Why undergo a cyber security penetration test? Most organizations simply do them to meet compliance standards or to test the methodologies used by the IT security team. However, did you know that about a quarter of all companies perform poorly executed penetration tests – and in some cases do nothing more than validate known vulnerabilities?
A recent RSA security conference survey revealed a frightening statistic: 26% of companies are lagging in proper cyber security practices. Some companies even intentionally ignore their own security flaws. The reasons range from not having enough time to address the threat, to not knowing how, to not wanting to spend the money to hire someone who does.
Only 46% Address Cyber Security Vulnerabilities Right Away
Of the companies that do address vulnerabilities, many do so only half-heartedly. During the conference, 155 security professionals representing many companies revealed that only 47% of organizations fix or address their vulnerabilities as soon as they are known.
Even more amazing is that some companies wait – sometimes for significant amounts of time – before they do anything about it, whether by applying patches or “do-overs”, allowing time for hackers to infiltrate their IT infrastructure and attack it.
But if you think that’s jaw-dropping, chew on this: 16% wait a month to apply patches, and 8% said they apply patches only once or twice a year.
There Is No Time, They Say
I once heard a preacher say that people often don’t have time to visit a relative, but always have time to come to the funeral. Almost 26% of respondents said their company ignored a critical security flaw because they didn’t have time to fix it. But if their systems go down – or worse yet, are compromised or hacked – they’ll have even less time, because so much of it will be spent on restoration.
Another 16% ignore critical security flaws because they don’t have the skills to patch them.
The conclusion of this study? Hoping for the best is obviously not the best way to run an organization.
If You Can Hack Yourself, You’re in Trouble
71% of the IT professionals surveyed admitted that they would be able to hack their own company, and only 9% said this was highly “unlikely.” The fact that 71% felt they could shows how weak and vulnerable many companies are – which means we are in dire straits.
But There Is A Difference Between Saying and Doing
During this survey, IT security analysts were asked how they would hack their own company if they so wished:
- More than 30% said they’d use social engineering, such as a phishing email or program
- 23% said they would consider attacking an insecure web application to get in
- 21% said that obtaining usernames and passwords for cloud services would be the way they would get in
- And another 21% said they’d target an employee’s smartphone, tablet or laptop
Now if the employees know how to hack their organization, how easy do you think it is for a professional hacker to do the same thing?
Does testing really matter? Why bother with something as routine as testing?
The truth is that effective penetration testing offers an advantage over automated scanners. It allows you to see what a human attacker can easily determine and helps you discover misconfiguration vulnerabilities, something automated scans often can’t detect. And one of the biggest vulnerabilities found is excessive or misused user permissions, which can easily give hackers unauthorized access.
Human attackers often compromise a system by chaining a variety of vulnerabilities together. Penetration tests can simulate a variety of attack paths and thereby allow you to fix the underlying weaknesses.
All in All
It is important that you know all the vulnerabilities available to hackers through your organization’s network. And sometimes the only way to really see these vulnerabilities is through penetration testing. It shows you which vulnerabilities are easy to exploit and which aren’t.
Yes, it’s important to know what vulnerabilities exist in your organization’s network. But which ones do you spend your finite resources correcting? Which vulnerabilities are easily exploitable, and which aren’t? Which put critical assets at risk? Which have to be fixed first? Without this context, you might spend time and money in the wrong place, leaving your organization exposed elsewhere.
A clearly described attack path, derived from a well-performed penetration test, can provide this context. For example, your organization might have an old Windows 2003 server running a mission-critical application. Because the server’s operating system is no longer supported by Microsoft, it will never receive patches – even for major, exploitable vulnerabilities. However, if the penetration test discovers that the server is in a properly segmented, hard-to-access network, then the vulnerability is likely of a lower severity. You should still address it, but only after more critical vulnerabilities have been mitigated. This kind of context enables better decisions about the use of finite resources to improve the organization’s overall cybersecurity posture.
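To make the prioritization argument above concrete, here is an added example (not code from the original post or from LP3) that scores scanner findings by the context a penetration test supplies: whether a tester confirmed a working attack path, how reachable the host is, and how critical the asset is. The weights, field names and sample findings, including the segmented Windows 2003 server and an excessive-permissions finding of the kind mentioned earlier, are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    title: str
    base_severity: float     # scanner's own 0-10 severity (CVSS-like, constructed)
    exploitable: bool        # did the pentest demonstrate a real attack path?
    exposure: str            # "internet", "internal" or "segmented"
    asset_criticality: str   # "low", "medium" or "high"

# Assumed weights: a finding buried in a well-segmented network is worth
# roughly a third of the same finding on an internet-facing host.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "segmented": 0.35}
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 0.8, "high": 1.0}

def contextual_score(f: Finding) -> float:
    """Adjust the scanner severity by reachability, asset value and whether
    a human tester actually reached the host. Capped at 10."""
    score = (f.base_severity
             * EXPOSURE_WEIGHT[f.exposure]
             * CRITICALITY_WEIGHT[f.asset_criticality])
    if f.exploitable:
        score *= 1.25   # a demonstrated attack path raises urgency
    return round(min(score, 10.0), 2)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings in the order they should be remediated."""
    return sorted(findings, key=contextual_score, reverse=True)

# Constructed sample findings from a hypothetical engagement.
SAMPLE_FINDINGS = [
    Finding("legacy-app-01", "Unsupported Windows Server 2003, no patches available",
            9.0, False, "segmented", "high"),
    Finding("www-01", "Unauthenticated file upload in public web application",
            8.0, True, "internet", "high"),
    Finding("fileshare-02", "Excessive share permissions: all domain users can write to finance share",
            6.0, True, "internal", "high"),
    Finding("printer-07", "Default SNMP community string",
            4.0, True, "internal", "low"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{contextual_score(f):5.2f}  {f.host:14} {f.title}")
```

The high scanner score on the legacy server drops below the two confirmed, reachable findings, which is exactly the reordering the attack-path context is meant to produce.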
Get Engaged, Get Value
Consumers of penetration testing can ensure a more valuable engagement for their organization by understanding what a penetration testing team does and by taking an active role from the beginning. Being highly engaged with the testing helps it generate and capture the appropriate context, which will allow the organization to make more informed decisions about where to allocate limited resources to improve its cybersecurity stance.
If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.
Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.