Weird Security Term of the Week: "Tabletop Exercise"

In honor of International Tabletop Day, this Weird Security Term of the Week is “Tabletop Exercise.”

The Problem:  Your organization has gone through a major breach, and is trying to put the pieces back together.  You’ve brought in consultants, hired on new people, and have concluded that you are at square one in regards to your security posture. The difficult part now is, where do you go from here?  The consultants have given recommendations, but you aren’t sure that their ideas are too much or not enough.

You could start implementing Proof of Concept hardware into your environment, but the higher ups are nervous about allowing that kind of access to an outside party without understanding what it’s all about.  On top of this, many in your organization don’t entirely get what it is they’re trying to defend against.

A “Tabletop Exercise” helps run through complicated and changing scenarios without the need for hours upon hours upon hours of installation, configuration and implementation time.  On top of which, the open structure allows for people of varying levels of experience to sit down in the same room and understand terminology, tactics and responses.  In addition, the ideas and scenarios can change rapidly- adapting to the strengths and weaknesses of standard and proposed actions; and the environment allows for a low-stress forum for the exchanging of ideas and solutions, since at its core it can be considered a game- a useful and powerful learning tool, but still a game.

The Solution: Tabletop Exercises can be of great benefit, but it can be difficult to begin without a starting point. Thankfully, there are a number of organizations that have already provided a number of packages that can be adapted to organizations needs quickly.

Solution the First:  FEMA Emergency Planning Exercises

Because of the massive amount of fields that the United States Department of Homeland Security (DHS), and its disaster arm the Federal Emergency Management Agency (FEMA) have had to deal with over the years, they have become very good at creating simulations to see what they might be coming up against in the future. These tabletop exercises are designed to scale to nearly any level- from small business hiccups to national-level disasters dealing with both physical and virtual issues.

Solution the Second:  EPA Emergency Response Tabletop Exercises

The EPA deals with critical functions for the safety and well being of enormous amounts of citizens, using not a lot of people and a huge amount of automated systems.  When dealing with situations that could spiral out of control quickly, these exercises can be a great starting point.

Solution the Third:

There are a number of organizations that perform exercises on a regular basis for a wide variety of groups. for instance has a number of publicly available Tabletop Exercises, but at the same time they also have the ability to perform custom or guided exercises for organizations that require additional concerns.

Honorable Mention: NIST’s Guide to Test, Training and Exercise Programs for IT Plans and Capabilities– NIST SP800-84 (PDF Link)
Running through a Tabletop Exercise can be of tremendous benefit when in the planning stages of a major rollout, but it can also be tailored to more advanced situations.  When facing a potential issue that is very difficult to simulate in reality, a Tabletop Exercise can help to walk people through situations that they might not otherwise have the opportunity to face before having to deal with it for real. Understanding concepts and not being blindsided when faced with a major problem can turn response times from minutes to seconds- and that can make a huge difference.  In addition, these exercises can turn into full on simulations should the topic allow, and if it turns out the team would like to test out procedures and lessons learned- reducing that response lag even further. Ellzey has been involved in Information Security and Technology for the better part of the past 15 years. During that time, he has been published as part of the compilation Security 3.0, the writer for the Ramp with 5 Levels, and a contributor at LIFARS with the Weird Security Term of the Week series. More information about Kurt can be found on LinkedIn or on Twitter.