This is really about perspective. My job is security testing.  My perspective comes from having tested over 150 organizations’ security. When I get to a customer’s site I try to gauge their confidence prior to beginning. These tend to vary from super-cocky to just waiting for the hurting to be over. That’s the customer’s perspective.

Before I was a security guy, I was an IT guy. My job was to make sure everything works. You do your work, everyone’s email works, licensing is on point, so you spend idle minutes playing with whatever vendor silliness finds its way into your inbox. The you fight a fire somewhere, maybe change some printer toner. Rinse and repeat. Ultimately, IT boils down to an “Implement and Fix” cycle. What’s missing is the demolition.

As a cybersecurity consultant, I live at the edges. The forgotten zones. In that Solarwinds trial database you forgot about. In that server you swear you decommissioned two years ago. In that scanner you fought with for a week to get the documents to save to the proper network share. In that Group Policy you put in place for that OU that never quite materialized, In that switch stack you installed last week and haven’t finished provisioning.

So, back to testing.

I’m going to get a little technical here, but bear with me.

Recently, I was at a location where they had done a truly remarkable job securing the network. (You know who you are…) They had made great strides in securing the desktops as well. In theory, everything was golden. I could only use a graphical desktop session, I needed authentication, I couldn’t move laterally because internet access was blocked, Powershell was restricted by application controls… I was stuck. Then I realized that though Powershell was blocked, cmd.exe wasn’t. Application control was being done at the process layer, which means that subprocesses weren’t monitored. So I asked cmd.exe to kindly open me a Powershell session. Yay! Now I can elevate, I can move through the network like a ghost, I can exfiltrate juicy documents all day long without detection.

This scenario plays out in some form or another at every job. When I tell the client about it, the answer is,  invariably, “You shouldn’t be able to do that” or “We fixed that a month ago”.

This is why testing matters.

No matter how well you THINK you’ve done constructing your network, there is likely something, somewhere that isn’t exactly broken, but neither is it fixed.

My job is to find it and paint a big bullseye on it. In most cases we can figure out how it broke and where the failure in process lies that allowed the vulnerability to occur and go undetected.