Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using War Games To Make Organizations More Secure

Posted by samzenpus on from the what-doesn't-kill-you dept.

wiredmikey writes "Along with budget constraints and disconnect between IT and executive management surrounding information security, results of a recent survey show that a major problem is outright lack of understanding of threats. We all know the best way to get that budget increased, is to get hacked. Unfortunately, that could also result in you losing your job. Some companies, however, are taking creative approaches to both raise awareness and identify potential vulnerabilities. A manager with a large financial services group, for example, says that his company addresses security vulnerabilities by staging a series of what it calls 'war games,' in which a user or group of users is tasked with trying to compromise a system, while another user or group of users is tasked with preventing the break-in. Management needs to understand the security threat and its impact to business, and these 'war games' are an innovative and creative way for IT departments to convince executive management on security needs."

2 of 49 comments (clear)

  1. Re:From inside? by Lumpy · · Score: 4, Interesting

    Most corporations "security" is theater anyways. They hire a company to do cleaning, so you can get into the whole place by being on the cleaning crew. This has been known as a attack vector for decades, yet it's still not fixed because companies are more interested in giving the CEO a 90,000USD desk than paying for their own cleaning crew that have been vetted and cleared. Plus you have maintenance people that are not a part of the company coming in to every department because the corporation is too cheap to BUY their copiers and hire a tech. so they are all rented and a random guy comes in every week to work on them. IT's trivial to get into the company and leave behind a box on the network to crack it from the inside and send the payload out, install hardware keyloggers, etc....

    Until companies realize that cutting all the executives pay by 10% and increasing the IT staff's pay by 50% and using the left over from the 10% cut at the top to hire permanent cleaning crew and a single copier expert for in the building, their security will not increase. The CFO can live without buying another new Porsche this month.

    --
    Do not look at laser with remaining good eye.
  2. Re:this is new, HOW? by Gorshkov · · Score: 4, Interesting

    Absolutely. I think the big difference between what TFA talks about, and what we did, was that it wasn't set up as a game, and we weren't employees - we were outside consultants.

    Nobody knew where, or how, we'd try to get in. All the staff would know is that "sometime in the next XX weeks/months" we would be trying to get in. Sometimes, they wouldn't even know that much. Let's face it - hackers don't tend make appointments before they do their thing.

    At the time, I didn't have any security training per se, but I did have a background in intelligence. The guy that headed up our Tiger Teams was a retired major from the SAS, who had spent a few years working at GCHQ before he came to Canada. It was one hellova interesting way to earn a living :-)