Print Page   |   Contact Us   |   Sign In   |   Register
ISSA International Conference
Blog Home All Blogs
Search all posts for:   


View all (11) posts »

Red Teaming: Build Brick Walls, Not a House of Cards

Posted By George Hulme, Friday, October 26, 2012

In his talk, House of Cards - How Not to Collapse When Bad Things Happen, Rafal Loś chief security evangelist, Hewlett Packard thinks too many organizations have a false sense of security that’s fed by a number of less than fully useful audits, penetration tests, security policies, and defenses they have in place. 

"Much of that this is what I call synthetic, like a fake war room scenario where you have people running hypothetical scenarios of what would happen if X, Y, or Z occurs. Real life never goes down like that,” Loś said. According to Los, using a Red Team, to independently test an enterprise’s security posture can improve the risk posture of that organization - when done right. "The best red teams really aren't just the ones that are going to break in the fastest. Most red teams, unless they are terrible, are going to break in. So it's not actually the question of whether they'll break in or not, it's what kind of value you'll get out of the red team exercise,” Loś said.

The first rule, Loś says is to make certain the red team takes relentless notes, so that you get the full value out of the exercise. For instance, it’s important to not only identify what was vulnerable, but also detail why it was vulnerable, what defenses may have failed. Also, aside from a data breach, it’s also important to measure the potential impact on the availability of your business-technology systems. "You want to be able to identify your brittle systems. These are what I call improperly interconnected, configured systems. Perhaps they were rushed to production, or the system is so complex no one understands the interdependencies. You want to see what happens to these systems when they are hacked,” Loś said. "What happens then is when they are hacked, everyone is shocked to see a customer-facing database to crash, or the availability of business-critical information is cut,” he said. 

Some of the keys to determining whether or not your enterprise is a house of brick, or playing cards, is to make sure all systems are within scope, so that a realistic assessment is obtained. And, when systems are breached, use those copious notes to conduct an in-depth postmortem. "Determine the amount of damage done. How bad was the breach? What were they able to accomplish? What controls did work? Which didn’t? What was the criticality of the data affected? Then use that postmortem to make these brittle systems much more resilient to business disruptions, not just data loss,” Loś advised. 

Additionally, Loś recommends companies not to get too focused only on what systems were breached, but also how quickly they were breached. This way, organizations would have something to measure their progress in securing their systems over time. "It’s about raising the bar,” Loś said. "

"The analogy I make repeatedly is the fire proof-safe that everybody has in their house. The safe isn’t outright fire-proof. It’s rated so that you know for X amount of cost, the safe will protect you for a specific period of time up to a certain temperature,” he said. "That’s also how IT security is. But people don’t think of it that way. They think their server is safe, or it’s not. But security isn’t that binary,” Loś said.

This post has not been tagged.

Share |
Permalink | Comments (0)
Community Search
Sign In
Sign In securely

1/25/2018 » 1/26/2018
January CISO Forum Scottsdale 2018

Women in Security Special Interest Group Monthly Webinar Series

February 2018 Women in Security - Denver Chapter

Copyright © 2016, Information Systems Security Association, All Rights Reserved
Privacy PolicyCopyright Information