Security Simulations: This Is Only A Test

Security simulations and tabletop exercises help CSOs practice and plan the best response for worst-case scenarios.

By Deborah Radcliff

October 01, 2004 — CSO — Imagine your workweek unfolding like this:

[Day One] A smoke alarm sounds at corporate headquarters on the second floor. Maintenance tells you that the detector (not a standard company-issued brand) is plugged into a network cable at your financial services company.

[Day Two] Traffic on your corporate network spikes to 20 percent above normalmost of it coming from business partners cross-selling your company's products.

[Day Four] A security guard, reviewing the past week's security tapes, notices a janitor escorting a stranger into the office via a side door. This person traveled to the second floor, alone, stayed for two hours, then left via the same side door.

[Day Five] The financial services Information Sharing and Analysis Center (FS-ISAC) releases a bulletin about a new vulnerability in various versions of OpenSSL (a Web security toolkit) that can cause a denial-of-service condition. Hours later, your HR department can't access the company's personnel system, including payroll.

These occurrences are all related, and could indicate not only trouble for your company, but indeed a coming infrastructure breakdown. But how would you recognize this? How would the maintenance tech and security guard know to contact the right people about the network jack and the visiting stranger? And even if they did, what do you do about it?

The best way to prepare for the worst is through practicewhich is why use of tabletop exercises is on the rise.

The scenario described here is one of several played out by 150 security executives from the financial sector in a two-day emergency response exercise hosted by the FS-ISAC at the Don CeSar Hotel in St. Pete Beach, Fla., in April 2004. Since March 2003, five such convocations (at a cost of $250,000 each) have been hosted by the Department of Homeland Security or the Secret Service for the financial, IT, and oil and gas industries.

"These scenarios hone your skills and remind you that your crisis plan needs to be reviewed and updated regularly and that threats always change," says Ron Hicks, manager of corporate security for Anadarko Petroleum. Hicks participated in an oil and gas industry tabletop in Houston in February, which was attended by about 70 percent corporate and 30 percent IT security executives. The blending of online and physical attacks is one of the newest wrinkles in the simulation game, but the bottom line for security pros of all sorts is that red team, blue team exercises can help create more detailed and useful incident response plans.Let the Games BeginThe tabletops run by the Secret Service-based Electronic Crimes Task Force (ECTF) are an extension of its charter to foster coordination between private-sector companies. Since 1998, the ECTF has held quarterly meetings with security executives from critical infrastructure companies, whom they also assist with cybercrime investigations. The exercises are developed and officiated by the Guidry Group, a corporate security firm that, for the past decade, has worked with the Secret Service and other law enforcement agencies in cases involving corporate espionage and fraud.