People don't really know how their cyber security skills are going to measure up until they've tried them.
Everyone would prefer never having to face a real-life cyber security incident. It's better if they can try out their skills on simulated threats. This allows them to make mistakes without suffering anything worse than embarrassment, and the lessons they learn will help them deal with real threats when they happen.
In a cyber security drill, a "red team" challenges a company's security measures while staying within prescribed bounds. IT staff can set up their own red team for some drills, though the most challenging tests come from outside security specialists.
After the drills comes a review to find out where people need to improve their skills and where policies need adjustment.
Each type of drill tests a different set of employees and skills. Some affect everyone, while others challenge the skills of the IT team. A drill may be announced in advance or sprung by surprise.
The following eight drills will help a business keep its employees' security awareness up and sharpen their skills.
- Tabletop Exercises
- Phishing Email
- Spearphishing Email
- Denial of Service (DoS)
- Adding an Unauthorized Device
- External Scanning
- Internal Scanning
- Physical Intrusion
1. Tabletop Exercises
A company that hasn't run any security drills should start with a tabletop exercise.
In a tabletop exercise, participants walk through a hypothetical security incident on paper, explaining how they would act. It ensures that they know what they're supposed to do and whom they should contact.
A tabletop drill is easy to set up, doesn't disrupt other employees, and establishes some basics. This is the first step toward live drills.
2. Phishing Email
Employees are supposed to be alert to phishing attempts. They shouldn't open attachments or follow links from dubious messages. But when people are in a hurry, they sometimes forget and go ahead and click, letting malicious software get into their machines.
A mock phishing email can have an attachment or link that alerts the testing team when it's opened. For example, a phishing test can have a link that goes to a mock login page. This will allow you to see how many people not only click the link but also insert their credentials.
3. Spearphishing Email
Spearphishing is targeted phishing. Messages are tailored to fool specific people, usually ones high up in the organization. Tricking them can lead to unauthorized business transactions and serious financial losses.
A spearphishing drill can use inside and public information to make its test messages convincing.
Targeting the CEO with a test email requires extra tact, but it's important to make sure the people who hold all the keys don't inadvertently give them away.
Phishing and spearphishing drills must be conducted without prior warning so that the recipients won't be on guard.
4. Denial of Service (DoS)
Some drills specifically test the skills of the IT department. Running a denial-of-service (DoS) attack is an example.
The first question it addresses is how quickly administrators notice that something unusual is happening. For example, they might be slow to monitor system performance, or the existing network defenses might be holding the attack off.
A sustained DoS attack can keep users from accessing the systems or make responses unbearably slow, resulting in loss of business. If the DoS attack significantly impairs performance, the question becomes how well the IT department can counter it. They should be able to adjust the firewall or switch to a failover system to keep service at an acceptable level. In addition, provisions may be in place to use an emergency filtering service.
IT personnel should know what's available to them and how to use it.
5. Adding an Unauthorized Device
Inside attacks may come from an unauthorized, malicious computer added to the network. It could grab information from databases or try to spread malware.
The red team brings in a computer with software for this purpose (but not for doing actual harm) and plugs it into the network. The IT staff should detect the abnormal activity and identify its source. Ideally, they'll locate the rogue device and unplug it. If it's well hidden, they should still be able to cut off its access to the network.
6. External Scanning
Networks constantly get scanned. Many of the scans come from legitimate sources, such as search engines. Others are the normal low-level probes for weaknesses that are a part of life on the Internet.
However, a persistent, thorough scan for vulnerabilities is a serious concern if it wasn't authorized. Scans that include a large number of login attempts need special attention. They can uncover weaknesses in the targeted system, break into accounts, and steal information.
The IT team should notice the traffic pattern that goes with such scans. The drill tests their awareness and the actions that they take. The appropriate response may be to log the attempt or to block it, depending on its severity.
7. Internal Scanning
Unauthorized scans from an inside source are more dangerous. Activity behind the firewall can grab information more easily than an external scan can. The result could be a steady stream of confidential business data going into criminal hands.
The red team can "infect" a company computer so it will probe databases or try to break into accounts. The IT team should identify it as a malware source and take appropriate actions, such as quarantining it from the network.
External probes constantly happen, but any unauthorized internal probe is an anomaly. Therefore, the IT team has to find and neutralize the probe to receive passing marks on the drill.
8. Physical Intrusion
This type of attack is dead simple, but it's important to see how well people control their computers. Members of the red team wander around the offices. If they find an unattended, unlocked computer, they deposit some "malware" on it, using a USB device or a download.
When the careless employee comes back, the screen will display a warning that the computer was compromised. The testers will then record which machines they were able to access. A visitor who did this maliciously could take control of a computer and use it to siphon valuable information out.
Cyber Security Drills Keep Everyone Sharp
It's embarrassing to be caught in a cyber security mistake, but it's better for people to blunder in a drill and learn than to let a real security threat into their systems. The focus should be on education, not blame. Everyone is careless some of the time, but practice leads to improvement.
Drills help management to identify the slowest learners. They can get remedial training, or they can be assigned tasks where security is less critical. With regular practice, thinking about cyber security becomes part of a company's culture.
As a result, employees will make fewer mistakes, and operations will proceed with fewer disruptions.
Drills are just one aspect of a complete business security program. Firewalls, protective software, and monitoring decrease the chance of anything going wrong through human error or otherwise. Exercises reduce the chance that a mistake will let threats get past the security measures. Together they make the operating environment safer.
Get a Cyber Security Assessment
A great first step in determining if you have gaps in your security is to get a cyber security and risk assessment. Get details here or call us at 800-481-4369.