"Think like a hacker" – easier said than done. Many of us w, b recognize script kiddies or black-hoodied nation-state hackers, but it can be difficult to understand what kind of security trouble these people would be able to do. In addition, the cybersecurity threats we face are different when we are defending a power plant compared to designing a mobile application for making massage therapist appointments.
That's why we created Cyber Bogies. Cyber Bogies are our gallery of "usual suspects" – malicious and otherwise troublesome people who may pose some kind of threat to IT systems or processes. The list includes crackers, opportunistic abusers, common criminals, incompetent users, insiders, and other kinds of miscreants. Our intention was to create memorable personalities that tickle your imagination and help with putting theoretical threats into context.
Cyber Bogies are a fine-tuned version of Persona non Grata. The characters are based on stereotypes and caricatures, which make them memorable and easier to understand. That's why Cyber Bogies include North Korean hackers, Eastern Asian espionage, state-sponsored Advanced Persistent Threat groups, Brazilian scammers, Eastern European cybercriminal groups, and teenager script kiddies. These are actual phenomena and relevant cybersecurity threats for some. However, we do not want to offend or discriminate against any nationality or ethnicity in any way. For example, "Nigerian Letters" is a type of financial scam named for its origin, but it does not mean that Nigerians are scammers. The idea is that you can pick the relevant threats and Cyber Bogies for your case from a bigger catalog.
You can use Cyber Bogies in threat workshops for brainstorming.
For example, everyone can pick a Cyber Bogie card randomly. Then take turns:
1. Read the Cyber Bogie description briefly to others.
2. Explain how this Cyber Bogie would attack the system or why it's not relevant.
3. Everybody else can comment.
4. Write down the threats you found.
After you have listed possible threats, start checking what kind of mitigations you already have in place, or which ones you could implement.
Check the gameplay instructions for ideas on gamifying threat discovery!
Pick the most relevant Cyber Bogie characters threatening the security of the system you are developing. Pin the characters on your office wall and rename them if you like, to make talking about them easier. When you are planning new features or changes, think about what harm the Cyber Bogies could cause:
* "Is there something new Charlie Cheater could do if we add this feature?"
* "Script Kiddie Jonne should not be able to make a denial of service attack that would put the website down."
* "Competitor Engineer Alex should not be able to dig out important algorithms by reverse-engineering our firmware."
You can also use the characters and threat scenarios for test planning.
Copyright notice:
Cyber Bogies is © 2020 Nixu Corporation. This work is licensed under the Attribution-NonCommercial-NoDerivatives 4.0 International license (https://creativecommons.org/licenses/by-nc-nd/4.0/).