How To
Red Team Versus Blue Team: How to Run an Effective Simulation
Playing the role of an attacker can make your team better at defense. Our step-by-step guide to war-gaming your security infrastructure, from involving the right people to weighing a hypothetical vs. a live event.
By Robin Mejia
"If you're given a website and you have to break into it, that's an incredibly valuable experience," says Vigna. "You can read about PHP file inclusion and how it's a problem, but once you exploit one of those goodies, you really understand what's going on."
Red-Team Your Users
Even at National Labs, employees are often the weakest link in a security plan. But even if you don't have to worry about employees copying classified material onto home computers, it's important to think about how an enemy could exploit weaknesses in your employees' behavior.
Do they prop open automatic doors? Click on e-mail attachments from strangers? You can test for these problems and similar ones. Assuming you have a written security policy and employees are aware of it, you may not want to announce a red-team exercise, since your goal is to determine the risks of normal behavior. Assante and Anderson have left USB devices lying around office buildings to see who picked them up and plugged them into their computers. They've also sent phishing e-mails to employees to see who would take the bait.
As with earlier exercises, consider the possible consequences of these actions, and also how you can use the exercise to provide training. Think scary blue warning screens when users click through bad links in spam.
Rinse and Repeat
If you've done all these things, you're probably feeling pretty good about your information security, and you should. But not for too long. Any CSO worth his or her salt knows security is a moving target. Bad guys are adapting. Even more important, your network is changing. In all likelihood, so is your employee base.
Sandia's Parks recalls visiting a client that had implemented a dual man-trap door system in front of a secure area. However, the badge-swipe controller that opened the doors was housed in the regular corporate office and also connected to systems in the human resources department. The result was that access to the "secure" area was controlled by systems located in non-secure areas. The badge-swipe system had been designed for building access. Then, later, the government mandated the man-trap dual door system, so the company simply extended a badge-swipe system it already had in place. "They hadn't thought about the fact that the badge system wasn't designed for that," says Parks.
Red-teaming helps companies understand the unintended consequences of those kinds of decisions, and not just at companies with double-door systems. Sandia's red team developed a specialty in wireless security because the need arose.
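The badge-controller anecdote is a trust-dependency problem, and it can be checked mechanically. The following is an added example, not code from the article or from Sandia: zones carry a trust level, each control system has a location and connections, and a guard is flagged when anything it depends on sits in a zone less trusted than the zone it protects. All zone and system names are constructed for illustration.

```python
"""Added example: flag access controls whose dependencies live in lower-trust zones.
Zone names, trust levels and systems below are constructed, modelled on the
man-trap/badge-swipe anecdote in the article."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    zone: str                                 # where the system is housed
    links: set = field(default_factory=set)   # names of connected systems


def trust_dependencies(systems, start):
    """Return every system transitively connected to `start`, itself included."""
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(systems[cur].links)
    return seen


def find_violations(systems, zone_trust, guards):
    """guards maps controller name -> zone it grants access to.
    Returns (controller, dependency, dependency_zone, guarded_zone) tuples for
    every dependency housed in a zone less trusted than the guarded zone."""
    violations = []
    for ctrl, guarded in guards.items():
        for dep in sorted(trust_dependencies(systems, ctrl)):
            dep_zone = systems[dep].zone
            if zone_trust[dep_zone] < zone_trust[guarded]:
                violations.append((ctrl, dep, dep_zone, guarded))
    return violations


# Constructed sample: controller in the office network, linked to an HR system.
ZONE_TRUST = {"corporate_office": 1, "hr_network": 1, "secure_area": 3}
SYSTEMS = {
    "badge_controller": System("badge_controller", "corporate_office", {"hr_db"}),
    "hr_db": System("hr_db", "hr_network", {"badge_controller"}),
}
GUARDS = {"badge_controller": "secure_area"}

if __name__ == "__main__":
    for v in find_violations(SYSTEMS, ZONE_TRUST, GUARDS):
        print("%s depends on %s (zone %s) but guards %s" % v)
```

Moving the controller into the secure area and cutting its link to HR clears the report, which is the kind of re-check the "Rinse and Repeat" advice below calls for whenever the network or the building changes.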