Blog
Dungeons, Dragons, and Resilience: Role playing as a thought model for complex resilience

Dungeons, Dragons, and Resilience: Role playing as a thought model for complex resilience

In the 1970’s, game designer (and former insurance underwriter) Gary Gygax invented a game for simulating medieval combat he called Chainmail. This basic system then became the melee mechanics for his next game, Dungeons and Dragons. Almost every role-playing game since, in-person or online, has drawn inspiration from or elaborated on this model. Today and every day around the globe, millions of people (both affectionately and derisively called ‘gamers’) play in-person or online role-playing games. They simulate repeated interactions between attackers (which can be intelligent adversaries or forces of nature) and defenders. They roll dice or depend on computers to do the dice rolling, and they fret and argue the details about how to best prepare for, resolve, and ‘survive’ these encounters.

by Howard Smith
Blog
Rebranding: “Chaos Engineering” as “Resilience Testing”

Rebranding: “Chaos Engineering” as “Resilience Testing”

Last week, I had the opportunity to hear Aaron Rinehart brief on “Chaos Engineering”. Aaron is the Chief Enterprise Security Architect at UnitedHealth Group. His job is to break things. And by break things, I don’t mean innovate as in “move fast and break things” or break-in to things as in penetration testing but actually break systems. It’s a cool job. UnitedHealth is a beast of a company. Cobbled together through dozens of acquisitions, it has 270,000 employees and 200 million in revenue. Also worth noting, when seemingly every other health insurance company got owned by the Chinese in 2015, UnitedHealth dodged the bullet. Maybe they weren’t targeted. Maybe the breach wasn’t discovered. Maybe they got lucky. Or maybe there is something to this approach. As networks and applications (and their interactions) grow increasingly more complex and interdependent, the likelihood of cascading (and therefore devastating) failure also increases. Purposefully causing these failures in a deliberate and controlled fashion is possibly the only rationale way to persist in the faith of both system error and malicious activity.

by Rob Knake
Blog
Cyber resilience: A local approach

Cyber resilience: A local approach

In our previous blog posts we have looked at a case study of a vulnerable water plant and explored using Shodan to scan the internet for vulnerable programmable logic controllers. In researching what I wanted to write about next, I watched a presentation at Blackhat 2017 by two U.S. Attorneys about their investigation, arrest and conviction of Roman Seleznev, a Russian hacker and dealer of stolen credit card information. What struck me during the presentation was that many of his targets were small U.S. businesses (the presentation highlighted a few restaurants in the Northwest U.S.) because many of them were easier to hack as they had poorly configured remote desktop protocols and were storing credit card data in unsecure formats. The result of some of these breaches were the target businesses shutting down shortly after publicly announcing being compromised. This got me thinking, what is the affect of cyber attacks on small businesses? What about on rural hospitals? Or local governments and first responders?

by Nate Toll
Blog
Examining NOLA’s recovery from Katrina, with relevance to Harvey, Irma and Maria

Examining NOLA’s recovery from Katrina, with relevance to Harvey, Irma and Maria

Five years after Hurricane Katrina, I gave a talk with this title at a meeting in New Orleans hosted by FedEx and the Salvation Army. I recently stumbled across my slides (no snide remarks about my less than sterling filing system – please!). I had always meant to write something up along these lines but never quite got around to it. What I learned those few days in NOLA has great relevance to recovery from Harvey, Irma and Maria. Pain is inevitable, suffering is optional. I have come to fervently believe in these words from Ernie Broussard of Cameron Parish. When the winds come, the rains fall and the flood waters rise, lives will be disrupted. Some buildings will be damaged. Some roads will be washed out. We will feel pain. But if we have hardened what we can, if each of us has prepared ourselves for the inevitable and if we have worked with those around us to build those essential mutual support networks, then we can avoid true suffering.

by John Plodinec
Blog
Using Shodan as a tool to find vulnerable devices | GRI Blog

Using Shodan as a tool to find vulnerable devices | GRI Blog

In the last blog post, we looked at the case study of the Kemrui Water company as outlined by the Verizon Data Breach Report which underscored potential consequences of having industrial control systems connected to the public internet. This post will go a little bit deeper and look at the ease in which a device similar to those that were probably in use at the water company and connected to the public internet can be found and potentially exploited. For this process I used the tool ‘Shodan’. Shodan is essentially a search engine for internet connected devices. It ‘crawls’ the internet, sending out connection requests and recording the public results, which include banner information, open ports, and running services. There have been numerous articles and blogs that highlight how Shodan has been used to find internet of things devices such as webcameras, license plate readers, programmable logic controllers (PLC), even ships using satellite antennas and botnet command and control servers.

by Nate Toll
Blog
Making our infrastructure more resilient to cyber-attacks | GRI Blog

Making our infrastructure more resilient to cyber-attacks | GRI Blog

As we develop the concept of CINET, one of our main challenges is to illustrate how separation of control networks from the public Internet and the existence of a dedicated channel for information sharing could help make our infrastructure more resilient to cyber-attacks. There are only a few public cases of disruptive or disruptive cyber attacks targeting critical infrastructure. At this point, Stuxnet and the Ukraine power grid attacks have been beaten to death. In a series of posts, we are going to review a few less well-known ones. For those readers who treat the Verizon Data Breach Incident Report as the Bible of cybersecurity, this case study will be familiar. For the rest of you, here is a brief recap.

by: Robert Knake, Nathaniel Toll
Blog
Constructing a community narrative: Resilience requires action

Constructing a community narrative: Resilience requires action

Community resilience requires action. And in communities “action is at the speed of trust” (Sherri Moore of the USACE). As I’ve pointed out before, trust must be based on shared experiences, shared successes, a shared vision. Eugene Tan in Singapore calls this a “Master Narrative” – a common understanding of who we are, and how we’ve come to be. Let me make it clear up front that the Master Narrative and a call for action aren’t the same. You want your community to become more resilient – that’s the purpose of a call for action. But if that call is to be translated from words to action, your community has to believe in itself enough to take action. That’s where the Master Narrative comes in – one of the thing it must do is inspire confidence that “Yes, we can.” Thus, an effective call for action will have echoes of the Master Narrative embedded in it.

by John Plodinec
Blog
Now are we ready to talk about CINET? | GRI Blog

Now are we ready to talk about CINET? | GRI Blog

On Wednesday I testified before the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection about information sharing. U.S. Rep John Ratcliffe (R-TX), chairman of the subcommittee, and Congressman Jim Langevin (D-RI), ranking member, were particularly interested in what more needs to be done in the two years since Congress passed the Cybersecurity Act of 2015. That act eliminated many of the excuses for why companies don’t share cybersecurity information. It also directed the Department of Homeland Security and other agencies to develop the means to share classified information with private companies.

by Rob Knake
Blog
To replace SSN with something more resilient, model it on the internet | GRI Blog

To replace SSN with something more resilient, model it on the internet | GRI Blog

Rob Joyce wants to get rid of the social security number. “Every time we use the Social Security number you put it at risk,” Joyce, the White House Cyber Coordinator told Washington Post Live recently. Joyce’s comments have led to no small amount of day dreaming by the technical community on the possibility of using a “modern cryptographic identifier” or (drum roll please) block chain. That’s all well and good. But the challenges with replacing the social security number as an identifier (with something more secure), aren’t technical -- they are everything else. And as Steve Bellovin points out, it would be really, really hard.

by Rob Knake
Blog
What is ‘cyber resilience’ — and how is it useful? | GRI Blog

What is ‘cyber resilience’ — and how is it useful? | GRI Blog

Cyber Resilience. It’s the latest craze in the field. But what does it mean? And more importantly, is it a useful concept? It may seem like a strange question to ask for my first blog post at the Global Resilience Institute but I have found that agreeing on definitions and frameworks is an important though often overlooked step in the field (anyone who disagrees should google “active defense” to see why).

by Rob Knake
Blog