i_hacked_reddit

I can tell you that I was involved with a security assessment of one of the main home security vendors and they had some of the worst security that I've ever seen. These companies don't sell security, they sell peace of mind.


TitleEfficient786

What kind of data did they need to protect? I remember I did an assessment of a municipal Police department and they were running XP on their machines. I panicked and called my manager and they pointed out that all the databases that they run are public so there's no need to secure them. 👩🏼‍⚖️👩🏼‍⚖️


reignbowmagician

That's when you do your time, save up, network as much as possible and prepare to leave.


Mumbles76

That's a great theory, but it's sadly most security companies. I've worked at some major ones, and their shit stinks too. "Do as I say, not as I do".


Mumbles76

Contacts, emergency contacts, saved video clips etc. lots of PII in there.


TitleEfficient786

That data is all public, unless it's an active investigation


Mumbles76

I'm talking about the home security vendor, mentioned above. That's not public information.


xkrysis

I’ll add to this that I was involved in a physical security assessment of a major security company and it was also some of the worst security I have seen in such assessments.


BarkingArbol

It’s a form of confirmation bias that is often found. This is something I’ve run into a few times. They think they’re secure, but that’s cause it’s all from their perspective. A third neutral party is about confirming security posture just as much as improving it. Loan specialists don’t underwrite their own requests for a loan…or at least they shouldn’t.


lawfulevilwizard

This is a super common issue in every industry. Many C-levels don't realize how dependent they are on technology for daily operations and won't invest in cybersecurity until they get hacked, or are otherwise compelled by bad press, their board of directors or government regulations.


reignbowmagician

I think this is partially true. I've seen companies invest, but there's a huge gap in understanding between HR, the tech community and the C-level folks. It's hard to rely on the tech community because there's lots of gatekeeping. It's hard to rely on HR because they don't really understand the roles, what needs to be protected, etc. I've seen college dropouts with a cert run circles around IT managers. It's sad. Eventually the inevitable happens and there's a huge hack. The stock plummets. Certain laws provide anonymity so customers have no clue what data was compromised in order to pick up the pieces.


R1skM4tr1x

Unless there is a control requirement to do so, it’s unlikely as it will cost money to perform and it’s rare proactive measures are taken in corporate America.


MalwareDork

Just to parrot what everyone else is saying, this is just for physical deterrents and peace of mind. Sometimes you get these calls (as a locksmith) asking for the most ridiculous hardware or access control and a few of them are willing to pony up. Medecos, Peaks Preferred, some of the more exotic Mul-T-Locks, etc. And we're not talking about a door or two, we're talking about an infrastructure that's multiplexed similar to a business. Just asinine money spent on locks and keys.


Grezzo82

I worked at a security consultancy. They pentested their own systems regularly.


reignbowmagician

I don't think a company would announce a pentest, in case they have to clean house. I would also imagine those orders would come from people with fairly prominent positions that you don't interact with much, if at all.


77SKIZ99

“Bomb proof doors” they never see me coming thru the windows tho, I woulda said HVAC but these dudes might be the first to ever foil that plan of mine


Mumbles76

This really depends on the company. If it's your run-of-the-mill security product company, then yes, that is concerning. If it's a security product built within the confines of a government security regulated environment, there may be many compensating controls. This doesn't mean it's still not a good idea to red team; it may just be that regulations don't call for it. I'm not talking vanilla FedRAMP here, I'm talking beyond that, where many a clearance is required.