CEOs cite cybersecurity as the biggest threat to the world economy and, as a result, the global spend on cybersecurity is expected to surpass $1 trillion by 2021. An enterprise cyber attack can turn into a catastrophe in a matter of hours, potentially damaging any business at any point in time. As the past few years have shown, even the greatest have already fallen.
When you think about it, it’s no different from a domestic burglary – a criminal picks the lock on the door and enters the house, avoiding the alarms while searching for the safe. They crack it open, get the jewels and make it out without being caught. In our context, the intruder is a cyber burglar.
When it comes to malicious hackers, the biggest difference is the number of conduits, hallways, vents, shafts, and doors one can use. If you take into account the settings of anti-virus, firewalls, application firewalls, Windows group policies, etc., it amounts to thousands of parameters. Multiply this complexity in cloud and heterogeneous environments and it becomes clear that the chances of neglecting a vulnerable security control are very high.
Did We Leave the Door Open?
There is a new rule of equality – everyone is being hacked. If a door is left open, it will be entered. Public websites and applications are exploited as they are released. That’s simply how the internet works in 2020.
The same goes for internal controls. One must assume that at least one point of the organization has been compromised. An attacker will make an attempt on every misconfigured control to progress laterally towards the critical data or services and it only takes one to succeed.
Validation is Calling
The IT network is a living organ constantly undergoing changes – adding and removing users, changing segmentation, new systems, cloud migration – it’s endless. Show me a patch-perfect, iron-clad network today and in two months, I can assure you, its controls will have decayed in efficacy.
Some people refer to it as instrumentation, others as control validation, but the simplest term is security hygiene. And if it’s hygiene we’re after, misconfiguration is the dirt, and it’s often the result of human error.
Our networks are in need of continuous, on-demand testing to ensure controls are kept in tune at all times. As I mentioned earlier, it takes only one misconfiguration for an attacker to progress the attack.
The “Cyber Toothbrush” Rush
An ideal solution should take the form of a ‘crawler’ roaming the network, checking that all controls are enforced and changes have not created weaknesses. For example, Windows Circular Nested Active Directory (AD) Groups, where privileges are misconfigured to enable a regular user to achieve higher privileges than intended, is a hacker’s slam dunk. Are you confident there are none in your network? Only a continuous solution will allow you to answer that question.
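The circular-nesting check a crawler like the one described above would run, as an added example (not Pentera’s code): group membership is a constructed sample in the shape of an LDAP `member` export, the cycle finder walks the group graph, and `effective_members` flattens the nesting to show who actually ends up holding a group’s rights.

```python
"""Detect circular nesting in Active Directory group membership.

Added example (not Pentera's code). MEMBERSHIP is a constructed sample
in the shape of an LDAP export of each group's `member` attribute:
group -> list of direct members (groups or users). A real run would
replace it with data pulled from the directory.
"""
from typing import Dict, List, Set

# Constructed sample: Domain Admins contains Helpdesk-L2, which contains
# Helpdesk-L1, which (by mistake) contains Domain Admins again.
MEMBERSHIP: Dict[str, List[str]] = {
    "Domain Admins": ["Helpdesk-L2", "alice"],
    "Helpdesk-L2": ["Helpdesk-L1", "bob"],
    "Helpdesk-L1": ["Domain Admins", "carol"],
    "Backup Operators": ["dave"],
}


def find_cycles(membership: Dict[str, List[str]]) -> List[List[str]]:
    """Return every circular chain of group nesting as a path that starts
    and ends at the same group. Names that are not groups are users
    (leaves) and can never be part of a cycle."""
    cycles: List[List[str]] = []
    state: Dict[str, int] = {}  # 1 = on the current DFS path, 2 = finished

    def visit(group: str, path: List[str]) -> None:
        state[group] = 1
        path.append(group)
        for member in membership.get(group, []):
            if member not in membership:      # a user, not a group
                continue
            if state.get(member) == 1:        # back edge: cycle closed here
                cycles.append(path[path.index(member):] + [member])
            elif member not in state:
                visit(member, path)
        path.pop()
        state[group] = 2

    for g in membership:
        if g not in state:
            visit(g, [])
    return cycles


def effective_members(membership: Dict[str, List[str]], group: str) -> Set[str]:
    """Flatten nesting to the users who ultimately hold the group's rights;
    with a cycle, every user anywhere in the loop is included."""
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in membership.get(g, []):
            if m in membership:
                stack.append(m)
            else:
                users.add(m)
    return users
```

In the sample, the loop means the Helpdesk-L1 members bob and carol are effectively Domain Admins, which is exactly the privilege mismatch the check is meant to surface.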
A solution to this problem is long overdue, and many technologies are on the rise to address it. When reviewing them, it’s important to use a few qualifying questions to ensure their operational burden doesn’t cast a shadow over their benefits.
3 Key Requirements for an Ideal Solution
- Fully Automated: Many security validation solutions provide a ‘playbook’ approach to risk validation, repeatedly testing for one known attack vector. Despite various claims of ease of use, these require design, maintenance and constant updates. The ideal tool should have a one-click-to-validate approach.
- Agentless: Part of the pain in information security is managing software agents, each sold with the promise of being so ultra-lightweight that you won’t mind it. All agent-based systems require installation, documentation and upgrades, and are a weakness in their own right. The ideal tool should work without agent deployment.
- MITRE ATT&CK™: It is key that any cybersecurity validation system is aligned with the evolving matrix of adversary techniques, so you can be sure you are covered and validated against them. It’s essential to validate and cover the known, existing threats out there, understand what you have been validated against, and evolve with the industry over time.
The Toothbrush Test
The most cost-efficient solution these days is validating your security controls. Whether you have a budget item for this or need to ‘borrow’ from other validation budget items, it’s the most efficient way to make sure you’re at the top of your game with quick and contextualized remediation measures. The ultimate question to ask yourself is, “can I run this solution every day?” The answer should be yes, and the practice should follow suit.