Teachable Tabletop Exercises: My Year as a TSA Officer
Simple and quick tabletop exercise scenarios can reveal actionable opportunities to quickly improve an organization's security.
By: Rob Lelewski
As a security consultant with Secureworks® proactive incident response services, I frequently conduct tabletop exercises to help clients better prepare for what many consider the inevitable: a cybersecurity incident. Organizations interested in conducting a tabletop exercise range from those with significant regulatory requirements (e.g., financial institutions) to industries with fewer regulatory pressures (e.g., manufacturing) – and of course, organizations across the maturity spectrum may invest in tabletop exercises to prepare for "when, not if" scenarios.
More often than not, clients do not have a particular exercise scenario in mind and are open to suggestions on how a tabletop scenario should play out. Tabletop exercises work best as realistic simulations that expose an organization's weaknesses and the opportunities to bolster its defenses. With an organization's permission, we create simple scenarios that push the boundaries of what information we can obtain, mimicking the behavior of real threat actors (without the risk of data loss). One of my favorite tabletop scenarios starts with a phone call.
The TSA Officer Scenario
One scenario that has consistently performed well during tabletop exercises runs as follows. With permission, and with the tabletop participants gathered in the exercise room, I call the organization's primary contact number, which is usually listed on its website. Because we are typically on site at the facility where the exercise is taking place, I place the call from my cell phone so that the caller ID shows an area code different from the organization's own location, and I put the call on speakerphone so the tabletop participants can hear the interaction.
When the call is answered, in my most charming and TSA-like voice, I state, "Hi, my name is Jim McGregor and I'm a TSA Supervisor at O'Hare International Airport in Chicago. We found a tablet computer belonging to Jane Doe at a security checkpoint and believe that it belongs to your company. We found the name by looking at the e-mails as the tablet was powered on at the time. We also saw a few resumes and other documents. What would you like us to do with it?"
I conveniently ensure that Jane Doe is a Human Resources Director or holds some other executive leadership position within my client's organization, someone who would plausibly have sensitive information on the tablet.
Prior to placing the call, I ask the tabletop participants what they believe will happen if such a call is placed to the organization's primary contact number. The responses generally range from outright confidence to a reasonable degree of assurance that the event will be immediately reported to information security. Then, when I tell the participants that the call will be placed right then and there, during the tabletop, the room fills with facial expressions that usually convey worry.
The Value of the Tabletop Exercise
Why perform such a tabletop exercise? Organizations spend vast sums of money to secure their environments, investing in a variety of technical controls, tools, and tactics. Those are worthy investments, but these exercises reveal that gaps can remain. The first points of contact in particular (the person who picks up the phone for your organization's main contact number, or who answers the main generic e-mail address) often do not understand what to do when they are presented with a set of facts that would likely constitute a security incident.
What We Learn from a Tabletop Exercise
In the situation presented, the following facts are clearly conveyed:
- A company-owned device has been lost.
- An outside party, the TSA Officer, has accessed the device.
- The TSA Officer has viewed company correspondence, resumes, and other documents. This is sensitive company information as well as Personally Identifiable Information.
In the past 12 months, I have presented variations of this scenario to a variety of organizations. A sample of the results:
- 14% of the time, the person answering the call hung up on me.
- 14% of the time, I was provided the mailing address for the company and asked to drop it in the mail. No attempt was made to gather the TSA Officer's information, contact number, or any other relevant information. No report was made to the organization's information security team.
- 6% of the time, I was transferred to a voicemail box that was full and immediately disconnected.
- 33% of the time, my information was taken down, and I was told that someone would be in touch with me. During the rest of the tabletop exercise and in the days after, the event was not communicated to information security staff.
- 33% of the time, the call was transferred to information security or other appropriate staff members, either immediately or within an appropriate time frame.
Opportunities for Improvement
The TSA Officer exercise often identifies multiple areas of improvement that can tangibly benefit an organization's security.
First, front-line employees, such as those who answer the primary contact number, must be able to recognize a potential cybersecurity incident. While front-line employees don't need to be fluent in the intricacies of cybersecurity, they need the skills to identify when a potential incident has taken place. A lost device, with a third party having accessed the data on it, is an example of an event that warrants attention.
Second, all employees must also know how to "sound the alarm" and where to properly escalate events within the organization. A common failure we have observed is that a message was passed to another internal party and simply "lost," so the information security team never had the chance to act.
Without both of these avenues solidified, the organization's incident response process is effectively undermined before it can begin.
Practice within Your Organization
The TSA Officer scenario is an incredibly simple exercise that can be performed over a lunch hour. While your specific scenario may vary, ensuring that front-line employees, and all employees, understand how to identify and escalate a potential cybersecurity incident will be a powerful asset to your organization's overall security posture.