Courtesy of the Institute for Information Security Professionals
As I mentioned in the opening CEO article, the inaugural Top Gun event in Manchester was a great success on many fronts. We had 20 participants, organised into the Red and Blue teams, plus 5 members of the Control Team, and the day just seemed to fly past, so intense was the concentration, interaction, ingenuity and fun.
We cannot give too much away as to the content of the case study or the processes we followed on the day, for fear that we might spoil some of the element of surprise for participants in future events. Suffice to say that those who were there threw themselves into the exercise and, accordingly, got the most out of it, as well as proposing a few additional suggestions for developing and improving it for future players.
Let us, however, convey the particular views of a member of one of the teams, and let them tell you what they thought of the event.
“TopGun, The Blue View. (Jay Abbott, PwC)
I have to admit, I was genuinely sceptical about the TopGun event, as the idea of playing the Security equivalent of Battleships during one of my busiest times of the year was not one that featured far up the “to do” list. That said, I am genuinely pleased that I made the time to attend. We arrived with very little information about what was planned, and were immediately split into two teams, Red and Blue. The Red were of course the attackers, and Blue were the defenders, and the team split had been pre-planned by the organisers to ensure that a good cross section of skills rested in each team to keep things fair.
The remit was simple: we each were given suitable pieces of a puzzle, i.e. some deliberately sketchy information related to the organisation, typical of what you would find on your first day of work or your first information gathering exercise. From there it was a case of building a better picture of what you have and figuring out the best way forward (sound familiar?). At this point, the teams were physically split and departed into adjacent “war rooms” to prepare their respective strategies. We each could communicate with our “control” staff, who acted as the coordination of the event and holders of information. The coordination role was pivotal in the success of the event as they were able to coordinate the virtual attack and defence strategies in real-time to keep the feeling of real-life and to ensure that the game was fair.
From a blue perspective it was business as usual: we had a budget and an environment to protect, we had to evaluate the skills in our team, establish specialisms that could work in key streams, and run the entire thing like a project.
All in all it was a very worthwhile day that created a great deal of discussion and provoked much debate. What I personally took from the day was something that I see all too often, but is perhaps not as obvious to all; to quote Paul Dorey on the day, it is summed up in the phrase “Security is Asymmetric”. Put simply, this is the fact that someone attacking an organisation need only find one hole or vulnerability in order to succeed, while those protecting the organisation must try to plug every hole and mitigate every vulnerability to be secure.”
Event wrap-up discussion and lessons learnt – great work everyone!
The participants captured their comments on an evaluation form and we are reviewing and acting on those comments. They also scored the event on a scale of 1 to 5, and rated the event at 4.3 overall, but with specific scores of 4.5 for facilitation and presentation, and 4.6 for opportunity to discuss and exchange ideas. A great success by any measure.
Thanks to all involved, and to PwC, our hosts for the day.