Embrace Failure To Improve Your Security
Like many others this week, I have been glued to the amazing action coming from the Gold Coast, Australia, as many of the world’s top athletes compete in the Commonwealth Games. As I marveled at the athletes competing across a variety of sports, it got me thinking “what could we learn from these athletes?”
An athlete will repeatedly push their bodies to complete failure during years of training and conditioning sessions. They do this in the hope that when time comes, they will provide their best performance and hopefully return home with a medal. It is only through the repeated failure that the athletes identify their weaknesses, adapting their training to improve their body and mind to ultimately give the best performance. The mindset of the athlete to constantly seek to be faster, stronger, and better, is what drives them forward to their best performance.
So, in terms of cybersecurity, it’s the attitude of continually identifying failures as a way of improvement that we should take from these great athletes. It is OK to fail, as this is how we identify our weaknesses and improve, so that when the time comes you offer the attacker the best defense of your environment possible. Like the athlete, any network or digital environment should be continually tested for weaknesses, vulnerabilities, and exploits, which can then be patched.
Similarly, your incident response plan should also be regularly stress tested for weaknesses and failures. Any failures should be embraced as a successful test, as improvement can be made to achieve the best performance.
Any test that fails to identify any failures should be seen with skepticism. What has been missed? Was the test sufficient to stress the environment? No athlete arrives at the start line of a major competition, having only run a few laps of the local park, in the hope that they will be good enough to win, they will have pushed themselves for, weeks, months, years, to reach their peak. Testing of your environments defenses and responses should be no different, repeatably tested to the limit.
Unlike the athlete, swimming laps of the pool, or lifting weights in the gym will not get your network security in its best shape. So, what testing should you be adopting? Just like our athlete, there is no one training method that will give the perfect results. Testing could involve one, or all of the below:
- Table top exercises - Key personnel are gathered to discuss various simulated emergency situations.
- Mock internal incident response - Testing your incident response plan to make sure it's effective
- Internal Pen-Test - An attack is simulated to come from within your network
- External Pen-Test - An attack is simulated to come from outside of your network
- Full Red-Team exercise - An attempt to gain access to a system by any means necessary
The above list is by no means exhaustive and is just a flavour of the tests you could look to perform. For anyone operating a card data environment, involved in the processing, storage, or transmission of account data, PCI DSS lists its own requirements for security testing. It should however be noted that PCI DSS is considered the minimum security standards expected and not the standard to be achieved.
Athletes have a defined a competition date they’re pushing toward, but an attack on your environment could come at any time. There’s no time to lose, you must implement a policy to continually test and improve.
Remember, failures should be seen as a successful test, as they provide an opportunity to improve the security or incident response. No-one wants their opponent to be the one to identify their weaknesses, especially in the terms of an attacker who could cause a real impact to your business, both financially and on your reputation.
Good luck to all those athletes competing on the Gold Coast.
If you need help reaching your security's peak performance, Foregenix offers a number of services, including training, workshops, mock breaches, table top exercises, and pen-testing.