I want to share a quick story from a pen-test I did today because this should terrify you.
Oftentimes I find interesting vulnerabilities, so I wanted to share them with you because I think the idea of what goes on during a pentest is often nebulous to a firm's owner and CCO. I think the extent of understanding what can be exploited is also lost.
The Client: $1.6B SEC Registered RIA in Los Angeles. 15 employees. 2 custodians.
The Vulnerability: I was able to take control of the RIA owner's home surveillance system (16 different internal cameras) and gained admin access to his security system. I was able to watch his wife fold laundry in the living room. I did ALL of that without ever once having to enter a password.
How did I do it? Check out the video below.
My thoughts: Penetration testing isn't just for regulatory compliance. Oftentimes, we are able to catch these major privacy vulnerabilities before others do. These tests are about protecting your privacy and protecting your client's data.