Marketing is a masterful art. It works on each and every one of us in different ways. It could be an advertisement for a car you’ve been dreaming of, or it could be a new gadget you think you may need. It might be a motorcycle or a new RV, but whatever it is that got you to buy, clever marketing has played a role in it. You may be thinking, what does this have to do with work or my profession? How does marketing affect me and what’s this got to do with security? It affects you the same way personal ads do. While you may feel you are not being targeted, consider that software and hardware security vendors put a ton of money into marketing their wares just as hard as automotive manufacturers do, but they feed off different emotions.
Automotive manufacturers and other companies leverage feelings of joy, satisfaction, prestige, and lifestyle. Security companies play mostly on fear and technological superiority. They know that if they push the right fear button and convince you that their product or service is going to keep you more secure than their competitors’, you will likely take the bait. They know that the more times you see their ad or hear their name, the more you’ll start to believe they are the best.
In the past 24 years we’ve seen some mighty giants in the security hardware and software market brought to their knees by some hacker or group that wants to make an example out of them. During penetration testing, we also break through these brand name technologies, much to the wonder of our customers and the dismay of the vendors. Why does this happen? In our experience, it is often an oversight in the setup, management or monitoring of the hardware or software solution. The security vendors tend to oversell their solution and suggest that once it is installed, it will do the rest. The trouble is that in most cases the solution “isn’t” set up properly and is not being managed or monitored. The customer is not getting the support they paid for, and the vendor is falling asleep at the wheel. This is a real opportunity for a bad actor to leverage.
What can be done? Once the solution is in place and has been properly set up, it needs to be tested. Not by the vendor and not by the customer. It needs to be tested by a security pro who has the skill and experience to test the security solution to its limits. A good security pro will throw everything they have at it, and then some, to ensure that the solution is working as it was designed to. If they find a bypass, or a workaround, you’ll know. If they gain access without detection, you’ll know. If there is a critical misconfiguration, you’ll know. If your monitoring company is falling asleep at the wheel, you’ll know.
The benefits of penetration testing are numerous. It is one of the only true litmus tests that you can perform to ensure that the people, processes, and technologies you are paying for are working. The moral of the story is, don’t be so quick to go and buy the newest security “thingy” just because you have the budget to. Test what you have and verify that it is working as it should. Save your money on that and spend it on another area that needs it. Feel free to contact us and inquire about the benefits of a penetration test, the processes that are involved and the costs that are associated.