What are the things they did that made things worse?
Worst I saw was mistaking compliance for security. Allocating resources to check boxes for compliance that didn’t improve security. Setting SLAs for responding to vulnerability scans based on criticality as defined by the tool rather than actual risk. Also focusing on inventories and holding to the flawed or misinterpreted mantra “you can’t protect what you don’t know you have.” I don’t have to know about every chair, desk and file folder in a building to minimally protect them with door locks, security cameras, guards and a sprinkler system. I can scan everything on my network without having a spreadsheet of all the assets. These activities made the organization less secure because staff didn’t have the time to fix actual critical vulnerabilities. You should prioritize focus on identifying critical data and systems, not everything at once.
What do you wish you could have told them?
Prioritize based on risk. Start with risks that, if realized, would result in significant organizational failure and inability to accomplish the mission. What data, if compromised, or systems, if unavailable, would get leadership fired, have legal consequences, and significantly damage reputation? Then think like an attacker and build a threat model. Drive security programs based on risk to the organization’s mission. Do tabletop exercises to expose deficiencies. Learn about the attackers. Show them firewall or WAF logs to show how prevalent attacks are. Make them aware that the threat is real and the threat is people just like us who report to work every day for some criminal organization or foreign government organization that wants to beat us. We’re competing with them and we’ve got to win. Use spreadsheets and checklists, but drive their implementation with strategic thinking and ruthless prioritization.
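To make the "tool criticality versus actual risk" point from the two answers above concrete, here is an added example (not the poster's code) that re-ranks scanner findings by what the affected asset means to the mission. The weights, SLA thresholds and sample findings are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Response SLA (days) keyed purely on the scanner's severity label: the approach criticized above.
TOOL_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Asset:
    name: str
    internet_facing: bool    # reachable by the people who "report to work" to attack us
    mission_critical: bool   # unavailability would stop the organization's mission
    regulated_data: bool     # compromise carries legal and reputational consequences


@dataclass
class Finding:
    asset: Asset
    scanner_severity: str    # label assigned by the scanning tool
    cvss: float              # base score reported by the tool


def risk_score(f: Finding) -> float:
    """Scale the tool's score by the asset's importance to the organization (assumed weights)."""
    score = f.cvss
    if f.asset.internet_facing:
        score *= 2.0
    if f.asset.mission_critical:
        score *= 2.0
    if f.asset.regulated_data:
        score *= 1.5
    return score


def risk_sla_days(f: Finding) -> int:
    """Assign the remediation SLA from organizational risk instead of the scanner label."""
    s = risk_score(f)
    return 7 if s >= 30 else 30 if s >= 15 else 90 if s >= 7 else 180


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order the backlog so staff spend their limited time on mission-relevant exposures first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample: a "critical" on an isolated lab box, a "medium" on the customer database,
# and a "high" on the public web tier that the business depends on.
LAB = Finding(Asset("lab-box", False, False, False), "critical", 9.8)
DB = Finding(Asset("customer-db", False, True, True), "medium", 5.3)
WEB = Finding(Asset("public-web", True, True, False), "high", 7.5)
SAMPLE_FINDINGS = [LAB, DB, WEB]
```

Under the tool's own labels the lab box would be fixed first (7-day SLA) and the customer database last (90 days); ranked by risk the order is the public web tier, then the customer database, with the lab box trailing.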