Getting The Most Out Of A Security Red Team

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/vulnerability/getting-the-most-out-of-a-security-red-t/240160471

By Ericka Chickowski
Dark Reading
August 27, 2013

When used effectively, a working red team doesn't just help IT security 
organizations find vulnerabilities in their environments. Red teams can 
also help organizations prove the need for increased budget in focused 
areas, substantiate claims of security improvements, and generally sharpen 
the skills of IT defenders called on to regularly defend against 
real-world attack simulations carried out by these in-house "bad guys."

"One of the best things I've done when starting new [security 
organizations] is starting a red team first," says John Walton, principal 
security manager at Microsoft, in charge of the Office 365 security 
engineering team, who uses red teams to test the efficacy of the service's 
security. "A red team will tend to justify additional resources. A red 
team can actually prove out why you need that additional investment, and 
can also help get the management aware of what the risks are 
specifically." According to Maranda Cigna, senior IT security manager at 
financial services firm FIS, her organization has similarly helped her 
counterparts in the network and technology teams justify head count and 
better tell the story of the true risks faced by their assets when they 
aren't properly manned. In her organization, the red teams focus their 
work within the data center.

"We've got pen testing, in general, happening against network devices and 
our Web applications, but I have a specific red team that just targets and 
attacks our data centers, and we're spinning through that on an annual 
basis," she says, explaining that beyond setting certain bounds around the 
data center, it is crucial to let the teams be creative in how they probe 
their targets. "We let them organically go through, see what they find, go 
down whatever rabbit holes that they want. When targeting a large data 
center, there's no way we could actually hit every single asset in there. 
But it’s a good depiction of how an attack against that data center would 
actually happen."

Whereas many external penetration tests can be gamed by organizations 
limiting the parameters in which the pen tester can operate or can simply 
be ineffective in thoroughly examining an environment, red teams 
frequently find more success. According to Scott Erven, manager of 
information security for Essentia Health, he believes internal red teams 
are more effective than penetration testing services.

[...]

--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/