As with many “common sense” expressions, “practice makes perfect” is wrong, completely wrong. The real wisdom is, “perfect practice makes perfect”. As the TAG Infosec Society plans our upcoming cyber and business recovery table top exercise, I am applying something I learned as a baseball player in high school. We had an Iron Mike pitching machine that could really hum a fastball. We practiced with that machine over and over - perfect practice really - and there wasn’t a pitcher in the league who could get a fastball by us. If, however, our opponent threw us something different, a curve ball or off-speed pitch, for example, they were golden. It didn’t take too long for the other teams to figure out that we had rehearsed one thing very well. In business continuity and risk management, as in baseball, you must be as ready as possible for anything and everything your opponent – competitor, criminal, terrorist, hacktivist, disgruntled employee or whatever – throws at you. And I am ensuring that philosophy is applied to our planning process.
Our table top exercise is basically a live, unscripted catastrophic event response role play involving about three dozen people filling the same job function in the exercise that they do in “real life”, or, in effect, batting practice for executives and security practitioners. Our primary exercise goal is to provide “perfect practice” for C-Level executives, senior managers and security practitioners as a team, mimicking the actual teams that face such challenges and must react as a team in order to keep their businesses viable. For this reason, we are working hard to find the right balance of pitches to throw at the exercisers. We are, in effect, trying to avoid a single Iron Mike challenge and single threat response. We feel that this is as important to the exercise participants, the ones performing in the exercise, as it is to the observer who will possibly never have a chance to directly observe such an event until their company or agency is involved in an actual attack.
So far we have created a fictional international corporation based in Atlanta which has angered a terrorist organization. The background for our table top exercise includes high tech terrorist communications via a variety of side channels including encryption and steganography used with eBay and VoIP, failed and successful coordinated attacks using Electromagnetic Pulse (EMP)/High Energy Radio Frequency (HERF) weapons constructed by “engineers” from US-based terrorist cells. Our background also includes low tech techniques such as terrorists infiltrating the target company as employees, contractors and delivery people. We are weaving all of the background information together based upon a high likelihood of a particular technique or practice being utilized or having been reported as being utilized within the US under similar circumstances. Oh, and I should mention botnets which send commands from Yemen to computers within the target company to perform a variety of functions, such as attacking other organizations or just lying down and refusing to compute. Years back these types of attacks were pure fiction and most stewards of their company’s future could ignore them, but companies of all sizes are increasingly the subject of such attacks from the list of bad actors I gave you earlier: competitors, criminals, terrorists, hacktivists, disgruntled employees and others.
The bottom line is that we are attempting to incorporate the broadest number of realistic elements into a full, rich day of learning and knowledge exchange. And we are applying what I learned in high school baseball: practice, even perfect practice, on a single Iron Mike-like skill will not get you to the championships. And, when it comes to threats to a company’s survival, we can leave nothing to chance.
Watch this blog for more information on the exercise as it develops. We anticipate registration and specific details being available sometime in July with pricing at $145 for TAG members and $295 for non-members for this unique, premium event for both participants and observers.