9.4. Summary

You can plan your testing in fine detail, but the reality is that once the engagement begins in earnest, the parameters change quickly and you must be prepared to adapt accordingly. I quoted in Chapter 2 that 'the first casualty of war is the plan', but a better quote from a 19th-century Prussian general is that 'no plan survives contact with the enemy.'

The common theme throughout this chapter is simple: systems that were supposed (and believed) to be secure were not – nowhere near – and for the attacker (the testers, in this case) compromising these systems was a matter of studying how they worked, finding a weak point (either something that had been overlooked or an inherent weakness) and exploiting it. Remember that obscurity is not the same thing as security and very few things are genuinely secret. We didn't need access to classified information to take control of a critical SCADA system, only to Google and the right phone numbers. All we needed to get access to a secure laboratory was a good cover story, and to attack a classified supercomputer we went after the weak end point – a home user.

Once you learn to look at security as a whole, as a sum of its parts, you realize that nothing is truly secure – there's nothing that can't be compromised. The job of a penetration tester is not to prove that weaknesses exist but to find them, exploit them and be the catalyst for change.

Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with the O’Reilly learning platform.