Nowadays, more and more companies expose their products and resources to the Internet to facilitate ease of access and faster adoption rates. As the number of publicly exposed components continues to grow, companies expand the attack surface that an attacker can target to cause harm to the organization.
With the fast-paced technological evolution, the rules of the game have changed. The hide and seek game, mainly played by the white hats and the black hats, has moved to a new level of sophistication, and it keeps evolving. When it comes to knowledge and tooling, both parties are at the same level, but the white hats are at a great disadvantage because of the unaware and uneducated human factor. This is basically everybody who is not involved with or intrigued by security matters.
The unaware and uneducated group of employees is one of the greatest vulnerabilities within an organization. Unintentionally, they can cause a huge amount of harm unless properly educated, trained, and made aware of the potential risks and threats that surround them. With well-invested effort and efficient measures, these employees could be turned into the greatest asset that a company has. But you need to present them with the right educational tools to create a mentality shift that could make a difference in an attack scenario.
“It is my judgment that the Internet itself is for the most part secure, though there are steps we know can be taken to improve security and resilience. Most of the vulnerabilities arise from those who use the Internet – companies, governments, academic institutions, and individuals alike – but who do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.”
by Vinton Cerf, United States Congress Joint Economic Committee on 23 February 2000
In the past years, the Yonder Tech board held many presentations and workshops on security-related topics. We started with less technical subjects like security hygiene, best practices, common cyber threats, and known vulnerabilities, and went all the way to real-world threat analysis or reverse engineering.
But in time, they discovered that more and more colleagues aren’t interested in advanced topics, or they have gaps in the required security knowledge. Yonder created a new team internally to design more engaging resources and to avoid a lack of security principles in the future.
After some research, the team concluded that one of the most effective approaches would be to apply gamification. So, that meant they would prepare an interesting game script for cybersecurity-related quests.
“Games are the only force in the known universe that can get people to take actions against their self-interest, in a predictable way, without using force.”
by Gabe Zichermann
The team designed an interactive event with all the security topics that should be discussed during periodical security meetings and presented them as puzzles, technical challenges, and quests.
The whole idea behind this type of event was to see what the benefit would be of introducing gamification within the cybersecurity context to the general public (individuals from the organization). We offered everybody within the organization the setup to experiment with security in a controlled environment, under the guidance of people and at their own pace.
So far, there have been three editions of security competitions within Yonder, each of them using a slightly different approach. At the start of this initiative, we invited the infrastructure teams because of their background and security-related day-to-day tasks. Based on their feedback, the organizers then recommended teams with colleagues from different departments to extend the team’s expertise. The events used the Capture the Flag competition format and included challenges from the following categories:
We believe that practice and lessons learned are the key when it comes to security. After each competition, we gathered feedback from the participants to create a better simulation and a better user experience in the future. Furthermore, using the challenges that weren’t solved, we can prepare more relevant training and workshops to improve the security skills of our colleagues.
For this article, we asked the team with the most impressive evolution between events (from the bottom of the ranking to the winners of the latest competition) to summarize their CTF experience and share their thoughts with you:
I think the best part about this particular CTF was the level of involvement and different challenges that were up for ‘capturing.’ Those sudden rush moments when another team has overtaken you are also part of the ‘CTF’ magic, trying to get back to your previous place by social engineering or by resorting to other ‘dirty tricks.’
One thing that could’ve been better would have been to have more competition and have it last a bit longer. All in all, I’d recommend participating in CTFs to anyone if they have the opportunity; the things you get to learn and experience with your peers surely feel rewarding and fun.
The Yonder Cyber Threat Aware solutions also include games to increase security awareness within your company. Security is always important, but now that most companies have moved to working from home and completely in the cloud, security is even more imperative. Your employees can no longer walk to the IT department to check suspicious communications they receive. They now have to be more vigilant by themselves, especially as cybercriminals are ramping up their activity and the sophistication of their attacks.
So reach out to our [email protected], and we can see if a security game or any of the other solutions we offer can be of benefit to keep your company and its data safe.
Be Cyber Threat Aware; we’re here to help!
By Alex Coman and Remy Toma.