http://www.darkreading.com/vulnerability/getting-the-most-out-of-a-security-red-t/240160471
By Ericka Chickowski
Dark Reading
August 27, 2013
When used effectively, a working red team doesn't just help IT security
organizations find vulnerabilities in their environments. Red teams can
also help organizations prove the need for increased budget in focused
areas, substantiate claims of security improvements, and generally sharpen
the skills of IT defenders called on to regularly defend against
real-world attack simulations carried out by these in-house "bad guys."
"One of the best things I've done when starting new [security
organizations] is starting a red team first," says John Walton, principal
security manager at Microsoft, in charge of the Office 365 security
engineering team, who uses red teams to test the efficacy of the service's
security. "A red team will tend to justify additional resources. A red
team can actually prove out why you need that additional investment, and
can also help get the management aware of what the risks are
specifically." According to Maranda Cigna, senior IT security manager at
financial services firm FIS, her organization has similarly helped her
counterparts in the network and technology teams justify head count and
better tell the story of the true risks faced by their assets when they
aren't properly manned. In her organization, the red teams focus their
work within the data center.
"We've got pen testing, in general, happening against network devices and
our Web applications, but I have a specific red team that just targets and
attacks our data centers, and we're spinning through that on an annual
basis," she says, explaining that beyond setting certain bounds around the
data center, it is crucial to let the teams be creative in how they probe
their targets. "We let them organically go through, see what they find, go
down whatever rabbit holes that they want. When targeting a large data
center, there's no way we could actually hit every single asset in there.
But it’s a good depiction of how an attack against that data center would
actually happen."
Whereas many external penetration tests can be gamed by organizations
limiting the parameters in which the pen tester can operate or can simply
be ineffective in thoroughly examining an environment, red teams
frequently find more success. According to Scott Erven, manager of
information security for Essentia Health, he believes internal red teams
are more effective than penetration testing services.
[...]
--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/
