Dark Reading is part of the Informa Tech Division of Informa PLC

Partner Perspectives  Connecting marketers to our tech communities.
7/28/2015
10:00 AM
David Spark

What 30 Classic Games Can Teach Us about Security

Information security experts share their thoughts on how participating in games and sports helped hone their professional skills.

8: Develop team-based situational awareness

Games: basketball, hockey, soccer, dodge ball

“If you ever watch a basketball, hockey, or soccer team, where the players have been playing for a while, they instinctively know where their teammates will be on the court, rink, or field,” explained Edward Haletky (@texiwill), managing director at The Virtualization Practice. “Similarly, in dodge ball you have to know where you are and where everyone else is at all times. It builds great situational awareness, which is required for security professionals -- something they can help others to learn as well as to use themselves.”

9: Flex real-time response skills

Games: Doom and first-person shooters

“There is nothing like a Zerg rush to create the panic of a DDoS attack,” said Daniel Riedel (@riedelinc), CEO of New Context.

Eddie Schwartz (@eddieschwartz), international VP of ISACA and president and COO of White Ops, agrees. He loves the stress of playing the real-time first-person shooter game, Doom.

“True success is in your team's ability to be prepared, be agile, and act decisively in the face of much stronger numbers and innovative enemies,” said Schwartz.

10: Manage your resources

Games: Minecraft

“In security, we don’t have the luxury of unlimited time and resources to prepare against an attack, because we don’t know when it will come,” said Adrian Sanabria (@sawaba), senior analyst at enterprise security practice 451 Research. “In both Minecraft and information security, you have to understand the threats and your time/resource limitations. Then you have to act and hope the time and resources you have are enough to be ready when the attack comes.”

11: Learn how to hack

Games: Dungeons and Dragons, Rogue

“Dungeons and Dragons is complicated, literate, creative, social, open-ended, and has about a gazillion rules, all ripe for hacking,” said Bruce Schneier (@schneierblog), CTO at Resilient Systems Inc. “What better way to imbue someone with the security mindset?” 

Playing Rogue exposed Wendy Nather (@RCISCWendy), research director at Retail CISC/ISAC, to “unintentional functionality” that resulted from a bug in the game’s code. “I learned how to cheat,” admitted Nather.

The bug, Nather discovered, was the unstoppable power of a reused arrow, which allowed her to get the high score.

“I learned how to think creatively, try functions in ways that were never intended, and hunt around for things to exploit,” said Nather. “In other words, I learned to hack.”

12: Build defenses and manage penetration

Game: Savage

The real-time strategy and first-person shooter game Savage taught Lee Holloway (@icqheretic), co-founder and lead engineer at CloudFlare, critical aspects of managing exploits in his defenses. The game uses a combination of intelligent commanders and soldiers who do the grunt work, and it was highly akin to Holloway’s work in security.

“A hacker will send the equivalent of his soldiers [his probes] to look for weaknesses in your infrastructure, and then attempt to exploit them when he finds them. Good products will deny these attacks, but you also need probes of your own, designed to watch for and record these attacks, sending the intelligence back internally so you can build a better defense,” explained Holloway. “Good security is a strong defensive foundation that denies the opponent intel.”

13: Plan for the worst

Game: SimCity

SimCity wouldn’t be much of a challenge if you didn’t have to deal with random natural (e.g., tornados, fire) and unnatural (e.g., monsters) disasters.

“Without the right planning and placement of elements in the game that prevent or mitigate these disasters, there is a negative impact on overall progress,” explained Jason S. Dover (@jaysdover), director of product line management at KEMP Technologies. “Data centers metaphorically mirror the complex infrastructures of the cities built in real life and in the game. The planning and architecture phase is the best point to think about how to prevent and mitigate security risks.”

14: Develop strategy or win by cheating

Game: Monopoly

“Monopoly taught me to plan, not just react to what is happening this turn, but to think about what may or may not happen in the future; to have a strategy and be ready to react to things that are outside of my control from paying other players after landing at their hotel or going directly to jail,” said Adam Ely (@adamely), co-founder of Bluebox Security. “This planning of strategy, knowing where and when to buy and how to account for the unknown, is much like building a security program.”

If strategy doesn’t work, then maybe you can cheat.

“Playing Monopoly, I would conceal the amount of money I actually had so that my competitors underestimated my buying power,” said Steve Prentice (@stevenprentice), writer at CloudTweaks. “This taught me to trust no one, especially when they look legitimate since I would never want to be taken by someone as underhanded as myself.”

David Spark is a veteran tech journalist and founder of the brand journalism firm Spark Media Solutions. Spark has reported on the tech scene for more than 18 years in more than 40 media outlets. He blogs regularly at the Spark Minute, and you can listen to him weekly on his ...

Comments
vickipadila
User Rank: Apprentice
6/4/2017 | 11:56:01 PM
Re: Life Principles
Pretty good post. I found your website perfect for my needs. Thanks for sharing the great ideas. I liked the article, I'll be back to read more of your blog later =) Thanks for posting it, again!

RyanSepe
User Rank: Ninja
7/28/2015 | 1:28:14 PM
Monopoly Cheating?
Is concealing your finances cheating in Monopoly? I always stacked my bills for the same reason that you did but would not constitute it as cheating but strategy. If it is cheating, I would be very surprised.
RyanSepe
User Rank: Ninja
7/28/2015 | 1:25:55 PM
Life Principles
Very interesting, great article. Many of these ideals can be leveraged not only in security but can be used as a good framework for life. I very much like how you applied each principle to real life security scenarios. Well done.