QA Cyber Security Technical Consultant, Graeme Batsman, looks at Intrinsic vs. Extrinsic Project and Programme Management.
Over the last few years I have worked on different accounts from massive corporations to central government departments. Sadly, I have seen all sorts of amusing situations, for those of you that think poor security as amusing. One thing in common across most organisations, when it comes to poor security isn't necessarily the employee's lack of experience but more to do with poor management or you guessed it…. Something which makes the world go around….cash.
Numerous in house or externally managed projects/programmes get little/no security oversight let alone a Pen Test. A project/programme will have an overall Manager/Director, various leads and resources. Think about it, if a programme with a budget of tens of millions has 100 full time staff for three years, can't it afford 1-2 full time security resources? Unfortunately more often than not, this isn't the case resulting in the security versus project team staffing ration to be poor.
QA Cyber Security Technical Consultant, Graeme Batsman, explains why poor physical security often leads to easier hostile reconnaissance or social engineering.
We often bang on about cyber security and its importance (rightly so!), but we should not overlook the importance of physical security. Would-be attackers will always look for weaknesses in the company or the supply chain, and that may/will include weaknesses in building security. This month I learnt this first-hand while teaching a large group of under 18s. Story below…
One of the exercises was ProRat. It is not brown or black as you may imagine – it is a Windows remote access trojan. The delegates install it and they can remotely control another Windows 10 PC. It has tonnes of functions which work assuming anti-malware is off and the TCP port is open. You simply download and run it, and the ‘attacker’ enters the local IP of the ‘defender’ and you hit connect.
