As a CIO or CISO, you’re accountable for protecting your company, including its data, systems, employees and customers, from security threats. It’s not enough for you to invest in security technologies, mandatory training or new policies. You need to know that all those investments have actually worked.
The only way to verify the effectiveness of your security is to test it.
Your first thought might be compliance assessments, internal spot-checks or routine penetration testing and vulnerability scanning.
But these kinds of tests are often limited in scope, or focused on validating specific technology controls. They fail to test whether security actually works holistically as a system, and they fail to put security effectiveness in a business context, where protection is aligned to the sensitivity and risk of a particular asset.
The answer is to use a “red team” engagement.
Taking its name from US military war games, red team security testing involves hiring external “white hat” (good guy) hackers to simulate how an attacker would actually try to get into your business, using any means at their disposal.
While other kinds of testing look for failures in specific sets of controls in isolation (are these ports open? have the default access credentials been changed?), a red team engagement is scenario-driven and goes after specific goals: for example, to exfiltrate customer records or disrupt mission-critical operational systems. In other words, a red team engagement is designed to help you test the security of what really matters to your business.
Naturally, this means exploiting technology vulnerabilities, which are often caused by simple misconfiguration, poor design or poor patching. In a recent podcast, Sam Barltrop from Cisco's EMEAR Security Advisory Service described how his team managed to sneak in through a side door, so to speak, in a recent engagement:
“We worked with a company in Birmingham that had spent a lot on network security, assuming that if they can’t be attacked from the internet, they would be ok. We found that their office Wi-Fi network was well secured, and the guest network was segregated off, which was great. But in the warehouse, they assumed that the only devices on the Wi-Fi would be barcode scanners, and that network wasn’t as well secured. Just by sitting in the car park with a laptop, we could get onto the warehouse network and work our way through to get hold of all their customer data and shipping details.”
On paper, your security might be great, but that’s not the full picture. Every system has assumptions and weak points that only come to light when actually tested by someone with a fresh perspective and the mind of an attacker.
But testing shouldn’t just be limited to technology. As research tells us time and again, security breaches often involve exploiting weaknesses in employee behaviour and failings in security operations. Red team security testing therefore also targets the people and processes involved in making security happen in the real world — like your receptionist handing out visitor badges, or a loading bay door being propped open. A red team hacker will be happy to use phishing, “tailgating” through security doors, and social-engineering attacks to get access to systems and data.
You can read a full account of a recent engagement using such social engineering attacks in this four-part blog: Part 1 | Part 2 | Part 3 | Part 4
To get the most out of a red team engagement takes a degree of preparation. You and your security teams need to decide on the right objectives, and work is involved in setting up the exercise (for example, creating dummy data and briefing some internal staff). Given the investment required, a red team exercise is unlikely to replace your routine security practices — but it’s not intended to.
For advanced security organisations, a red team exercise is a chance to see whether all the hard work, user training, technology configuration and process refinements have paid off, and an opportunity to identify final areas to work on.
For CIOs and CISOs struggling to get the rest of the organisation to take security seriously, the results of an assessment like this can be a sobering wake-up call for the Board, or even a shot across the bows (“what do you mean a guy with a fake badge just walked into our offices and walked out with all our payroll data?”).
And for IT leaders who are new to the business, a red team is a chance to see what they’re really working with, so they can focus their efforts and budgets in the right places.
There’s one scenario when you really shouldn’t use a red team: when you know that your security is full of holes. You’re not going to learn anything new by watching an elite hacker exploit a weakness you already knew was there.
As a CIO you’ve learned some hard truths about IT. That people and process will eat technology for breakfast. That a real IT infrastructure never behaves the way it looks on paper. And that if you want to be successful, you need to start by identifying what’s most important to you and your business, and focus there — else you risk being dragged in a million directions.
Is it time to apply the same principles to your security?