Taking on make-believe hacking scenarios is helping firms better prepare for the real thing.
Clusters of corporate techies hunched over their laptops one recent evening in Mountain View, Calif., feverishly trying to figure out how RK Industries hacked into and stole critical information from its rival, EntraDyn.
It’s a common occurrence, but in this case the firms were fictitious, and the event — a simulated exercise put on by security firm Symantec — featured rock music, a buffet and an open bar for the participants. Even so, it had a serious purpose: Increasingly under Internet attack, more and more businesses are using “cyber war games” to learn how to spot and counter the tricky tactics used by hackers.
“It keeps you on your toes,” said Michael Scheck, an information security investigations manager at Cisco Systems, which hosts its own war games and takes part in others. In the fast-evolving combat with computer-savvy antagonists, he said, “you have to play cat and mouse.”
Getting bested by the bad guys can be expensive. A study sponsored by Hewlett-Packard last year concluded the average cost of a cyberattack on a U.S. company was $591,780 — and rising. In response, companies are sending their employees to so-called cyber-ranges and other venues to engage in make-believe hacking scenarios.
In a survey of about 1,400 businesses last year, management consultant McKinsey & Co. said it found that 3 percent of them had conducted “cyber war games to help ensure they are ready to manage a cyberattack.” McKinsey wouldn’t identify the respondents, but noted that “most were in high tech and financial services.”
Although several of those attending Symantec’s event at the Computer History Museum didn’t want their employers identified, companies represented there included Intel Corp. subsidiary Wind River Systems, Tesla Motors Inc. and Google Inc.
Many firms also routinely test their ability to withstand attacks, including utility Pacific Gas & Electric.
Using employees he calls “my ninjas” who periodically attempt to hack into the utility, James Sample, its chief information security officer, said “we do mock-up scenarios” to assess the company’s vulnerability to cyberattacks.
Firms find the war games especially helpful, where they compete against other companies to see who can best respond to hypothetical cyber incursions.
Mountain View-based Symantec, which sells widely used Norton antivirus software, puts on these “cyber readiness challenges” worldwide. It contends the games help participants think like hackers, so they can better recognize and respond to their corporations’ vulnerabilities.
“Every day you hear about new attacks,” said Samir Kapuria, Symantec’s vice president of business strategy and security intelligence. “What we try to do is take that knowledge of what’s happening to companies and organizations around the world, and weave that into the scenarios.” That way, he added, they can “hone their skills so the first time they are up against something, it’s actually something they’ve practiced.”
In Symantec’s virtual contest, which was akin to a video game, participants were given hints that helped them hack into the fictional RK Industries and figure out what RK stole from EntraDyn.
“Think of it as a giant scavenger hunt, where you are given a riddle or clue about how to find something,” said Josh Chin, executive director of Southern California-based Net Force, who placed third in the competition. Besides teaching him how to better guard his client’s data, he said, such exercises offer a way to “show how good you are” when pitted against other security experts.
During an earlier challenge Symantec hosted for its own employees, one grandstanding prankster even surreptitiously hacked into the game’s scoreboard, according to spokeswoman Pamela Reese. She said she wasn’t sure what the person was up to, but figured it was “either to improve their score or mess around with players’ names.”
Cisco’s Scheck said his company also has taken part in war games put on by the U.S. Department of Homeland Security and other federal agencies, some of which had the businesses work together to blunt cyberattacks. That’s been helpful, he said, because to counter sophisticated and organized hackers, “corporations are realizing they need to share more information with each other to make life more difficult for their adversaries.”
Finding skilled workers for that fight is another priority.
In March, Cisco, Workday, McAfee, PG&E and other companies sponsored a cyber war game in Pomona for college students, during which several of the firms recruited the players for their security departments, according to Daniel Manson, a computer information systems professor who helped organize the event.
Given the shortage of employees skilled in dealing with cyberattacks, he viewed the effort to hire the students as indicative of a major shift in corporate thinking.