User:JJims/sandbox

= Cyber Tabletop =
A Cyber Tabletop is a technical assessment and a test and evaluation best practice conducted using subject matter experts of the system (usually the system architects and developers), red team members, and system users to identify cyber vulnerabilities early in the development life cycle. The goal of a cyber tabletop is to identify vulnerabilities of a system early in the development process, identify mitigations that can be implemented to reduce the identified vulnerabilities, and overall reduce the risk of a breach occurring once the system is fielded. Cyber tabletops can be conducted by any organization including healthcare organizations.



Overview
Cyber tabletops are conducted to identify vulnerabilities in a system or system of systems during its development cycle and can be "one of the most useful tools for cybersecurity testing, evaluation and training". Cyber tabletops use system subject matter experts, red teams, and system users to help identify vulnerabilities and mitigations, increasing the overall cyber hardening of the system. Tabletops can provide a relatively cheap alternative to a penetration test, especially when it can be as large as the Cyber Europe 2010 table-top exercise.

During the process of a cyber tabletop, system documents are collected and reviewed weeks before the actual tabletop is conducted, allowing time for the red team to become more familiar with the system design and identify system vulnerabilities. Once the documentation has been reviewed, the actual cyber tabletop is conducted. The cyber tabletop usually lasts a week but can vary depending on system complexity. The subject matter experts, red team, and system users gather in a room and the subject matter experts explain how the system operates. Once the subject matter experts have explained the system, the red team, subject matter experts, and system users break off into groups. During the next few days, these groups determine the vulnerabilities that can affect the system, the effort required to breach them (usually documented in a cyber security matrix), and the mitigations that are implemented in the system to reduce the risk of a breach.

During the last couple of days of the cyber tabletop, the groups come back together. The red team discusses each vulnerability they have identified, while the subject matter experts and system users discuss how the vulnerability is mitigated (if a mitigation exists).

At the end of the cyber tabletop, a report is generated documenting the vulnerabilities identified during the process, the impact to the system if a breach occurs, and the effort an adversary would need to breach each identified vulnerability. This provides a priority of work for future system testing and changes.

Facilitator
The facilitator ensures that the red team is provided documentation in a timely manner so that they are prepared when the cyber tabletop is conducted. During the cyber tabletop, the facilitator ensures that the group stays on schedule and does not continue to discuss issues not important to the cyber hardening of the system being assessed.

Subject Matter Experts
The subject matter experts are responsible for providing the system documentation to the facilitator and red team. They know the system being assessed and are usually its developers. During the cyber tabletop, they provide knowledge of the system and of the mitigations it implements to reduce breaches.

Red Team
The red team provides the adversarial assessment for the cyber tabletop. The red team reviews the system documentation and uses its expertise to identify vulnerabilities of the system. During the cyber tabletop, the red team identifies and discusses vulnerabilities of the system as well as identifies the effort it would take an adversary to breach the vulnerability.

System Users
System users provide mitigations that a user would take if the system performed at a degraded state or did not perform at all. For instance, a user may revert to a manual log book entry if their database is not accessible, then populate the database with the manual log book entries once the system is restored.

Vested interest of reviewers
Reviewers have a vested interest in the cyber tabletop. The program manager can identify the critical system vulnerabilities that would require the least amount of effort from a malicious user to gain access to a system. This information allows the program manager to prioritize resources to make system design changes to reduce the threat of a breach using the vulnerability. Engineers are able to identify additional mitigations that can be implemented into the system to reduce the risk of a breach. System users can identify additional training requirements to reduce the risk of a breach or how to overcome system degradation if the system is breached by a malicious user.

Distinction from other types of technical reviews
The cyber tabletop is focused on finding cyber vulnerabilities of a system, including threats originating outside and inside an organization (insider threat).