One of the points we like to emphasize most is that the greatest security flaws, the weakest links in the network chain, arise when you "don't know what you don't know." A systematic approach to assessing security processes should therefore be standard practice in every organization with significant assets.
A good illustration comes from a security firm that conducts penetration tests for clients in order to uncover IT security risks.
Penetration tests can turn up risks that are both embarrassing and genuinely dangerous for an organization. Such was the case in a penetration test conducted for a large multinational company.
The test found 20 IP cameras whose authentication could be bypassed through an undocumented account: username "root", password "m". Once the testers controlled the cameras, the cameras could be used to watch people type in information and discuss corporate activities.
Imagine sitting in a boardroom while being spied on without your knowledge. Discussions, keystrokes, passwords and strategic decisions would all be potentially compromised.
One lesson learned was that a typical automated network security scan would not have detected this weakness: a scanner can only test for credentials and flaws it already knows about, and this account was undocumented. A deeper review by security consultants identified areas of potential risk, which were then tested and analyzed with the available tools.
The consultants approached the organization the way a real criminal intent on breaching the firm would, by any means necessary, and in the end found a hidden back door that nobody had documented.
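To make the lesson concrete, here is an added example (not code from the original article or from the testing firm it describes) of the kind of credential audit a tester would script once a weakness like this is known. It assumes, purely for illustration, that the cameras expose an HTTP interface protected by Basic authentication; the article does not say which protocol the cameras used. The example stands up a constructed fake camera in-process that accepts only root/m, so it runs offline, and then shows that a scanner armed only with common default credentials reports nothing while one that knows the undocumented pair finds it.

```python
"""Default-credential audit of IP cameras over HTTP Basic auth (added example).

Assumptions (not from the article): cameras speak HTTP with Basic auth, and a
200 response to an authenticated GET means the credentials were accepted.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credentials an off-the-shelf scanner might try. The undocumented root/"m"
# pair found in the article is deliberately NOT in this list.
COMMON_DEFAULTS = [("admin", "admin"), ("admin", ""), ("root", "root")]


def _basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_host(base_url, credentials, path="/", timeout=3):
    """Return the first (user, password) pair the host accepts, or None.

    A 401/403 means "rejected, try the next pair"; any other HTTP error or a
    connection failure is treated as "could not test" and yields None.
    """
    for user, password in credentials:
        req = urllib.request.Request(base_url + path, headers=_basic_header(user, password))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                continue
            return None
        except urllib.error.URLError:
            return None
    return None


def audit_hosts(base_urls, credentials):
    """Map each camera URL to the accepted credential pair, or None."""
    return {url: check_host(url, credentials) for url in base_urls}


class _FakeCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera that honours only root/'m'."""

    ACCEPTED = _basic_header("root", "m")["Authorization"]

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            body = b"camera feed"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_camera():
    """Start the constructed camera on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeCamera)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, url = start_fake_camera()
    try:
        # An automated scan with common defaults only: nothing found.
        print("common defaults:", audit_hosts([url], COMMON_DEFAULTS))
        # A tester who has discovered the undocumented pair: camera falls.
        print("with root/m:   ", audit_hosts([url], COMMON_DEFAULTS + [("root", "m")]))
    finally:
        server.shutdown()
```

The point of the two runs is the one the article makes: the scanner is only as good as its wordlist. Finding the undocumented account in the first place took a human looking at the device, after which turning the finding into a repeatable check across all 20 cameras is routine.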
So the moral of the story is two-fold. Don't rely on technology alone to secure your perimeter; that creates a false sense of security. And regular, comprehensive assessments of your organization's security, much like a corporate financial audit, are worth doing.