• abc-1 an hour ago

    Unless you’re a valuable or high clearance entity, all of this stuff seems like adults having a fun pretend make believe time. Like that neighbor in a nice part of town who owns multiple guns and has a security system set up to protect his maybe… $2k worth of jewelry. And if you say stuff like this, there’s always that one guy who chimes in about that one time when it actually happened for realsies and they were so glad they had their twenty layers of protection and boobytraps set up.

    • Puts 35 minutes ago

      The thing is, though, that it takes so little to just avoid things like this. If the security guard actually did his/her work and checked on unknown persons coming into the building. If the company used a password manager to share WiFi passwords (or maybe even Enterprise WPA with certificates), and made sure unused public Ethernet ports are not patched. Then these two very simple things would have made this much harder.

      I think the sad part is that they had probably had some security guy tell them this already, but people were just making fun of him because people don't believe things they cannot see - so it takes a "pretend to be spies" charade to make people actually care.

      • bbarnett 15 minutes ago

        And yet they still won't care, because most people have zero interest in their job. For those that do? They're lucky, work is fun, and they often love doing the best they can at their job.

        So, sadly, for many only the threat of dismissal forces those unhappy ranks to do their job. Others have a strong work/duty ethic and will do their best. One thing that can help overall is an entire corporate culture where everyone is lambasted for such failures.

        "You saw that <security guard> wasn't doing his job, and you didn't tell anyone? You're in trouble too!", and so on.

      • Closi an hour ago

        I think it fits the idiom of "aim for the stars and you'll land on the moon".

        If you are the kind of company that has a focus on all aspects of security, and assumes a sophisticated actor is attacking, you will have a better chance at defending against unsophisticated actors.

        If you plan your security around only defending 'less-sophisticated' actors then you might quickly find one slips through the cracks.

        • vasco an hour ago

          Value is in the eye of the beholder. All that security does is buy peace of mind; how much you have to spend for that peace of mind is very personal.

          Same thing with the attitudes of leadership teams to security. And if past events are indicative, there are way more leadership teams that don't give a rat's ass about security than ones that do. Particularly when you're holding other people's valuables (data).

          • BLKNSLVR 17 minutes ago

            I initially read your first sentence as "Value is in the eye of the shareholder" and thought to myself: Hah, yeah, clever.

            I've now coined the phrase, accidentally.

            Along those lines, however, it's peace of mind against an actual intrusion, but it's also peace of mind against lawsuits for dereliction of duty, etc.

        • richardw 36 minutes ago

          There are also some fantastic physical pentest stories on Darknet Diaries.

          https://darknetdiaries.com/

          In fact this is the episode referring to Alethe from the article:

          https://darknetdiaries.com/transcript/107/

          • VMG an hour ago

            Company name is "Bishop Fox"

            One of their products is called "Cosmos" https://bishopfox.com/cosmos

            Too many secrets?

            • INTPenis 23 minutes ago

              >Too many secrets?

              What is that supposed to mean? Sneakers reference?

              I feel like this is a repeating pattern for security companies these days. Trying to sell a holistic solution with fancy dashboards but essentially they're doing the same any script kiddie can do.

              It's the active red team that impresses me more than these products like cosmos. And they surely don't have the resources to offer active pen testing to all their clients.

          • fshafique 2 hours ago

            If they made this into a reality show, that's one show I'd watch.

            F%#& Undercover Boss! Give me Undercover Boss gets hacked!

            • GistNoesis an hour ago

              Not exactly this, but two decades ago they used to air a show on the Discovery Channel you might enjoy: "It Takes a Thief":

              https://www.youtube.com/playlist?list=PLc7mVBABUGE5IITXKHvnX...

              • torlok an hour ago

                Unless you cut it like Ocean's 11, it would probably get cancelled for being too boring to the general public.

                • ratg13 an hour ago

                  At a previous job I worked with a really good contract pen-tester.

                  He would literally just walk into facilities and ask people to give him their passwords, and they would give them.

                  The people working would also help him open wiring cabinets so he could do whatever he wanted.

                  • lostlogin an hour ago

                    You aren’t wrong.

                    I called a vendor once, wanting a server setting tweaked. I asked for the present state and when it came back completely different to what I was expecting I backtracked.

                    I’d queued changes on a competitor's live environment. I don’t think you need an elaborate charade, just blaze in with confidence.

                • sandworm101 25 minutes ago

                  She is blonde and pretty, irrelevant to 99% of attacks, but when it comes to walking into buildings uninvited, pretty is like a gate pass. This is why one needs a diverse security team, so that at least one member is less likely to tolerate the attractive person just walking in like they own the place.

                  • youngtaff an hour ago

                    How I Rob Banks by Freaky Clown is a worthwhile read on red team hacking of buildings etc.

                    It’s mostly storytelling, but it’s entertaining and thought provoking too.

                    https://www.freakyclown.com/publications