Jonathan Trull, CISA, CFE, OSCP
Heartbreak Ridge by Clint Eastwood is one of my all-time favorite movies. Marine Gunnery Sergeant Tom “Gunny” Highway, played by Clint Eastwood, is wrapping up his career after seeing extensive combat in Korea and Vietnam. In classic Eastwood style, Gunny is tough, hard-living and crude, but he knows how to train and lead men into combat. In the final tour of his career, Gunny is assigned to a reconnaissance platoon filled with untested and unfit Marines with a bad attitude. Throughout the rest of the movie, Gunny sets out to prepare his men for the real fight that is sure to come.
Midway into the movie, Major Malcolm A. Powers—the incompetent senior officer overseeing Gunny’s platoon—plans and leads a training exercise in which Gunny’s platoon is to act as the enemy or red team. Major Powers leads the blue team responsible for finding Gunny’s platoon and ambushing them. Instead of allowing Gunny’s platoon to freely maneuver and attack like a real adversary, Major Powers orders Gunny to take his men to a predetermined position where they will wait to be ambushed. However, Gunny disobeys orders and leads his men on a successful counterattack against Major Powers’ poorly trained and unsuspecting forces. Major Powers is not too happy!
In a heated exchange with Major Powers, Gunny lays out several pearls of wisdom for training and leading. These can apply not only to combat troops, but also to IT security professionals:
- Train like you want to fight, because you will fight like you have trained
- Make mistakes in training—it is better and less costly than in combat or during a real (cyber)attack
In my recent Journal article, I explain how my team followed Gunny’s advice when we undertook a penetration test of the State of Colorado’s networks and IT systems. Our job—as the red team—was to attack Colorado’s systems just as a real attacker would. Our goals were (1) to test the IT security staff’s ability to detect and properly respond to our illicit activities, and (2) to identify critical weaknesses in the systems so that they could be patched before a real attack occurred.
Taking Gunny’s advice, we carried out the penetration test just as our adversaries would try to exploit us—without warning, on the days and at the times most advantageous to the attacker, and against the weakest targets, which included not just the computer systems themselves but also the people administering and using those systems. Like Gunny, I had a run-in with a senior government official who was upset with the realistic nature of our attacks and was not thrilled with the number of systems being compromised by my team, nor with the staff resources needed to remediate the deficiencies we had identified and exploited.
If you take just one thing away from my article it should be this: Prepare your IT security staff and infrastructure for the cyberattacks that are sure to come. My article suggests that realistic penetration tests are one of the best tools available for doing just that. Train your IT security professionals like you expect them to fight, because your systems, customers and confidential data depend on it.
Read Jonathan Trull’s recent Journal column:
“Security Through Effective Penetration Testing,” ISACA Journal, volume 2, 2012