Netflix series The Queen’s Gambit was another hit series last year that Britons – and the world for that matter – quickly added to their lockdown binge-watching lists. Not only was it branded a ‘must-watch’ show on Netflix, but Google searches for ‘How to play chess’ also skyrocketed around the world. Although a popular game, high-level chess is extremely complicated. However, some of its basic rules and stratagems are useful in explaining something even more complicated: cyber-security, writes David Higgins, EMEA Technical Director at the cyber company CyberArk.
Let’s explore how.
If you ask someone with no knowledge of chess to play against you, they will play tactically. In other words, they will be reactive and make short-term decisions based on your preceding move. This tactic simply won’t work in the long run against a chess pro. That’s because chess pros use strategy, not tactics. They bait other players into positions that are beneficial to them. Chess pros aren’t just thinking about the next move, they’re thinking about the endgame. They see the bigger picture.
As cloud adoption increases, the threat landscape expands. To operate in this environment, businesses must strive to adopt the same mindset as chess pros in the digital world and see the bigger picture. One example of long-term strategy is investing in Privileged Access Management, PAM for short. PAM is an integrated part of a business’ day-to-day operations. It helps IT and security teams provision and deprovision access to different areas of a network for the accounts operating on their systems.
If, for example, a malicious GIF allows a cyber-attacker to gain a foothold on an endpoint in the network, PAM means the compromised account will likely only have limited control and reduced privilege on the system. The attack, in this way, is unlikely to penetrate the network any further. Instead of responding reactively to an attack, PAM allows businesses to deploy security measures pre-emptively.
In chess, the player with the white pieces always moves first. It’s also common consensus that this player holds the automatic advantage. In fact, in 1946 a man named William Franklyn Streeter discovered the ‘first move advantage’ – a concept dictating that the player using white pieces will, on average, win over 52 percent of all games.
In cybersecurity, the white hats (security professionals) can also take advantage of this concept. By understanding and locking down likely attack routes, white hats can limit black hats’ (cybercriminals) chances of success. Moving first, taking proactive security measures, and anticipating attacks will automatically provide businesses with the ‘first move advantage’.
This approach is especially pertinent when it comes to cloud security. Our 2019 Global Advanced Threat Landscape Report discovered that as many as 55 percent of UK businesses lack a privileged access security strategy for protecting business-critical applications and cloud infrastructure. And when evidence shows that 77 percent of cloud-related incidents involved stolen credentials, this is an alarming result.
Deciding on the right approach to secure a multi-cloud environment may provoke delay. But this is an easily solvable challenge and one that must be prioritised.
Keeping the king safe
There’s a hierarchy between chess pieces. Pawns, the least powerful piece, are at the bottom. There are many of them and they have limited capabilities. The king – the piece that decides the end of the game – is at the top. Protecting the king, in other words, is of the utmost importance to a player.
Similarly, in cybersecurity, IT and security teams must work from the top downwards. They must prioritise the security of their organisation’s most privileged accounts and credentials – those that confer access to critical systems and information – first before moving down the chain of priorities. In the event of a cyber-attack, losing a few ‘pawns’ may be inevitable, but it’s crucial to prioritise the protection of the ‘king’.
Knowing your own vulnerabilities
You’ll often see people playing chess against themselves. Without a partner, it’s a useful way to practise moves and techniques, running through the decisions that they would make in certain scenarios. The same technique can be applied to security. In fact, according to research conducted at the Black Hat conference in 2019, over 70 per cent of respondents said their businesses conduct ‘red team’ exercises. Simulated attacks can be employed to actively seek out vulnerabilities in their own security infrastructure – an effective way to proactively prepare for real attacks in the future.
Taking an integrated approach
One of the most hotly discussed aspects of chess is its ‘opening principles’ – the strategies players use to ‘open’ a game. And the most important opening principle is for a player to make use of the diverse range of pieces at their disposal. To win in chess, all pieces must be used to achieve the end goal of cornering an opponent’s king.
In cybersecurity, businesses must use a diverse set of tools to build their cyber-defences. This means using technologies such as antivirus software, encryption programmes, and privileged access management to cover all bases.
However, IBM’s recent Global Cyber Resilient Organization Report showed that “Organisations using 50-plus security tools ranked themselves 8pc lower in their ability to detect, and 7pc lower in their ability to respond to an attack, than those respondents with less tools”. Businesses shouldn’t buy security tools on a whim in the hope of implementing effective security. History shows that attackers will often focus their efforts on strategies that provide the most access and, therefore, the most impact. These tactics often stick to a similar pattern. Organisations should focus their own efforts and security investment on breaking these patterns first, before moving to more advanced measures.
Before the world moves on to the next Netflix sensation and chess is once again left in the safe hands of experts, let’s take some notes from a game that’s been a bellwether of strategy for thousands of years. The overarching take-away is that it’s always better to be proactive than reactive. Strategic preparations in advance of an event trump a tactical response after it. Integrating security measures into the very framework of your organisation’s processes using measures like PAM should be a priority. Those that let the cyber-attacker make the first move have already given away the advantage.