The harsh reality is that practically every business has been successfully attacked at least once over the last few years and from the perspective of information security the business environment is getting more hostile.
As the requirement for maximum efficiency, productivity and communications drives forward innovation in business computing, each leap forward opens up new potential vulnerabilities.
Organised crime, hactivists groups such as Anonymous and state level actors have been added to the threat landscape.
Faced by these powerful threats, information assurance professionals around the world have responded and, as discussed in the Spring 2014 edition of ITNOW, have been largely successful in keeping the situation manageable. Banks continue to trade, businesses buy and sell, and the internet still works. Sometimes individual companies are hacked and the consequences are expensive, but modern business reacts, adapts, and then carries on.
For a very long time, the military has conducted military exercises or wargames as part of its normal training cycle. These wargames take many forms including: Bohemia Interactive’s Virtual Battle Space (think of a realistic first person shooter, but with hundreds of soldiers as the players); mock battles on Salisbury Plain and straightforward table top exercises.
Business cyber wargames are closely related to the latter. One type of cyber wargame is penetration testing. This consists of testing company IT systems for various technical vulnerabilities, for example, checking for unsecured network ports, unpatched software or staff failing to follow company polices such as opening dubious email attachments.
Usually the attackers are white hat hackers who work for reputable firms who provide services including mock attacks on a company’s systems. This sort of testing is invaluable for the technical staff involved in network management, but they are not so useful in preparing the rest of the business.
Another type of cyber wargame is a committee or seminar game. This basically consists of staff sitting around a table discussing the situation and making decisions. Such manual pen and paper exercises are focused on the business, rather than the technical, aspects of attacks.
There are real advantages to such a manual game: it’s immediate, it’s simple, it’s immune to the usual problems with technology, and it gets people away from their laptops, tablets, smartphones and everything... and so concentrates on the wargame.
By considering information security and practicing incident management and reporting, the game should generate practical insights into security vulnerabilities that attackers may be able to exploit or it may simply allow staff to rehearse their responses before being potentially faced by a real crises.
Experience shows such games work very well as part of a wider company training package. A modest business cyber wargame can be prepared in only a few weeks and be successfully run within a single morning or afternoon.
Step 1: define the scope
The first stage is to work out the business aims of the training. Perhaps it is to test staff in handling the loss of business reputation in the aftermath of a publicised hack? It is important to remember that the wargame has to be designed to be played in a single room with the participants sitting around a table. A successful game should avoid being over ambitious. It is far better to run a few modest exercises that deliver some benefit than a grander scoped one that does not.
Step 2: prepare the script
Once the aims of the training are established, the facilitator can then develop the scenario. Potential questions can include: Who is attacking? What are their aims? How sophisticated are their methods? Are they persistent? The facilitator needs to develop an idea of how the game will progress. Normally, each stage of the game consists of a short briefing by the facilitator, perhaps with hand outs, and then the players should have time to make decisions.
Step 3: prior training
Warning the players of the scope of the game is an excellent way to motivate them to refresh their understanding of company policies on the subject.
Step 4: conduct the game
The players will assemble on the day and the facilitator will immediately present them with a developing crisis. Under time pressure, they will discuss the potential options open to them and then jointly decide on a course of action. It is good practice for the facilitator to routinely ask them to justify their response. Depending on the effectiveness of the players ideas, the scenario will develop and hopefully, as a result of the players choices, the crisis will be mitigated and the facilitator will be able to draw the game to a conclusion.
Step 5: hot wash-up
At the end of the game it is important to capture feedback from those taking part. Everyone should be encouraged to discuss what they could take from the game into a real world situation. It is important for the facilitator to highlight that any poor decisions are not the fault of a named individual; they are the fault of the organisation for not providing appropriate training or the result of inadequate company policies.
Final thoughts
Games really work as part of a training package. They can be invaluable mechanisms for helping identify potential weakness in a company’s systems. Research shows that taking part in such games does increase staff long-term awareness of information security. These games also help increase the staff’s chances of making better decisions when faced by the huge pressure of real cyber-attack.