Bond: I think that’s enough, Goldfinger, you’ve made your point.
Goldfinger: Choose your next wittisism wisely, Mr. Bond, it may be your last.
Bond: Do you expect me to talk?
Goldfinger:No Mr. Bond I expect you to die!
Okay, okay… Yes I have a fascination with James Bond! What nine year old growing up in the late 70’s and early 80’s didn’t want to be the suave, debonair, and dangerous Mr. Bond. With all the cool gadgets and cars, spying was easy and the women easier! Ahhh, the days of a chocolate milk martini, shaken not stirred was “de rigueur” and the realistic cap guns that had the look of a Walther and the magazine for the caps have long faded into the past.
So what does this have to do with security and risk? A lot if we look at all the social engineering and breaking in, whether buildings or computer systems, to obtain information to protect the interests of the Crown and save the world! Ah, yes it was very simple and the computers could be fooled with the very simple brute force attack. Why? Because it follows the fact that users, no matter how evil or clever they are, want easy access to their systems, and Mr. Bond was smart enough to see through their facade and guess it in a few tries. Why was Mr. Bond able to get information from people? Because he understood the words that opened up the gate to the helpful human nature and how to use deception to appeal to that human nature.
Eureka! Thank you Mr. Bond! The whole time you were just preparing us for our as unknown careers in the cyber world. Through your skullduggery and exploits we have the basic framework for penetration/security testing and assessment: reconnaissance, enumeration, analysis, exploitation, and exfiltration. Is that all of the steps? No, but these are the main areas that set the stage for what we do as security professionals engaged in that type of activity. In a round about way it is also a way for security professionals to identify risk through assessment and what those mitigating controls should be.
With that said, are security and risk inherently the same? No, but there are commonalities as they are both trying to identify vulnerabilities for remediation before the incident.
Okay, enough for tonite and an okay start to kick off the blog!
Bond Must Die!! 