Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using War Games To Make Organizations More Secure

Posted by samzenpus on from the what-doesn't-kill-you dept.

wiredmikey writes "Along with budget constraints and disconnect between IT and executive management surrounding information security, results of a recent survey show that a major problem is outright lack of understanding of threats. We all know the best way to get that budget increased, is to get hacked. Unfortunately, that could also result in you losing your job. Some companies, however, are taking creative approaches to both raise awareness and identify potential vulnerabilities. A manager with a large financial services group, for example, says that his company addresses security vulnerabilities by staging a series of what it calls 'war games,' in which a user or group of users is tasked with trying to compromise a system, while another user or group of users is tasked with preventing the break-in. Management needs to understand the security threat and its impact to business, and these 'war games' are an innovative and creative way for IT departments to convince executive management on security needs."

49 comments

  1. Err by chriseyre2000 · · Score: 1

    Lets play Global Thermonuclear War

    1. Re:Err by CRCulver · · Score: 3, Informative

      In case no one gets it, this post as well as the "The only winning move is not to play" quotation comes from the old Matthew Broderick film War Games . I'm going to the trouble of explaining that because I've been around on Slashdot for almost a decade, but I still think War Games is before my time, so I can't imagine what the youngsters make of these posts.

    2. Re:Err by Anonymous Coward · · Score: 1

      I like to think War Games is somewhat of a right of passage for geeks. There's a lot of subtle references that approach things like ethics and morality in that movie while still being interesting and funny on a technical level. Anyone that hasn't seen it and is reading this article needs to go watch it!

    3. Re:Err by Captain+Hook · · Score: 2

      Wouldn't this be more like Sneakers, admittedly not as geeky as War Games but certainly a better fit for whats being done.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    4. Re:Err by Anonymous Coward · · Score: 0

      I graduated in 2006 and we watched that movie in High School, so there are definitely still young people being exposed to it.

  2. Interesting... by GameboyRMH · · Score: 1

    The only winning move...is not to play.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  3. Declaration, in preparation... by benbean · · Score: 2

    longint WarGamesMovieReferenceCount;

    --
    It's a Unix system - I know this.
    1. Re:Declaration, in preparation... by benbean · · Score: 1

      Hmm, need an edit option. I started with int, decided that wasn't going to be enough and made it a long, and wound up submitting longint. Grr.

      --
      It's a Unix system - I know this.
    2. Re:Declaration, in preparation... by icebraining · · Score: 1

      #define longint long

      --
      Dilbert RSS feed
    3. Re:Declaration, in preparation... by Anonymous Coward · · Score: 0

      long is always "long" as in twice the size of "short". Are you posting from 16bit hardware? :p

      Anality out of the way - I do get your point

    4. Re:Declaration, in preparation... by Anonymous Coward · · Score: 0

      I started with int, decided that wasn't going to be enough

      2147483647 War Games references should be enough for anyone.

  4. From inside? by Anrego · · Score: 2

    It's the old "with physical access" argument.. except scaled up. Someone within an organization would I imagine have a pretty good chance of compromising the system. Not saying it's acceptable.. but I would guess a reality.

    It's the trade off thing. You need to give people access to stuff so they can do their job. The more locked down you make things, the slower they work. Slower work is more expensive.. etc.

    So it has to scale. Your new "everything is riding on this" designs... yeah.. spend a fortune protecting it. But can people afford to spend a fortune protecting everything (serious question).

    1. Re:From inside? by Lumpy · · Score: 4, Interesting

      Most corporations "security" is theater anyways. They hire a company to do cleaning, so you can get into the whole place by being on the cleaning crew. This has been known as a attack vector for decades, yet it's still not fixed because companies are more interested in giving the CEO a 90,000USD desk than paying for their own cleaning crew that have been vetted and cleared. Plus you have maintenance people that are not a part of the company coming in to every department because the corporation is too cheap to BUY their copiers and hire a tech. so they are all rented and a random guy comes in every week to work on them. IT's trivial to get into the company and leave behind a box on the network to crack it from the inside and send the payload out, install hardware keyloggers, etc....

      Until companies realize that cutting all the executives pay by 10% and increasing the IT staff's pay by 50% and using the left over from the 10% cut at the top to hire permanent cleaning crew and a single copier expert for in the building, their security will not increase. The CFO can live without buying another new Porsche this month.

      --
      Do not look at laser with remaining good eye.
    2. Re:From inside? by bitslinger_42 · · Score: 1

      Of course not. You don't spend a fortune protecting everything. You figure out what the various things that need protecting are worth, and then apply an appropriate amount of security to them.

      What many companies don't recognize, though, is that if you use this model, you cannot have all your data in a single, flat security zone. I could require one-time passwords to access the highly-critical development application, but if that server is in the same effective security zone as the general-purpose web server that's got Internet access, no security, and hasn't been patched in 2 years, then the threats from the low security box dramatically increase the risk on the high security one.

      In the end, there's no substitute for identifying what you want to protect, who you're protecting it from, and how much it is worth (both to you and the attackers). Then apply security as necessary.

  5. Just the same way you test hardware/software by commodore6502 · · Score: 1

    After the lab shakedown, throw the unit into a real environment, and see if it breaks. Obviously security needs to be similarly tested, else you'll never know if it really works.

    --
    Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
  6. Kids these days.... by fuzzyfuzzyfungus · · Score: 3, Funny

    What happened to the reliable old standbye of kidnapping an executive and/or their family and threatening to return one finger every hour until the organization starts taking security more seriously? We've gone soft, I tell ya...

    1. Re:Kids these days.... by CRCulver · · Score: 1

      Wasn't there a SEAL team that caused a scandal by actually breaking into some admiral's home and terrorizing his family, taking their exercise a little too far? I looked at the Wikipedia article for Richard Marcinko, who I thought was the mastermind, but there's no mention of such an incident.

    2. Re:Kids these days.... by c6gunner · · Score: 1

      If you think that more than 15% of the stuff in Marchinko's books is actually true, I've got a bridge to sell you ...

    3. Re:Kids these days.... by PPH · · Score: 1

      It won't work. Whern I worked for Boeing, they had so many vice presidents, they considered them to be expendable.

      --
      Have gnu, will travel.
    4. Re:Kids these days.... by Anonymous Coward · · Score: 0

      How about using rubber fingers, "ketchup" and involving the law enforcement in a collaborative exercises? The FBI Academy might be interested.. Also, the summary suggests someone has rediscovered testing and measurement. Good for them!

  7. Deal with the real problem, maybe? by Geoffrey.landis · · Score: 3, Interesting

    The main problem, as far as I can see, is that IT people are busy demanding users adopt procedures to deal with threats that don't exist, rather than threats that do exist. In all of the many scare-laden emails from our IT department, I don't believe that I have ever once seen one telling us don't use the same password on multiple systems, that's insecure. They do, however, rigorously enforce the fact that passwords must be changed every 60 days, and are specified to be complex enough that a brute-force attack will take 6E17 years, instead of the old insecure passwords that could be broken in a mere 3E9

    --
    http://www.geoffreylandis.com
    1. Re:Deal with the real problem, maybe? by dbIII · · Score: 1

      once seen one telling us don't use the same password on multiple systems, that's insecure

      When that is enforced you get monitors covered in postit notes with the passwords to multiple systems and it's even more insecure :(
      It is of course insane that users tell me their internet banking passwords or even PIN numbers when I ask them to think of a new password to login - but a depressingly large number of new users do that despite never having met me before. To make things worse I'm actually talking about a situation where they are expected to type it in at a prompt, there is no reason for me to know it, and after the first time or two that happened I've asked them to pick a password they've never used anywhere else. They still say things like "why can't I use my X bank password of ***** ?"
      Maybe over the top policies are an attempt to get people to at least do something sensible instead of using their name as their password and hopefully end up in a useful middle ground.

    2. Re:Deal with the real problem, maybe? by Lumpy · · Score: 1

      Only a fool enforces rapid password changes and complex passwords.

      require long pass phrases. if sally the intern uses "I like green puppies!" for her password, that is far more secure than "X652F@z" and will not be on a sticker under the keyboard for anyone to find.

      How about companies stop letting retards run the IT department? at Comcast we had a username requirement that created usernames like the following...
      BillZ8767 and SallyM3212 the last 4 digits were the last 4 of your SSN

      If you forgot your password, when you called into tech support to reset it, you prove who you are by giving them your LAST 4 OF YOUR SSN! so I could sit at any desk, grab that phone and get logged into the users account without effort as everything I needed was on the screen. They implemented this because the IT director had a Masters degree and he knows more than us stupid IT staff... IT was in place until someone made a stink outside the company to the press. then they went back to the old system.

      --
      Do not look at laser with remaining good eye.
    3. Re:Deal with the real problem, maybe? by T_Tauri · · Score: 1

      Only a fool enforces rapid password changes and complex passwords.

      Or someone who has to follow rules like PCI DSS which requires you to change passwords at least every 90 days, be at least 7 char long, include numeric and alphabetic char, not be the same as any of the previous 4 passwords, auto lockout after 6 attempts for at least 30 minutes etc. Don't like that rule and the card companies don't want you handling card payments which makes business a bit hard.

      Personally I'd prefer the option of teaching people to use a decent password and not change/share it but we do not have that option. As it is its a constant battle* with users forgetting their new password, using someone elses, writing it down so they remember it etc. Rapid complex password changes are viewed by many users as a problem which they try to workarround in order to get their job done.

      * A battle we have pretty much won but needs constant vigilance to keep it that way which makes the IT people the bad guys.

    4. Re:Deal with the real problem, maybe? by DrgnDancer · · Score: 1

      Feh. I work in federal contracting. Passwords must be 14 characters long, contain at least 2 *each* of uppercase letters, lower case letters, numerals, and specials, must be changed every 60 days, and cannot be repeated for 12 changes. My friken *life* is resetting people's password. It's completely ridiculous. Add to the complexity requirements the fact that most of these people have accounts at multiple sites, all of which use the same standard, and which rarely require changes at the same time... You can imagine that unless they're some sort of savant most people are completely incapable of keeping track of it all.

      Arguing with the DSS (different DSS than your obviously) reps is like talking to a wall (to fair, they don't make policy and can't change anything anyway), and no one with the ability to change anything is interested in the opinion of some contractor sys admin or security guy.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    5. Re:Deal with the real problem, maybe? by Anonymous Coward · · Score: 0

      Same area of work here- except I dont use a password to login, instead we use a smart card with an easy to remember pin#. It would be cool for all the various people with the need in IT, or even all users to get KeePass deployed in a standard PC image and train everyone in the organization to use it. Then you don't have to remember long passwords and they are all encrypted by one master passphrase.

    6. Re:Deal with the real problem, maybe? by bbasgen · · Score: 1

      Password strength is a reasonably important problem, and achieving a password anywhere near one that would take 3E9 years to break would be quite good. FWIW, you cannot apply straight math to the issue in the sense of 26^8, for example (e.g. 8 characters, lowers only). Shannon's work on entropy is a useful primer on the subject. The entropy of most human chosen passwords leads to the result that *even* mixed case, numeric and symbol passwords of only 8 characters in length are not particularly strong, because you are not truly using 96 characters. Consider that if you were, you probably would not enjoy typing them. :)

    7. Re:Deal with the real problem, maybe? by Anonymous Coward · · Score: 0

      Considering "I like green puppies!" matches password complexity requirements with uppercase, lowercase and special characters I think you countered you own argument against complexity. I guess I can sympathize with not wanting to change it every 60 days although I don't know how this is difficult as I've never had problems creating a 14+ character password I can remember.

    8. Re:Deal with the real problem, maybe? by uninformedLuddite · · Score: 1

      I once dealt with an IT security expert/guru who was supposedly the best in town(Adelaide isn't a big place) and his password was 'aardvark'. Did I mention that this was the root password on every machine he had access to at multiple locations/companies. He is still working and still respected. I used to play CS as 'aardvarkHater' anyone remember me? I was badass

      --
      The new right fascists are bilingual. They speak English and Bullshit.
  8. The ones you never see coming by petes_PoV · · Score: 5, Insightful
    Constructing war games is all very well, but they're limited to the imagination of a small group of wargame "designers" who set the parameters for the test. In reality, those are the weaknesses that have already been, or are easy to address. The ones that are the big problems tend to start with "How the hell did they do that?"

    One thing to be aware of with war games is a knowledge of what they are designed to achieve. Not all of them are there to spot weakenesses, a lot could be there merely to provide assurance or arse-covering. In those cases, "winning" by succeeding in breaking in could be the worst outcome - either personally for the winner, or the people who were supposed to stop them. Often blame and punishment is a much cheaper solution than a fix.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  9. What usually happens by dbIII · · Score: 3, Interesting

    The guy that said "you developers had better take things seriously or we'll get hacked" is the one that ends up taking the blame when the developers disobey and do incredibly fucking stupid things to make it easy to get hacked. About the worst I've seen is using the root password for the system as a password for an insecure database for a unauthorised hobby application and storing it as plain text with permissions so anybody could read it from the net if they just typed in the right URL. Of course the idiot had also opened up access as root via ssh despite even warnings about that being forbidden in the config file he had to change. It's only dumb luck and finding it quickly that dodged that bullet. A couple of other bullets were not dodged due to stupid things that were not quite as stupid.

  10. meatspace wargames by decora · · Score: 1

    next up... Target hires people to shoplift.

    oh wait, that'd be a complete and utter waste of time and money.

  11. this is new, HOW? by Gorshkov · · Score: 4, Insightful

    I remember doing security studies like this, years & years ago. We called them "Tiger Teams". This is hardly a new technique.

    1. Re:this is new, HOW? by CoccoBill · · Score: 1

      Nowadays, and even back then I suppose, these were called penetration testing and incident response plan/business continuity plan exercises. These are a standard practice that should be in the year clock of every security minded organization.

    2. Re:this is new, HOW? by Gorshkov · · Score: 4, Interesting

      Absolutely. I think the big difference between what TFA talks about, and what we did, was that it wasn't set up as a game, and we weren't employees - we were outside consultants.

      Nobody knew where, or how, we'd try to get in. All the staff would know is that "sometime in the next XX weeks/months" we would be trying to get in. Sometimes, they wouldn't even know that much. Let's face it - hackers don't tend make appointments before they do their thing.

      At the time, I didn't have any security training per se, but I did have a background in intelligence. The guy that headed up our Tiger Teams was a retired major from the SAS, who had spent a few years working at GCHQ before he came to Canada. It was one hellova interesting way to earn a living :-)

  12. The problem then becomes the untrainable by bl8n8r · · Score: 2

    The war-game model works fine when you have a group of employees with an invested interest in making their infra more secure. I can't see how this could work in any of the places I've ever worked for.  Many of the co-workers I've had do not want to expend any more energy in their jobs than what is needed to get a paycheck.  Many, many companies hire the cheapest labor they can find to click buttons on a windoze box and often they do not have the attention span, skill, interest or enthusiasm to make a 'war-game' anything less than a folly.  Don't get me wrong, I think the idea is great I just don't see it working effectively for 90% of the IT industry.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  13. Outside help by petes_PoV · · Score: 1
    if your tech support are too indolent to care about security, then you already have a problem. The only thing you don't know is how big that problem is. In that case the only thing to do is transfer the budget for pay rises (or training) if there's still such a thing and assign it to pay for some consultancy. Tell the consultants where on the system the money is and just sit back .... :)

    Once the penetration exercise has been executed, you'll need more outsiders to analyse the results and recommend which of your lazy staff (including the lazy management who caused the problem in the first place by employing the wrong people) should be kicked out the door - and how far.

    Once some examples have been made, maybe *then* your staff will start to take an interest in security.

    As Machiavelli pointed out hundreds of years ago: fear is a great motivator.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:Outside help by Gorshkov · · Score: 1

      As Machiavelli pointed out hundreds of years ago: fear is a great motivator.

      And as my friend, who was also a campaign manager for one of the political parties here loved to say ..... "Grab them by the balls, and their hearts & minds WILL follow" :-)

  14. Great idea, bad practice by pasv · · Score: 1

    First off, I love the idea of wargames. They're fun, I used to participate in them from time to time. But it flat out shouldn't be done for a business unless the environment is extremely well controlled: 1.) live systems critical to the business can BREAK with hacking attempts 2.) any shells spawned during the wargame can be exploited by other attackers that aren't participants... 3.) during the wargame IDS are basically useless which is the PERFECT time for an insider to make a move, or an informed attacker to start his campaign

  15. Cyber Wargames by bughunter · · Score: 1

    Steve Jackson games originated this almost twenty years ago.

    --
    I can see the fnords!
  16. Would it be cheating by dadioflex · · Score: 1

    To break into the would-be attackers apartments the night before and shoot them? Too pro-active?

  17. This all goes well by malkavian · · Score: 1

    Until politics gets in the way. I seem to remember Randal Schwartz getting involved in this way back in the 90s at Intel (and a variety of other people who were tasked with 'ensuring that the security was sufficient'.
    When they probed, and used the techniques crackers would to obtain access, they were charged with Felony crimes. Despite that being in their effective remit.
    Incidentally, Randal spent about a decade fighting Intel on this, until 2007 when the charges were quashed retrospectively (as they shouldn't have been brought in the first place).
    This really is rediscovering what we all used to do in "the good old days", and tell the sysadmins about, making things more secure. Approach the sysadmin and gain the 'unofficial' approval, probe the systems, feed back and get beer and pizza for the effort..
    That changed late '90s to get a lawsuit landing on you instead as the suits got scared. At that point, security got rather worse (strangely, company management seemed to think that lawsuit threats were a better investment than real security spending).

    1. Re:This all goes well by BigJClark · · Score: 1


      I am an Oracle DBA for BagOfPucks(tm) company, and I just so happen to chum with a head software security guy at Symantec. He informs me off the cuff everytime there are undocumented zero day breaches, so that if pertinent (which they sometimes are), I can act accordingly to protect the system.

      Of course, I offset this with buying pizza and beer. Its a very good bartering system, I would imagine that if they ever needed to rebuild an Oracle backend, I would be tapped :)

      --

      Hi, I Boris. Hear fix bear, yes?
  18. Core Wars? by meburke · · Score: 1

    This is a GOOD thing!!!

    --
    "The mind works quicker than you think!"
  19. WOPR says:Welcome to Blast from the Past,Dr Falken by D4C5CE · · Score: 1

    There's a lot of subtle references that approach things like ethics and morality in that movie while still being interesting and funny on a technical level.

    Such as... acoustic *cough* couplers *cough*?
    Though in stark contrast to any director (apparently all filming for a perceived tech-illiterate audience) at least ever since Colossus, no self-respecting sighted hacker would have needed, used or wanted a voice synthesizer.

    Rumour (that spelling for a reason you'll see) has it that Commodore's sales took a hit in Europe that Christmas season as Wargames and/or rather its media reception got parents concerned of putting the tools (with 1541 drives, though not from the movie) for summoning Soviet-response armageddon under their kids' trees.

    At any rate it wasn't until Gen'82 so much rather than Gen'62 that the geeks would really get the girls (and better yet, even geek girls worth any wait)... ;-)

  20. Re:WOPR says:Welcome to Blast from the Past,Dr Fal by Anonymous Coward · · Score: 0

    Are you saying you didn't think Ally Sheedy was cute?
    I beg to differ.

  21. Rediscovering standard Penetration Testing. by Anonymous Coward · · Score: 0

    So basically they rediscovered what the Penetration Testers do regularly? Wow, way to go InfoSec group of that company... you just started doing what's being recommended and the approach taken by anyone who knows anything in INFO SEC.

  22. WOPR says:Welcome to Blast from the Past,Dr Falken by D4C5CE · · Score: 1

    The likes of Lightman, in their high-school years at least, only had a chance at the Jennifers of this world in the movies rather than in meatspace a/k/a IRL until 1995 approx. is all I'm saying. ;-)

    On a more serious note, "beaten by the bully of the block" would have been his more likely fate back in the day, with Jen being with the team captain (through not much of a choice of or own), and most of their educators at least implicitly defending the notion that all of this was condoned as a "perfectly natural pecking order".

    BTW must have been odd for Sheedy, herself and award-winning writer since age 12(!) IIRC, to be cast as someone needing Broderick's (hacking) help with her grades (and then ending up with the next nerd in Short Circuit soon thereafter)...

  23. Sysadmin work by Anonymous Coward · · Score: 0

    We periodically had "hack nights" when I worked as a sysadmin. We were fortunate enough to have times where I network wasn't being used. We'd start at 10:00 PM.

    The rules were: no looking at the code until you find a bug.
    Don't execute a brute-force attack or DoS attack unless you have a reason to and clear it with the other admins (since doing this right makes a horrible mess).

    While the actual quantity of "hack nights" was limited--it opened our awareness to whole new possibilities of attacks.

    Must've worked well, none of the systems we administered have ever been compromised--and we had plenty of outside attempts to do so.