As people, we make do with what we have, but once a better tool is within our reach we adopt it without looking back. For centuries we had no flowing water supply and managed just fine with the village water well, but nowadays it’s hard to imagine how life would be without this amenity.
Such is the case with pentesting – a set of cybersecurity system evaluation and testing methods. Today, pentesting is the most effective cyber risk validation method, simulating real hackers in exploiting vulnerabilities until a data asset or service disruption is achieved.
But as effective as the concept of pentesting may be, the way it is executed can be described as medieval. It’s desperately searching for someone to give it the boost it needs to catch up with the the 21st century. Here are 7 reasons why this revolution is imminent:
Reason 1 – A Dire Need
A cyber attack is no longer child’s play. Research provider Cybersecurity Ventures predicts that cyber crime will cost the world six trillion dollars in damages annually by 2021, up from three trillion dollars in 2015, which represents the greatest transfer of economic wealth in history. The stakes are growing and no one can afford being the next hacked corporate.
Reason 2 – Unbearable Cost
Pentesters are hard to come by and the best pentesters are “stupid expensive” billed at $2,500 per day. The bad news is that there are currently 300,000 unfilled cybersecurity jobs in the USA alone, and that number is expected to increase to 500,000 by 2021. This means there is no chance of pentesting service prices decreasing.
Reason 3 – External Exposure
Regulation requires pentesting be performed by an independent party. As a result, these tests are often performed by an external pentesting company who walks away with a list of your vulnerabilities. Afraid of privileged employee leaks? Then you should dread pentesting employee leaks. It’s time to take DIY pentesting to the largest extent possible.
Reason 4 – A New Day, Means A New Vulnerability
With BYOD, cloud applications, mobile apps, the crumbling of the perimeter, open source software, digital supply chains and IoT – the attack surface keeps growing, making it harder to keep all vulnerabilities and cyber risk exposures in check. It is like saying that brushing your teeth once a year will prevent you from having dental plaque and cavities. My point is that pentesting needs to be much more frequent. Some would say daily!
Reason 5 – Searching for Yesterday’s Vulnerability
The cyber crime industry is well funded and constantly working on new exploits and techniques; the bad guys are constantly evolving. What about pentesting companies? The large majority of them are comprised of small, local service firms that cannot afford to invest in the R&D of advanced tools to stay ahead of the curve. The result? More pentesters are testing for known and classic exploits while the real hackers have moved on to more advanced and innovative techniques.
Reason 6 – Cyber Insurance Missing Data to Underwrite
More and more firms are seeking cyber crime insurance to assure their operations and reputation can survive a serious blow. The insurance companies are working hard to size and underwrite that risk, however, their source parameter of underwriting – a standard pentesting score – is missing. Not for long.
Reason 7 – Regulators Have Had Enough
While regulators want to keep institutions solvent, they understand that cyber risk validation and control are critical to doing so. The GDPR regulation already requires (Article 32, 1d) companies to regularly test, assess and evaluate their security effectiveness and controls. Regularly doesn’t mean annually – they are two very different terms.
The world needs automated pentesting. Startups are slowly introducing the concept and the early majority is vesting resources in adopting it. Automated network pentesting is the technology that has the potential of catching like wildfire. Make sure you’re enabling your company to benefit from it sooner rather than later. It could be the difference between getting hacked and keeping the hackers at bay.
Evading Detection: From Inception to Reality
In this article, we will show how it’s possible to use reflective loading to run Mimikatz while evading detection by Windows Defender. While this is a known attack method, recent improvements in windows defender blocked the method from working properly, so we needed to find a new way to handle dependencies. Read on to see...
When Being Attractive Gets Risky – How Does Your Attack Surface Look to an Attacker?
In the era of digitization and ever-changing business needs, the production environment has become a living organism. Multiple functions and teams within an organization can ultimately impact the way an attacker sees the organization’s assets, or in other words, the external attack surface. This dramatically increases the need to define an exposure management strategy. To...
Bypassing “air-gapped” networks via DNS
In order to protect an organization’s critical assets from Internet access, IT teams often create isolated or ‘air-gapped’ networks. These networks are often considered inherently untouchable. While air-gapped networks may not have direct access to the Internet, they still often require DNS services in order to resolve a company’s internal DNS records. This will prove...