The Unethical CIO

This penetration test was a complete disaster for the client.

Our team had gained unauthorised access to hospital software and we demonstrated to the client that this software could edit the medicine that nurses would administer to patients.

We could tamper with hospital files, medical records and even delete the thousands of records that would force the hospital to re-process hundreds of patients.

The CIO was livid. Furious. Embarrassed.

None of his security investments had worked.

He challenged every finding and every line in our report:

• “This can't be exploited because the person needs to first get access to a network port in the building”
• “This vulnerability can't be exploited because first you need to be local administrator”
• “My team is telling me that this vulnerability has been fixed, there must have been something wrong with your tools”
• “Even if somebody becomes domain admin, they are never going to go and edit patient records”
• “Your team showed that it could hack us but that doesn't mean that somebody will hack us”
• “We've never seen any hackers on our network so this will probably never happen”
• “Who would want to hack a hospital?”

This is called “Dark Risk Management”.

In the end, he buried our report and we lost a client -or, better put, he lost.

I can't imagine how he would have a clear conscience in view of how he handled the situation.

If you're in charge of cyber security and you haven't made decisions that you're proud of then here's how to make up for it:

1. Resign immediately
2. Donate to charity all the money that you made from compromising on your ethics and morals
3. Dedicate the rest of your life to alleviating the suffering of all humankind

Benjamin Mossé

17/02/2020