Dailydave mailing list archives
Regulations and Cybersecurity
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 17 Jul 2013 12:18:29 -0400
So Quantum Dawn 2 <http://www.sifma.org/services/bcp/cybersecurity-exercise--quantum-dawn-2/> is coming up - and it's a good opportunity to talk about how exercises like that in general work, and what they find, and so forth. These are essentially faked table-top exercises, which leads a lot of the technical people on this list to wonder how Wall Street playing what is basically a weird Dungeons and Dragons game with hacking is going to help anyone in any way whatsoever. I totally feel you on this. However, the Government does this sort of thing all the time, both for disaster recovery efforts of all kinds (the best known is the National Level Exercise <http://www.fema.gov/national-level-exercise>) and of course in the military to examine potential responses to invasions from both sides (if you haven't read the War Nerd on this subject, then you're missing out: http://exiledonline.com/the-war-nerd-this-is-how-the-carriers-will-die/).

What the government, and other groups like it, like about them is that, like penetration tests, the goal of these table-top exercises is to find out something surprising! And they usually succeed, even if the surprising thing is somewhat boring. In most cases it's "I have no way to talk to you securely when I really need it" or "the regulations, laws, and contracts I am subject to forbid me to give you the data you most need". (This is why most often these games involve quite a lot of lawyer time.)

Quantum Dawn 2 examines a hacker attack on the sector of the world most vulnerable to cyber attack - the financial sector. Banks, insurance companies, brokers, hedge funds, exchanges, and so forth, are your worst case scenario for hacker attack in nearly every way. They are real-time. They are heterogeneous and tightly tied across national and geographic boundaries. They have emergent behavior that is very difficult to model. They operate 24/7 and at high speeds with high sensitivity to latency. They operate on tight trust, and reputational damage can be a fatal wound.

Generally when our clients ask us about this sort of game, they want to know "What will we learn? What's the real value here?" and when the test is done RIGHT, the only possible answer is "There's no way to know, but there's no doubt you'll learn SOMETHING." Plus, some people just really enjoy D&D. I know I did. (Your network has been attacked by a Beholder, roll for save! :>)

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave