Author: Andrew Stanistreet, Security Consultant Managed Services
So last month I decided to take on a new challenge in the form of a part-time second job – a few evenings in the week, in a kitchen, on my feet, untrained, no keyboards or mice. I’ve always enjoyed cooking and been curious about the other side of the kitchen pass so why not?
I’m very happy to say I absolutely love it. It’s great to get up out of the desk chair and run around the open kitchen, in full sight of guests, trying to figure out how I’ve managed to prep two desserts for a table I’ve only just sent starters out to.
In a lot of ways, its similarities to cyber security were surprising to me. Although obvious once you really think about it, the soft skills we are required to hone in our industry hugely help in a kitchen environment, the prime example of this being time management.
Sometimes I think back to sitting my OSCP exam, 24 hours to get everything done, and then I realise – I can probably plate and send a couple of soups, sharing platters and garlic mushrooms before I need to worry about the 15 minutes it’s going to take for the haddock to cook, which I’ve only just put in the oven.
The similarities of the kitchen versus behind a desk aside, one of the things that made me feel like I was walking into a second workplace of comfort was their onboarding and training. One of the very first things in my training, second only to emergency situation training such as fires, was cyber awareness / security.
It was oddly fascinating to be on the flip side of something I’m so used to being on the delivering side of. Being trained on what a phishing email looks like, how to identify a potential attacker looking for a person to tailgate, and how best to challenge an unknown person in a restricted area. This was followed promptly by data protection training.
It was nice to see, because we as an industry are constantly saying these are things everyone needs to be aware of and, to an extent, I never expected this new workplace to have those things so front and center of the onboarding and training process. In part I fell victim to that age-old trap of “but why would anyone target this place anyway?”
Because they can. It’s such a non-target that it becomes a target.
The staff are trained, but their vigilance is scarcely put to the test. The training is great; however, I took it almost as a challenge to say:
“okay, that was good – let’s see how good they really are”
I’ve since spent much of my time outside of the kitchen just generally poking around the building. Making a mental note of that one member of staff in particular who finds it easier to wedge a certain door open than to keep their key card on their person. Of how there is a camera blind spot from which, with a bit of luck, an attacker could find themselves in a fairly sensitive area.
There has been more than one occasion on which, upon passing the front desk, I’ve leaned over and locked the laptop sitting there unattended.
I suppose what I’ve really taken away from it, beyond my apparent passion for plating the perfect mixed grill, is a reaffirmation of something I knew from a cyber security professional point of view, but never knew from a first-hand point of view.
That a less-than-likely-to-be-targeted business makes the best opportunistic target.
Because they are doing training. They are aware of it. But they fall into the trap of thinking that 20 minutes of training alone protects them, and that makes them complacent: 20 minutes of training which is not part of the routine quarterly required training, in a business where most people have been there for years.
One worry I have is that as an industry we tend to grow and expand, leaving smaller, more vulnerable targets behind. This is why I’m very proud of the work that we do at Rootshell for some of our smaller clients. The ones for which one breach could be game over: they don’t have the insurance or infrastructure to survive it, and in certain circumstances they’re the most likely to be targeted by an opportunistic attacker. Because again:
“Why would anyone target this place anyway?”
Because they can.