Foregenix Blog

Duncan Slater

Embrace Failure To Improve Your Security

12/04/18 13:30

Like many others this week, I have been glued to the amazing action coming from the Gold Coast, Australia, as many of the world’s top athletes compete in the Commonwealth Games.  As I marveled at the athletes competing across a variety of sports, it got me thinking “what could we learn from these athletes?”

An athlete will repeatedly push their body to complete failure during years of training and conditioning sessions. They do this in the hope that when the time comes, they will deliver their best performance and hopefully return home with a medal.  It is only through repeated failure that athletes identify their weaknesses, adapting their training to improve body and mind and ultimately give their best performance.  The athlete's mindset of constantly seeking to be faster, stronger, and better is what drives them forward to their best performance.

So, in terms of cybersecurity, it's this attitude of continually identifying failures as a route to improvement that we should take from these great athletes.  It is OK to fail, as this is how we identify our weaknesses and improve, so that when the time comes you offer the attacker the best possible defense of your environment.  Like the athlete, any network or digital environment should be continually tested for weaknesses and vulnerabilities, and for the ways they could be exploited, so that they can then be fixed.

Similarly, your incident response plan should also be regularly stress tested for weaknesses and failures.  Any failures should be embraced as a successful test, as improvement can be made to achieve the best performance. 

Any test that fails to identify any failures should be viewed with skepticism. What has been missed? Was the test sufficient to stress the environment? No athlete arrives at the start line of a major competition having only run a few laps of the local park, hoping to be good enough to win; they will have pushed themselves for weeks, months, and years to reach their peak.  Testing of your environment's defenses and responses should be no different: repeatedly tested to the limit.

Unlike the athlete, you will not get your network security into its best shape by swimming laps of the pool or lifting weights in the gym. So, what testing should you be adopting?  Just like our athlete, there is no single training method that will give perfect results.  Testing could involve one, or all, of the below:

  • Tabletop exercises - Key personnel are gathered to discuss various simulated emergency situations.
  • Mock internal incident response - Testing your incident response plan to make sure it's effective.
  • Internal pen-test - An attack is simulated as coming from within your network.
  • External pen-test - An attack is simulated as coming from outside your network.
  • Full red-team exercise - An attempt to gain access to a system by any means necessary.

The above list is by no means exhaustive and is just a flavour of the tests you could look to perform.  For anyone operating a cardholder data environment, involved in the processing, storage, or transmission of account data, PCI DSS lists its own requirements for security testing.  It should however be noted that PCI DSS is considered the minimum security standard expected, not the standard to be achieved.

Athletes have a defined competition date they're pushing toward, but an attack on your environment could come at any time. There's no time to lose: you must implement a policy to continually test and improve.

Remember, failures should be seen as a successful test, as they provide an opportunity to improve your security or incident response.  No-one wants their opponent to be the one to identify their weaknesses, especially when that opponent is an attacker who could cause real impact to your business, both financially and to your reputation.

Good luck to all those athletes competing on the Gold Coast.

If you need help reaching your security's peak performance, Foregenix offers a number of services, including training, workshops, mock breaches, table top exercises, and pen-testing.
