Useless box?
https://www.youtube.com/watch?v=aqAUmgE3WyM
Ever-exciting Cabinet Office minister David Lidington has put his name to a new infosec response testing tool developed by the NCSC, called (wait for it) Exercise in a Box. In a speech due to be delivered to the Cyber UK conference in Glasgow later today, Lidington will inform the world: "This new free online tool will be …
Having been part of the alpha testing for EiaB, I can say it's not what they are making it out to be.
The "table top exercises" are more of a led discussion around what, if any, defences you have.
The "exercise" is just about enough to exercise a small generalist IT team, but anyone with security training will beat it in 10 mins.
Well, that's a bit of a problem. From my own experience in table-top exercises, its value is in making the higher-ups more aware of what they are up against. An improvement would result in making the higher-ups more aware of what they need to do to be better aware of what their front-line security people are facing.
Unfortunately, execs have this need to appear as if they are the originators and authors of all new ideas, and they can't afford to appear ignorant, which results in willful ignorance at the executive level. This is not just an idle rant. I know what it means to have relevant and important information fall on deaf ears, and then have to shift to a strategy that will allow higher-ups to appear as if they're on top of things. Gawd, I hate politics.
"I know what it means to have relevant and important information fall on deaf ears, and then have to shift to a strategy that will allow higher-ups to appear as if they're on top of things. Gawd, I hate politics."
You are playing politics wrong. You should shift strategy, but in such a way that those suffering from deaf ears are removed. Very carefully document giving that relevant and important information. Let the completely foreseeable incident happen. Point out that you warned about it, but the higher-ups failed to listen and/or act. At that point those higher-ups will try to silence you. Go over their heads with the full documentation. The only time this fails is when the higher-ups not listening are C-level and it isn't a regulated type of business. With regulated businesses like banks and insurance companies (but not limited to those), you provide the regulating authority with the necessary information.
Oh indeed, one does document such conversations in the hope that incidents might provide the necessary leverage. Yet I'm too white hat to induce such incidents to occur, and I'm not willing to put forth the massive effort it would take to recruit the allies that could shine a light on such things; it's just not what I'm paid for. And it's interesting how easy it is to succumb to the apathy created by such dysfunctional environments, at least to some extent. I guess that's why it takes serious political dysfunction for centrists to rise up. Are we there yet?
So, it's not a new version of executive Farmsville.
PS. That quote about cybersecurity and administrators is disturbingly inaccurate. Good admins will be reluctant to patch, ever, for reasons of stability, and good cybersecurity bods will mistrust any patch they didn't write themselves. They are generally united against ill-thought-out fads from above.
"good cybersecurity bods will mistrust any patch they didn't write themselves"
@Charlie Clark: Really? Are you talking about managing one software product, or an enterprise environment with scads of different types of devices and software products across hundreds of locations? And if you're talking about something under PCI and other similar security standards, patches will be required (based on levels of vulnerability, e.g. CVSS), or you will lose your certification and revenues will slam to a halt. Or do you just sell hammers (gawd, I'm never going to let Home Depot live that one down)? But I do respect the paranoia; if I remember correctly, it was an exploit of the patching system that brought them down.
Standard technique of politicians: send out the text of speeches to journos before giving them, so that journos can report the speech without having to travel to it.
"Clever" politicians can game this system.
The first way is to put in some comment that will act as a dog whistle to all their supporters but which can be highly offensive to anyone else. The comment gets reported and makes all supporters happy, but when others make a fuss about it the politician apologises for "mistakenly sending out an early" draft made by "an assistant" which used "language I would never use and immediately changed".
The second way was, I gather, mastered by Tony Benn, who in speeches would diverge from the speech he'd sent out and then say to the audience "take a look at the papers tomorrow - none of them will report what I've just said on this subject - they don't want people to know our ideas", knowing that unless a paper had sent a reporter to the meeting they'd only report what was in the "press release" version.
It was going so well. I watched (most of) the cheesy video, was inspired by the possibilities of it all, took the plunge and registered. I even read the T & Cs!
Then I had to confirm my email address: they sent me a link and it could "only be opened in the browser that I used to register". So I had another go, disabling uBlock and Privacy Badger in my Linux-based Firefox ESR - still no luck, and after 4 turns round the loop I gave up. I sent feedback - I even signed it with my GPG key to prove how l33t I am. I wonder what'll happen next!?
Tried to access it from the US and got:
    403 ERROR
    The request could not be satisfied.
    The Amazon CloudFront distribution is configured to block access from your country.
    Generated by cloudfront (CloudFront)
    Request ID: VHAppfdRXhGS1TMFQ4-fnV21guIgWpEAhd8mfgddxw==
That's more information than I got:
    403 ERROR
    The request could not be satisfied.
    Request blocked.
    Generated by cloudfront (CloudFront)
And I'm sitting in the UK (though my proxy does currently show that I am in Palo Alto).
> There's a mantra in the [Operational Technology] world that says cybersecurity are cowboys because they patch instantly.
"Ladies and gentlemen, this is your captain speaking and I'd like to welcome you aboard this CyberAir flight to New York. I'm just waiting for the flight controls and engine management system patches to complete download and then we can push back. Installation should complete while we taxi to the runway which will take around ten minutes.
"After take-off and once we have reached our cruising altitude of 35,000ft, we'll need to reset the systems by stopping the engines and rebooting. This will result in approximately three minutes of free-fall during which you may experience a sensation of weightlessness. Please do not be alarmed and I will illuminate the fasten seat belt sign in plenty of time."