The following is a proposal for a Master Thesis that we are announcing, anyone who is interested and about to write their thesis is welcome to contact us for more information.
Information Security Red-Teaming: Attack and Defense Exercises for the Security Novice
The purpose of this proposed master thesis is to chart the requirements of an educational security attack and defense (red-teaming), or security breach scenario, exercise that focus on the security novice and non-technical, and to establishing guidelines for how to run and evaluate such an exercise.
Red-team exercises often follow security-penetration standards to structure the attack scenario, like the Penetration Testing Execution Standard (PTES) or Information Systems Security Assessment Framework (ISSAF). However, PTES, ISSAF and other commonly used standards fall short in two respects. Firstly, they do not advise on how to actually setup a full scope attack-and-defense exercise. Secondly, they typically target the technical aspect of breaching systems, with little focus on the non-technical breaches, educating, explaining, or further awareness about incidents. In particular for the inexperienced security novice.
There is a differences between the security novice capability to realize what kind of threats and vulnerabilities can cause damage to their environment. Information security is a broad term, and encapsulate more than just a technical aspect. Breaches to security can mean many things, and not just that of a system failing to provide required confidentiality, integrity, and availability. It could be sensitive information being disclosed unwittingly, physical harm like fires and floods, or overhearing sensitive information being shared between coworkers waiting for the bus. Therefore, security is commonly said to lie with everyone, and not just an IT department or a CISO.
Security training thus becomes important to raise awareness and maintain operational stability. However, simply reporting the successful breach or disruption of devices or services, as is often the result of many red-team exercises, does not necessary raise awareness. Especially if the target audience lack the security knowledge to understand the consequences and implications therein.
This suggested master thesis therefore propose addressing this incomplete understanding of how to exercise read-teaming or security breach scenarios for the security novice, stretching beyond only the technical realm.
If you are interested, please don’t hesitate to contact Martin.Lundgren@ltu.se for more details about this proposal.