
Are cyberwar games beneficial to test enterprise security?

Traditional security testing is always recommended, but what about cyberwar games? Expert Mike O. Villegas discusses the best ways to test a security program.

My organization is considering conducting a security fire drill or even a cyberwar game to test our information security program. This seems like a big undertaking, but are cyberwar games beneficial to organizations?

Testing the information security program should be a continuous process. For example, once hardened, devices should be monitored by SIEM or federated identity management tools that alert on any changes that could affect the enterprise's information security posture. Additionally, enterprises hire pen testers to validate that the control structure is working effectively. Then there is the incident response plan (IRP). In the event of a breach or incident that affects security, the enterprise needs to ensure it is ready and knows what steps to take to return to normal processing.

One way to test the IRP is to exercise across-the-table incident scenarios with all affected parties involved. Occasional social engineering tests, such as emails sent to employees to test their ability to detect phishing, are always enlightening.

Some organizations use cyberwar games to accomplish the same thing; however, the operative word is games, and there isn't much value in testing the information security program as a game. Cybersecurity is not a game. Security awareness can include contests, such as cybersecurity-related puzzles in company newsletters or on intranets, naming a cybersecurity mascot professionally developed by marketing for the information security group, and free cybersecurity videos offered to employees during lunch periods in the company food court. These and many other innovative and fun events can go a long way in increasing awareness. But making them cyberwar games might marginalize the seriousness of cybersecurity. It might also affect employee productivity if they begin to question real work for a game.

If the purpose of cyberwar games is to test the information security program, there are more tactical and pragmatic methods that prove to be much more productive. These include vulnerability scans, penetration testing, monitoring, remediations, secure code reviews, DLP scans and blocks, FIM alerts and follow-up, SIEM alerts and follow-up, system configuration certifications and many more. Cyberwar games would best serve as an awareness tool rather than as a test of the information security program.


This was last published in July 2016


Join the conversation


Has your organization ever used cyberwar games to test a security program? Was it effective? Why or why not?
I would argue that retained red-teaming (as opposed to cyberwar games) is a valuable addition to the defenses of your organization. This may have been what the question was really trying to get to (but perhaps the wrong word was chosen). Red-teaming goes a big step beyond penetration/vulnerability testing as it's an unannounced real-world threat actor attempting to breach your organization in any number of ways (following a set of pre-agreed-upon rules). It serves as a constant reminder that having good defenses is a continuous exercise and not a one-off or annual box-ticking exercise. It's also a great way to actually TEST your incident response plan and the preparedness of your first-responders as opposed to just sitting around and talking about the plan in table-top exercises!