Can Penetration Tests Be Done Without People On-site?
In an effort to contain the CoronaVirus and stop its expansion, countries all over the world have closed their borders. Enterprises globally are fast to follow suit by halting employee travels and prohibiting external visitors from entering their offices. However, within these restrictions and with minimal physical contact, business must go on. Fortunately, some services, such as accounting, legal or even HR, can easily be rendered remotely. But when it comes to cybersecurity, that is not always the case.
Physical access to the local network is often required and is available only from within the organization’s premise. Such is penetration testing!
Can Pentesters Be ‘Contained’?
Senior pen-testers are among the cyber security professionals who travel the most. They are highly sought individuals with a large set of hacking tools and a great many years of practice. Experienced pen-testers are invited to organizations around the world for days or weeks at a time to try their best at cracking cyber defences and networks. Large corporations often prefer the same person to work across different territories in order to reach consistency in testing and reporting among the company’s affiliates.
Security Must Go On
Since the work of security validation can never stop, Coronavirus-days limitations are forcing security professionals to come up with remote alternatives for penetration testing. One that will eliminate the need to bring people into the office and share space and keyboards. Everything that can be done remotely must comply, if it comes with reduced costs and increased efficiencies, even better.
WANTED – Remote Pen-testing Software
In an ideal world a CISO would ask for software of this sort:
- Does exactly what a pen-tester does
- Doesn’t require any agents to be installed
- Works on-premise, but may be activated remotely
- Prioritizes remediation according to truly breachable vulnerabilities
- One that any IT person can operate
It just so happens that a technology invented in 2015, is in its prime in 2020. This algorithm-based technology mimics an ethical hacker with a large set of tools and techniques and can produce a full penetration test remotely, anywhere on earth.
Yes, but does it “walk the talk”?
This approach is, more often than not, faced with skepticism, which turns into wonder, then buy-in, excitement and eventually, evangelism. The reason for these transitions lies within one’s ability to watch the pentest at work as it occurs, as if it was a James Bond movie screening. Truth be told, when it comes to networks, automated testing wins over manual testing, similar to the way your phone will, most times, beat you at chess. The power of the machine in terms of searching for credential data, automating relay techniques and running 24 hour long tests without tiring, is inconceivable.
A single test run proof-of-value is free for this technology for enterprises. So a test-drive is the recommended thing to do.
The version of an MSSQL database is a valuable piece of information for cyber attackers. With the version details in hand, they can attempt to find and exploit any of the version’s known vulnerabilities. As part of our research at Pentera Labs, we attempted to obtain the version of the widely-used MSSQL (Microsoft SQL Server)...
Digitalization initiatives are connecting once-isolated Operational Technology (OT) environments with their Information Technology (IT) counterparts. This digital transformation of the factory floor has accelerated the connection of machinery to digital systems and data. Computer systems for managing and monitoring digital systems and data have been added to the hardware and software used for managing and...
Despite major investments in their security suites, organizations continue to be breached. Our Co-founder and CTO, Arik Liberzon, recently sat down with CyberNews to discuss the value of the adversarial perspective and where his inspiration from Pentera came from. Starting out, I arrived at the idea for Pentera and Automated Security Validation in a pretty...