It's been very nearly an entire year since I gave my last guest lecture on the future of machine learning to Data Analytics students at NHL Stenden back in February. Since then, I've moved on from my position as Head of Software Engineering at BreachLock and taken the leap into entrepreneurship. I'm loving my new role as CTO and Co-Founder of Noon at Work, and relishing the learning and growth I've enjoyed since I joined the awesome folks at Builders in building out their newest venture, but I'd be lying if I told you I don't sometimes get nostalgic for the times when cybersecurity was my day-to-day.

That's why it was so refreshing and exciting to have the opportunity to deliver my first guest lecture at NHL Stenden's Emmen campus, focusing on making cybersecurity less of a mystery to students on the International Business program!

My aim was to take the very nebulous and spooky concept of "being hacked" and make it a real, concrete thing that International Business students brand new to cybersecurity could better conceptualise and understand. What does an incident actually look like? How do we tread the line between cyber paranoia (which can actually make system security much worse) and recklessness that puts customer data and company assets in danger?

What does a padlock do? Who does it keep out?

A photograph of a set of pin-tumbler lockpicks next to a transparent acrylic practice lock on a table.
We used a set of pin-tumbler lockpicks and some transparent acrylic practice locks to answer an important question: what do security measures like locks actually achieve?

We kicked off with a thought experiment and practical demonstration. We asked outselves the question:

What does a padlock do, and who does it keep out?

The obvious answer is "it prevents thieves from gaining entry" but this is an oversimplification. This practice lock (and many other real padlocks out there on the market) can be "raked" open with a tool costing less than $1 in five seconds flat. Add a pair of bolt cutters into the equation, and that time may well come down even further. A number of the students attending the session were able to open this practice lock with only a 2-minute tutorial, despite never having seen or handled lockpicks before (they were obviously warned to only use their new-found understanding of locks only for good and never evil).

The actual answer is more nuanced. A padlock like this keeps out honest people and opportunists–dishonest folks looking for an easy target. Using a padlock like this to secure your garden shed where you keep your rusty old lawnmower? Great! Use it to secure your jewelry store with $100,000 of jewelry and precious metals on-site? Not such a good idea.

This led us to the first of two lifelines business folks can use to get a handle on their cybersecurity posture: what does your threat model look like?

Threat modelling is the process of identifying threats to your system and defining measures to counteract them. It’s a great antidote to both carelessness and paranoia!

Is your web development agency maintaining a WordPress site for a local furniture store? If so, keeping your WordPress installation (and plugins!) patched and up-to-date and responding in a timely fashion to newly-disclosed vulnerabilities is reasonable. You probably don't need a dedicated cyber incident response team on-call 24/7, or a comprehensive network intrusion detection setup. Following simple best-practices for secure management of secrets (e.g. keys, passwords etc.) and basic network security hygeine (e.g. firewalls, IP address allowlisting) is probably fine. If a small-time hacker tries their luck, they're likely to give up and move on to an easier target long before they find their way in. Nation-state funded attackers, terrorist groups or organised ransomware gangs exploiting zero-day vulnerabilities are probably not concerns you or your client need to lose any sleep over. These adversaries have bigger fish to fry.

By contrast, has your consultancy been contracted by the government to manage and maintain critical network infrastructure that keeps the electricity grid online? Different threat model altogether!

While businesspeople may not be engaging in cyber threat modelling personally on a day-to-day basis, they are often the ones signing off on cybersecurity budgets, and in many cases have a deeper understanding of their customers, compliance obligations and business processes than their cybersecurity team. A little knowledge on what threat modelling looks like on the part of business folks in an organisation can help enormously in keeping communication with operations smooth and productive (and heads cool, especially during incident retrospectives).

What does a cybersecurity incident look like?

Screenshots of the 3 vulnerable web applications we used as part of the session.
The 3 hackable websites hosted for the session. From left to right: a crypto escrow startup landing page with a HTML injection vulnerability, a hiring manager's personal website allowing unrestricted file uploads and a blog for home coffee growers that exposes user passwords.

Next, the class split into 3 teams, each of whom launched a simple cyberattack on one of 3 vulnerable websites hosted specifically for the session (again, students were warned never to use what we learned in the session against any real website).

The aim was to put the students in the attacker's seat for a moment, to help turn the threat of a cybersecurity incident from a mysterious bogeyman that could strike at any time to more of a known quantity that can be anticipated, reasoned about and planned for.

I won't go deep into the mechanics of each attack here (see the end of the article for lesson materials) but briefly:

  • Team 1 attacked a hiring manager's personal website that asks prospective hires to submit their CVs via a file upload field. However, it accepts arbitrary file types (including PHP files) enabling remote code execution on the server if a web shell is uploaded. Team 1's objective was to deface the website by overwriting its homepage.
  • Team 2 attacked a cryptocurrency escrow service's landing page by injecting HTML designed to grab the IP address and credentials of the website's administrator by presenting itself as a "session expired" dialog. Team 2's objective was to exfiltrate the website admin's IP address, username and password
  • Team 3 attacked a blog for home coffee growers by exploiting a password exposure vulnerability. Their objective was to steal the admin's credentials and log in as them, taking over the website and stealing the user database.

All 3 teams, despite having this being their first brush with offensive cybersecurity, were able to successfully execute the attacks using payloads provided as part of the session materials.

We concluded with our second cybersecurity posture lifeline: what part of the attack surface of each of these websites did we exploit to carry out our cyberattacks?

First order of business when assessing cybersecurity risk as businesspeople is to get as complete a picture as possible about your organisation’s cyber attack surface. This just refers to all the different ways someone can attack your systems.

The vulnerabilities on these websites resulted from a failure of the hypothetical organisations in question to properly consider the attack surface of their web applications and perform adequate threat modelling with that in mind.

Tying Things to the Real World

A photograph of the components of the burglar alarm system we used during the session.
The burglar alarm system we used as part of the practical session.

We concluded the session by breaking out another bit of kit: an ADT-branded Visonic PowerMaster PM-360R burglar alarm system and running a key cloning attack against the RFID key fobs used to arm and disarm it. I'll keep the details of this attack off the record for now. Read chapter 2 of my Ph.D. thesis when it's complete if you're curious!

We considered whether we'd feel safe using this system to secure a home or business, putting our two cybersecurity lifelines to use: if this system were part of our attack surface, would our threat modelling find it to be sufficient to protect our house or place of business?

Wrapping Up

I'm set to deliver several other guest lectures a NHL Stenden before the end of this year, and I honestly can't wait. The campus facilities are amazing and the students are exceptionally curious and engaged.

As ever for my guest lectures, all materials for this session are open-source. If you'd like to download and use the demo applications yourself (or use them for teaching) you can find them on my GitHub (use these materials sensibly and legally please):

The slides and worksheets for the session (team 1, team 2 and team 3) are available on my website.