Instead of imagining myself as a chess piece, I prefer to try and look at the chess board as a whole and see where the biggest perceived vulnerabilities or weaknesses lie.
Most organisations could be seen as being modelled, in terms of staff ratio, on a chess board. Usually, there is only 1 king (CEO), and then the rest of the chess pieces are multiplied the further down the management chain you go (e.g. 1 queen, 2 knights, 2 rooks, 2 castles and 8 pawns).
Imagine that a game of chess is a potential threat to an organisation and the white chess pieces (hackers) are planning to infiltrate the black chess pieces (the organisation). At first glance, their focus point would be the King – or the value that the King represents – to win the match.
The whole strategy would then, in most cases, be a series of moves backwards from the King, trying to eliminate the second, third and fourth tier of defences. Most attackers would just see the pawns as an annoyance and would assume that they pose no difficulty or threat when it comes to defending the King. They are merely a disposable asset or hurdle to overcome.
It might be worth taking a step back and thinking about the benefits and power that pawns actually hold. You could use them to not only annoy and stop attackers but also to attack back when the enemy is not looking.
As George S. Day and Paul J.H. Schoemaker state in their book Peripheral Vision: Detecting the Weak Signals That Will Make or Break Your Company, “the biggest dangers to a company are the ones you don’t see coming.” By that same token, the biggest dangers to an attacker would be the ones they don’t see coming, as well.
Now, put that into a business context, assuming that the pawns are the non-management part of the organisation, such as the receptionist, call centre staff, support staff, back office employees, etc. When hackers attempt to breach an organisation, they would usually have to go through these lower levels of defences to work their way up the management chain to the people who, in turn, hold the permissions the attackers need to gain access to the critical data.
Imagine if you were able to give each pawn piece the power to question every move the attacker makes, as well as the tools to verify the information received. After all, most attackers hide under false pretences and pretend to be someone they are not.
Let’s say the attacking chess piece (castle) came head-to-head with the defending pawn piece but was not able to move past the pawn, as it was being protected by another defending piece. In the real world, the castle would just refer to itself as a knight, hop over the defending piece and continue its attack without giving the last move a moment of thought.
If the pawn did not know or could not verify that this piece was ‘who’ it said it was, then it would usually let it pass so as to avoid any business conflict.
However, imagine that the pawn was now able to call its bluff, question and verify everything about that piece. Should the castle now not pass all the checks, the pawn has the tools to let the chess master know that there is now a potential threat. The castle is still stuck at the entry point and is now forced to retreat or wait there while other parts of the organisation come to the pawn’s defence.
To cut a long story short, never underestimate the power of the pawns. By making sure you equip them with the correct tools and processes, you could be stopping attacks at the front door. Now, this will not deter all attacks, but hopefully it will frustrate the attacker enough to move on to another, easier target.
Can you imagine yourself as a chess piece protecting your organisation during a cyber attack? Which piece are you, and why? How do your actions and strategies in battle match the capabilities of the chess piece you picked?
If so, why don’t you tell us in a few words and have a chance to win one of three great prizes: http://www.tripwire.com/infosec-2016/contest/.