Post ARWheuB4LM7DmbDF0S by singe@chaos.social
(DIR) Post #ARWhepBatyZ4ImQ5dA by singe@chaos.social
2023-01-11T06:10:48Z
1 likes, 0 repeats
This post-mortem of a major commercial aircraft incident is fascinating for me working in the comparatively younger and less mature field of cyber security https://admiralcloudberg.medium.com/crisis-over-the-atlantic-the-near-crash-of-air-transat-flight-236-671d3a0c4b04 (via @mendel@hacyderm.io). I eventually had too many screenshots to share so I’d just suggest reading the whole thing. Afterwards, my excited observations are below.
(DIR) Post #ARWheqtaXtLlbW0jqK by singe@chaos.social
2023-01-11T06:10:49Z
0 likes, 0 repeats
I strongly feel that security, like safety, is an emergent property of controls functioning correctly in a dynamic situation. I think we can learn a lot from the history of safety. This post-mortem is fascinating because it doesn’t just focus on the initial vector or just the technicalities but even goes into the psychology of the operators when considering how to prevent similar situations in future.
(DIR) Post #ARWhesY2OzIejFwYWu by singe@chaos.social
2023-01-11T06:10:50Z
0 likes, 0 repeats
I long for the day security is so mature that we could go to similar depths after a hack, including how to optimise systems and alerts to account for complex interactions between humans and machines. Imagine interviewing the SOC operators to understand why they hadn’t properly responded to an alert.
(DIR) Post #ARWheuB4LM7DmbDF0S by singe@chaos.social
2023-01-11T06:10:50Z
0 likes, 0 repeats
But there are also tons of lessons about operators overly relying on automation - to the point they disbelieved there was a problem, and didn’t even do the appropriate checks, because they believed a problem so serious would have been highlighted by the emergency system. And this was 2001!
(DIR) Post #ARWhevlyPdEIjLUEAS by singe@chaos.social
2023-01-11T06:10:51Z
0 likes, 0 repeats
Beyond the big obvious lessons and parallels, there are lots of little ones if you look for them - that the optional service bulletins *not* installed didn’t need to be disclosed, making it hard to figure out what state the engine was in, has strong parallels to patch management.
(DIR) Post #ARWhexLoXrUdcnGMfg by singe@chaos.social
2023-01-11T06:10:51Z
0 likes, 0 repeats
That even though there were legal mandates on the operator for compliance with a certain level, that needed to extend to the service provider. We’re still talking about legal mandates on the vendor - we’re nowhere near extending that all the way to managed service providers.
(DIR) Post #ARWhezFVUHdVVoKM7M by singe@chaos.social
2023-01-11T06:10:51Z
0 likes, 0 repeats
All in all, a fascinating read for those in the cyber world. I’d challenge you to up your post-mortems to this level and see what system design features it leads you to implement or demand from your vendors. It might even be worth demanding such exercises from your pentest vendor.