Using Scary but Fun Stories to Aid Cybersecurity Training
Security experts have many fun arguments about our field. For example, while I believe WarGames is the best hacker movie, opinions vary by age and generation. Other never-ending debates include what the best hack is, the best operating system (though this is more of a religious debate), or the best tech certification. You can find several such challenges online or in your own community.
However, I recently got into a discussion about useful examples to use in cybersecurity training. I realized that I didn’t have a list of “funniest training examples.” After devoting some thought to the question, here is my list:
- Tying into a movie, book or TV show provides instant context. For me, the best example is the pay phone hack using a Captain Crunch whistle. Although a dated reference, it ties to the movie WarGames and the culture set by 2600 magazine. Phone phreaking is not really a thing anymore, but it is still a great example of a physical attack.
- In regard to documentation, I like the story about the pen test team that was arrested. Although it had permission and a “get out of jail free” card, the team still got arrested by the local sheriff. While the story turned out okay (charges were dropped), it is an awesome example of ensuring you are protected and your efforts are documented and approved.
- For an attack surface / remote access example, I love the fish tank. When talking about attack surface, the Target hack via an HVAC system is the most famous, but it’s more fun to tell the story about the hack of a high-tech fish tank’s thermometer in Las Vegas that was connected to the casino network. That story becomes an entry point for a discussion about the need for segmentation and monitoring for data exfiltration.
- The internet is still “The Wild West,” and I love stories where researchers fight back. Of this set, the best is when a researcher registered the domain name WannaCry was checking, which stopped it from executing and cut off further spread. This is a fitting example of looking for flaws hard-coded into software, though it was used for good in this case.
- Ransomware criminal groups are sometimes rude. An example is when BlackCat filed a Securities and Exchange Commission complaint against one victim for not meeting reporting requirements. This is a great illustration of criminals constantly updating their business model or methodology, the need for current crisis management plans, and the necessity of staying up to date on compliance trends.
- Operation Cupcake is an example of disrupting a terrorist website. MI6 replaced instructions on how to make pipe bombs with a recipe for cupcakes. This is James Bond-type fun and could be used as an example of breaking the cyber kill chain by disrupting their operations. I am a big fan of using the MITRE ATT&CK framework to show how to think about opportunities to disrupt an attack or operation.
I am sure some readers don’t think these examples are humorous; after all, “humor is in the eye of the beholder.” Still, simple, memorable, and relatable examples are the best when discussing cybersecurity lessons learned. I hope you found these helpful.
As a bonus, here’s a list of my favorite Sticker Sayings:
- I drink because your password is Admin
- Social Engineering Specialist: because there is no patch for stupid
- My speed of response to your problem is inversely proportional to your bad attitude
- Keep Calm and Don’t Click That Link
- You can tell me what you did, or I can look at the logs
- Come back with a warrant
- Hacker elemental
- The risk I took was calculated, but man am I bad at math!
- The “S” in IoT stands for security
- There are 10 types of people in the world: those who understand binary and those who don’t
- All your base are belong to us
- Whiskey ISAC Member
- Got Root?
- I’m not a superhero, but I’m a network engineer… so close enough
- Data is the new bacon