<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
So <a
href="http://www.sifma.org/services/bcp/cybersecurity-exercise--quantum-dawn-2/">Quantum
Dawn 2</a> is coming up - and it's a good opportunity to talk
about how exercises like that in general work, and what they find,
and so forth. These are essentially faked table-top exercises, which
leads a lot of the technical people on this list to wonder how Wall
Street playing what is basically a weird Dungeons and Dragons game
with hacking is going to help anyone in any way whatsoever. <br>
<br>
I totally feel you on this.<br>
<br>
However, the Government does this sort of thing all the time, both
for disaster recovery efforts of all kinds (the best known is the <a
href="http://www.fema.gov/national-level-exercise">National Level
Exercise</a>) and of course in the military to examine potential
responses to invasions from both sides (if you haven't read the War
Nerd on this subject, then you're missing out: <a
href="http://exiledonline.com/the-war-nerd-this-is-how-the-carriers-will-die/">http://exiledonline.com/the-war-nerd-this-is-how-the-carriers-will-die/</a>).<br>
<br>
What the government, and other groups like about them is that like
penetration tests, the goal of these table-top exercises is to find
out something surprising! And they usually succeed, even if the
surprising thing is somewhat boring. In most cases it's "I have no
way to talk to you securely when I really need it" or "the
regulations, laws , and contracts I am subject to forbid me to give
you the data you most need". (This is why most often these games
involve quite a lot of lawyer time.)<br>
<br>
Quantum Dawn 2 examines a hacker attack on the sector of the world
most vulnerable to cyber attack - the financial sector. Banks,
insurance companies, brokers, hedge funds, exchanges, and so forth,
are your worst case scenario for hacker attack in nearly every way.
The are real-time. They are heterogeneous and tightly tied across
national and geographic boundaries. They have emergent behavior that
is very difficult to model. They operate 24/7 and at high speeds
with high sensitivity to latency. They operate on tight trust, and
reputational damage can be a fatal wound. <br>
<br>
Generally when our clients ask us about these sort of games, they
want to know "What will we learn? What's the real value here?" and
when the test is done RIGHT, the only possible answer is "There's no
way to know, but there's no doubt you'll learn SOMETHING."<br>
<br>
Plus, some people just really enjoy D&D. I know I did. (Your
network has been attacked by a Beholder, roll for save! :>)<br>
<br>
-dave<br>
</body>
</html>