What I learned from my time as a threat actor
Recently I took part in a team training day exercise resembling an escape room activity where we were to assume the role of an attacker and scour our office for various data to build staff profiles and gain access to classified data.
These are 5 things that I have learned and/or will now take away with me:
- Never write down passwords! - Not in plaintext or in easily decipherable code. If for any reason you do write a hint down, do not leave it directly next to your laptop or computer. Being in the role of a threat actor taught me to look at any minor detail and use it to try to log in. Also, as an aside, ensure you do not make your password out of empty characters; it's very insecure and not as clever as it seems.
- Don't keep keys in the same room as lockers! - This is an 'I locked all the doors but kept the windows open' scenario. It's elementary that a person locks their safes, cabinets and lockers and keeps the keys separately so that even mediocre threat actors can't easily access them; otherwise it defeats the purpose of using a lock.
- Account lockout policy is crucial! - Even though it took us a while to get the passwords during the data hunt, there was no account lockout policy (intentionally), so we were able to brute-force the laptop to gain access. If there had been a policy that either imposed a long timeout or locked us out entirely, we would have been unsuccessful in gaining access.
- Clear desk policy is important! - Never leave things like bank statements or any PII lying around; the data on these could be used to build up a profile on you, making it easier for threat actors to guess answers to things like security questions. Something as trivial as a diary belonging to an individual who thinks nothing of noting down colleagues' ages and birthdays for annual birthday cards may be of great value to a hacker.
- The company should have strategies in place to guide employees! - As an organisation, it's important to guide employees where they may go wrong, whether that is in the form of password criteria requirements or mandatory training on the clear desk policy. It's vital that the knowledge is widespread and known, not just available to tick boxes.
Other than discovering that I have a tendency to shout a lot when doing such activities, it was an eye-opening experience of just how much information can be gathered if an outsider were successful in getting into an office.
Aha! They've found a clue from this locker