In the current cyber threat landscape, reactive approaches to cyber defense simply aren’t sufficient. While many vulnerabilities are discovered and ethically disclosed by white hat hackers (allowing patches to be developed and installed before details of the vulnerability are publicly released), many more go undetected or undisclosed.
Between this and the current state of organizational patch cycles (with weeks or months between patch release and application), most organizations are likely vulnerable to attack. Avoiding a starring role on the news as the latest breach victim requires a proactive approach to security.
Penetration testing, also known as ethical hacking, involves having cybersecurity experts test the defenses of your network just like a potential attacker would, but with a much different intent. By using similar tools and techniques as hackers, penetration testers maximize the probability that vulnerabilities will be detected in testing rather than by an attacker in the real world. By taking advantage of penetration testing, you can find (and fix) your vulnerabilities before hackers do.
Outsourced consultants often run a vulnerability scan against the user’s systems and provide this as a pen test, so it’s important to know that these are two different tools.
A vulnerability scanner is a computer program designed to assess computers systems such as networks or applications for known weaknesses. The end result of a vulnerability scan is a list of the patches for known vulnerabilities that you’ve failed to apply. While this is a good first step in closing your cybersecurity gaps, it alone is by no means a thorough or complete examination.
The main argument in favor of tool-based vulnerability scanning is the price. For a small company with little budget, using vulnerability scanning on its own and closing the identified gaps is better than doing nothing. However, as a best practice (and to be in compliance with some security frameworks and regulations) companies should go to the extra effort and expense to have a penetration test conducted by a human-run against their systems.
Here are three reasons why you need a human-run penetration test:
As an example, let’s explore the now infamous Equifax data breach. The company is responsible for managing the financial data of millions of Americans, and a breach of Equifax systems was responsible for exposing the data of 148 million Equifax customers.
The Equifax data breach was caused by a number of different factors. A vulnerability in Apache Struts, a widely-used open source web server enabled a cybercriminal to install a web shell on Equifax’s computers. Using the access that this web shell provided, the attacker was able to expand their reach to internal systems, eventually providing them with access to the sensitive financial data entrusted to Equifax’s care.
While a chain of events made the entire Equifax hack possible, the crux of the issue came down to the fact that the Apache Struts vulnerability was unpatched on their systems. The Equifax hack occurred three months after a patch was available for that vulnerability, and the Department of Homeland Security even issued a warning that it was being actively exploited and should be patched as soon as possible. So why didn’t Equifax apply the patch?
According to Graeme Payne, the former CIO of Equifax and the one blamed for the breach, his security team thought that they had applied the patch. The team had scanned the affected servers for vulnerabilities, and the scan came up clean, implying that the vulnerability had been successfully closed. Obviously, the vulnerability was not actually patched, and the false-negative detection was likely caused by a misconfigured scanner.
The Equifax hack is the perfect example of the benefit of a human-run penetration test over a tool-based one. When Equifax’s team ran their vulnerability scan, the tool found no vulnerabilities in their attack surface. However, a human attacker looked deeper and found a string of vulnerabilities that enabled them to perform an “entirely preventable” attack that cost Equifax nearly two billion dollars.
In the modern world, cyberattacks are a significant threat to your organization, and doing everything that you can to prevent them is a wise business decision.