With the increased attention on cyber and information security concerns, many organizations are conducting vulnerability assessments, developing effective policies and procedures, and providing ongoing training to their employees to tighten up their overall security posture. Once you have such mechanisms in place, it is critical to test those plans in order to assess your real readiness and level of preparedness if you are attacked or breached. This is where techniques such as penetration testing and cyber war-gaming come into play.
Penetration tests are a good way to validate your organization’s defenses. These tests exploit potential weaknesses that would allow a hacker to gain access to your organization’s information, either physically or through underlying systems. Penetration tests can vary in scope, from very specific to broad, and it is recommended that you perform them on an annual basis.
Cyber war games, also referred to as tabletop exercises, test an organization’s incident response – including management behavior and actions – as well as key operational processes in a simulated or imagined attack. This type of exercise focuses on an organization’s critical operational capabilities and performs a stress test on selected processes, followed by a lessons learned session to harden existing processes.
A cyber war game can be either a controlled exercise or a randomly selected event. When an attack or breach method is chosen but only discussed rather than actually performed, the exercise tends to be less stressful than a live simulated breach, which acts as a controlled experiment to test the organization’s response capabilities.
An example of a controlled exercise is a hypothetical scenario in which client files are accidentally deleted and you need to determine how you will get them back and what you will be doing while such recovery efforts are taking place. An example of a randomly selected experiment, on the other hand, is purposefully hijacking certain systems during an unannounced period and seeing how everyone responds. Think of it as an unannounced fire drill versus a drill that was announced days in advance.
Validation plays an important role within your organization’s overall information and cyber security program. However, it is only effective after prerequisite activities such as baseline assessments, policies, procedures, and training programs have been completed. At that point you can test your organization’s readiness if an unforeseen event were to occur and use the experience to improve your capabilities.
Sassan S. Hejazi is a director with Kreischer Miller and a specialist for the Center for Private Company Excellence. Contact him at Email.