"My predisposition to be a gamer -- and to gravitate toward certain kinds of games -- also predisposes me toward security," said Will Irace (@spblat), VP of technology alliances at Fidelis Cybersecurity.
Gaming is often a hidden form of training. In Ender’s Game, officials send the hero purposefully through a “game” to prepare him for the military. “The stress Ender goes through is not unlike the stress many cybersecurity professionals hit as well,” explained Steve Herrod (@herrod), managing director at General Catalyst Partners.
As you’ll soon see, there are plenty of analogies between gaming and security, but keep in mind that there is one significant caveat. While most games have structure, “the rules of cybersecurity are non-existent. There are no level playing field, no referee, and no arbitration authority,” noted Monzy Merza (@splunk), chief security evangelist at Splunk.
Read on for 20 sound security tips from a host of professionals and a list of great games to play to improve your infosec finesse.
1: Work as a team
“In both volleyball and security, working well with the rest of your team (IT, business operations, internal audit, etc.) is much more important than being the best individual player out there,” explained Robb Reck (@robbreck), CISO at Pulte Group. “An effective team knows when and where to pick up for the other players (what tasks are mine, and what are yours). One player who takes over everything ends up hurting the team in the long run.”
2: Manage the mind-numbing tedium of security
Games: World of Warcraft, poker
“Horrible, endless, boring repetition,” admitted Jayson E. Street (@jaysonstreet), infosec ranger at Pwnie Express, of the strategy necessary to win at both World of Warcraft and security. “You have to do repetitive tasks. You have to go out and collect a certain kind of trinket, or kill a certain type of monster a certain number of times to complete the quest. Not all infosec tasks involve fighting on the front lines of the cyberwar. The important things are repetitive such as making sure that systems are updated, making sure the IDS is configured properly, or enforcing policies.”
“[Similarly] poker, when done right, reduces to hours of tedium where you set up each hand to either be a small loss or a midsized gain,” said Jeffrey Bolden (@BlueLotusSIDC), managing partner at Blue Lotus SIDC. “Occasionally there is a situation you haven’t prepared for -- instead of a quick fold, you get unexpectedly raised and the hours of tedium are broken with a moment of terror when you realize you’ve lost control of the situation and you are the one facing a choice between surrendering your pot equity or making a large bet against odds. Good security, like poker, is about avoiding those moments through preparing for scenarios.”
3: Play defense and offense simultaneously
Games: basketball, Risk
"The problem with our current information security program is that it is completely defensive in nature, always playing a half-court game on defense,” said basketball fan Jeff Bardin (@treadstone71llc), chief intelligence officer at Treadstone 71. “Information security needs offense to keep the opponent in a defensive posture.”
“Immediate advantage goes to those who can outthink their opponents early on in the game” when playing Risk, added Alan Kessler (@kessalan), CEO at Vormetric. “Like data encryption, your territory determines your risks. Some locations are easier to defend or attack, just like industries such as financial or healthcare.”
4: Stay ahead of your opponent and be prepared for attacks from any side
“There are near countless numbers of ways that your enemy could approach and capture your king,” said Aaron Marks (@arcsource), VP of client services at Arcsource. “My job is to try to predict each potential method of attack and protect against all of them using every piece on the board working together.”
"In chess, when you don’t ask yourself what your opponent is threatening, you can easily lose valuable assets or get mated. Similarly, if you assume a piece is safe -- be it on the board or part of a system -- you will be compromised,” said Mikko Hypponen (@mikko), chief research officer at F-Secure.
“Chess also highlights the power imbalance between attackers and defenders. In chess, even the weakest piece, the pawn, can defeat the king,” added Dean. “If the pawn can evade the defenses and cross the board, it can instantly become one of the most powerful pieces in the game, the queen.”
“Playing chess pushes the raw computational power of the brain deeper than any other game of its type,” said Sam Curry (@samjcurry), CSO and CTO at Arbor Networks. “A chess master or even a grandmaster brings more analytical ability to the practice of security, in my opinion, than the practitioners of any other class of game.”
However, Mike Lloyd (@dr_mike_lloyd), CTO at RedSeal would argue that advanced chess would be more analogous to security because it relies on a combination of the computational power of computers with the reasoning power of humans.
“We need ‘blunder-free’ defenses from computers, but we also do not want to hand over all our security to machines because they do not understand the [ever-shifting] rules of the game,” said Lloyd.
5: Think outside the box
Games: Adventure, Grand Theft Auto, Dungeons and Dragons
“The most important skill in security is the ability to ‘think different.’ Not the boring corporate Apple slogan way, but the MacGyver way of using magnesium from a bike frame to create an explosion,” said Jeff Williams (@planetlevel), CTO and co-founder of Contrast Security, who learned his “out of the box” thinking from playing text-based UNIX games such as Adventure.
“You must be willing to do things the bad guys do without completely compromising your integrity,” added Dr. Chase Cunningham (@cynjachasec), threat intelligence lead at FireHost, of playing Grand Theft Auto. “If you limit yourself specifically to the bounds of the game, then you will never really accomplish much. You must be willing to operate on the fringes of the game and use your active imagination to grow your progress and beat the game. That is akin in my mind to how a good security professional should think.”
Nathan Wenzler (@Thycotic), senior technology evangelist at Thycotic, argued that video games are too limiting. With Dungeons and Dragons, “you’re only limited by what you can convince the Dungeon Master that your character is capable of doing… The more creative you can get with solving the problem at hand, the better you are rewarded. These kinds of skills lend themselves well to common troubleshooting and auditing processes in security.”
6: Understand your opponent
Games: football, martial arts
“To prepare the right way for a football game, a team works relentlessly on getting into the mind of the opponent. A ‘practice team offense’ essentially becomes the offense of the opponent. This way, the team’s defense is forced to practice what it will really face on game day,” said Steve Barone (@baronesteve), CEO at CBI.
“Someone out there, either in martial arts or in cybersecurity, will either be better than you or at least be in a situation where they have the advantage,” admitted Ben Johnson (@chicagoben), chief security strategist at Bit9 + Carbon Black.
Close the gap, advised Jeremiah Grossman (@jeremiahg), Brazilian Jiu-Jitsu (BJJ) black belt and founder of WhiteHat Security, “In infosec or BJJ, remaining calm and working the problem while in extremely stressful and uncomfortable positions is paramount… The person who has experienced the most scenarios and can execute the best tends to win.”
7: Prepare for an always-changing environment
Games: paintball, rugby, Starcraft
“Every time you take the field in paintball, you don’t know what you’re up against until the game gets started,” said Peter Fellini (@zensar), security engineer at Zensar Technologies. “Are these guys more skilled than us? Are they faster than us? Do they have better equipment?”
This same dynamic plays out in rugby. “The tactics for offense and defense in rugby change throughout the match and depend entirely on which plays you and the opposing team have available. It has taught me to be flexible in all aspects of security,” said Andrew Hay (@andrewsmhay), director of security research at OpenDNS.
If you’re not eager to get pummeled by paint pellets or other bodies, Nestor Rincon, founder of Rincon Dynamic, suggests playing StarCraft: “At any moment during the game, your opponent can suddenly switch tactics, and you have to be able to adapt. Otherwise, you risk losing the game.”
8: Develop team-based situational awareness
Games: basketball, hockey, soccer, dodge ball
“If you ever watch a basketball, hockey, or soccer team, where the players have been playing for a while, they instinctively know where their teammates will be on the court, rink, or field,” explained Edward Haletky (@texiwill), managing director at The Virtualization Practice. “Similarly, in dodge ball you have to know where you are and where everyone else is at all times. It builds great situational awareness, which is required for security professionals -- something they can help others to learn as well as to use themselves.”
9: Flex real-time response skills
Games: Doom and first person shooters
“True success is in your team's ability to be prepared, be agile, and act decisively in the face of much stronger numbers and innovative enemies,” said Schwartz.
10: Manage your resources
“In security, we don’t have the luxury of unlimited time and resources to prepare against an attack, because we don’t know when it will come,” said Adrian Sanabria (@sawaba), senior analyst at enterprise security practice 451 Research. “In both Minecraft and information security, you have to understand the threats and your time/resource limitations. Then you have to act and hope the time and resources you have are enough to be ready when the attack comes.”
11: Learn how to hack
Games: Dungeons and Dragons, Rogue
“Dungeons and Dragons is complicated, literate, creative, social, open-ended, and has about a gazillion rules, all ripe for hacking,” said Bruce Schneier (@schneierblog), CTO at Resilient Systems Inc. “What better way to imbue someone with the security mindset?”
Playing Rogue exposed Wendy Nather (@RCISCWendy), research director at Retail CISC/ISAC to “unintentional functionality” that resulted in a bug in the game’s code. “I learned how to cheat,” admitted Nather.
The bug, Nather discovered, was the unstoppable power of a reused arrow, which allowed her to get the high score.
“I learned how to think creatively, try functions in ways that were never intended, and hunt around for things to exploit,” said Nather. “In other words, I learned to hack.”
12: Build defenses and manage penetration
The real-time strategy and first-person shooter game Savage taught Lee Holloway (@icqheretic), co-founder and lead engineer at CloudFlare, critical aspects of managing exploits in his defenses. The game uses a combination of intelligent commanders and soldiers who do the grunt work, and it was highly akin to Holloway’s work in security.
“A hacker will send the equivalent of his soldiers [his probes] to look for weaknesses in your infrastructure, and then attempt to exploit them when he finds them. Good products will deny these attacks, but you also need probes of your own, designed to watch for and record these attacks, sending the intelligence back internally so you can build a better defense,” explained Holloway. “Good security is a strong defensive foundation that denies the opponent intel.”
13: Plan for the worst
SimCity wouldn’t be much of a challenge if you didn’t have to deal with random natural (e.g., tornados, fire) and unnatural (e.g., monsters) disasters.
“Without the right planning and placement of elements in the game that prevent or mitigate these disasters, there is a negative impact on overall progress,” explained Jason S. Dover (@jaysdover), director of product line management at KEMP Technologies. “Data centers metaphorically mirror the complex infrastructures of the cities built in real life and in the game. The planning and architecture phase is the best point to think about how to prevent and mitigate security risks.”
14: Develop strategy or win by cheating
“Monopoly taught me to plan, not just react to what is happening this turn, but to think about what may or may not happen in the future; to have a strategy and be ready to react to things that are outside of my control from paying other players after landing at their hotel or going directly to jail,” said Adam Ely (@adamely), co-founder of Bluebox Security. “This planning of strategy, knowing where and when to buy and how to account for the unknown, is much like building a security program.”
If strategy doesn’t work, then maybe you can cheat.
“Playing Monopoly, I would conceal the amount of money I actually had so that my competitors underestimated my buying power,” said Steve Prentice (@stevenprentice), writer at CloudTweaks. “This taught me to trust no one, especially when they look legitimate since I would never want to be taken by someone as underhanded as myself.
15: Learn to cope with failing equipment
Game: Ironman triathlons
“Triathlons require tremendous mental and physical preparation to endure both the demands of the course and the unexpected circumstances that inevitably conspire to keep you from your goal,” said James Bindseil (@Globalscape), CEO at Globalscape and Ironman competitor.
When your equipment breaks down on the course or in your IT environment, you need the mental acuity to press on, said Bindseil. “If you enter the race with a defeatist attitude, you’ve lost already."
16: Fill in network gaps
“Networks are ever-growing stacks composed of twisted pieces that at best fit together poorly leaving frustrating gaps, and at worst take the system down,” said Dan Kaminsky (@dakami), chief scientist and co-founder of White Ops.
“Any gap missed, and you can be leaving your data open to hackers and impending threats,” added Krčma.
17: Constantly assess risk
Games: extreme water sports
“Extreme sportspeople often take risks, but these risks are always analyzed and calculated,” said Marc Woolward (@vArmournetworks), CTO at vArmour and the current British and World Cup Masters champion of surf kayaking. “Like extreme sports, today’s digital enterprise operates within an inherently dangerous environment. The only way to survive and succeed in such conditions is to conduct careful risk assessments based upon known facts -- and act upon them."
18: Accept defeat. It’s part of security.
Games: Rymdkapsel, martial arts, paintball
“Much like security, the goal of Rymdkapsel (see GIFs) is to develop a system that can successfully defend your base against a never-ending onslaught of faceless enemies who cannot be reasoned with,” said Fidelis Cybersecurity’s Irace. “As in security, 100% success cannot be assured, and defeat may be inevitable, and that has to be part of the plan.”
“We don't always have to win -- we just have to protect ourselves from losing,” said Ben Tomhave (@falconsview), security architect at K12 and a practitioner of BJJ. “As defenders, we don't need to win so much as work for a tie, ensuring that attackers don't win,” he added.
“Playing paintball, you’re going to get hit, but you can’t think of that or you’ll be playing defense all day long. Think instead of how many people you’re going to hit,” said Zensar’s Fellini. “Have fun with security and understand that you’re going to get hit, but don’t dwell on it. Have fun and go out and hit the other team.”
19: Reveal patterns with minimal information
Games: Myst, logic puzzles
“In order to succeed in infosec, you need to have and understand the hacker’s mindset,” said Corey Nachreiner (@WatchGuardTech), CTO at WatchGuard. “For me, the puzzle solving in Myst encouraged and developed this sort of thinking.”
Similar to Myst, “logic puzzles such as Cheryl’s Birthday give you the barest minimum information with which you can find the answer through logical deduction,” explained Dave Bennett (@ionusecurityinc), CTO at IONU.
“In the game Myst, players are dropped into an environment they might not understand, with only a little backstory. They explore and extract little bits of information that might be useful to solve the connected puzzles that allow them to move forward to their objective,” said Sam Elliott (@Bomgar), director of emerging products at Bomgar. “For me as a security professional, identifying with the way a foe might be thinking is key to being able to develop solutions that help prevent them from being able to move forward.”
20: Exercise your social-engineering skills
Games: Diplomacy, Dungeons and Dragons, poker
“Games like Diplomacy, Dungeons and Dragons, and poker, with their high emphasis on the social domain and emotional quotient [as opposed to IQ], are important since much of security involves fundamental human conflict and understanding of people,” said Arbor Networks’ Curry.
“To immerse oneself in a character, improvise lines and actions, and then respond quickly to interactions from the group has helped shape a lot of the ways I handle presentations, brainstorming sessions, and troubleshooting,” said Thycotic’s Wenzler. “Most RPGs [role-playing games] reward players for talking their way out of situations and acting in a way that is appropriate for their role in the group.”
Conclusion: Gamers have the right mindset for security
“These types of games are similar to building a foundation and adapting to the changing threats information security professionals face,” concluded Bob West (@rkw59), chief trust officer at CipherCloud. “I'm convinced these games allow me to make better decisions not just in how information is protected, but also in making strategic business decisions.”