What I learned from hacking the Winter OlympicsBlog
Finding his way into places where he shouldn’t be is something Joshua Knight excels in. From the internal computer systems of the 2002 Winter Olympics in Salt Lake City to the aftermath of the 9/11 attacks, finding vulnerabilities and helping companies and governments prevent malicious attacks has been his key objective.
In 2001, while working as a penetration tester, he was tasked with finding vulnerabilities in the cybersecurity systems protecting the upcoming Winter Games. In the wake of the 9/11 terrorist attacks both the federal government and large corporates sought to head off any potential attacks and make sure the cyber-infrastructure supporting the games was as secure as they thought it was.
Hacking the 2002 Winter Olympics
Because of the sensitivity surrounding the games, the organisers were looking for the top people in the field to try and hack the games’ servers. “The advantage I had was that I specialised in hacking the Windows server environment, something of an emerging specialty back then,” Knight told the Dimension Data Tech Know Podcast. “With the games’ websites being hosted on Windows Server systems, this gave me a starting point.”
Based in Kansas, almost 1,000 miles from Salt Lake City, and with only limited information to start with, he slowly gained access to the web servers. While being careful not to raise any alarms, he was able to backend database servers, and from there move on to systems hosting more sensitive information, including information on the athletes.
“At this point I had achieved what I set out to do, and so I reported the issues to the security team so that they could remedy the issues,” Knight shared on the podcast. “Which more often than not meant ensuring that the operating systems and applications running on them had been properly patched,’ he says.
A changing landscape
The terrorist attacks on 9/11 fundamentally changed that way the establishment viewed security and the amount of funding that went into cybersecurity, from both government and commercial entities.
“Security has gone through four major paradigm shifts,” Knight added. “From the web, to internet, to cyber, and now to digital.”
With each shift the area of concern has changed, from just attacking web servers, to attacking systems connected to the internet, to cyber-attacks on critical infrastructure such as power stations, and now with entire digital ecosystems under attack by criminal organisations and nation states.
This change in attitude regarding the importance of cybersecurity has, become a critical issue for all organisations.
Governance is the answer – not technology
“The increased focus also turned my career from one where I was a hacker for hire - trying to penetrate secure infrastructure in order to ensure that no-one else could - to one where the focus is more on the issues surrounding compliance, regulation, and governance,” Knight continued. “I used to think that technology was the answer to all security questions, but my experience post 9/11 taught me that governance should always be the starting point for security discussions.”
For any cybersecurity strategy to be successful it’s critical that policies, procedures, and standards are put in place first and only once these have been established does technology come in to reinforce this.
This has shifted not only what needs to be done when implementing a security strategy, but more importantly who is involved in the conversations. Knight points out that it’s no longer just the CIO or the CISO who are part of the security discussion. The CEO, CFO, and the audit teams are an integral part of building out a security strategy.
“The great part of security technology today is that many of the concerns of these groups can be directly addressed via technology,” he added. “This includes governance, risk and compliance, access management and management of all digital systems.”
Security’s next step
Every organisation is looking to the future and they are aware that securing the software-defined environment is critical. Security needs to be embedded into software-defined systems.
“One of the key differences between 20 years ago and today is that the security story is boiled down to a place that makes sense,” according to Knight. “I believe that we are going to see the role of the CISO replaced by the Chief Trust Officer, a role that encompasses security, privacy, and audit. Security is just a part of the equation, and forward-thinking organisations are already trying to figure out what this role will look like.”
Be sure to listen to the full story of what Joshua Knight learned from hacking the Winter Olympics on the Dimension Data Tech Know Podcast!