"I put myself in the mindset of a hacker and simulate cyber attacks so that I can identify potential weak points in our systems and then set up appropriate defences," explains Nuri Fattah, Senior Security Consultant, at the NATO Communications and Information Agency.
It is not difficult for Nuri to put himself in the place of a hacker, as he was one himself, years ago. Now, he is putting his skills to work as the lead ethical hacker within the NATO Computer Incident Response Capability Technical Centre.
Coming from a family of engineers, Nuri started learning about computers at an early age. After completing his master's in IT security, he went down a different road: understanding how systems work in order to compromise them.
"At that time, I wanted to be challenged and find new ways to make systems misbehave. I was intrigued by how e-commerce sites guaranteed customers security on the Internet, so I started looking at how security was implemented, and how easily it could be bypassed," says Nuri.
He eventually decided to devote his talents to private firms specialising in computer security and then started working for NATO more than seven years ago.
"I realized that there was a market for people who do what I do and that they got paid for identifying weaknesses with the end goal of securing those systems," says Nuri. "It's basically a legal way of hacking into an environment in order to identify vulnerabilities and also to enable the decision-makers to identify the business risk to their own organisation by exploiting those vulnerabilities."
Training and improving responsiveness
Exercises are important. They allow NATO, Allies and international partners to test the responsiveness of cyber defence units in real conditions, providing an opportunity for national experts to share knowledge and to practice working together in a crisis.
"NATO takes part in many Cyber Defence exercises. The last one I took part in, called Locked Shields, was held in April 2013 and was organized by NATO's Centre of Excellence in Tallinn, Estonia," says Nuri. "Its objective was to train teams of IT specialists from different Alliance and partner countries in how to detect and mitigate the effects of large-scale cyber-attacks and to deal with incidents, while collaborating with the other teams."
The exercise scenario was imaginary, but the methods of attack and defence, and the conditions, were real. The teams responsible for defending the systems consisted of experts and specialists from government organisations, military units, Computer Emergency Response Teams (CERTs) and private companies.
Nuri led the NATO team, which was responsible for defending the exercise networks and systems. “It was challenging, stressful at times, yet fun, and required a dynamic strategy. And we won! Our team came first out of ten!”
"We played with various tools and techniques to see how we could best lock down and secure all systems, while still keeping them operational, with no compromise to their availability. Our main aim was to have the networks and system still fully functional, while under constant attack, and prevent them from being compromised," he explains.
Cooperation with the private sector
NATO also works with some of the largest private companies in the world, sharing experiences and expertise with them to avert and resist threats, and be able to help Allies in the event of an attack.
In particular, NATO has signed cooperation agreements with a number of private companies to jointly improve the resilience and security posture of NATO networks and systems (software, servers, computers, routers, etc.). Nuri's job is to carry out penetration tests to ensure that the applications or systems to be installed on the various NATO networks are secure. He helps identify flaws and encourages companies to deal with them.
"A good relationship between NATO and private companies is a win-win scenario, because the tests we carry out enable the Alliance to secure, or isolate access to, vulnerable software, while the companies produce rapid updates or fixes which are of benefit to the entire IT community," Nuri explains.
Raising awareness of risks
Nuri also enjoys giving talks and hacking-based demonstrations to both NATO and external companies at various security conferences, in particular the annual NATO Information Assurance Symposium (NIAS).
NIAS is a unique forum presenting the latest expertise, challenges and innovations in cyber defence and information assurance. The purpose is to raise awareness and to highlight risks by explaining to people how, in practice, they may fall victim to various cyber attacks.
Nuri does not think that fundamental awareness campaigns – such as "don't click on any links" or "don't open attachments" – work on their own, because people generally think "it will never happen to me."
"I believe in learning by doing," explains Nuri. "You only learn the lesson once it has personally affected you. So every year at the NIAS, I run a fun segment like DEFCON's Wall of Sheep, where we conduct various 'experiments' to highlight the fact that security professionals still fall for basic tricks."
The cases Nuri uses during his presentations involve new forms of cyber crime on social networks and mobile devices. The 2012 edition of the Norton Cybercrime report estimated that one adult in five online (21%) has been a victim of social or mobile cyber crime, and 39% of social network users have fallen victim to social cyber crime in particular.