Cyber

Book Review: Ctrl + Alt + Chaos - How Teenage Hackers Hijack The Internet Ctrl+Alt+Chaos I was lucky enough to win a copy of this book from the author when he posted a competition on BlueSky. The very short review of this book is that it’s well written, and an “easy” read that will hold your interest on a complex subject. To go into slightly more detail, meant in the best possible way, I want to emphasise that it’s an easy read. I usually read at night, when I should probably be asleep - but this is well-written, clear, and grabs your attention, so it’s suitable for the beside table or noisy commute; which can’t be said of many non-fiction books. ...

This is a sporadically updated list of online games that illustrate useful points about cyber security. For those I’ve tried, or intend to try, I’ve listed them below, with some brief thoughts so you can decide whether to spend time on them yourself. Please do contact me if there’s something out there I should play to consider adding it to the list. Despite my history in professional wargaming I’m especially interested in solo games that let players learn at their own pace, in their chosen context, and without even the most ephemeral consequences for errors. ...

By Nick Drage, a cybersecurity strategist, and Indy Neogy, a coach who specialises in how we deal with the future. This is a “personal blog” version, where I’ve added a couple of pictures. Indy’s publication on LinkedIn can be found here. Comments welcome anywhere. Cybersecurity Strategy in the New Era The Russian invasion of Ukraine has been shocking. As a hot conflict it inevitably makes us focus on physical threats. However, it has also necessitated discussions that produced a lot of useful articles about how to improve personal and organisational cybersecurity - in particular how to improve them in response to a raised level of cybercrime and cyberattack activity. ...

My previous week: Looking back on the previous week, I only realised that “playing as a team” was a common thread through the most significant and/or interesting events when I was putting together this weeknote. I watched a presentation by CrowdSec a “free and open-source collaborative IPS”. I need to experiment with the software, but I was impressed by the team behind it, and their approach to making something like this work while also keeping one eye on the business model. I’d be interested to hear from anyone using it, or with strong experience in how well crowd sourced threat intelligence works out. I took part in a couple of playtests of the Minimator game - operated as part of the work of the Research Institute of Sweden. This is a well put together game, probably aimed at policymakers, to explain basic concepts in how cyber defence and zero day markets work. There’s a lot of work gone into the game, and still a lot to do; but there’s definitely something in this and I’m optimistic about what the project will achieve in future. I was a sounding board for someone working through their career options, and they highlighted how much leading and being part of a team meant to them. I realise that aspect of work probably means more to me than I expected, my involvement in PlaySecure being the most obvious… but increasingly I find myself pushing to work with others before I’ve a fully formed idea. This has led to some promising concepts, but there’s also been many times that hasn’t worked at all after auspicious starts. At some point, but only after something has paid off, I should work out my “completion percentage” on ideas. Separate from that team based theme though, I watched Vivo; a delightful film, well paced, engaging, suitable for children if you’re up for “adult themes” and some definite peril. Not quite at the level of Hamilton... but still... definite peril...

My previous week: Various tribulations with online stores. Maybe I’m getting old and weary, but it seems harder and harder to just pay for something and then get what you paid for; or to trust any of the online review sites, which are obviously being gamed. I attended the National Cyber Deception Laboratory’s symposium. This was a good day, with some useful and quotable points of view - I expect to blog some summaries of different presentations as they go online. I’ve always been puzzled and frustrated why cyber security, as an industry, doesn’t engage with deception more, hopefully this event is the sign of a change in approach. I attended, and kind of helped run, and spoke at, the Enterprise Circus, which operated under the PlaySecure brand. This was a lot of fun, and I think like main event back in March 2021, it got a few people thinking something new. As always the aim is to just try something a little different, rather than just being yet another conference saying the same thing. A different approach to video call backgrounds

Three episodes of the WB40 podcast to listen to if you’re into Cyber Security Episode 209 - if you’re part of The Great Resignation, or considering moving out of cyber security, or coming in, it’s worth listening to the hosts and Lee Cox thinking through this kind of career change. Although not directly related to cyber I’d expect you to find the decision process, and the successes and failures, very relevant; as well as the importance of an ability to learn, rather than being a life-long subject matter expert in just one area; as well as the importance of transferable skills… as well the lack of innovation from employers… and and and… convinced yet? Go listen. ...

My previous week: Provided some feedback for a game/exercise design, which was enlightening because it’s rare that I’m in that situation, rather than being part of the design or operational team. Some thinking around the forthcoming Enterprise Circus. I’ve some trepedation about whether we can make the Circus metaphor work, but I think that is what makes this event work doing. As per our “pitch”, written by Phelim Rowe, using this metaphor is an “engaging prism”, which I hope will spark some new ideas. I enjoyed attending Level Up: Gamification as an innovative tool for public service design; this was particularly enjoyable due to the talent and experience on display - I essentially watched three people build a pitchable business idea in a little over half an hour. There’s some really interesting things happening in game-based methods right now. I was on a panel at the CISO Ensemble, and ran a panel as well. Running the panel was particularly difficult and enjoyable, great to get a range of views, and to figure out on the fly how to give everyone a chance to speak, forewarn them when they were “up”, while paying enough attention to the conversation. On that particularly busy day I also attended Cardstock; very useful, very interesting, I came out of with lots of ideas and a connection or two. One thing that particularly struck me, it might be observation bias, but for a generally skeptic-minded person like me, some of the greatest insights and mental leaps seemed to come from those with the greatest affinity to “magical” concepts such as astrology and tarot. Something to ponder. I finally made time to watch the Georgetown University Wargaming Society’s recording on WATU, presented by Sally Davis of DSTL. Good points well made, and also packed with useful academic references to strength through diversity. And I continue to play fantasy football, which I find such an interesting way to follow the NFL. For me in-particular it brings home just how big a part injuries play in the game, and the operation of the teams. A team figuring out CISO as a Team at the CISO Ensemble event

My previous week: Thinking through different and underused game formats: board games that support simultaneous or asynchronous movement, where a wall-mounted magnetic board would make “Play By Video” easy, and so on. A great chat with someone looking to use me as a cyber security associate, who asked all the right questions… such as “what are you interested in?” rather than “what do you have five years’ experience in?”. Other useful conversations about forthcoming projects and events, or working on existing ideas. Some “cyber security strategy” work, just helping someone think through their security roadmap and highlighting what they might have missed, or giving them a chance to explain their choices out loud to me before they face their stakeholders. And as always, I’m finding it useful to write up these weeknotes. I just wanted a free pixabay graphic about studying or thinking... but now I have to know why she's studying on a roof...

Weeknote 25th October 2021 Taking a cue from Sara Campbell of the Foster writing community, I’ve come up with a more interesting title than “Weeknotes”, but maybe this isn’t the most appealing title. Baby steps. I finished watching The Goes Wrong Show which has to be one of the funniest things I’ve watched over the last decade or so, along with Ted Lasso, and Community. I think I tend towards angry and/or painfully intelligent comedy, but we had to institute a house rule not to eat or drink while watching this, to prevent any unfortunate accidents. I’ve been drained and disappointed by the poor threat modelling that leads to the response to the death of Sir David Amess being a call for less Internet anonymity, and the response to the death of Sarah Everard being a call to contact the Police; but I suspect I’ve been naive about the intention behind those suggestions. I gave that training I mentioned last time, on common threats from the Internet, and only had time to scratch the surface when covering ransomware. I can only see that situation getting worse. I thought far too much about The Chair Game; a very simple idea, but surprisingly revealing in what thoughts it prompts. I look forward to playing and/or discussing it at some point. I fell behind on meetings, then fell behind further while looking at automated scheduling services to help me suggest times to several people, without getting into multiple simultaneous games of “email tennis”. I was disappointed at how many were just simplified clones of Calendly, requiring you to spend time in your calendar interface and scheduling interface simultaneously to manage your avalability, when the aim is to save your time. It took quite a while, But I was finally impressed by FreeBusy; particularly by its Guarded Availability functionality.

Last week Gave some training on common cyber security attacks, moving on to ransomware next session, where the challenge is limiting so much available material. Discussions on exercises with James Bore, other collaborators welcome. Some mentoring of a rookie speaker for BSides London on an interesting analogical approach they’re taking One of my game designs is getting out of hand, I’m regarding a lot of what I’ve done as “design notes” listing intriguing but rejected ideas once I publish something. I’m behind on scheduling meetings so I worked through some automated and semi-automated scheduling services, which just made me more bitter about the state of the technology in general; and also means I understand why virtual assistants are still so popular. I had my last coaching session with a kind of business coach, which has helped change my mind on the benefits of coaching. Get in touch if you want a recommendation. I attended the Autumn virtual meeting of Wargame Developments, a couple of sessions anyway. They/we are putting an updated version of the “WD Handbook” together, to act as a guide and introduction to the group. I’m very interested to see what comes out of that process. For years I’ve had an idea for a kind of “psychic massage” app, something that would give you an emotional boost when needed and/or at random - a lot of people, myself included, find those “you’ve got this” messages inspiuring even though we know how vaccous their source is. But it’s on the big pile of possible ideas, whereas Sarah and Leila have done something with their Feel Better Cards; worth checking out. In having done these weeknotes for a while now, I realise how often I would type out the same thing every week - for example trying to build something to make money, while also needing to earn money doing “day rate” work; also I realise how much I achieve, but also how unrealistic my plans are for what I can achieve each week. I wonder if the bottom of each weeknote should have an “ongoing whines” section, with a counter…