always stop attacks. The thinking now is starting to shift: Something is eventually going to happen and I will get compromised.
“We have seen a realization that someone who is determined and working on you 24 hours a day, they will find a way. The question is can the organization detect that and respond to it quickly enough so it doesn’t become a breach. A compromise means somebody has got into my organization. The question is does it become a breach? Do they actually steal data back out?”
He added that organizations need to get everyone on a level playing field so that if you are having discussions related to security, “we are all talking about the same thing. The further you can reach out into IT and the further you can reach out into the business units, the better it will be.