Name
Red Teaming: A New Approach to Test Security
Description

This session will be a case study, looking at how one organisation ran a Red Teaming exercise in support of their assessment security program, and the benefits derived from it.

The objective of this exercise was, firstly, to identify unique and novel vectors which may compromise the security of exams. Leveraging the expertise of individuals who were not members of the security team allowed the workshop to take a fresh perspective on potential threats.

Second, the workshop sought to identify a Most Likely and a Most Dangerous scenario. This gave the organisation actionable assessments of what the most likely threats to test security were, as well as identifying black swan events that could critically undermine the integrity of the tests. This allowed the test security plan to make informed decisions about resource allocation, as well as articulate the risks.

Finally, the exercise aimed to educate staff on test security to improve their awareness of potential threats and to build a culture of security. Security is not the sole remit of the security team. It is dependent on the vigilance of all members of staff. However, getting staff to attend, and pay attention to, security training can be difficult. By providing an interesting and novel experience, the staff involved actively engaged with the workshop, leaving them with a better understanding of security.

The Red Teaming was run through a series of structured analytical techniques, each of which built off the previous one to create a complete picture of our Most Likely and Most Dangerous scenarios. The presentation will run through all of these to explain how these techniques came together to identify risks to test security.

The final 10 minutes of the presentation will be dedicated to helping attendees run similar programs for themselves. This will include providing examples of other techniques which may be useful, as well as providing tips on preparing for and running sessions.

Session Type
Presentation
Session Area
Security
Primary Topic
Innovation in Assessment