As people, we make do with what we have, but once a better tool is within our reach we adopt it without looking back. For centuries we had no flowing water supply and managed just fine with the village water well, but nowadays it’s hard to imagine how life would be without this amenity.
Such is the case with pentesting – a set of methods for evaluating and testing the security of systems. Today, pentesting is the most effective cyber risk validation method: it simulates real attackers exploiting vulnerabilities until a data asset is reached or a service disruption is achieved.
But as effective as the concept of pentesting may be, the way it is executed can be described as medieval. It is desperately searching for someone to give it the boost it needs to catch up with the 21st century. Here are 7 reasons why this revolution is imminent:
Reason 1 – A Dire Need
A cyber attack is no longer child’s play. Research provider Cybersecurity Ventures predicts that cyber crime will cost the world six trillion dollars in damages annually by 2021, up from three trillion dollars in 2015, which represents the greatest transfer of economic wealth in history. The stakes are growing and no one can afford to be the next hacked corporation.
Reason 2 – Unbearable Cost
Pentesters are hard to come by, and the best pentesters are “stupid expensive”, billed at $2,500 per day. The bad news is that there are currently 300,000 unfilled cybersecurity jobs in the USA alone, and that number is expected to increase to 500,000 by 2021. This means there is no chance of pentesting service prices decreasing.
Reason 3 – External Exposure
Regulation requires that pentesting be performed by an independent party. As a result, these tests are often performed by an external pentesting company that walks away with a list of your vulnerabilities. Afraid of privileged employee leaks? Then you should dread leaks by pentesting employees. It’s time to take DIY pentesting to the largest extent possible.
Reason 4 – A New Day Means A New Vulnerability
With BYOD, cloud applications, mobile apps, the crumbling of the perimeter, open source software, digital supply chains and IoT, the attack surface keeps growing, making it harder to keep all vulnerabilities and cyber risk exposures in check. Testing once a year is like expecting that brushing your teeth once a year will prevent plaque and cavities. My point is that pentesting needs to be much more frequent. Some would say daily!
Reason 5 – Searching for Yesterday’s Vulnerability
The cyber crime industry is well funded and constantly working on new exploits and techniques; the bad guys are constantly evolving. What about pentesting companies? The large majority of them are small, local service firms that cannot afford to invest in the R&D of advanced tools to stay ahead of the curve. The result? Most pentesters are testing for known and classic exploits while the real hackers have moved on to more advanced and innovative techniques.
Reason 6 – Cyber Insurance Missing Data to Underwrite
More and more firms are seeking cyber crime insurance to ensure their operations and reputation can survive a serious blow. The insurance companies are working hard to size and underwrite that risk; however, the key input they need for underwriting – a standard pentesting score – is missing. Not for long.
Reason 7 – Regulators Have Had Enough
While regulators want to keep institutions solvent, they understand that cyber risk validation and control are critical to doing so. The GDPR already requires (Article 32, 1d) companies to regularly test, assess and evaluate the effectiveness of their security measures and controls. Regularly doesn’t mean annually – they are two very different terms.
The world needs automated pentesting. Startups are slowly introducing the concept and the early majority is investing resources in adopting it. Automated network pentesting is the technology that has the potential to catch on like wildfire. Make sure you’re enabling your company to benefit from it sooner rather than later. It could be the difference between getting hacked and keeping the hackers at bay.
To read more about automated pentesting download our free brochure here.