Training is a critical step in being prepared to respond to real cybersecurity incidents. A quick and easy way to help prepare your team is to hold short 15-minute tabletop exercises every month. Here are a few of the important questions you may want to ask while holding a tabletop exercise:
Do you have a Cybersecurity Incident Response Plan?
Do you have compliance requirements you must adhere to? (PCI-DSS, HIPAA, FISMA, IRS, or Sarbanes-Oxley)
Who should you notify internally in your organization? External to your organization?
Do you have a backup point-of-contact for key roles in your organization? (For example, who do you contact if the manager who handles cybersecurity issues is out sick or out of town on vacation?)
What are the resources available to your team?
Who do you contact to get more resources? (For example: consultation, equipment, or additional cybersecurity professionals.)
Here are some tabletop exercises you can use:
- An employee casually remarks about how generous it is of state officials to provide the handful of USB drives on the conference room table, embossed with the State logo. After making some inquiries you find there is no state program to provide USB drives to employees.
- Your agency has received various complaints about slow internet access and that your website is inaccessible. After further investigation, it is determined that your agency is the victim of a DNS amplification attack which is currently overwhelming your DNS server and network bandwidth.
- Have one or two people from your agency visit two Chinese websites recommended by our federal partners as safe for browsing. Have the team identify which logs would be needed to trace this activity through the network.
- The news is reporting that a major chemical plant, located 2 miles away, has had a significant toxic chemical leak. There is a chemical "cloud" and your office building is in the path of the plume.
- A pandemic flu starts. Employees start calling in sick, but it's not clear if they are ill or afraid to go out in public. Enough people are absent that the organization struggles to maintain the IT infrastructure.
- Your agency has received a phone call indicating that you will experience a Telephony Denial of Service (TDoS) attack beginning in two days unless you pay a ransom by 12 p.m. local time.
- An international terrorist group publicly claims successful cyber attacks on various government organizations. You learn that your organization's official social media accounts have been compromised and someone is sending out notifications through your social media website to the public claiming that your organization has been compromised.
- You receive news that an employee accidentally disclosed sensitive personally identifiable information records. This occurred when they accidentally emailed a document that had not been properly scrubbed to a contractor ...
- One of your organization's internal departments frequently uses outside cloud storage to store large amounts of data, some of which may be considered sensitive. You have recently learned that the cloud storage provider being used has been publicly compromised and large amounts of data have been exposed.
- Numerous sensitive internal documents are found on the internet. It appears that the multi-function printer/copier is connected to an external-facing IP address. All documents found on the internet are known to have been printed or copied on this machine.
- An employee calls to ask for the password for the Wi-Fi network, indicating they would like to use it on their personal cellphone. You don't have a Wi-Fi network. A scan of the building indicates there are 4 Wi-Fi networks broadcasting a variety of names that suggest people are using them for work purposes.
- Malware containing a backdoor is discovered on the surveillance cameras used in sensitive locations, including the conference room used by senior executives. It was determined that the cameras were active during several meetings.
- A routine financial audit reveals that several people receiving paychecks are not, and have never been, on payroll.
- A severe vulnerability has been identified in a common open source application that is used to securely transmit information. This common application provides communication security for applications such as web email, instant messaging and some virtual private networks ...
- The browser deployed on all machines in your organization has a significant zero-day vulnerability which is actively being exploited ...
- You have been notified that a device which appears to control an aspect of building management (such as a water valve or HVAC) is found to be accessible from the internet.
- An executive from your organization has been requested to speak at an international symposium. The country, known for past espionage, has a customs policy that requires off-site "inspection" of computers, smartphones, and other technologies.
- Cybersecurity has become a big topic of interest to the leadership of your organization. How do you develop a holistic, cost-effective security awareness program?
- Upon review of your logs, several of your organization's internet-facing assets are being scanned. Investigation shows the scans originate from what seems to be a legitimate private cybersecurity company that refuses to disclose any information.
- You have been notified that your organization may be targeted through spear phishing emails and social engineering phone calls ...
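The log-tracing exercise above (visiting a known-safe website and working out which logs are needed to follow that activity through the network) has a concrete answer that a team can check against their own environment: the DNS resolver log ties a workstation to the hostname and its resolved address, the web proxy log ties the same workstation to the URL and user, and the firewall log ties the workstation to the outbound connection. The script below is an added example, not part of the original page; the three log formats and every log line in it are constructed for illustration and do not come from any real product. It correlates the three sources into one timeline for a hostname and reports which sources contributed nothing, which is exactly the gap the exercise is meant to surface.

```python
"""Correlate DNS, proxy and firewall logs to trace one workstation's visit to
a website. Added example for the tabletop exercise; all log formats and
entries below are constructed, not taken from a real system."""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample logs. Workstation 10.1.2.34 resolves www.example.test,
# fetches a page through the proxy, and the firewall allows the TLS session.
DNS_LOG = """\
2024-03-01T09:15:01Z client=10.1.2.34 query=www.example.test type=A answer=203.0.113.10
2024-03-01T09:15:02Z client=10.1.2.57 query=mail.internal.test type=A answer=10.1.0.5
"""
PROXY_LOG = """\
2024-03-01T09:15:02Z 10.1.2.34 GET https://www.example.test/news.html 200 jdoe
2024-03-01T09:16:40Z 10.1.2.57 GET https://intranet.internal.test/ 200 asmith
"""
FIREWALL_LOG = """\
2024-03-01T09:15:02Z ALLOW TCP 10.1.2.34:51234 -> 203.0.113.10:443
2024-03-01T09:15:05Z ALLOW TCP 10.1.2.57:51300 -> 10.1.0.5:443
"""

# One regular expression per constructed log format.
DNS_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=\S+ answer=(\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+):\d+ -> (\S+):\d+$")

ALL_SOURCES = {"dns", "proxy", "firewall"}


def parse_dns(text: str) -> List[Dict[str, str]]:
    """Resolver log: which client asked for which name, and what it got back."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, qname, answer = m.groups()
            events.append({"ts": ts, "source": "dns", "client": client,
                           "host": qname, "ip": answer})
    return events


def parse_proxy(text: str) -> List[Dict[str, str]]:
    """Proxy log: which client (and user) requested which URL."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client, method, url, status, user = m.groups()
            events.append({"ts": ts, "source": "proxy", "client": client,
                           "host": urlparse(url).hostname or "", "url": url,
                           "status": status, "user": user})
    return events


def parse_firewall(text: str) -> List[Dict[str, str]]:
    """Firewall log: which client connected to which destination address."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst = m.groups()
            events.append({"ts": ts, "source": "firewall", "client": src,
                           "dst": dst, "action": action})
    return events


def trace_host(hostname: str, dns_log: str = DNS_LOG, proxy_log: str = PROXY_LOG,
               fw_log: str = FIREWALL_LOG) -> List[Dict[str, str]]:
    """Build a time-ordered list of every event tied to a visit to `hostname`.

    DNS answers give the destination addresses; DNS and proxy entries give the
    clients; firewall entries are kept only when both client and destination
    match, so unrelated traffic to the same address is not pulled in."""
    dns = [e for e in parse_dns(dns_log) if e["host"] == hostname]
    proxy = [e for e in parse_proxy(proxy_log) if e["host"] == hostname]
    resolved_ips = {e["ip"] for e in dns}
    clients = {e["client"] for e in dns} | {e["client"] for e in proxy}
    fw = [e for e in parse_firewall(fw_log)
          if e["dst"] in resolved_ips and e["client"] in clients]
    return sorted(dns + proxy + fw, key=lambda e: e["ts"])


def missing_sources(timeline: List[Dict[str, str]]) -> Set[str]:
    """Log sources that contributed nothing: the gaps the exercise should find."""
    return ALL_SOURCES - {e["source"] for e in timeline}


if __name__ == "__main__":
    for event in trace_host("www.example.test"):
        print(event["ts"], event["source"], event["client"], event)
    print("missing:", missing_sources(trace_host("www.example.test")))
```

Running the exercise against real logs comes down to swapping the three regular expressions for the organization's own formats; if `missing_sources` reports a source for a site someone demonstrably visited, that log is either not collected, not retained long enough, or not searchable, and that finding is the point of the drill.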