The security game - is your business fit enough?

Asks Tim Keanini, chief research officer, Tripwire.

  • Monday, 30th September 2013, by Phil Alsop

Information security has always required specialised knowledge – not least to decipher all the acronyms and geek speak! Joking aside, as networks become more complex, so too must information security morph into a multi-dimensional discipline that needs to constantly evolve if it’s to remain ahead of the game. This is especially true at the enterprise level, where expert knowledge is required to build an effective information security program.
However, technology and specialised expertise alone aren’t enough to adequately reduce security risks. Instead, just like a team where every player has a position on the field of play, every individual within an organisation must come together to protect it from falling foul of cyber criminals.
The problem is how to engage the entire organisation in a technology that many people consider to be so far outside of their expertise it might as well be a whole new ball game.


Match Fit
One place to start is the analogy used to describe cyber security. Fitness works as a metaphor because almost everyone in our society has a personal understanding of health and fitness principles and how those principles affect their day-to-day actions. By reframing our cyber security programs as a kind of organisational and personal fitness regime, we can engage in an entirely different, more nuanced conversation about security with wider audiences.


For example, two key principles at work in effective fitness programs have strong parallels in cyber security:
· The first principle is to understand as much as possible about your opponent.
· The second principle is to use that knowledge to develop a strategy that leverages your strengths against that opponent.


Translating these principles to cyber security, imagine you find yourself in a ‘game’ against a hacktivist organisation. What do you think their ‘game plan’ is? Another way to ask the same question would be, ‘what information assets in our organisation offer hacktivists the biggest payoff?’


Of course, the answer to this question will be specific to hacktivists as opponents. If you ask the same questions about cyber criminals or nation state attackers the answers will be different because those opponents play a different game.


This thought process can help you make your organisation’s cyber security ‘fitness’ program more specific.


While hacktivists may not be everyone’s challenge, organised cyber criminals are opponents everyone will have to play against at some point. These highly focused individuals are looking for access to customer data, intellectual property, competitive intelligence and financial data. This data has a street value, and they can turn it into profit.


If your business has any of this information - and that pretty much encompasses every for-profit and non-profit organisation in existence - then you need to ‘train’ to compete against cyber criminals effectively.


Training Regime
Since you can be pretty certain that cyber criminals will target specific assets and business processes, everyone’s basic training program should be focused on protecting the assets in your business that are most attractive to them.


However, hacktivists and nation-state attackers are a little more complex as they are driven by different motives so will target different assets and business processes. If your business is large enough to qualify as a target for either of these security threats, your fitness program needs to be specific enough to protect a broader range of assets and business processes.


Building an effective security fitness program requires self-knowledge, equivalent knowledge of your opponents, time and thought. The following checklist will help focus efforts to improve your organisation’s performance against targeted opponents:


Study Your Opponents
- What do my opponents consider a ‘win’ in the context of my business?
  o Will they target specific data – for example R&D material or the customer database?
  o Or are they just looking to cause frustration – i.e. DoS attacks?
- What payoffs are my opponents optimising for?
  o Do they want to put me out of business?


Plan Potential Game Tactics
- Can you deflect your opponent’s precision?
- Can you use misinformation to make information goals more difficult to pinpoint?
- Can you introduce temporal change and variance so anything your adversaries learn about you is of limited use?


Evaluate Your Security Fitness Levels
- What is your time-to-repair for each information system?
- How can you improve system recovery times, especially for critical systems?
  o Consider scheduling some practice drills to hone your skills
  o Perhaps take a cyber security game plan and put it into play
  o Just like a professional team, review your performance and learn from mistakes


The bad news is there’s no ‘one size fits all’ answer when it comes to cyber security. The good news is that, if you do work hard, you can develop a customised security fitness program that will give your organisation the best possible chance to survive a serious cyber attack with minimal damage.
Cyber security is a brutal, relentless game and everyone has to play. There is no such thing as a ‘forfeit’ or a bye week. Technology isn’t enough to survive so we have to begin thinking differently about the problem by building stronger, more effective teams.


No one said it was going to be easy, but the alternative is to forget about offering up a defence, or even playing an offence, and instead just let the bad guys win! You are already on the playing field; it is time you acted like it.