mailing list archives
Regulations and Cybersecurity
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 17 Jul 2013 12:18:29 -0400
So Quantum Dawn 2
is coming up - and it's a good opportunity to talk about how exercises
like that in general work, and what they find, and so forth. These are
essentially faked table-top exercises, which leads a lot of the
technical people on this list to wonder how Wall Street playing what is
basically a weird Dungeons and Dragons game with hacking is going to
help anyone in any way whatsoever.
I totally feel you on this.
However, the Government does this sort of thing all the time, both for
disaster recovery efforts of all kinds (the best known is the National
Level Exercise <http://www.fema.gov/national-level-exercise>) and of
course in the military to examine potential responses to invasions from
both sides (if you haven't read the War Nerd on this subject, then
you're missing out:
What the government, and other groups like about them is that like
penetration tests, the goal of these table-top exercises is to find out
something surprising! And they usually succeed, even if the surprising
thing is somewhat boring. In most cases it's "I have no way to talk to
you securely when I really need it" or "the regulations, laws , and
contracts I am subject to forbid me to give you the data you most need".
(This is why most often these games involve quite a lot of lawyer time.)
Quantum Dawn 2 examines a hacker attack on the sector of the world most
vulnerable to cyber attack - the financial sector. Banks, insurance
companies, brokers, hedge funds, exchanges, and so forth, are your worst
case scenario for hacker attack in nearly every way. The are real-time.
They are heterogeneous and tightly tied across national and geographic
boundaries. They have emergent behavior that is very difficult to model.
They operate 24/7 and at high speeds with high sensitivity to latency.
They operate on tight trust, and reputational damage can be a fatal wound.
Generally when our clients ask us about these sort of games, they want
to know "What will we learn? What's the real value here?" and when the
test is done RIGHT, the only possible answer is "There's no way to know,
but there's no doubt you'll learn SOMETHING."
Plus, some people just really enjoy D&D. I know I did. (Your network has
been attacked by a Beholder, roll for save! :>)
Description: OpenPGP digital signature
Dailydave mailing list
Dailydave () lists immunityinc com
- Regulations and Cybersecurity Dave Aitel (Jul 17)