A lot of us travel for both business and pleasure. A recent investigative news report on hotel security offered tips for the traveler but also underscored the value of vulnerability testing.
Producers from ABC News had security expert William Stanton attempt to gain access to their hotel rooms and ‘steal’ thousands of dollars’ worth of their personal property, and he succeeded. He used a combination of surveillance and social engineering methods to gain easy access. See link below for full report and video.
Although the security tips offered are great, the fact is that if no one had tested the security system from the point of view of an adversary, it is safe to assume that no changes would have been made to the security protocols of these two hotels. A chance to improve the security and safety of the guests would have been missed.
We all expect that quality assurance and quality control take place at the factory that manufactures the coffee maker we use in the morning. We expect that the editor of the book we are reading has reviewed and corrected the copy before it went to print. Vulnerability testing is a simple yet valuable method for ensuring good security.
Failed tests are not a condemnation but rather provide insights and opportunities to learn. The tests are not meant to be an embarrassing ‘gotcha’ moment. When security management and officers are open to the red team method, and the results are portrayed to the security team in the right way, everyone has much to gain.
What’s more, adversarial methods of operation are constantly changing. It likewise makes sense that quality assurance should be a constant and consistent part of the system.
An ‘F’ on a test is a good thing insofar as test failures help ensure mission success.
Related article: Red Teaming as a Security Assessment Tool