
User:JJims/sandbox

From Wikipedia, the free encyclopedia

Cyber Tabletop

A Cyber Tabletop is a technical assessment and a test and evaluation best practice[1] conducted with subject matter experts of the system (usually the system architects and developers), red team members, and system users to identify cyber vulnerabilities early in the development life cycle. The goal of a cyber tabletop is to find a system's vulnerabilities early in the development process, identify mitigations that can be implemented to reduce them, and thereby lower the risk of a breach once the system is fielded. Cyber tabletops can be conducted by any organization, including healthcare organizations[2].

Example of Documents Reviewed (Network Diagram)

Overview

Cyber tabletops are conducted to identify vulnerabilities in a system or system of systems during its development cycle and can be "one of the most useful tools for cybersecurity testing, evaluation and training"[3]. Cyber tabletops use system subject matter experts, red teams, and system users to identify vulnerabilities and mitigations, increasing the overall cyber hardening of the system. Tabletops can be a relatively cheap alternative to a penetration test, especially at the scale of an exercise such as the Cyber Europe 2010 table-top exercise[4]. During a cyber tabletop, system documents are collected and reviewed weeks before the tabletop itself is conducted, giving the red team time to become familiar with the system design and identify system vulnerabilities. Once the documentation has been reviewed, the cyber tabletop itself is conducted.

The cyber tabletop usually lasts a week but can vary depending on system complexity. The subject matter experts, red team, and system users gather in a room and the subject matter experts explain how the system operates. Once the system has been explained, the red team, subject matter experts, and system users break off into groups. During the next few days, these groups determine the vulnerabilities that can affect the system, the effort required to breach each vulnerability (usually documented in a cyber security matrix[5]), and the mitigations implemented in the system to reduce the risk of a breach.

During the last couple of days of the cyber tabletop, the groups come back together. The red team presents each vulnerability it has identified, while the subject matter experts and system users explain how the vulnerability is mitigated (if a mitigation exists).

At the end of the cyber tabletop, a report is generated documenting the vulnerabilities identified during the process, the impact to the system if each is breached, and the effort an adversary would need to breach it. This provides a priority of work for future system testing and changes[6].
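As an added illustration, not part of the article or of any cited source, the following Python script models the cyber security matrix the break-out groups fill in (vulnerability, impact, adversary effort, implemented mitigations, user workaround) and the priority of work the final report derives from it. The ordinal impact and effort scales, the scoring rule, the assumption that each implemented mitigation raises adversary effort by one step, and the sample findings are all constructed for this example.

```python
"""Cyber tabletop findings matrix and priority-of-work ranking (added example).

Scales, weighting and sample data are assumptions, not from the article.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed ordinal scales (1 = low, 3 = high). A real exercise agrees on its
# own scales before the groups break out.
IMPACT = {"low": 1, "moderate": 2, "high": 3}   # impact to the system if breached
EFFORT = {"low": 1, "moderate": 2, "high": 3}   # effort an adversary would need


@dataclass
class Finding:
    vuln_id: str
    description: str
    impact: str
    effort: str
    mitigations: List[str] = field(default_factory=list)  # implemented in the system
    user_workaround: Optional[str] = None  # what users do if the system degrades

    def risk_score(self) -> int:
        """Raw score: high impact reachable with low effort ranks highest.

        score = impact * (4 - effort), giving a range of 1..9.
        """
        return IMPACT[self.impact] * (4 - EFFORT[self.effort])

    def residual_score(self) -> int:
        """Score after mitigations.

        Assumption for this example: each implemented mitigation raises the
        adversary's effort by one step, capped at the top of the scale.
        """
        effective_effort = min(3, EFFORT[self.effort] + len(self.mitigations))
        return IMPACT[self.impact] * (4 - effective_effort)


def priority_of_work(findings: List[Finding]) -> List[Finding]:
    """Order findings as the report would: highest residual risk first,
    ties broken by raw score, then by identifier for a stable listing."""
    return sorted(
        findings,
        key=lambda f: (-f.residual_score(), -f.risk_score(), f.vuln_id),
    )


def report_rows(findings: List[Finding]) -> List[Tuple[str, int, int, str]]:
    """Rows of the closing report: id, raw score, residual score, mitigated?"""
    return [
        (f.vuln_id, f.risk_score(), f.residual_score(), "yes" if f.mitigations else "no")
        for f in priority_of_work(findings)
    ]


# Constructed sample matrix (illustrative findings, not real ones).
SAMPLE = [
    Finding("V-01", "Maintenance interface reachable from the user network segment",
            "high", "low", mitigations=["ACL restricting the maintenance segment"]),
    Finding("V-02", "Database unavailable under sustained load", "moderate", "moderate",
            user_workaround="revert to manual log book; re-enter once restored"),
    Finding("V-03", "Insider can alter stored log records", "high", "moderate"),
    Finding("V-04", "Update channel accepts unsigned packages", "high", "high",
            mitigations=["channel disabled in fielded configuration",
                         "physical access required to enable it"]),
]

if __name__ == "__main__":
    for row in report_rows(SAMPLE):
        print(row)
```

The ranking puts V-01 first even though it is mitigated: a high-impact, low-effort finding still carries the most residual risk after one mitigation, which is exactly the kind of result a program manager uses to decide where design changes go first.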

Roles of participants

Facilitator

The facilitator ensures that the red team receives documentation in a timely manner so that it is prepared when the cyber tabletop is conducted. During the cyber tabletop, the facilitator keeps the group on schedule and stops discussion of issues not relevant to the cyber hardening of the system being assessed.

Subject Matter Experts

The subject matter experts are responsible for providing the system documentation to the facilitator and red team. They know the system being assessed (they are usually its developers) and, during the cyber tabletop, explain how the system works and which mitigations it implements to reduce the risk of a breach.

Red Team

The red team provides the adversarial assessment for the cyber tabletop. The red team reviews the system documentation and uses its expertise to identify vulnerabilities of the system. During the cyber tabletop, the red team presents and discusses the vulnerabilities it has identified, along with the effort an adversary would need to breach each one.

System Users

System users provide the mitigations a user would apply if the system performed in a degraded state or not at all. For instance, if the database is not accessible, a user may revert to manual log book entries and then populate the database from those entries once the system is restored.

Vested interest of reviewers

Reviewers have a vested interest in the cyber tabletop. The program manager can identify the critical system vulnerabilities that require the least effort from a malicious user to gain access to the system. This information allows the program manager to prioritize resources for system design changes that reduce the threat of a breach through those vulnerabilities. Engineers can identify additional mitigations to implement in the system to reduce the risk of a breach. System users can identify additional training requirements to reduce the risk of a breach, or ways to overcome system degradation if the system is breached by a malicious user.

Distinction from other types of technical reviews

The cyber tabletop is focused on finding cyber vulnerabilities of a system, including threats originating both outside and inside an organization (insider threat).

  1. ^ "Department of Defense, Developmental Test and Evaluation FY 2015 Annual Report" (PDF). p. 63. Retrieved 26 Feb 2017.
  2. ^ "DHS Cyber Tabletop Exercise (TTX) for the Healthcare Industry [Exercise Materials]". Retrieved 26 Feb 2016.
  3. ^ Chowdhry, Aisha (11 May 2016). "Tabletop exercises a useful tool in cybersecurity testing". FCW, The Business of Federal Technology. Retrieved 26 Feb 2016.
  4. ^ Everett, Cath (July 2011). "Computer Fraud & Security". Science Direct, Volume 2011, Issue 7, pp. 5–7. Retrieved 26 Feb 2017.
  5. ^ Garvey, Paul; et al. (11 Dec 2012). "A macro method for measuring economic-benefit returns on cybersecurity investments: The tabletop approach". System Engineering, Section 2.0. DOI: 10.1002/sys.21236. Retrieved 26 Feb 2017.
  6. ^ Christensen, Peter (10–11 May 2016). "Cybersecurity Testing and Training, TRMC/National Cyber Range, "Top 10" Lesson's Learned" (PDF). Retrieved 26 Feb 2017.