October is National Cyber Security Awareness Month (NCSAM). While most companies mark it with activities and information delivered through traditional means (compliance videos, dry awareness posters and messages, lectures and emails) to help their employees detect and prevent cyber attacks, Facebook honors NCSAM in true hacker style. We call it “Hacktober.” Facebook’s security team runs a series of simulated security incidents against Facebook employees throughout the month of October. The prize for spotting a Hacktober attack and reporting it to the team? Kudos and bragging rights, of course. Oh, and a cool Hacktober T-shirt, poster or sticker.
Different attacks for different groups
We approach Hacktober with three goals in mind: raise awareness of security threats, educate our employees and have fun. To make the hacks more effective, we target specific groups within the company with the types of threats they are likely to encounter while doing their jobs. For example, some groups within the company are more likely to be targeted by phishing than others. One of our Hacktober attacks simulated spear phishing against these employees, but instead of delivering malware or stealing their personal information, it rewarded those who discovered the threat and educated those who fell for it.
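The post does not describe how the spear-phishing simulation was built, so the following is an added example, not Facebook's tooling, showing one way such a simulation can be made safe and measurable: every lure link carries an HMAC-signed per-recipient token (so a click is attributable but a token for someone else cannot be forged), the landing page collects no credentials and simply records the click and serves an education message, and a separate report path records who spotted the lure. The host name, secret, campaign name and recipients are all constructed for the example.

```python
"""Minimal phishing-simulation tracker (added example; hypothetical design)."""
import base64
import hashlib
import hmac
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side secret; load it from a secrets store in a real deployment.
SIM_SECRET = b"hypothetical-simulation-secret"
LANDING_URL = "https://awareness.example.internal/landing"  # hypothetical host
EDUCATION_PAGE = ("This was a Hacktober simulation. Hover over links before you click, "
                  "and report anything suspicious to the security team.")

# Constructed sample campaign and recipients.
CAMPAIGN = "hacktober-spearphish-1"
TARGETS = ["alice", "bob", "carol"]

# In-memory event log: (campaign, user) -> set of events seen for that recipient.
EVENTS = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(campaign: str, user: str) -> str:
    """Token = base64url(campaign:user) . base64url(HMAC-SHA256 over that payload)."""
    payload = f"{campaign}:{user}".encode()
    mac = hmac.new(SIM_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str):
    """Return (campaign, user) if the token is authentic, otherwise None."""
    try:
        p, m = token.split(".", 1)
        payload, mac = _unb64(p), _unb64(m)
        text = payload.decode()
    except ValueError:  # bad structure, bad base64 or non-UTF-8 payload
        return None
    expected = hmac.new(SIM_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    campaign, _, user = text.partition(":")
    return campaign, user


def lure_links(campaign: str, users) -> dict:
    """One unique lure URL per recipient, embedded in the simulated email."""
    return {u: f"{LANDING_URL}?t={make_token(campaign, u)}" for u in users}


def handle_landing(url: str) -> str:
    """Serve the lure's landing page: record the click, never ask for credentials."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    ident = verify_token(token)
    if ident is None:
        return "404 Not Found"
    EVENTS.setdefault(ident, set()).add("clicked")
    return EDUCATION_PAGE


def handle_report(campaign: str, user: str) -> str:
    """Called by the internal 'report suspicious email' tool."""
    EVENTS.setdefault((campaign, user), set()).add("reported")
    return "Thanks for reporting. A Hacktober sticker is on its way."


def outcome(campaign: str, user: str) -> str:
    ev = EVENTS.get((campaign, user), set())
    if "reported" in ev:
        return "clicked_then_reported" if "clicked" in ev else "reported"
    return "clicked" if "clicked" in ev else "no_action"


def summary(campaign: str, users) -> dict:
    return dict(Counter(outcome(campaign, u) for u in users))


def run_demo() -> dict:
    """Replay a constructed campaign and return the per-outcome counts."""
    EVENTS.clear()
    links = lure_links(CAMPAIGN, TARGETS)
    handle_landing(links["alice"])          # alice falls for the lure
    handle_report(CAMPAIGN, "bob")          # bob spots it and reports without clicking
    # carol ignores the email entirely.
    # A forged token (dave's payload with alice's MAC) must be rejected, not logged.
    alice_mac = links["alice"].split("?t=")[1].split(".")[1]
    handle_landing(f"{LANDING_URL}?t={_b64(f'{CAMPAIGN}:dave'.encode())}.{alice_mac}")
    return summary(CAMPAIGN, TARGETS)


if __name__ == "__main__":
    print(run_demo())
```

The point of signing the token rather than using a plain user ID is that a curious recipient (or a colleague playing a prank) cannot register a click on someone else's behalf, so the numbers reported at the end of the month reflect what people actually did. Because the landing page never collects passwords, a real compromise cannot result from the exercise even if the simulation infrastructure itself is later misused.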
Near the end of the month, the security team created a worm that shared fake Facebook news stories among employee Facebook profiles. While the worm was controlled by the security team, it demonstrated how quickly a piece of spam can spread on Facebook and was a useful tool to educate Facebook’s non-engineers about the importance of site security.
Every hack is explained after it completes: what the hack involved, why it matters and what the ideal response would have been. We want employees not only to understand the threats that exist, but also to know how we should respond to them if they were ever to become more than simulations.
Why are we attacking each other?
Hacktober is more than a chance to prank our co-workers with hacks; it's an opportunity for Facebook employees to experience real internet threats before coming across them in the wild. It's much easier to respect a security practice that defends against an attack you've experienced firsthand.
As part of the month, we also tested how employees escalate threats internally. One of our broader hacks convinced 22% of Facebook employees that their accounts had been compromised. The escalations that followed let us exercise our tools for reporting suspicious activity in a controlled way, and helped us tweak policies and systems in ways that benefit everyone. These hacks give us great insight into how similar incidents might play out if they were to happen for real, and into which changes to our security practices are actually necessary.
At month’s end, we thank all of our employees for their good sportsmanship and participation and reward them with a Hacktober themed Happy Hour. On top of the games, food and libation, we also review the hacks and reveal tips for how to avoid them in the future. And of course, the Facebook security team begins planning for next year. Happy Hacktober!
Ryan McGeehan is a Director on Facebook's security team