• United States




Why staging a fake attack is only real thing to keep you secure

Dec 21, 20174 mins
Disaster RecoveryDLP SoftwareTechnology Industry

How the Napa County fires opened my eyes to the readiness - or lack thereof - most of us are to a real disaster, physical or digital.

fire chino hills california
Credit: REUTERS/Mike Blake

Being a Northern Californian, you can imagine that the Napa County wildfires in October and November impacted me. Granted that, while I did not suffer the monetary or psychological loss those directly affected by this disaster endured, being just 50 miles of the southern tip of the wildfire for weeks does teach you a thing or two.

For instance, gathering our most “important” stuff, keeping it in an accessible location for a quick exit, sleeping lightly at night, getting N95 masks, keeping our dog inside all day…these were some of precautionary measures I took. And I guarantee you, no mock drill or random alert would have caused me to act the way I did once our family was under direct threat from a powerful and unpredictable predator.

The digital enterprises of today (read: all enterprises), could be threatened any time by similar wildfires…aka cyberattacks. The usual growing number of culprits – insider threats, phishing, denial of service, ransomware… There are precautionary measures that most enterprises take to protect against this – SIEM tools, firewalls, anti-malware, backup, encryption, etc. But when a real-world attack happens and these porous defenses are exposed, heads roll. And the same pattern repeats. A new regime, more tools…

Extending my Napa County wildfire analogy a bit more, what if you were really being threatened – and you had some advance warning. What would you do? Imagine you’re a healthcare facility, and had 24 hours before a ransomware attack was set to encrypt all your patient records, thereby halting all patient care. What would you do? Or what if you were an energy company that was going to be hit with a DDoS attack that would last a week, crippling all your smart energy collection and billing systems? Where would you run?

The big issue with security prevention these days (and in the past, too) is that we keep spending more and more to protect against the attack that we hope never happens.

What if you turn that question on its head? Stage an attack here and now (and keep it staged with a very small team)? You could start with the “you have 24 hours before this attack happens” scenario, and see how the teams react. That day will bring forth all the training (or lack thereof) to prepare for the attack – asset identification, remediation measures, notification planning, compliance and legal ramifications, etc.

Or, panic sets in – people running around crazily not knowing what to do.

Either way, you’ll know where you stand.

For the more adventurous, you can make it even more real: stage an attack without any advance warning. Drives are encrypted and held to ransom, websites (internal ones, preferably) are defaced, customer records are stolen, network connectivity is impacted. See how the systems – both human and digital – respond. And once a semblance of normalcy returns, attack again.

If you think this is too Draconian, the only other alternative to this is speculating what you might do when the attack happens. Confirmation bias would propel us to believe that we are safe (and that our competitors are not). And like the Napa fires, where I thought I knew where all our critical assets were – #wrong – laboriously had to start inventorying the same.

What are our critical assets, how do I bring them together, how long would it take to grab the bags and run? These are existential questions that I never asked until – pardon my French – the shit started hitting the fan.

And this is exactly where most enterprises find themselves today…or worse. Because the fires seem so far away. Acknowledge that you will be hit, sooner than you imagine. Create a fake event – that looks and feels real to most of the enterprise – and see how you respond. It will open your eyes.

Then go back and identify the missteps. Did you not know where your critical assets were? Did you not know whose credentials were going to be compromised, aka your biggest liabilities? Did you not have a policy to disclose when and how customer data – if impacted – needs to be disclosed? Did you know the clauses of a cyber-insurance policy if you had one?

The Napa County fires certainly induced a sense of urgency and alacrity into our household. Keeping that hygiene and discipline in place is a challenge, as the threat of the fires recede. Ditto for the enterprise. Awakening and consistent enforcement is critical. Otherwise we will all get wiped out.


Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

As a former vendor hi-tech executive in the cybersecurity and cloud domain he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies which he shares on his blog and his talks. Ashwin is the author of “Mobile Security for Dummies,” and as a recognized thought-leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host with CISOs on podcasts such as the Cyber Security Dispatch where he bridges the education gap between what the security practitioners need and what the vendors provide; as a tech ethics evangelist he is frequently on main stage at conferences educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress, and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.