Cybersecurity drills useful but risky

While simulating cyberattacks can better prepare employees to manage security incidents, enterprises need to understand risks and challenges before doing so, experts caution.
Written by Ellyne Phneah, Contributor

More organizations worldwide are engaging in cybersecurity drills, which are more hands-on and practical in preparing employees for real incidents of cyberattacks, according to security experts. Such tests, however, can be problematic especially in large organizations and carry risks, they cautioned.

Earlier this month, the U.S. Department of Homeland Security simulated a cyberattack exercise, part of a week-long training program for industries to help them learn how to deal with intrusions on their networks. Last week, tests were also carried out on computer systems for the 2012 London Olympic Games, which involved a denial-of-service (DoS) attack and a virus infection on organizers' computers.

Over in Asia, Singapore has also promoted collaboration among the Computer Emergency Response Teams (CERTs) in Southeast Asia, by planning and executing the Asean CERT Incident Drill (ACID) annually, which strengthens the readiness and ability of the teams to deal with transnational cyber incidents.

According to Anthony Lim, regional director of SecureAge, cybersecurity drills on top of theoretical training are useful in facilitating better response and handling of cyberattack incidents, just as how people learn hands-on in many other fields such as driving, cooking and gameplay.

Cyberattack situations, he told ZDNet Asia in an e-mail, are "visually remote" and "unkinetic". There have been many instances where companies do not know that they have been hit until some time later, usually when IT systems are not working well or act strangely, data integrity has been compromised, or unusual entries are appearing in the log reports, he explained.

Guillaume Lovet, senior manager of FortiGuard threat response team at Fortinet, added that employees always react more efficiently to situations which are "experienced in a simulation".

Most people don't take the cyber menace seriously, he explained in an e-mail. A practical drill, as long as conducted in a thoroughly isolated environment, is invaluable for changing "this state of mind", he said.

Ng Kai Koon, senior manager of legal and public affairs at Symantec Singapore, said in an e-mail such drills will enable organizations to gauge how effectively they have implemented their IT security and also identify areas of improvement.

"It allows employees to know where their sensitive information resides, who has access, how it is entering or leaving their premises [as well as to] 'instinctively' react to safeguard mission-critical data," he noted.

Difficult to conduct, high risk
While cybersecurity exercises are beneficial, there are challenges and risks involved, the experts pointed out.

Bigger organizations such as banks and governments, being more likely attack targets, will appreciate cybersecurity drills, but their operations are much larger and it can be quite complicated for them to run a hands-on simulated cyberattack, Lim of SecureAge noted.

Many companies also find it hard to actually conduct such drills, because they are concerned primarily with day-to-day operations, Lim said, citing that it is tedious to shut down or isolate one or more sections of the company network to be used for the exercise.

It is hard to simulate typical cyberattacks and even if an attack is simulated, the responses are focused on operation issues, such as business recovery and continuity, customer service and response and threat to business transactions, rather than what caused or allowed such an attack and how to protect against it, he added.

In addition, the key challenges that organizations conducting cybersecurity drills face are identifying the objectives of the exercise, areas of practical, hands-on training to include, extent of staff involvement as well as determining the expectations and reactive action items, Lim said.

Ng of Symantec pointed out that even though such simulations promote employee awareness and engagement with the issues, organizations may run the risk of misdirecting resources toward less critical scenarios. "This could potentially misalign employee expectations and affect the level of preparedness and cooperation they display during a real attack."

In addition, if a drill of such "intricate and destabilizing nature" is poorly planned and executed, an organization's mission-critical data can be put at risk should unforeseen complications arise during the recovery process, he warned.

Elaborating, Lovet of Fortinet said the drill may get out of control, and the main risk is having a virus "hopping out of the testing environment into the real world". For example, a USB key containing sample malware could be "inadvertently" brought home by an employee involved in the drill, or a test virus could recombine with an actual virus present in the testing environment prior to the drill and use virtual machine jail-escaping capabilities to "run free".

"These scenarios are potentially catastrophic for a company's image," he said.

At a broader level, there is also the risk that virus-writing skills will develop, if organizations encourage it for "testing purposes", Lovet added. When these skills are put in the wrong hands, they could lead to higher instances of cybercrime, he said.

Identify likely scenarios, isolate environment
To conduct the exercise in a safe manner, Lovet advised that the drill environment must be physically and electronically isolated and secured.

If viruses are used, they must come with a "payload" that is harmless outside the drill setting, for example by embedding a routine that checks whether the infected computer carries a specific flag. The virus should also have a "kill switch" so that it automatically self-destructs after the drill, he added.
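The two safeguards Lovet describes, an environment flag and a kill switch, are the kind of gate a drill team would build into any test sample before it is allowed to act. The following is an added example written for this article; it is not code from Fortinet or from any drill. The marker file path, the field names, the drill ID and the "isolated-drill-lab" label are all assumptions chosen for illustration, and the "payload" is deliberately a benign placeholder: the point is that every failure path (no marker, wrong exercise, malformed expiry, expired window) resolves to "do nothing".

```python
"""Drill-sample safety guard: environment flag plus time-based kill switch.

Added example, not from the article or any vendor. The marker file and
its fields are hypothetical conventions for a drill team's isolated lab.
"""
import json
from datetime import datetime, timezone

# Hypothetical marker that only the drill team places on isolated lab hosts.
MARKER_PATH = "/etc/drill_marker.json"


def read_marker(path=MARKER_PATH):
    """Return the parsed marker dict, or None if the file is absent or invalid."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def check_guard(marker, expected_drill_id, now=None):
    """Decide whether a drill sample may act on this host.

    Returns (allowed, reason). Every failure path answers False, so a sample
    that leaves the lab or outlives the exercise stays inert.
    """
    now = now or datetime.now(timezone.utc)
    if not isinstance(marker, dict):
        return False, "no drill marker: not an isolated drill host"
    if marker.get("environment") != "isolated-drill-lab":
        return False, "marker does not describe an isolated drill lab"
    if marker.get("drill_id") != expected_drill_id:
        return False, "marker belongs to a different exercise"
    try:
        expires = datetime.fromisoformat(marker["expires_at"])
    except (KeyError, TypeError, ValueError):
        return False, "marker has no valid expiry: treat as expired"
    if expires.tzinfo is None:
        return False, "expiry must be timezone-aware"
    if now >= expires:
        # Kill switch: once the drill window closes the sample never acts again.
        return False, "drill window closed: kill switch engaged"
    return True, "inside isolated drill window"


def drill_action(marker, expected_drill_id, now=None):
    """Run the benign drill behaviour only when the guard allows it."""
    allowed, reason = check_guard(marker, expected_drill_id, now)
    if not allowed:
        return "inert: " + reason
    # Placeholder for the harmless drill behaviour (e.g. dropping a marker
    # file that responders are expected to find during the exercise).
    return "drill step executed"


if __name__ == "__main__":
    # Constructed sample marker and clock for a stand-alone demonstration.
    sample_marker = {
        "environment": "isolated-drill-lab",
        "drill_id": "DRILL-EXAMPLE-01",
        "expires_at": "2012-05-16T00:00:00+00:00",
    }
    during = datetime(2012, 5, 15, 12, 0, tzinfo=timezone.utc)
    after = datetime(2012, 5, 17, 12, 0, tzinfo=timezone.utc)
    print(drill_action(sample_marker, "DRILL-EXAMPLE-01", during))
    print(drill_action(sample_marker, "DRILL-EXAMPLE-01", after))
    print(drill_action(read_marker("/nonexistent/drill_marker.json"),
                       "DRILL-EXAMPLE-01", during))
```

The guard fails closed on every malformed input, which matters more than the happy path: a marker with a missing or naive timestamp is treated as already expired rather than as "no limit". In a real exercise the marker would be placed by the drill team on lab hosts only, and removed as part of teardown, so that any sample carried out on a USB key finds nothing to satisfy the check.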

Ng said IT managers should identify likely scenarios and ensure that employees are adequately informed of remedial actions. This should include defending their critical internal servers and implementing the ability to back up and recover data as their top priorities during the planning phase, he said.

These scenarios and plans should be updated regularly to ensure they meet the needs of a rapidly evolving threat landscape, Ng added.