finding religion through a life-threatening moment

I’ve said it for years, and it continues to be one of my driving “laws” of security: People/organizations care far more after they’ve been violated. Newest case in point, Google*:

“Google is now particularly paranoid about [security],” Schmidt said during a question-and-answer session… After the company learned that some of its intellectual property was stolen during an attack…it began locking down its systems to a greater degree…

This is another reason I believe in penetration testing. Sure, it doesn’t quite yank one’s pants down, drive a kick to the balls, or incite that same sense of dread as a real event would, but it should strive to come as close to that as possible. It’s not just about popping boxes with an exploit, but rather demonstrating that, “I just stole your super secret plans. I just deleted your directory servers. And backups. This will cost you xyz. And I sold the backdoor to the Ukrainians, but not before I joined all your servers to a Chinese botnet and sold all your client data to your closest competitor.”

Shows like To Catch a Thief and Tiger Team (and that one social engineering/con/pickpocketing show…) did a great job in demonstrating issues and conveying a taste of the, “Oh fuck…” moments.

I understand we tend to learn through experience. From not touching an oven until we’ve been burned to not speeding until we’re pulled over to not wrapping up until you have the herps. But we all have the capability to be informed and not make the mistakes in the first place, or seek help in areas we don’t understand (yes, that costs money…).

I may, however, just be an ass about people who can’t (or don’t) think ahead…

* Google is a tough case to use, honestly. They had everything to gain by outing China, outing IE6, and raising their own, “we’re-just-being-a-good-steward,” stock. Still, they’re not unique.

2 thoughts on “finding religion through a life-threatening moment”

  1. The reason incidents make people appreciate security more and work harder to adopt more secure practices/procedures/etc. is that it changes their perception of how safe they are to that of being unsafe and thus a focal point for fear.
    The problem with fear as a driver of security, however, is that fears can be fairly easily assuaged, and those charged with selling ‘solutions’ are particularly good at doing just that.

  2. > I understand we tend to learn through experience.
    A wise man learns from the lessons of others, a fool learns from his own.
    I’m not saying I’m a wise man, but I don’t need to touch the stove myself to know that touching it when it’s hot is a bad thing…I’ll watch someone else do it.
