Well-designed IT systems provide your organization with increased efficiencies. They allow you to break down silos and they enable cross-functional collaboration based on shared knowledge. They also enable tighter integration along the supply chain, resulting in closer working relationships with your customers and suppliers. This digital transformation has resulted in IT users and organizations becoming more connected than ever, a trend that is expected to grow exponentially over the next few years.
This hyper-connectivity phenomenon, also referred to as the Internet-of-Things (IoT), has also significantly increased organizational risks on several fronts. Operationally, organizations are becoming increasingly more dependent on their IT systems to handle core activities in a highly available, reliable, and secure manner. Given that there are now many devices connecting to your systems, the probabilities of cyber-crime and information breaches have also increased. This is because managing across a non-standardized network of machines is a much harder task than managing a series of company-issued devices across a standardized private computing network.
On the legal front, organizations are also increasingly being held accountable for properly safeguarding data, regardless of to whom the original data belongs. There are a growing number of compliance-related mandates and efforts – ranging from HIPAA for healthcare, PCI for credit card processing and DFARS for government contracting, to name a few – that require organizations to not only secure, but also periodically validate their information security defenses.
Because of these realities, many organizations have spent a significant amount of resources on hardening their defenses against cyber attacks through upgrading IT systems, educating their users, and putting ongoing monitoring solutions in place. These are important and required efforts, but how could you actually measure their effectiveness and your readiness to respond in case your systems are hacked or information is breached?
Given the importance of digital safety and reliability to our economic well-being, the U.S. government proposed an approach through the office of National Institute of Science and Technology (NIST) that has become the go-to standard for many organizations’ information and cyber readiness efforts. Leveraging the NIST framework, organizations are encouraged to initially assess their vulnerabilities, develop a remediation plan, address identified weaknesses, and then perform a series of validation exercises to test their readiness.
The NIST framework recommends an ongoing cycle of such activities, since cyber threat models are continuously evolving. This is where techniques such as penetration testing and cyber war-gaming come into play.
Penetration tests are a good way to validate your organization’s defenses. These tests exploit potential weaknesses that would allow a hacker to gain access to your organization’s information, either physically or through underlying systems. Penetration tests can vary in scope, from very specific to broad, and it is recommended that you perform them on an annual basis.
Cyber war games, also referred to as tabletop exercises, test an organization’s incident response – including management behavior and actions – as well as key operational processes in a simulated or imagined attack. This type of exercise focuses on an organization’s critical operational capabilities and performs a stress test on selected processes, followed by a lessons learned session to harden existing processes.
A cyber war game can be a controlled exercise or a randomly selected event. If an attack or breach method is selected but not actually performed, it tends to be less stressful than an actual simulated breach, which acts as a controlled experiment to test the organization’s response capabilities.
An example of a controlled exercise is a hypothetical scenario in which client files are accidently deleted and you need to determine how you will get them back and what you will be doing while such efforts are taking place. An example of a randomly-selected experiment, on the other hand, is purposefully hijacking certain systems during an unannounced period and seeing how everyone responds. Think of it as an unannounced fire drill versus a drill that could have been announced days in advance.
Validation plays an important role within your organization’s overall information and cyber security program. However, it is only effective after prerequisite activities such as baseline assessments, policies, procedures, and training programs have been completed. At that point you can test your organization’s readiness if an unforeseen event were to occur and use the experience to improve your capabilities.