Why you might need live cybersecurity exercises

When it comes to preparing for cyber attacks, there are a variety of tools and techniques you should employ: firewalls and intrusion detection systems, certainly. But some of the less obvious ones involve the human and organizational element more than the technology. This is where a company called CyberGym comes into play.

In one of my favorite scenes from Jerzy Kosinski’s Cockpit, the secret-agent protagonist is applying to become a spy. He is sitting in a room with his fellow recruits, waiting for the testing period to begin. What he and his compatriots don’t realize is that the waiting room is itself under observation and part of the test: the point is to see how well the newbies collaborate with each other. The recruits are subjected to a variety of temperature extremes, and every so often an employee comes in to tell them there will be further delays before the tests begin. The goal is to figure out which recruits will get annoyed by the forced wait and how each one endures the hardships. This is a lot like CyberGym’s live-fire exercise: you want to see how people do under pressure and how they form alliances. Who is going to crack and make things difficult for others? Who is going to demonstrate leadership?

CyberGym was co-founded by managers from the Israel Electric Corporation, and its facilities include the kind of SCADA controls and power-conditioning equipment found in a typical power plant. It has been used by global corporations from many different industries. The average engagement lasts several days, during which the teams run through a series of simulated attacks and malware intrusions.

I visited CyberGym‘s offices in Israel last month as part of a trip that was partially sponsored by the America-Israel Friendship League and the Israeli Foreign Ministry. Their operation is housed in a series of huts scattered around a historic eucalyptus grove about a half hour north of Tel Aviv. The notion is that nothing prepares a group of IT security workers better than taking part in a live-fire exercise. One hut contains the attack team, a second contains the defending team, and a third is for judges and observers. Each team contains security staff, IT and corporate management, and others from a specific company.

The idea is to replay a particular attack and see how the teams respond. Since its inception, CyberGym has conducted hundreds of these exercises, and it now has facilities in Portugal and the Czech Republic in addition to Israel. The observers look at what the defenders do first, how they work together, and where they fall down. When I visited, the company’s founder Ofir Hason said that often the right response wasn’t anything technical, but rather coordinating what the team was going to do and how its members actually worked together.

Fighting cyberthreats is a team effort, and it involves a combination of technical and non-technical skills. Often convincing your management that you have to do something relies more on your power of persuasion than on knowing how to block a remote shell or neutralize some piece of malware. I like the name CyberGym too, because it implies that you need to condition your response “muscles” with real exercises, not just academic threat-management scenarios. As at a physical gym, you need to bulk up and do some resistance training to build your strength and improve your conditioning.

Sure, there are other team-building exercises that can be done less expensively (everyone falling backwards, or climbing through a ropes course), but these aren’t specific to cybersecurity and don’t exercise the skills an actual incident demands. If you want to see how your cyber team handles the next attack, you might want to book some time at the gym – the CyberGym, that is.

Network World: Netanyahu wants Israel to become a cyber power

It isn’t often that a speech from a head of state at a tech conference is relevant to IT security managers, but Prime Minister Benjamin Netanyahu’s address at last week’s third annual CyberTech 2016 focused on where the Israeli government and its IT security industry are heading.

Netanyahu offered a plan for cross-country sharing of cybersecurity threats, demonstrated his knowledge of the tech industry, described the economic opportunities of cyber-tech and outlined policy changes that he wants to see to further strengthen Israel’s role in both overall technology and cybersecurity in particular. You can read more in my story on Israeli cybertech progress in today’s Network World.

Network World: ten best enterprise password managers reviewed

In my 2013 review I looked at several different password managers, some suitable for enterprises and some primarily for consumers. Since then the field has ballooned and there are now more than two dozen different products on the market. As a data point, even the popular TV show “Shark Tank” evaluated a password manager startup in its current season.

For my own current season, I looked at ten tools: Dashlane for Business, Keeper Security’s Enterprise, Lastpass’ Enterprise (now part of LogMeIn), Lieberman’s Enterprise Random Password Manager, LogMeOnce Enterprise Edition, Manage Engine’s (now part of Zoho) Password Pro, Agilebits’ 1Password for Teams, StickyPassword, SplashID’s TeamsID, and SingleID. The two strongest products in terms of protecting individual user logins are Lastpass and Keeper.

You can read the full review here, along with a description of some larger issues and overall trends with using these tools.

SearchSecurity: Virtualization security tools defend across clouds

The days when IT managers used separate security products to protect their on-premises and cloud infrastructures are happily coming to a close. There’s a growing awareness that migrating virtual workloads onto new IT infrastructure requires different levels of protection, with the security mechanisms built in rather than bolted on afterwards.

In this story for TechTarget’s SearchSecurity, I talk more about this trend and some of the products (such as Catbird’s) that can be used to protect your cloud-based resources.

Detecting malware with Sophos XG Firewall and Security Heartbeat

Sophos has developed an interesting and innovative security product that bridges the gap between its endpoint and network protection products. Called Security Heartbeat, it requires a Sophos XG firewall and any of Sophos’ cloud-based endpoint protection agents. Entry-level firewalls start at $300, and larger models can go for ten times that, with support contracts extra.


We tested the Sophos products during November 2015. Sophos is not as well known as other firewall vendors, but the heartbeat is such an obvious benefit, and the kind of innovation that makes you wonder why it hasn’t been done before.

Brian Krebs and the Rise of Mexico’s ATM Skimmers

ATMs have long been targets for thieves: the Tyupkin malware reported last fall, for example, could control the cash dispenser. But a more common form of attack uses ATM skimmers, which are typically overlays attached to the outside of the ATM. When you insert your card, the skimmer copies the data from its magnetic stripe, and a hidden camera or keypad overlay captures your PIN; both are used later to clean out your account.

ATM Skimmers Threaten Travelers

PC Magazine has a long list of suggestions on how to recognize these skimmers, and on taking care when you are getting cash in a new location to make sure you’re using a legitimate ATM. This is especially a problem now that many ATMs are deployed by private operators in non-banking locations such as bodegas and bars, and the skimmers themselves are getting more sophisticated. It is hard enough to obtain foreign currency from a legitimate machine, given language and other issues. Now you also have to worry that you are handing your identity to the bad guys.

As ATMs become more popular, the crooks are paying more attention and getting more sophisticated at compromising them. With that in mind, it’s worth reading a series that security analyst Brian Krebs posted in September. Earlier this year he was invited to Mexico to see the problem firsthand. He found at least 19 ATMs that appeared to have been hacked and retrofitted with tiny, sophisticated devices that store stolen card data and PINs and transmit them via Bluetooth. These skimmers could have been installed by insiders bribed to open up the machines and insert the necessary circuit boards.

As Krebs wrote in one blog post, “Stolen card data can be retrieved from the Bluetooth components wirelessly: The thief merely needs to be within a few meters of the compromised ATM to pull stolen card data and PINs off the devices, providing he has the secret key needed to access that Bluetooth wireless connection.”

Unlike traditional overlay skimmers, these internal devices leave no visible sign of tampering; the only way to spot one is to analyze the Bluetooth signals coming from the machine. In fact, Krebs found one such machine, coincidentally, at his own hotel! Despite meetings with the hotel security staff, he wasn’t able to get the ATM disabled.

Are Fake ATMs a Concern?

After more gumshoeing, Krebs zeroed in on a company that is apparently producing these devices while masquerading as a legitimate ATM manufacturer. A fake ATM? Hold on, can that really be possible? Krebs described how it could work by generating canceled transactions. “For example, if the transaction is canceled before it reaches the processing switch of the customer’s bank, there would be absolutely no record of the customer using the ATM, despite the card data and PIN being compromised,” he wrote. This matters because banks normally locate a compromised ATM by finding the one terminal that every victim’s card was used at; with no transaction record, there is no common point to find. That would make it much harder for the banks to trace the fraud back to the machine, particularly if these canceled transactions were spread around the country.
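To make the detection consequence concrete, here is an added example of my own (it is not code from Krebs’s series or from this post) showing the common-point-of-purchase analysis a bank’s fraud team runs: it looks for the terminal that a high share of victim cards all touched. The issuer log, terminal IDs, card numbers and PINs below are all constructed; a skimmed-but-real ATM shows up in the log and is found, while a fake ATM that cancels before the switch never appears in the log at all.

```python
"""Common-point-of-purchase (CPP) analysis against two kinds of rogue ATM.

Added example, constructed data. Terminal IDs, card numbers and PINs are
invented; the issuer log is a list of (card, terminal_id) pairs for every
transaction that actually reached the bank's processing switch.
"""
from collections import Counter


class ATM:
    """A legitimate ATM: the transaction is forwarded to the issuer."""

    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.captured = []  # only rogue variants fill this in

    def transact(self, card, pin, issuer_log):
        issuer_log.append((card, self.terminal_id))
        return "APPROVED"


class SkimmedATM(ATM):
    """A real ATM with an overlay skimmer: the crooks copy card and PIN,
    but the genuine transaction still goes through, so the terminal ID
    is recorded on the issuer side."""

    def transact(self, card, pin, issuer_log):
        self.captured.append((card, pin))
        return super().transact(card, pin, issuer_log)


class FakeATM(ATM):
    """The device Krebs describes: it harvests card data and PIN, then
    cancels before anything reaches the bank's switch. Nothing is
    appended to issuer_log, so the terminal never appears there."""

    def transact(self, card, pin, issuer_log):
        self.captured.append((card, pin))
        return "CANCELED"


def common_point_of_purchase(issuer_log, victim_cards, min_share=0.8):
    """Return (terminal_id, victim_count) for every terminal used by at
    least min_share of the victim cards, most common first. Each card is
    counted at most once per terminal so repeat visits do not inflate it."""
    victims = set(victim_cards)
    seen = {(card, term) for card, term in issuer_log if card in victims}
    counts = Counter(term for _, term in seen)
    threshold = min_share * len(victims)
    return [(term, n) for term, n in counts.most_common() if n >= threshold]


def simulate():
    """Run constructed card usage through legit, skimmed and fake ATMs,
    then ask CPP analysis where each set of victims was compromised."""
    issuer_log = []
    bank_a, bank_b = ATM("ATM-BANK-01"), ATM("ATM-BANK-02")
    skimmed = SkimmedATM("ATM-PRIV-77")  # overlay on a real private ATM
    fake = FakeATM("ATM-FAKE-99")        # device masquerading as an ATM

    # Constructed usage: (card, PIN, ATMs visited in order).
    usage = [
        ("4111-0001", "1234", [bank_a, skimmed]),
        ("4111-0002", "2345", [bank_b, skimmed]),
        ("4111-0003", "3456", [skimmed, bank_a]),
        ("4111-0004", "4567", [bank_a, fake]),
        ("4111-0005", "5678", [bank_b, fake]),
        ("4111-0006", "6789", [fake, bank_a]),
    ]
    for card, pin, atms in usage:
        for atm in atms:
            atm.transact(card, pin, issuer_log)

    skimmed_victims = [card for card, _ in skimmed.captured]
    fake_victims = [card for card, _ in fake.captured]
    return {
        # Found: all three victims share ATM-PRIV-77 in the issuer log.
        "skimmed": common_point_of_purchase(issuer_log, skimmed_victims),
        # Not found: ATM-FAKE-99 is absent from the log, and the victims'
        # other (legitimate) terminals don't reach the 80% share.
        "fake": common_point_of_purchase(issuer_log, fake_victims),
        "log_terminals": sorted({term for _, term in issuer_log}),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The `min_share` threshold is what keeps the analysis from blaming a busy bank ATM that victims happened to visit as well; real fraud teams also weight by time window and transaction volume, which this toy omits.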

Krebs mentioned that the problem isn’t unique to Mexico: back in the U.S., a Connecticut fraudster was arrested in 1993 for placing fake ATMs across the state. The tipoff? These fakes never contained any actual cash to dispense.

Given these exploits, there are a few suggestions to remember the next time you need to get cash. First, follow the PC Magazine suggestions and be aware of the kind of ATM you are about to use. Second, when abroad, use a bank-owned machine whenever possible rather than a private, third-party ATM; every skimmed ATM Krebs found was privately operated.

If you travel abroad frequently, use a separate debit card tied to an account with a limited balance, so the damage is capped if it does get compromised. Finally, examine your bank statements and reconcile all of your account activity as soon as possible after you return to make sure your account hasn’t been compromised.

SearchSecurity: Emerging security threats you are up against now

Blended threats and improvements to man-in-the-middle exploit kits have made malware available to a wider audience of less-skilled cybercriminals, who can now launch drive-by attacks with just a few mouse clicks. At the same time, increases in state-sponsored hacking and the growing difficulty of keeping modern browser plug-ins up to date have made the threats facing the enterprise network more numerous, sophisticated and pernicious. And even that old chestnut, social engineering, has been made easier by the popularity of social networks, which let criminals pose as co-workers or friends, build misplaced trust, and use that trust to steal credentials and assets from the unwitting.

You can read my post on SearchSecurity here on these and other trends in the threat landscape.