CODED × KIBS · Kuwait
CODED × Institute of Banking Studies

Technology & Information Risk Management

A two-day workshop with CODED and the Institute of Banking Studies — recognise the threats, strengthen the defences, and respond to a live breach.

Day 2 · 2026
Institute of Banking Studies, Kuwait
We’ll begin shortly
Day 2 · before we begin
How long would your password last?
Type a password you'd actually use — watch it crack in real time
Demo panel · 6 characters · character pool 26 · 3×10⁸ combinations · time to crack offline: instant
Try: password1 · Summer2023! · Tr0ub4dor&3 · correct horse battery staple
The one you actually use — how did it do? Today we make it uncrackable, then prove it.
What you'll walk out able to do

By the end of Day 2, here's what you'll be able to do.

Judge whether a password or a control is actually strong — and say why.
Map one control to ISO 27001, NIST, and PCI-DSS at the same time.
Read a policy critically enough to catch a dangerous gap.
Run a live incident: Detect → Contain → Eradicate → Recover → Learn.
The shape of Day 2

Yesterday we named the threats. Today we beat them.

Same rhythm as Day 1 — a story, an image, the term bridged to it, then something you do. Four topics that move from one password to a full incident at 2am.

1 · Passwords & how they fall
Brute force, dictionaries, stuffing, hashing — and what actually holds.
2 · Standards & controls
ISO, NIST, PCI — how a bank proves it's secure.
3 · Policies that actually work
Policy, standard, procedure — and the gaps that sink them.
4 · Incident response · the capstone
The 2am call — run it live, scored.
Topic 1 · Passwords & Authentication
The story
A leaked list

An employee uses the same password at work as on a shopping site. The shopping site is breached. Months later, attackers try that exact password against the bank's VPN — and walk straight in. The bank was never hacked. The password was just reused.

Most break-ins don't pick the lock. They already have the key.

Attack 1 of 4
The analogy

Every key on the ring.

A thief with a giant ring of keys, trying each one in the lock, one after another. With enough time and enough keys, one eventually turns — unless there are simply too many to get through.
trying every key…
The term & the link

This is brute force.

BRUTE FORCE Trying every possible combination until one works — automated, millions of guesses a second.
Every extra character multiplies the ring. That's why long beats clever.
Mini check · your call
Which takes a brute-force attack longer to crack?
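The arithmetic behind the 6 / 26 / 3×10⁸ opening panel, as an added Python example (not the deck's own widget): it works out the character pool from the classes a password uses, raises it to the length to get the brute-force keyspace, and turns that into time at an assumed offline guessing rate. The 10¹⁰ guesses/second rate and the 33-symbol class are assumptions for illustration; this is the brute-force ceiling only, which a dictionary or stuffing attack simply ignores.

```python
import string

# Assumed offline guessing rate for illustration (not a figure from the deck).
GUESSES_PER_SECOND = 1e10

# Once one member of a class appears, a brute-force attack must cover the whole class.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),  # printable symbols plus space (assumed class size)
)


def character_pool(password: str) -> int:
    """Size of the alphabet the attacker's key ring has to cover."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def combinations(password: str) -> int:
    """Every key on the ring: pool ** length. Each extra character multiplies the ring."""
    return character_pool(password) ** len(password)


def crack_time_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: try every combination at the assumed rate."""
    return combinations(password) / rate


def human_time(seconds: float) -> str:
    """Rough duration label in the style of the deck's panel."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return "instant" if seconds < 1 else f"{seconds:.0f} seconds"


def describe(password: str) -> str:
    return (f"{len(password)} chars, pool {character_pool(password)}, "
            f"{combinations(password):.1e} combinations, brute force: "
            f"{human_time(crack_time_seconds(password))}")


if __name__ == "__main__":
    # The deck's sample passwords: length dominates even before dictionaries enter the picture.
    for pw in ("abcdef", "password1", "Summer2023!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(describe(pw))
```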
Attack 2 of 4
The analogy

Start with the obvious keys.

A smart thief doesn't try random keys first — they try the ones everyone uses: the spare under the mat, "1234", the dog's name. Most locks open on the predictable guess.
123456 · password · qwerty · the obvious guesses, first
The term & the link

This is a dictionary attack.

DICTIONARY ATTACK Trying a list of common passwords and known patterns first — far faster than brute force.
Mini check · your call
Why does an attacker try "Summer2023!" before "x9#mK2vQ"?
Attack 3 of 4
The analogy

One key, every door.

Someone copies the key you use for your house, your office, and your car. Steal it once from any of those doors, and they can now try it on all of them.
one stolen key, every account
The term & the link

This is credential stuffing.

CREDENTIAL STUFFING Taking passwords leaked from one site and trying them automatically against many others.
This is exactly how the opening story's bank got hit — no hack, just a reused key.
Mini check · your call
You reuse one strong password everywhere. A shopping site you use is breached. Is your bank login safe?
Defence · the term that holds
The analogy

The one-way blender.

Blend a fruit into a smoothie and you can't get the fruit back. A bank should store your password like that — blended, never whole — so a stolen database is just smoothies, not keys.
Summer2023! → 3941de2b… · scramble it — can't reverse
The term & the link

This is hashing.

HASHING Storing a one-way scrambled version of a password, so even the bank never holds the real one.
Mini demo · crack the hash

Watch a weak hash fall.

A leaked password, stored as a weak unsalted hash. Launch the dictionary attack — the recovered password is the point.

Leaked hash · MD5 · sandboxed: 3941de2b1cfbe343743c5a8b7b45f63a
Launch the dictionary attack, then read off the recovered password.
Weak + unsalted = reversed in seconds. Strong hashing buys time — long, unique passwords + MFA do the rest.
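Why the demo's unsalted MD5 falls in seconds and what "strong hashing buys time" means in storage terms, as an added Python example (not the deck's sandbox): a constructed five-word leaked list is hashed once into a lookup table that reverses any unsalted MD5 in it instantly, while a random per-user salt plus slow PBKDF2 makes that same table useless and gives two users with the same password different records. The wordlist, the 16-byte salt and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini "leaked list" for this example (the deck's sandbox uses its own).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Summer2023!", "Tr0ub4dor&3"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the demo's leaked database. Never store real passwords this way."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words) -> dict:
    """Hash the wordlist ONCE: without salt, one table reverses every leaked database."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(leaked_hash: str, lookup: dict):
    """Against an unsalted hash the dictionary attack collapses to a single lookup."""
    return lookup.get(leaked_hash.lower())


def store_salted(password: str, iterations: int = 200_000) -> dict:
    """Defender side: random per-user salt + slow PBKDF2-HMAC-SHA256 (assumed parameters)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def salt_defeats_lookup(password: str) -> bool:
    """Same password twice: identical unsalted hashes, but different salted records."""
    unsalted_same = md5_hex(password) == md5_hex(password)
    salted_same = store_salted(password, 1_000)["hash"] == store_salted(password, 1_000)["hash"]
    return unsalted_same and not salted_same


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    leaked = md5_hex("Summer2023!")  # what a breached unsalted database holds
    print("leaked MD5:", leaked, "->", recover_unsalted(leaked, table))
    record = store_salted("Summer2023!")
    print("salted record:", record)
    print("precomputed table still helps?", recover_unsalted(record["hash"], table))  # None
```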
Break 1 of 3 · 15:00
Back at 10:15 — stretch, coffee, questions welcome.
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

117 million passwords, cracked in days.

LinkedIn breach · 2012

Password hashes were stolen and — because they were weakly hashed and unsalted — most were cracked within days, then fuelled credential-stuffing attacks for years.
Stat panel · hashes first leaked · full total by 2016 · days to crack the weak ones
Confirm figures before quoting live. Next: how a bank proves it's secure — standards →
Topic 2 · Standards & Controls
The story
The audit

A regulator asks one deceptively simple question: "Prove you're secure." "We have firewalls" isn't an answer. You need a recognised framework, evidence it's followed, and an independent check. That's what standards are for.

"Trust us" isn't a control. A standard is.

Standard 1 of 3
The analogy

The kitchen hygiene certificate.

It doesn't promise no one ever gets sick. It certifies the kitchen runs a proper system — checks, records, reviews — and that an inspector verified it. The system is the point, not a single clean day.
certified — proven, not promised
The term & the link

This is ISO 27001.

ISO 27001 The international standard for an Information Security Management System — a governed, audited way of running security.
Mini check · your call
A bank is "ISO 27001 certified." What does that actually tell you?
Standard 2 of 3
The analogy

The five-step safety checklist.

Good emergency plans follow the same arc every time: know your risks, prevent, spot trouble, react, recover. A simple, repeatable five-beat rhythm anyone can follow under pressure.
Identify · Protect · Detect · Respond · Recover · five steps, every time
The term & the link

This is the NIST CSF.

NIST CSF A framework organising all of security into five functions: Identify, Protect, Detect, Respond, Recover.
Mini check · your call
Which is the correct set of the five NIST CSF functions?
Standard 3 of 3
The analogy

The rules for handling cash.

A casino has extra, non-negotiable rules for anyone touching the money — cameras, counts, sealed drawers. Specific rules for the most sensitive thing in the building.
•••• 4012 · card data — strict rules, always
The term & the link

This is PCI DSS.

PCI DSS Mandatory, prescriptive rules specifically for handling payment-card data.
Here's the payoff: most good controls satisfy all three standards at once.
Mini demo · map the control

One control, many boxes.

Tap a control — guess which standards it satisfies, then watch the columns light up. Most cover more than one.

The controls — tap one · Standards it satisfies:
ISO 27001 · the management system
NIST CSF · the five functions
PCI DSS · the card rules
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

Capital One, 2019.

A single misconfigured control

Over 100 million customer records exposed through one cloud misconfiguration — a gap a mapped, audited control set is designed to catch. Regulatory penalties followed, around $80M.
Stat panel · records exposed · regulatory penalty · 1 misconfiguration
Confirm figures before quoting live. Next: turning standards into rules people follow — policies →
Topic 3 · Policies, Standards & Procedures
The story
The clean policy

A bank's access-control policy reads beautifully — approved, signed, filed. But buried in clause 6 is one line: leaver access is reviewed once a year. A resigned employee keeps live access for eleven months. The policy existed. The gap was in the detail.

A policy nobody can follow — or that hides a hole — protects no one.

Layer 1 of 4
The analogy

The constitution.

It sets the principles — what we stand for, what must always be true. It doesn't tell you which form to fill in; it tells you the rule everything else must obey.
the why — what we stand for
The term & the link

This is a policy.

POLICY The high-level rule — what must be true, and why. Short, stable, approved at the top.
Mini check · your call
Which of these is a policy statement?
Layer 2 of 4
The analogy

The building code.

"Buildings must be safe" is the principle. The building code makes it real and measurable: walls this thick, exits this wide, wiring to this spec. Now it can be checked.
spec · the what — exact requirements
The term & the link

This is a standard.

STANDARD The specific, measurable requirement that makes a policy enforceable — "14 characters, MFA on."
Mini check · your call
Policy says "passwords must be strong." What makes that actually enforceable?
Layer 3 of 4
The analogy

The recipe.

Anyone can follow a good recipe and get the same dish — exact steps, in order. No principles to interpret, no judgement required. Just do step one, then step two.
1 2 3 · the how — step by step
The term & the link

This is a procedure.

PROCEDURE The exact step-by-step instructions for the person actually doing the task.
Policy → standard → procedure: principle, made measurable, made doable.
Mini check · your call
Who most needs the procedure written down?
The failure mode
The analogy

The unlocked back door.

The front is alarmed, the safe is bolted, the policy is framed on the wall — and one back door is quietly unlocked. The whole defence is only as strong as the line everyone skimmed.
locked · the one door nobody checked
The term & the link

This is the policy gap.

POLICY GAP A weak or outdated clause that quietly undoes the rest — the line no one reads closely.
Mini demo · find the gaps

Hunt the weak clauses.

A real-looking access-control policy. Five lines are quietly dangerous — tap each, then the reveal confirms why.

ACCESS-CONTROL-POLICY · v3.1 · INTERNAL
3.2 — Passwords
All staff must change their password every 30 days and may not reuse the previous one.
4.1 — Privileged access
For efficiency, the operations team shares a single admin account for server maintenance.
5.0 — Granting access
New access is granted on email request to the IT helpdesk, who action it the same day.
6.0 — Leavers
A user's access rights are reviewed once per year during the audit cycle.
7.0 — Exceptions
Where business needs require it, exceptions may be approved verbally by a line manager.
Break 2 of 3 · 30:00
Back at 12:15 — stretch, coffee, questions welcome.
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

Morgan Stanley.

Decommissioning gone wrong

Old data-centre equipment was retired without a followed procedure to wipe it — devices with customer data left the building intact. The policy wasn't the problem; the missing procedure was.
Stat panel · regulatory penalty · 15M customers affected · 0 wipe steps followed
Confirm figures before quoting live. Last topic: when it all goes wrong anyway — the 2am call →
Topic 4 · Incident Response — the capstone
The story
02:00

Your phone rings. Ransomware is spreading across the network right now. Every choice you make in the next ten minutes either contains it or makes it worse. There's no policy document open — just you, and a sequence you either know or you don't.

Everything so far was recognising the threat. This is surviving it.

Phase 1 of 5
Detect

Detect — the smoke alarm.

DETECT Notice something is wrong — and confirm it's real — as fast as possible.
Phase 2 of 5
Contain

Contain — close the fire doors.

CONTAIN Stop the spread first — isolate affected systems — before you try to fix anything.
Phase 3 of 5
Eradicate

Eradicate — put the fire fully out.

ERADICATE Remove the attacker and their foothold completely — every backdoor, not just the obvious one.
Phase 4 of 5
Recover

Recover — rebuild and reopen.

RECOVER Restore systems from clean backups and return to normal — verifying nothing dirty comes back with them.
Break 3 of 3 · 15:00
Back at 14:00 — stretch, coffee, questions welcome.
Phase 5 of 5
Learn

Learn — the incident review.

LEARN Find what let it in and fix it — so the same incident can't happen twice.
Detect · Contain · Eradicate · Recover · Learn. Now run all five — live.
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
Capstone · fully scored · assessment artifact

The 02:00 call.

Exercise panel · 02:03 · Phase: Detect · Score: 0 / 100
Two days, one job

Recognise → Control → Respond.

You can now name a threat by how it behaves, prove a control against a standard, read a policy critically, and run an incident without making it worse. From the first opened file to the 2am call — that's the whole arc.

Capstone score recorded · Local Certifications assessment