Slashdot Mirror


Using War Games To Make Organizations More Secure

wiredmikey writes "Along with budget constraints and disconnect between IT and executive management surrounding information security, results of a recent survey show that a major problem is outright lack of understanding of threats. We all know the best way to get that budget increased is to get hacked. Unfortunately, that could also result in you losing your job. Some companies, however, are taking creative approaches to both raise awareness and identify potential vulnerabilities. A manager with a large financial services group, for example, says that his company addresses security vulnerabilities by staging a series of what it calls 'war games,' in which a user or group of users is tasked with trying to compromise a system, while another user or group of users is tasked with preventing the break-in. Management needs to understand the security threat and its impact to business, and these 'war games' are an innovative and creative way for IT departments to convince executive management of security needs."

12 of 49 comments

  1. Declaration, in preparation... by benbean · Score: 2

    longint WarGamesMovieReferenceCount;

    --
    It's a Unix system - I know this.
  2. From inside? by Anrego · Score: 2

    It's the old "with physical access" argument.. except scaled up. Someone within an organization would I imagine have a pretty good chance of compromising the system. Not saying it's acceptable.. but I would guess a reality.

    It's the trade off thing. You need to give people access to stuff so they can do their job. The more locked down you make things, the slower they work. Slower work is more expensive.. etc.

    So it has to scale. Your new "everything is riding on this" designs... yeah.. spend a fortune protecting it. But can people afford to spend a fortune protecting everything (serious question).

    1. Re:From inside? by Lumpy · Score: 4, Interesting

      Most corporations' "security" is theater anyways. They hire a company to do cleaning, so you can get into the whole place by being on the cleaning crew. This has been known as an attack vector for decades, yet it's still not fixed because companies are more interested in giving the CEO a 90,000USD desk than paying for their own cleaning crew that have been vetted and cleared. Plus you have maintenance people that are not a part of the company coming in to every department because the corporation is too cheap to BUY their copiers and hire a tech. So they are all rented and a random guy comes in every week to work on them. It's trivial to get into the company and leave behind a box on the network to crack it from the inside and send the payload out, install hardware keyloggers, etc....

      Until companies realize that cutting all the executives' pay by 10% and increasing the IT staff's pay by 50% and using the leftover from the 10% cut at the top to hire a permanent cleaning crew and a single copier expert for in the building, their security will not increase. The CFO can live without buying another new Porsche this month.

      --
      Do not look at laser with remaining good eye.
  3. Kids these days.... by fuzzyfuzzyfungus · Score: 3, Funny

    What happened to the reliable old standby of kidnapping an executive and/or their family and threatening to return one finger every hour until the organization starts taking security more seriously? We've gone soft, I tell ya...

  4. Re:Err by CRCulver · Score: 3, Informative

    In case no one gets it, this post as well as the "The only winning move is not to play" quotation comes from the old Matthew Broderick film War Games. I'm going to the trouble of explaining that because I've been around on Slashdot for almost a decade, but I still think War Games is before my time, so I can't imagine what the youngsters make of these posts.

  5. Deal with the real problem, maybe? by Geoffrey.landis · Score: 3, Interesting

    The main problem, as far as I can see, is that IT people are busy demanding users adopt procedures to deal with threats that don't exist, rather than threats that do exist. In all of the many scare-laden emails from our IT department, I don't believe that I have ever once seen one telling us don't use the same password on multiple systems, that's insecure. They do, however, rigorously enforce the fact that passwords must be changed every 60 days, and are specified to be complex enough that a brute-force attack will take 6E17 years, instead of the old insecure passwords that could be broken in a mere 3E9

    --
    http://www.geoffreylandis.com
  6. The ones you never see coming by petes_PoV · Score: 5, Insightful

    Constructing war games is all very well, but they're limited to the imagination of a small group of wargame "designers" who set the parameters for the test. In reality, those are the weaknesses that have already been, or are easy to address. The ones that are the big problems tend to start with "How the hell did they do that?"

    One thing to be aware of with war games is a knowledge of what they are designed to achieve. Not all of them are there to spot weaknesses; a lot could be there merely to provide assurance or arse-covering. In those cases, "winning" by succeeding in breaking in could be the worst outcome - either personally for the winner, or the people who were supposed to stop them. Often blame and punishment is a much cheaper solution than a fix.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  7. What usually happens by dbIII · Score: 3, Interesting

    The guy that said "you developers had better take things seriously or we'll get hacked" is the one that ends up taking the blame when the developers disobey and do incredibly fucking stupid things to make it easy to get hacked. About the worst I've seen is using the root password for the system as a password for an insecure database for an unauthorised hobby application and storing it as plain text with permissions so anybody could read it from the net if they just typed in the right URL. Of course the idiot had also opened up access as root via ssh despite even warnings about that being forbidden in the config file he had to change. It's only dumb luck and finding it quickly that dodged that bullet. A couple of other bullets were not dodged due to stupid things that were not quite as stupid.
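    The two misconfigurations dbIII describes (root login over ssh switched on against the config file's own warning, and a plaintext password sitting in a world-readable file) are exactly the kind of thing a small audit script catches before a war-game team or an outsider does. The following is an added example, not code from the post or from Slashdot: it parses a constructed sshd_config snippet and a constructed hobby-app config file and reports both problems. `PermitRootLogin` and `PasswordAuthentication` are real sshd directives, and the script follows sshd's rule that the first value given for a keyword wins; skipping everything after a `Match` line is a simplification. The file names, values and severity labels are made up for the demonstration.

```python
import os
import re
import stat
import tempfile

# PermitRootLogin values under which root cannot log in with a password.
# (forced-commands-only / without-password are older spellings of prohibit-password.)
SAFE_ROOT_LOGIN = {"no", "prohibit-password", "without-password", "forced-commands-only"}

# Constructed pattern for lines that look like "password = ..." / "db_pass: ..."
CRED_KEY = re.compile(r"^\s*(?:db[_-]?)?(?:pass(?:word|wd)?|pwd|secret)\s*[=:]", re.IGNORECASE)


def audit_sshd_config(text):
    """Return findings for an sshd_config body.

    sshd keeps the FIRST value it reads for each keyword and ignores later
    duplicates, so the audit does the same. Directives after a Match line apply
    only to matching users/hosts and are skipped here (simplification).
    """
    findings = []
    seen = set()
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        if key == "permitrootlogin" and value not in SAFE_ROOT_LOGIN:
            findings.append(f"sshd_config:{lineno}: PermitRootLogin {value} (root can log in with a password)")
        elif key == "passwordauthentication" and value == "yes":
            findings.append(f"sshd_config:{lineno}: PasswordAuthentication yes (keys only is safer)")
    return findings


def audit_config_file(path):
    """Flag plaintext credential keys in a file, escalating if it is world-readable."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if CRED_KEY.match(line):
                key = line.split("=", 1)[0].split(":", 1)[0].strip()
                sev = "CRITICAL" if world_readable else "WARN"
                findings.append(f"{sev} {path}:{lineno}: plaintext '{key}' (mode {mode:04o})")
    return findings


def run_demo():
    """Audit constructed sample inputs; returns (sshd findings, file findings)."""
    sshd_text = (
        "# constructed sample sshd_config\n"
        "Port 22\n"
        "PermitRootLogin yes   # the stock file's comment says to leave this off\n"
        "PasswordAuthentication yes\n"
        "PermitRootLogin no    # ignored by sshd: first value wins\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "hobby_app.conf")   # constructed file name
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("# constructed hobby-app config\n"
                     "db_host = localhost\n"
                     "db_password = hunter2\n")    # constructed sample value
        os.chmod(cfg, 0o644)                        # world-readable, as in the story
        return audit_sshd_config(sshd_text), audit_config_file(cfg)


if __name__ == "__main__":
    for finding in sum(run_demo(), []):
        print(finding)
```

    Run as a script it prints the three findings; in practice the same two functions can be pointed at the real `/etc/ssh/sshd_config` and at application config directories, and anything rated CRITICAL (a credential key in a file other users can read) is the case dbIII's colleague created.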

  8. Re:Err by Captain+Hook · Score: 2

    Wouldn't this be more like Sneakers? Admittedly not as geeky as War Games, but certainly a better fit for what's being done.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
  9. this is new, HOW? by Gorshkov · Score: 4, Insightful

    I remember doing security studies like this, years & years ago. We called them "Tiger Teams". This is hardly a new technique.

    1. Re:this is new, HOW? by Gorshkov · Score: 4, Interesting

      Absolutely. I think the big difference between what TFA talks about, and what we did, was that it wasn't set up as a game, and we weren't employees - we were outside consultants.

      Nobody knew where, or how, we'd try to get in. All the staff would know is that "sometime in the next XX weeks/months" we would be trying to get in. Sometimes, they wouldn't even know that much. Let's face it - hackers don't tend to make appointments before they do their thing.

      At the time, I didn't have any security training per se, but I did have a background in intelligence. The guy that headed up our Tiger Teams was a retired major from the SAS, who had spent a few years working at GCHQ before he came to Canada. It was one hellova interesting way to earn a living :-)

  10. The problem then becomes the untrainable by bl8n8r · Score: 2

    The war-game model works fine when you have a group of employees with an invested interest in making their infra more secure. I can't see how this could work in any of the places I've ever worked for. Many of the co-workers I've had do not want to expend any more energy in their jobs than what is needed to get a paycheck. Many, many companies hire the cheapest labor they can find to click buttons on a windoze box, and often they do not have the attention span, skill, interest or enthusiasm to make a 'war-game' anything less than a folly. Don't get me wrong, I think the idea is great; I just don't see it working effectively for 90% of the IT industry.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org