Assessment of corporate security is a difficult but essential task. Regardless of industry, most companies allocate their IT resources to maintenance, upgrades, support and alignment with corporate strategy. While the necessity for improved security continues to be recognized as an important goal, its implementation by in-house IT staff is often inadequate. Therefore, outsourcing in the form of Security as a Service, auditing, and third-party penetration testing and vulnerability assessments is commonly used as a solution.
However, microprocessor giant Intel implements its own threat assessment in its companywide exercise of "war gaming". Featured in the fourth (and most recent) issue of Intel's own Premier IT magazine, senior information security analysts Tim Casey and Brian Williams provide a good overview of this program. They have also authored this white paper on Intel's war gaming that delves deeper into its methodology.
These documents on Intel's risk assessment exercise read like a solid comprehensive program drafted by a leading security vendor. Intel's Information Risk and Security Group has acquired a thorough understanding of threat assessment and developed an effective method for employee security training. They have embraced a key component of security strategy that many organizations overlook: knowing defense is only half of the security equation, knowing the attacks is the other half.
"...day-to-day job responsibilities typically confine internal staff members to the defender mindset. Traditional security defense literature tends to talk in terms of amorphous threats, viruses, malicious code, and other impersonal terms. But living breathing, scheming people are the ultimate threat and enterprises need to understand their motivations and techniques to defend against them."
After an initial assessment of valued assets, they look at the traditional areas of network and physical vulnerabilities and examine potential attackers, both from within and outside the company. The decision is made to begin the war games, and then the fun begins.
Similar to its use by the military, they employ the role-playing war game of attacking their own company. Instead of having a group of security professionals act out the threats, they have chosen a creative, and often more realistic, approach.
"While traditional defense tests are conceived and run by the IT or security staff, war games pull in knowledgeable people -- beyond the security experts -- from across the company. War games focus the attention of multiple experts on a specific attack goal, exploiting multiple vulnerabilities in unique and often unforeseen ways."
The diverse team of participants usually consists of 8 to 12 members, with one information security specialist assigned as the facilitator for guidance. Based on predetermined areas of focus and needed support, specific war game scenarios are developed and played out by the participants. The situations start out as general threat concepts, such as Intel's suggestions:
- A disgruntled employee looks to steal your employee database (including names and social security numbers) for resale
- Organized crime wants to hijack your product shipments
- Industrial spies frequent an Internet café that's popular with your employees
- A rival company targets your leading-edge engineering designs
Intel wisely recommends the use of at least two scenarios, a "most likely" and a "most damaging". These critical situations are sometimes missed in conventional security assessments and audits. Once the scenarios are defined, the attack team goes to work, plotting against their coworkers and supervisors, and using their collective knowledge of corporate operations to achieve their goal.
The exercises can range from six hours to three days in duration, with a recommended day and a half limit. I have no doubt about Intel's claim regarding the value of the findings from the end results. This platform for corporate risk assessment is ideal for identifying unique threats and revealing new points of vulnerability. Fortunately for participants, they're not responsible for fixing the vulnerabilities they discover (...very similar to many corporate policies regarding vulnerabilities discovered by security researchers).
I highly recommend reading their white paper, as I have just touched on a few aspects of this well-designed program.
For those of you too lazy to read it, I offer you the anecdotal highlight: In one of the war games, the goal was to cripple a manufacturing production line. While most of the team fixated on taking down the responsible servers, one of the team members, a factory worker, came up with a simple low-tech idea. His solution worked, accomplishing what the rest of the team was attempting to do, without all the complication and cost of attacking the servers -- simply disabling the shipping label printer.
This blog did not receive any funding from Intel, nor am I a biased supporter of Intel. In fact, I'm looking forward to getting my hands on AMD's Turion X2 Ultra processor, and before assigning a grade to Intel, I'm waiting to see if it's going to "play nice" and "share with the rest of the class" the USB 3.0 specification.
Share your favorite war games with David Lightman at: greyhat@computer.org