Re: The joys of the phonetic alphabet
Everyone knows it's L for leather, A for orses, F for vescent ...
12 publicly visible posts • joined 20 Jan 2015
It's almost as bad as "cyber". Both are bandied about like, and worth as much as, election promises.
Good on El Reg for hitting the nail on the head though: "Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services."
And for those of us genuinely trying to hold back the tide in infosec, their rampant, selfish, crass commercialism is doing us a disservice. Marketing tripe dressed up as "surveys" is a modern-day scourge.
Nope. There are permutations, combinations and variations e.g. cut neither wire; cut one only; cut the other only; cut one wire then the other; cut the other wire then the one; cut both wires together; fail to sever a wire completely; ... it's really not hard to think of many more possibilities.
It was a mistake to quote a probability figure, and a further mistake to ignore the business consequences ... and it's hard not to think of more mistakes in this scenario, with the benefit of 20/20 hindsight (or is that 50/50?).
If the hackers were subtle & sensible, they'd have gone to ground as soon as they got in to the network, immediately concealing their activities, going deep, and meddling with the security logs, alarms and alerts. Having done that, they could sit there for an indefinite period waiting for the logs of their initial access to be overwritten or discarded, and quietly watching for any signs of proactive security response. Then they'd have free rein, knowing that their activities were being neither monitored nor logged ...
Aside from the grisly images and sheer horror of the whole event, the thing that sticks in my mind about that day was watching an amazing performance from the police commissioner (? The Top Dog anyway) giving a press conference live on TV before the dust had settled. He was immaculately dressed, and spoke coolly and calmly about the incident before the assembled mob of journalists, in a press room that I guess had been set up in advance. An astonishing oasis of calm if you think about the chaotic scenes and all the work that the emergency services were doing at that very point.
If YOUR organization had experienced anything on that scale, do you think your Top Dog, advisors and support crew would have been prepared to deliver such a virtuoso performance so quickly and efficiently? I still use this as a shining example of how crisis and incident management can/should be done.
I believe there had been an emergency exercise in central London just a week or two earlier, so all the emergency services were as ready for the incident as they possibly could be - another worthwhile lesson arising from an otherwise devastating mess.
An excellent way to hone your business skills and speak the same language as the MBA types is, of course, to study for an MBA and become an experienced manager. I consider my MBA the best information security qualification I hold. I also heartily recommend CISM from ISACA which emphasizes the governance angles of our job, plus risk management, compliance, business continuity and other stuff that IT security (and "cybersecurity") pros tend not to appreciate. There is MUCH more to being an effective information security pro than knowing about vulnerabilities in IT systems.
[By the way, "death management ears" tickled me. Freudian slip?]
If there's one thing I've learnt in life, it is that multiple bosses == bad news. Well, to be more accurate, it's not the bossing that matters, but the dilution of leadership and clarity of direction. If in fact the "co-chairs" were spookily aligned, why did SPE need them both? My guess is they were hedging their bets.
The reason that top brass are paid so highly is that (a) they have that rare combination of proven qualities (such as capabilities/expertise, experience, charisma, drive and motivation) to make good decisions more often than not, meaning that they are in high demand; and (b) they demand the $$$$$$ in return for their personal accountability when, almost inevitably, like gamblers they eventually make a seriously bad decision.