Hi, everyone. In this video, we're going to be discussing applying Red Team and Blue Team exercises to your company, corporate processes and how your product or service is brought to market. This is one of my favorite ones, okay. So Red Team and Blue team, the concept originally comes from military sorts of exercises where Red Team performs offensive strategies and Blue Team is all defensive. And one of the reasons why you might want to apply this is, so that you can see where the vulnerabilities are in your company, but also how you can protect your company as well. So a lot of these sorts of strategies are used in cybersecurity. However, I like to look at it from also corporate processes because where our overhead team and vulnerabilities are often the biggest weaknesses are with those who interact on the outside with potential customers. So in a bank, or accompany somebody like a customer could call and say, hey, I'm a vendor, I work with this, I need access to this system and a receptionist who may not know, but I'm like, okay, sure, yeah, you need to be able to do your job. This prevents some of these sorts of issues. You may need to then build that. Remember the scripts? Non ideal conditions? How does your team respond? And how do your receptionist, team office management team respond if somebody calls up and says, well, I need access to this sort of an account to time with your supply chain. What scripts do you have? Okay, great, can you please come in and in person and show me some identification? All of those sorts of things. Because the thing is, the human element is often where we see the biggest vulnerabilities in a company. It doesn't quite matter so much how great and strong your IT, infrastructure and architecture is. If the human element is going to just give out the passwords and access and all this and let the guard down, the human element has to interact well with the technological one. So red Team vs Blue Team. Red team you're looking at testing your preparedness and exercising your response. Also, physical security, consultancy and planning ,surveys and audits and then the cybersecurity aspect there are going to be red team and blue team aspects of this so threat modeling, forensics events, cyber defense, risk analysis. Blue Team is going to be reinforcing your security, building your resilience. So while the Red Team is looking at committing attacks on by using, say physical security, tactical measures or cybersecurity once the Blue Team is going to protect it. So preparing, it's a good idea to group everyone together, administrative engineers, management and just get everyone on the same page. First of okay, well, here are the concerns, how do we use different tools in the instance of software? Which standards have we developed the software in within the frameworks of? So NIST guidelines could be one. Also, if you're developing certain tools or technologies that if you use a mission environments by military, do they meet the military specifications? Okay, great, they all do, awesome. Now we're going to start using the Red Team and Blue Team tactical fund stuff to see how it actually works and integrates with our processes. because it might meet all the specifications, but let's see how it functions in real life. Yeah, fun, okay. So, assembling the teams, try not to use the people who built the system for the Red Team, okay. Their goal is to protect it for a lot of developers. And I do have, like, really awesome developers on my team. I know that sometimes, people can be a little bit protective of their work. What I found is that it's best to kind of find somebody who's not too nice who wants to just go in and break stuff up and cause a bit of mischief. A certified ethical hacker is going to be a good person to use. And some of my employees are certified ethical hackers, their job is just to go in and, like, tear stuff up. Justifying vulnerabilities not to actually do anything bad. So, in a good way they determine whether or not somebody can do it. Do they operate within the framework of being a certified ethical hacker? Physical systems and cyber systems. Except for nuclear facilities, many companies don't plan full tactical Red Team assaults. As fun as it is, [LAUGH] I work with a lot of our service disabled veteran owned small businesses, and my brother served in Iraq and Afghanistan, and I really like going over Bed Team Blue Team strategies and tactical stuff. It's a lot of fun. Plus, I like playing paintball. So server rooms, camera security systems, fences, gates. Remember from various sorts of conversations in these videos, we're looking at the interaction points are often the points of vulnerability. So you might have a really great gate. Okay, gate's, awesome fence might be awesome, but where are the vulnerabilities between the fence and the gate? Are there weaknesses there? Also, with the cameras and security systems, the camera might be really secure and awesome, the security system might. But what about the network? How is your network protected? You might say, okay, great, we've got this great software. It's all encrypted data, but then you serve a room is just, like, completely open to everybody. Keep all this stuff in mind. So we've connected systems as well. Where people see a lot of issues with, say, the Internet of things and using different hardware tools that have software that are connected to a network, say, an MRI machine where a lot of the vulnerabilities are going to be in the network. And people might say, great this is a really high tech MRI machine, but the thing is, you've got to be able to protect it. And once you see vulnerabilities in that machine and then a bad guy could come in and have access to your network, then that can open up a whole breach of data. So employees can be the weakest link. Make sure that you've got scripts for your overhead team. Remember, if you've got receptionists and people answering phones and fielding questions and somebody calls and says, hey, I need access to this so that I can and I'm a vendor and I work with you guys and I'm able to do this. Make sure your receptionist knows, okay, well, can you come in in person? Can you provide me with your identification and cross check those different things? Have your scripts, have your experience, maps your standard operating procedures and make sure that everyone's all on the same page because the human element is where things go wrong. Testing environments. It's not always a good idea to test on live systems. This is why I like having virtual test environments where people can mess around a little bit, but then it's not going to be accessible to the public. And then it's safe to kind of get some ideas of where things are going. So in summary, take a look at your Red Team and Blue Team. Now the Blue Team, their job is to protect everything. Red Team does a lot of penetration testing, cyber system, physical systems and employees. Where I see a lot of companies go wrong is that like, we've got a great cyber system, we've got great physical security, but then they don't train their employees. They don't have the proper scripts. And quantitative decision making matrix is in place to really let the cyber system and the physical systems do their work because and see human element kind of messes up. It's free game, so keep all that stuff in mind, thanks.
