Consider these examples:

1. From an effort perspective, the effort required to secure a system is significantly less than that required to exploit it.
2. From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.

Point 1 above was illustrated very clearly to me on the IISP’s TopGun event I attended recently, and is a scenario that you have to step back from to fully appreciate. Eg. If you have a smallish network, with most modern services such as web, email, mobile, databases, websites etc, then the effort to secure that is quite mammoth. You have to consider the perimeter, the information, how its stored and used, what services are on offer and the impacts etc. Then you have to consider every conceivable vulnerability, patching strategies and stay on top and at least up to speed with the curve of change. All of these efforts equate to a team of people, but all it takes to break in, is 1 person with a brain, motive, and a few freely available tools.

Point 2 of course, was illustrated very well by a study by the Pnemon Instutue LLC in conjunction with PGP and Vontu (Symantec), this study evaluated the true cost of a breach of data security and considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.

Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often, even the right audience with the business, is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!

                          

Related posts

• IISP Top Gun event, Manchester, 30 June 2008 (0)
• Anything that can be engineered by mankind….. (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)

As I mentioned in the opening CEO article, the inaugural Top Gun event in Manchester was a great success on many fronts.  We had 20 participants, organised into the Red and Blue teams, plus 5 members of the Control Team, and the day just seemed to fly past, so intense was the concentration, interaction, ingenuity and fun.

We cannot give too much away as to the content of the case study or the processes we followed on the day, for fear that we might spoil some of the element of surprise for participants in future events.  Suffice to say that those who were there threw themselves into the exercise and, accordingly got the most out of it, as well as proposing a few additional suggestions for developing and improving it for future players.

Let us however, convey the particular views of a member of one of the teams, and let them tell you what they thought of the event.

“TopGun, The Blue View. (Jay Abbott, PwC)

I have to admit, I was genuinely sceptical about the TopGun event as the idea of playing the Security equivalent of Battleships during one of my busiest times of the year was not one that featured far up the “to do” list, that said, I am genuinely pleased that I made the time to attend. We arrived with very little information about what was planned, and were immediately split into two teams, Red and Blue, The Red were of course the attackers, and Blue were the defenders and the teams split had been pre-planned by the organisers to ensure that a good cross section of skills rested in each team to keep things fair.

The remit was simple, we each were given suitable pieces of a puzzle, i.e. some deliberately sketchy information related to the organisation, typical of that you would find on your first day of work or your first information gathering exercise. From there it was a case of building a better picture of what you have and figuring out the best way forward (sound familiar?). At this point, the teams were physically split and departed into adjacent “war rooms” to prepare their respective strategies. We each could communicate with our “control” staff, who acted as the coordination of the event and holders of information. The co-ordination role was pivotal in the success of the event as they were able to coordinate the virtual attack and defence strategies in real-time to keep the feeling of real-life and to ensure that the game was fair.

From a blue perspective it was business as usual, we had a budget and an environment to protect, we had to evaluate the skills in our team, establish specialism’s that could work in key streams, and run the entire thing like a project.

All in all it was a very worthwhile day that created a great deal of discussion and provoked much debate. What I personally took from the day was something that I see all too often, but is perhaps not as obvious to all, to quote Paul Dorey on the day it is summed up in the phrase “Security is Asymmetric”. Put simply this is the fact that someone attacking an organisation need only find one hole or vulnerability in order to succeed, while those protecting the organisation must try to plug every hole and mitigate every vulnerability to be secure.”

Event wrap-up discussion and lessons learnt – great work everyone!

The participants captured their comments on an evaluation form and we are reviewing and acting on those comments.  They also scored the event out of a scale of 1 to 5, and rated the event at 4.3 overall, but with specific scores of 4.5 for facilitation and presentation, and 4.6 for opportunity to discuss and exchange ideas.  A great success by any measure.

Thanks to all involved, and to PwC, our hosts for the day.

Courtesy of the Institute for Information Security Professionals

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)