It's your what in a box? Here's a thing to make your bosses think about malware responses

Ever-exciting Cabinet Office minister David Lidington has put his name to a new infosec response testing tool developed by the NCSC, called (wait for it) Exercise in a Box. In a speech due to be delivered to the Cyber UK conference in Glasgow later today, Lidington will inform the world: "This new free online tool will be …

  1. Anonymous Coward

    Useless box?

    https://www.youtube.com/watch?v=aqAUmgE3WyM

  2. spold Bronze badge

    Taxercise in a box

    If they include the bit about sending us bitcoin then could be self-financing

  3. Anonymous Coward

    Exercise of the Pox

    Having been part of the alpha testing for EiaB, I can say it's not what they are making it out to be.

    The "table top exercises" are more of a led discussion around what, if any, defences you have.

    The "exercise" is just about enough to exercise a small generalist IT team, but anyone with security training will beat it in 10 mins.

    1. A.P. Veening

      Re: Exercise of the Pox

      but anyone with security training will beat it in 10 mins

      In other words: it is an exercise in futility.

    2. GnuTzu Bronze badge
      Megaphone

      Re: Exercise of the Pox -- Politics

      Well, that's a bit of a problem. From my own experience in table-top exercises, its value is in making the higher ups more aware of what they are up against. An improvement would result in making the higher ups more aware of what they need to do to be better aware of what their front-line security people are facing.

      Unfortunately, execs have this need to appear as if they are the originators and authors of all new ideas, and they can't afford to appear ignorant--which results in willful ignorance at the executive level. This is not just an idle rant. I know what it means to have relevant and important information fall on deaf ears, and then have to shift to a strategy that will allow higher ups to appear as if they're on top of things. Gawd, I hate politics.

      1. A.P. Veening

        Re: Exercise of the Pox -- Politics

        I know what it means to have relevant and important information fall on deaf ears, and then have to shift to a strategy that will allow higher ups to appear as if they're on top of things. Gawd, I hate politics.

        You are playing politics wrong. You should shift strategy, but in such a way that those suffering from deaf ears are removed. Very carefully document giving that relevant and important information. Let the completely foreseeable incident happen. Point out that you warned about it, but higher ups failed to listen and/or act. At that point those higher ups will try to silence you. Go over their heads with the full documentation. The only time this fails is when the higher ups not listening are C-level and it isn't a regulated type of business. With regulated businesses like banks and insurance companies (but not limited to those), you provide the regulating authority with the necessary information.

        1. GnuTzu Bronze badge

          Re: Exercise of the Pox -- Politics

          Oh indeed, one does document such conversations in the hopes that incidents might provide the necessary leverage. Yet, I'm too white hat to induce such incidents to occur, and I'm not willing to put forth the massive effort it would take to recruit the allies that could shine a light on such things; it's just not what I'm paid for. And, it's interesting how easy it is to succumb to the apathy created by such dysfunctional environments, at least to some extent. I guess that's why it takes serious political dysfunction for centrists to rise up. Are we there yet?

    3. Charlie Clark Silver badge

      Re: Exercise of the Pox

      So, it's not a new version of executive Farmsville.

      PS. That quote about cybersecurity and administrators is disturbingly inaccurate. Good admins will be reluctant to patch ever for reasons of stability and good cybersecurity bods will mistrust any patch they didn't write themselves. They are generally united against ill-thought out fads from above.

      1. GnuTzu Bronze badge
        Stop

        Re: Exercise of the Pox

        "good cybersecurity bods will mistrust any patch they didn't write themselves"

        @Charlie Clark: Really? Are you talking about managing one software product or an enterprise environment with scads of different types of devices and software products across hundreds of locations? And, if you're talking about something under PCI and other similar security standards, patches will be required (based on levels of vulnerability, e.g. CVSS), or you will lose your certification, and revenues will slam to a halt. Or, do you just sell hammers (gawd, I'm never going to let Home Depot live that one down). But, I do respect the paranoia; if I remember correctly, it was an exploit of the patching system that brought them down.

      2. Mystery Machine

        Re: Exercise of the Pox

        "good cybersecurity bods will mistrust any patch they didn't write themselves."

        Fair point if they wrote the OS running on the server they designed and built from raw silicon. Fucking honestly....

    4. steviebuk Silver badge

      Re: Exercise of the Pox

      European Institute of Applied Buddhism?

      I'll get my coat.

  4. Alister Silver badge

    In a speech due to be delivered to the Cyber UK conference in Glasgow later today, Lidington will inform the world:

    El Reg journalists travel back in time to report on the future!

    1. Anonymous Coward

      Standard technique of politicians to send out the text of speeches to journos before giving it so that journos can report the speech without having to travel to it.

      "Clever" politicians can game this system.

      First way is to put in some comment that will act as a dog whistle to all their supporters but which can be highly offensive to anyone else ... the comment gets reported and makes all supporters happy but when others make a fuss about it politician apologises for "mistakenly sending out an early" made by "an assistant" which used "language I would never use and immediately changed".

      Second way was, I gather, mastered by Tony Benn who in speeches would diverge from the speech he'd sent out and then say to the audience "take a look at the papers tomorrow - none of them will report what I've just said on this subject - they don't want people to know our ideas" knowing that unless a paper had sent a reporter to the meeting they'd only report what was in the "press release" version

  5. Anonymous South African Coward Silver badge

    Does it have a cat from a Mr Schroedinger inside?

    And is its name Greebo?

  6. Anonymous South African Coward Silver badge

    Nah, I won't have it on the company's network.

    Too risky, you never know what code is inside said box.

    Put it in a DMZ, or on a lab LAN and keep it there.

    1. steviebuk Silver badge

      But having just signed up to see what all this was about, the software they want to stick on your network, they give you the code for, so you can see what the code actually does. I've still not run any of it yet, I was just curious.

  7. Flywheel Silver badge
    FAIL

    Failed at registration confirmation

    It was going so well.. I watched (most of) the cheesy video, was inspired by the possibilities of it all and took the plunge and registered. I even read the T & Cs!

    Then I had to confirm my email address: they sent me a link and it could "only be opened in the browser that I used to register". So I had another go, disabling Ublock and Privacy Badger in my Linux-based Firefox-ESR - still no luck, and after 4 turns round the loop I gave up. I sent feedback - I even signed it with my GPG key to prove how L33t I am .. I wonder what'll happen next!?

    1. Anonymous Coward

      Re: Failed at registration confirmation

      If you hear helicopters, I'd check if they're black..

      1. Anonymous Coward

        Re: Failed at registration confirmation

        I've met the guys working on this. They're quite genuine and would probably try to help you out but getting a help request to them can be tricky sometimes.

  8. It's just me

    Apparently Americans are not part of "it's open for anyone to use"

    Tried to access it from the US and got

    403 ERROR

    The request could not be satisfied.

    The Amazon CloudFront distribution is configured to block access from your country.

    Generated by cloudfront (CloudFront)

    Request ID: VHAppfdRXhGS1TMFQ4-fnV21guIgWpEAhd8mfgddxw==

    1. JassMan Silver badge
      Trollface

      Re: Apparently Americans are not part of "it's open for anyone to use"

      Wow. That's a seriously cloudy 403.

      Or is it really just an ad for Cloudfront.

    2. Allan George Dyer Silver badge

      Re: Apparently Americans are not part of "it's open for anyone to use"

      Don't be too disappointed, Hong Kong is also not part of "anyone".

    3. mr_souter_Working

      Re: Apparently Americans are not part of "it's open for anyone to use"

      That's more information than I got......

      403 ERROR

      The request could not be satisfied.

      Request blocked.

      Generated by cloudfront (CloudFront)

      and I'm sitting in the UK (though my proxy does currently show that I am in Palo Alto)

  9. 2+2=5 Silver badge
    Joke

    The good cowboys wear the white hats don't they?

    > There's a mantra in the [Operational Technology] world that says cybersecurity are cowboys because they patch instantly.

    "Ladies and gentlemen, this is your captain speaking and I'd like to welcome you aboard this CyberAir flight to New York. I'm just waiting for the flight controls and engine management system patches to complete download and then we can push back. Installation should complete while we taxi to the runway which will take around ten minutes.

    "After take-off and once we have reached our cruising altitude of 35,000ft, we'll need to reset the systems by stopping the engines and rebooting. This will result in approximately three minutes of free-fall during which you may experience a sensation of weightlessness. Please do not be alarmed and I will illuminate the fasten seat belt sign in plenty of time."

  10. Potemkine! Silver badge

    We were told that users were the first line of defence.

    So we stack them together to build a wall around the datacenter, I hope it will be efficient.
