The Kato Method

Clouseau and Kato. Red Team and Blue Team. Building kaizen in to corporate security practices.

There’s a rule in operations that during an event, you are only going to be (at best) 50% as good as you were when practicing.  That makes practice and critical evaluation very important to anyone in an incident response field.  Whether we’re talking law enforcement, fire response, or computer security, the same rule of thumb applies.  Most computer security response teams train informally, if at all, on an annual basis.  That’s not nearly good enough; otherwise your company wouldn’t fail that annual penetration test every year.

In the classic films about the Pink Panther, Inspector Clouseau’s butler Kato tries to keep his boss on his toes by constantly plotting surprise attacks.  The ongoing potential for conflict is Clouseau’s unorthodox training regimen.

While the Pink Panther was just a movie, there’s potential in the idea of having a Kato.  Because real computer security incidents happen infrequently, there is an opportunity for practice by internal team members.  Most companies get their practice annually in the form of a penetration test, which isn’t nearly enough.  These tests usually involve external agencies, and transfer of knowledge is questionable at best.  There simply is not time during an engagement to provide the service and educate the client’s personnel.  Likewise, there may be annual training, but it’s limited and thin, and not integrated into an ongoing practice, which means it atrophies.

But what if Kato was on your payroll?  If your internal security personnel were encouraged to test the defenses, they could learn a great deal.  What if they were given bonuses for gaining access?  Sure, they know the layout; that’s half the purpose, since you might be the victim of knowledgeable hackers.  By having your internal people test on an ongoing basis, with appropriate protocols, naturally, you get into the habit of constant vigilance.  By trading off roles in the process, you ensure no one person becomes a bottleneck in the security profile.  Your company becomes much, much more capable.

And it’s great management.  You get a real opportunity to establish some team spirit, and boost individual pride.

Take a tip from an old movie, and get a Kato process going in your company.  Clouseau considered it a best practice.

This blog and its contents copyright 2010 Digital Trust, LLC.  All referenced trademark and copyrighted materials are the property of their respective owners.  Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing.  Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.