How Penetration Testing Fosters False Reassurance

Penetration testing is a sound way to test cybersecurity, but only if it reaches every corner of the digital environment. If it does not, you might as well not test at all.

Image: Teera Konakan / Moment / Getty Images

Rob Gurzeev, CEO and co-founder of CyCognito, a company that specializes in managing and protecting attack surfaces, is concerned about past and present blind spots. In his Dark Reading article, Protect the Castle: How World History Learns from Cyber Security, Gurzeev writes: “Military combat often teaches a direct lesson and reminds us that blind spots in the attack surface have long been the Achilles’ heel of defenders.”

As an example, Gurzeev refers to the 1204 siege of Gaillard Castle, a fortress thought to be impossible to invade. After nearly a year of unsuccessful attempts, the attackers determined that the toilet and sewer system was poorly protected. On the next moonless night, medieval troops, the equivalent of today’s special operations teams, passed through the sewers, got inside, set fire to the castle’s interior, and ended the siege in short order.


“Cybersecurity attackers follow this same principle today,” Gurzeev wrote. “Companies usually have a significant number of IT assets within the external attack surface that they do not monitor or defend, and probably do not know about in the first place.”

Examples include software or equipment that was:

  • Set up without security’s knowledge or involvement, and in some cases without IT’s knowledge
  • No longer used and forgotten
  • Used for short-term testing and never retired

“Assets and applications are constantly being created or modified, and the pace of change is fast and dynamic,” Gurzeev added. “It’s a tremendous task for a security organization to keep track of all of them.”

Cybercriminals understand this trend

Knowledgeable cybercriminals who don’t want to waste time and money look for the easiest way to reach their goals. “Attackers have access to a number of tools, technologies, and even services that can help them find unknown parts of an organization’s attack surface,” Gurzeev suggests. “Like the attackers of Gaillard Castle in 13th-century France, but with the appeal of low casualties, low cost and a high chance of success, pragmatic attackers search for attack targets in the area that is accessible from outside the organization.”

As mentioned earlier, it is nearly impossible to completely protect an organization’s cyber attack surface, because the attack surface is dynamic and software and hardware change rapidly. “Traditional tools suffer from the assumptions, habits, and biases mentioned at the beginning,” explains Gurzeev. “All of these tools focus only on where they are pointed, leaving the organization with unaddressed blind spots that lead to breaches.”

Among such tools, Gurzeev cites penetration testing: “Penetration testing is a set of activities that are performed to identify and exploit security vulnerabilities. This helps to verify the effectiveness or ineffectiveness of implemented security measures.”

The concern

Gurzeev is concerned that routine penetration testing follows the path of least resistance and sticks to the known attack surface. “By evaluating and protecting only the known parts of the attack surface, it is virtually guaranteed that an attacker will find unprotected network infrastructure, applications, or data that can provide unobstructed access to valuable resources,” Gurzeev explains. “Instead, organizations need to invest more resources in discovering and addressing the unknowns in the external attack surface.”

Suspicions confirmed

A CyCognito press release announced the results of a survey conducted by Informa Tech. The survey polled 108 IT and security managers at enterprises with more than 3,000 employees across more than 16 industries.

The research report, Penetration Testing Failed Practices, states up front: “Organizations invest heavily in penetration testing for security and rely heavily on it, but widely used approaches do not accurately measure overall security posture or breach readiness, the two goals stated by security and IT professionals.”

The press release explains why: “When using penetration testing as a security practice, organizations lack visibility into assets exposed to the Internet, providing a vulnerable blind spot for exploits and breaches.”

For context, the report states that an organization with more than 3,000 employees has more than 10,000 internet-connected assets. However:

  • 58% of survey respondents say penetration testing targets 1,000 assets or fewer
  • 36% of survey respondents say penetration testing targets fewer than 100 assets

The report then lists the concerns expressed by the survey participants:

  • 79% think penetration testing is expensive
  • 78% would use penetration testing on more apps if the cost were lower
  • 71% report that penetration testing takes a week to a month
  • 60% report that penetration testing has limited coverage or too many blind spots
  • 47% report that penetration testing detects only known assets, not new or unknown ones
  • 26% wait one to two weeks to get test results

The survey report describes the frequency of penetration tests as follows:

  • 45% perform penetration testing only once or twice a year
  • 27% carry out penetration testing quarterly

What does that mean?

If only known assets are tested a few times a year, it seems logical to assume the worst. “The biggest takeaway from this report is that what an organization wants to achieve through penetration testing and what it actually gets are two very different things,” said Gurzeev. “The value of regularly testing only a portion of the attack surface is very limited. Unless you continuously discover and test the entire external attack surface, you cannot understand your organization’s overall security.”

Ultimately, according to Gurzeev, if an organization has a significant “shadow” conduit that is attractive to cybercriminals, they will find it and abuse it. “Perhaps the walls and sides of the organization are carefully protected, but there is a wide open, unsupervised passageway at your feet,” he added.
