On 3 October 2018 Microsoft and NIPO organized a Cyber Security War Game at NIPO offices in Amsterdam. A very interesting day that helped us understand a lot on the techniques used by hackers and made us gain insights in the power of cloud platforms in helping you defend against both internal and external threats.
Info
The cyber war games are a business simulation event where one team must defend an (Azure) application from the attacks of another team. There is little to no upfront info on the application or any business processes for disaster. Is the application in a good state? Can we investigate what is going on? How should we divide priorities around all issues? How do we keep communicating well? Even without assuming high skills on the attackers you might be up for a big battle already. Let alone if the attackers bring out the big guns!
The event
So, on Wednesday 3 October NIPO staff was up for this battle. Manas Bhardwaj and Rob van Abeelen from Microsoft came over to lead the game. NIPO staff was divided in a red and blue team. One team was attacking, the other defending an application.
The aim of the cyber war game was to:
- Understand some of the techniques used by attackers to steal data.
- Understand the range of cyber security theft risks for custom developed software.
- Understand the Open Web Application Security Project (OWASP) 10 most critical web application security risks) and available mitigations.
- Understand the importance of a robust cyber security incident response plan.
- Work more cohesively as a team in the event of a cyber security incident.
- Gain insights into the power of cloud platforms in helping you defend against both internal and external threat actors.
Feedback gathered after the game
Playing the game was a very fun and sometimes (intentional) stressful exercise. Our NIPO colleagues looked back on the event as a good exercise to make you more aware of security, as it brought many security aspects to the forefront. It was a good learning environment, to see how systems can be vulnerable. It was fun and a very close to a real event.
Learnings from the Cyber Security War Game
Apart from a solid confirmation that our efforts to collectively maintain security standards at the highest levels is nothing less than a necessity for a cloud Saas provider, we found these valuable learnings:
- The attackers’ progress had several milestones, and the main breakthrough every time came from having a user account/password. We know how important it is to be careful with your credentials, but being confronted with how big a difference having access to one’s user account is, was impressive.
- We gained insight in (and access to) the tools that hackers use. It is shocking to see how easy it is to use them and the information that you can get if a website has a security issue.
- We learned we cannot only rely on tools (like Veracode) to catch all security issues when developing.
- Events like these clearly show the things you must think when looking at vulnerabilities in code and the competencies of the teams.
- Run exercises like these more often on our own system with a wide group of people. You cannot rely on a few colleagues when dealing with security threats. If they are sick/out, that can be a problem.
In conclusion, it was a very useful experience with positive feedback from our colleagues. We aim to repeat this session at our Madrid office soon.
