The first step in protecting your enterprise is figuring out how to destroy it.
That's the approach to security taken by Jonathan Clemens, manager of enterprise security oversight at Intel. He recommends that companies conduct wargames to find their biggest weaknesses.
"By a wargame, I mean a tabletop exercise," Clemens said at IDG's LinuxWorld OpenSolutions Summit in New York City last week. "Sit down and be your biggest competitor, be an attacker, put yourself in the criminal mindset. ... Until you know how you could destroy your company you can't understand how you can prevent someone else from doing that."
Although identifying vulnerabilities to attacks may seem like an obvious step, when Clemens asked the audience whether they knew how to destroy their companies, just a few people out of several dozen raised their hands.
Clemens was wary of revealing specifics about wargames conducted at Intel. But he noted that Intel makes chips, and it would be damaging if the company made chips that could not perform mathematical calculations properly.
"What would happen if I was a competitor of Intel and I wanted to discredit them? Would that be a way to do it?" Clemens asked. "So you look at your core product (and) you look at who would want you to fail in that area. ... You go through these mental exercises and say 'what's the worst case scenario?'"
The worst-case scenario could involve the threat of physical harm, he told the audience, making note of a bank robbery in England last year that involved the family of a bank manager being taken hostage.
In a follow-up exchange with Network World, Clemens noted that IT managers handle data, rather than cash, but that attacks involving hostages are not unthinkable in the IT industry.
"If the financial industry, which has had centuries of armed robberies to deal with, can't defend against such an attack, how can the IT industry, where system administrators are in positions of similar responsibility, but over data rather than cash?" he questioned.
In his talk at the LinuxWorld event, Clemens also discussed emerging threats such as viruses aimed at mobile devices and custom attacks aimed at specific corporations.
"Being on the Internet is like sharing your toothbrush with 1 billion of your closest neighbors," he said. "There are people on the Internet who are smarter than you. .... There are people who are less ethical than us."
Clemens recommended that enterprises develop security policies, which should be high-level statements, not an attempt to address every conceivable problem. He discussed various layers of data protection, including risk assessments, training, physical security such as guards and surveillance cameras and network security measures.
"Does every device in your network have the ability to talk to every other device? If it does, why?" he said.