Cyber Security: Why You Can Have a Go
IFSEC Global was invited to attend a Cyber Camp, where we took part in some cyber security challenges, and found out that it’s not as hard as it looks.
I’m trying to access an online bank account. Where do I start? OK, login page: Let’s look at the source code for this page. Ah, I see a developer’s comment, ‘DbUsername:Bob’ and a garbled string, which I assume is a password. Encoded in base-64, let’s pop that into a de-crypter… and BINGO! We’re in.
OK, so hacking into a bank account might not be quite this simple, but this was the scenario facing 24 people with varying levels of experience of cyber security at the Cyber Challenge UK Cyber Camp last weekend. Journalists were invited to attend and try their hand at one of the challenges (albeit with a lot of guidance), as we masqueraded for half an hour as professional penetration testers.
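The weakness in the scenario above is a credential left in a developer comment and merely Base64-encoded, which anyone can reverse without a key. As an added example (not from the article or from Cyber Challenge UK), here is a pre-release check that flags such comments in a page's HTML; the keyword list, sample page and password value are constructed assumptions.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Keywords hinting at a credential (assumed list; tune for your code base).
CRED_HINT = re.compile(r"(user(name)?|pass(word|wd)?|pwd|secret|token|key)", re.I)
# Runs of 8+ Base64-alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def decode_if_base64(candidate):
    """Return decoded text if candidate is Base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    if len(text) != len(raw) or not text.isprintable():
        return None
    return text

class CommentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Flag comments that name a credential or hide readable text in Base64.
        decoded = [d for d in map(decode_if_base64, B64_RUN.findall(data)) if d]
        if CRED_HINT.search(data) or decoded:
            line, _ = self.getpos()
            self.findings.append({"line": line, "comment": data.strip(), "decoded": decoded})

def audit_html(source):
    auditor = CommentAuditor()
    auditor.feed(source)
    auditor.close()
    return auditor.findings

# Constructed sample page; every value here is invented for this example.
SAMPLE_PAGE = """<html><body>
<!-- TODO: tidy up the layout before launch -->
<form action="/login" method="post">
  <!-- DbUsername:Bob DbPassword:Q29ycmVjdEhvcnNlMQ== -->
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```

Run against rendered templates in a build pipeline, a non-empty result is a reason to fail the release until the comment is removed and the exposed credential is rotated.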
The key message from the Cyber Challenge’s activities is that you too could have the attributes to enter a career in cyber security; you just might not know it yet. It’s a lucrative field, with six-figure jobs up for grabs and a startlingly small talent pool to choose from. You just have to look at the list of over 70 organizations that sponsor Cyber Challenge events (a list that includes the MoD, BT, PwC, Microsoft, and Sophos, to name but a few), all of which are hoping to find a talented person to recruit and train.
The not-for-profit Cyber Challenge UK has been organizing events for around three and a half years now, and has no age restriction or requirement for previous training in cyber security. Their challenges are a mixture of online and face-to-face events, throughout the year, culminating in their masterclass event where a Cyber Security Champion is crowned. The first winner of the masterclass was a postman, Dan Summers, who now works for the IT Security division of the Royal Mail.
There’s a reticence towards cyber security from professionals who are used to dealing with traditional physical security. They think it is a highly technical and complex career that is beyond them. But the skills required are in many ways similar to those of a physical security expert: risk analysis, common sense, and attention to detail.
Phillip Mason, director of Enterprise Risk Solutions at Information Risk Management (IRM) plc, whose company set one of the cyber camp’s challenges for the weekend, expressed frustration at how the perception of technical expertise was off-putting to people who could excel in the profession. A large part of the job, he said, is knowing how to talk to people and influence the board to invest in security. Sound familiar? That’s what the Security Institute’s Chairman Emma Shaw told us back in May at IFSEC International, when speaking about physical security. Incidentally, she is managing director of Esoteric, another sponsor of Cyber Challenge UK.
Busy developers
Of the 24 people attending the cyber camp weekend, very few were from a cyber security background. Cyber Challenge UK board member Nigel Harrison, a former Lt Col in the Royal Signals, told us:
We see repeat customers a lot. We sought out new people who don’t think they have the skills [to work in cyber security].
Participants ranged from 19- or 20-year-olds at university to people in their mid-40s looking for a career change. The weekend as a whole cost around £50,000 (US$65,595) to arrange, and was hosted in the Ministry of Defence’s Defence Academy, Shrivenham. Surrounded by real (and operational, we were told) tanks and army helicopters, I witnessed participants working together to crack websites as ethical hackers.
The principle of ethical hacking is quite simple: Developers are busy, and a little bit lazy. Top tech companies are often pushing hard and fast to beat their rivals to the next big innovation, and as part of that process, security, while important, often comes second. Without such a furious pace of development, ethical hackers might be seen as somewhat redundant, but there is no sign of a move away from the Internet as the go-to place for more and more of our daily activities. And with the Government opting to do more of its business online (tax returns, for example) in an effort to save money and move away from expensive face-to-face activities, any crisis of confidence in online services could cause the country to “grind to a halt” in Lt Col Harrison’s words.
Cyber Security is important, and it’s not as scary and different from “traditional” security as an outsider might think.
Robert Ratcliff
I’m not sure I could resist the urge to push the buttons…global meltdown would likely ensue.
These machines don’t have ignition keys (for obvious reasons in a hurry during battle) and they weren’t de-activated, so while we were encouraged to jump in if we wanted, we were strictly told not to touch anything. The Borough of Swindon would never have been the same if I’d accidentally pushed the ‘on’ switch.
It’s interesting that the MoD sponsored/hosted this event. In the future we’re going to see a lot more cyber warfare to disrupt a country rather than direct physical attacks. It’s nice to see that the military is paying attention and looking at ways to build up awareness and do some recruiting.
Really interesting – is it a paid for opportunity?
The Cyber Challenge? No, anyone can take part, no cost!
Definitely. There’s recognition at the top of Government that the skills gap is massive in cyber security, so they have to get on top of it now before it gets much worse.