Archive for May, 2009

How becoming more civilized makes us less secure

May 20th, 2009

InformIT just published an article from Chris Nickerson which describes some of the training we inherently receive in life. You are taught things like “If you don’t have anything nice to say, don’t say anything at all” which are intended to make society as a whole function better and make everyone nicer to each other. This works great until someone chooses to exploit your concern about being rude and puts you in a position where you should question them, but are not likely to do so. Read the article, it’s 5-10 minutes and gives a great perspective on the risk associated with these mindsets. Chris makes the point that while Disney films have had a large impact on telling life lessons which promote better relationships between people, those same lessons weaken our ability to question that which doesn’t seem quite right. The maintenance guy you have never seen before, the phone call that doesn’t sound quite like the CEO, or that email that looks legitimate but has something wrong. You want to question these things – but do you?

BT Study: Penetration testing strong focus for enterprises this year

May 6th, 2009

This article at DarkReading points out that a report from BT on ethical hacking, planned to be released later this week, provides some interesting statistics on corporate spending on penetration testing. This all looks like good news to me – there were a few statistics that stood out:

Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week.

This is not good on the surface, because clearly we aren’t doing a very good job at security if that many organizations expect to get hacked. On the other hand, it is great to hear that so many organizations acknowledge the threat exists and are being more realistic about the high probability of an attack.

The first step is to acknowledge you have a problem.

Also this bit:

Around 60 percent of organizations have budgeted for pen testing, while around 38 percent have not, the study found. Nearly 70 percent allocate 1 to 5 percent of their security budgets for pen testing, 17 percent allocated 6 to 10 percent, and 2 percent set aside 20 percent.

So it’s making it into the budget and is becoming part of the standard security regimen.

The remaining question that I didn’t see addressed in this article is how many organizations have developed remediation plans, prioritize the problems found in the pentest, and actually get things fixed. It’s great to know your vulnerabilities but if we want to move that statistic from 94 percent down south of 50 percent we need to start fixing those problems and keeping new ones under control.

Sounds like some good progress is being made.


Exotic Liability Podcasts – go listen

May 4th, 2009

If you haven’t already, check out the new batch of podcasts over at ExoticLiability. Chris Nickerson, Ryan Jones and DJ Jackelope are putting on what is currently the most down to earth security podcast in existence. The latest, Episode 12, includes an interview about the upcoming version of Kismet with Mike Kershaw.

Topics span everything from current events & trends, new tools and social engineering to the occasional manhunt. They normally have a guest and then discuss other topics that are relevant at the time. It’s a good show & they’re fun folks to listen to. Take a break and hang out with these folks – if only virtually.


Swine flu creating zombies?

May 2nd, 2009

According to this BBC article some swine flu victims have shown “zombism” type behaviors post-mortem. From the article:

After death, this virus is able to restart the heart of its victim for up to two hours after the initial demise of the person, where the individual behaves in extremely violent ways from what is believed to be a combination of brain damage and a chemical released into the blood during “resurrection.”

I particularly like the 4th bullet under the “Symptoms – what to do” section:

If you feel yourself passing away, then notice your strength and vigor returning at an alarming rate, please attempt to restrain yourself to prevent infection and harm to others.

Remember, if you are going to turn into a zombie – do try to restrain yourself.

btw folks – this is silliness
