Since the Middle Ages, chess has been used to teach strategic and tactical concepts to military leaders. For the same reasons, chess can be a great tool for today’s security leaders.

We’re going to take a look at the parallels between chess and security in a series of blog posts. In Part 1, we will consider the specific elements that make up the game of chess and how they parallel the core elements of effective security programs. In Part 2, we’ll look at some of the fundamental concepts in chess – such as time, space, material and structure – and how they are applied to security.

The basics

In chess, you buy your board and pieces, learn the basic rules, set up the game and begin to play opponents. In security, it is much the same. You define your scope of operations; invest in people, processes and technologies; implement your controls; and begin to deal with attacks.

In chess, the board is your scope of operations. The game takes place within its boundaries, and if any part of it is neglected, you give your opponent an opportunity to gain a foothold or initiate an attack. The same principle applies in security, but in chess it’s simple to observe an 8×8 board.

Observing the field of play for enterprise security can be much harder because there are so many factors to consider: outsourcing, third-party applications, unauthorized systems, cloud operations, etc. Just as in chess, if you neglect any part of the enterprise security “board,” you give attackers an opportunity.

If the “board” is the scope of your security program, then the “rules” of chess are security frameworks. The rules provide you with the basic knowledge necessary to play the game. Security frameworks are the elements and processes you need to build and operate a security program.

Beginning players take note: there’s a huge difference between implementing basic framework controls and the knowledge and strategy required to be able to use these controls to defeat an attacker.

Next, we come to the game pieces. In a chess game, pieces are the mechanisms used to implement your game strategy. In security, the “pieces” are your controls – you can use them to prevent your opponents from achieving their objectives. Just as the merits of chess positions depend on how well your pieces are deployed, the strength of your security program depends on how well your controls are deployed. Your ability to deploy controls effectively will depend on your understanding of how your controls work individually and collectively.

A beginning chess player starts with only a basic appreciation of each piece; this typically includes how each piece moves and a nominal “value.” To be a better player, you need to know how pieces exert influence, how they work together in attack, how to defend against an attack and how to kill off an opponent. Naturally, these principles also apply to cybersecurity controls. Each control has to be implemented and operationalized in a particular way to add value.

Let’s take a look at the individual pieces/controls first and then we will look at how they work together.


There are two aspects to the King in the game of chess. First, he is often the primary target of the attacker. The King is a valuable prize that will deliver victory to the opponent, so the King must be protected in the opening and middle games.

Secondly, in the end game, with the other pieces gone, the King often becomes the most powerful piece on the board. The CISO protects the interests of the company that an attacker wishes to harm and he is also the ultimate enabler and facilitator of cybersecurity because he is able to make important decisions and cut through red tape when necessary. Unfortunately, just like the King, the CISO is very vulnerable when an attack is successful.


In 1749, Philidor wrote, “the pawns are the soul of chess.” This was at a time when the main style of play was repeated, direct attacks on the opponent’s King with gambits and sacrifices that usually meant the attacking player would lose if their attack failed.

There is a strong parallel to this idea in security. It’s easy to believe that existing frameworks and basic security controls are flawed and that we need new and exciting ways of defeating attackers. The truth is that if we don’t pay attention to the basic controls and processes that give our security posture strength, we actually become weaker instead of stronger and make it even easier for attackers to defeat us.

In the same way that pawns provide the structure to keep attackers at bay and allow maximum flexibility and efficacy of the other pieces, getting the simple things right in security means that you can build new capabilities from a position of strength rather than from a position of weakness.

This means you really do have to pay attention to things like secure configurations, vulnerability management, access control and a secure SDLC.

All the King’s (Other) Men

In chess, each of the remaining major and minor pieces has its own strengths and weaknesses – they can be very powerful if used properly, but will have little value in a poorly played game. For example, exposing a queen too early means she will be chased around the board for the rest of the game. Knights are very strong in closed games or when they can gain a central position without being harried by pawns. However, in open games, if they are left in a corner, placed in the center or unsupported by pawns, they are weak. Any piece used improperly will become an expensive trophy for your opponent.

Just as every piece has its place and its proper use in chess, each security control has to be used properly to build an effective security strategy. You really need to understand the controls you have, how they are deployed and maintained and how they fit into your incident response processes. If you don’t do this basic work they will become burdensome.

Many organizations that don’t understand this principle see security as consuming precious resources. They deploy it for unsuitable use cases or end up with expensive ‘shelf-ware’ that they pull out to impress management and auditors. These controls sound good on paper but in practice, they are worthless in the fight against cyber-attacks.

It’s also true that you need to go beyond an appreciation of the individual pieces to win at chess – you have to understand how the pieces can be used to work together to win.

This is also true in security – foundational controls need to work together to be effective at repelling attacks. Just as an individual piece sent against the opposing force will be slaughtered in a chess game, any single security control will eventually be bypassed or defeated.

Defense-in-depth means your controls work in concert to provide layers of security that are relevant to each attack vector that an attacker may attempt to exploit. Moving pieces without understanding how they work together will do more harm than good, as you’re likely to create a situation with holes too complex to understand, giving your opponent an advantage.

The final thing to note is that in chess, your position is never static. The opponent is always looking for a weakness to exploit, probing and waiting for the right time. Strategies and tactics develop over time as new positional weaknesses are discovered.

This principle is exactly the same in security. You need to continually monitor and modify your position. Every organization is continually changing in terms of its business model and the technologies used to support it, and your security must evolve with it. Even in the most advanced security infrastructures, if your security is static, a weakness will always present itself.

In chess, you need to keep up with the latest theory and with what is happening in the games being played around the world. In security, you need to keep up with the latest attack and defense techniques. You need to continually assess and improve your controls and your understanding of them.

Note that this is very different from preparing for an audit. An auditor is usually testing to see if a control exists and works for certain specific test cases. This work is very different from testing whether a control or group of controls has been implemented to effectively thwart the array of attacks that you face due to your risk profile.

The way chess was played 50 years ago is no longer effective. Similarly, effective security controls also have a lifespan. If you deployed a best-practice authentication system three years ago, have you evaluated it to see how effective it is today?

Does it still apply to your environment now that virtualization, cloud services and messaging technologies have been implemented? Is it still the default solution for all of your authentication needs? Or has this single point of policy enforcement turned into a single point of pain for any new technology or project?

In chess, there is a big difference between learning where the pieces go and being able to play a real game with a chance of winning – the same is true for security. You can map a control to each requirement of a particular framework to claim compliance and you can implement many ‘best in class’ controls, but if you don’t understand how they work together you will be left with two questions: what league are we playing in and can we afford to lose?

In the next post, I will cover some ideas around game play, mental aspects, and the fundamental concepts in chess around time, space, material and structure and how all of these play in the security space.

Read part 2 here.

Title image courtesy of ShutterStock

  • Firasat Khan

    Chris, I quite like this extended analogy discussing the parallels between security and chess. As you note, security is quite a complex, multi-faceted endeavor, similar to chess, as companies deal with numerous internal and external adversaries. I look forward to reading the upcoming posts extending the analogy. As with all good analogies, we can point to many parallels, but we also recognize differences.

    For instance, chess is a structured, sequential game of just two players where strategy can be applied to defeat most measures deployed against you. From a game theory perspective, chess falls into the ‘combinatorial game theory’ category, where there are no chance events, players take turns, and players could have perfect knowledge (even if this is quite complicated with a zillion possibilities).

    Security is often similar to chess, as you have so comprehensively discussed, since the majority of threats can be addressed strategically based on prior knowledge and knowing the attack vectors. But unlike chess, it is also true that security sometimes involves meeting never-before-seen challenges (e.g. zero-day attacks), simultaneous attacks from many players, and a lot of unknowns and unexposed knowledge that must be discovered and exposed before an appropriate response can be applied. These differences place security to some extent in the ‘classical game theory’ category.

    Having said this, I do see the value in the chess analogy as a tool for organizing strategies and tactics for security managers in various settings.

  • P. Fatnani

    Makes nice reading. Ground laid for more with an excellent analogy. Look forward to reading the next part.