A recent survey has revealed some of the techniques used by hackers, both black hat and white hat. The survey, dubbed the ‘Black Report,’ aimed to get a fresh perspective on cybersecurity and attacks. Instead of collecting responses from IT professionals and business owners, it surveyed hackers from both sides of the fence – from the legitimate penetration testers, who aim to highlight the flaws in organizations’ cybersecurity systems so that they can be improved, to the criminals who look to exploit those flaws for their own gain.
The report revealed how hackers compromise systems, the time it takes them to break in and, crucially, the methods that keep them at bay.
How they hack in
- 71% of respondents claimed they could breach a target in less than 10 hours.
- Once inside the perimeter, 78% said that critical data could be identified within a further 10 hours.
- For 72% of respondents, it would then take five hours or less for them to exfiltrate the data.
- In total, 54% of hackers surveyed said the entire breach would take 15 hours or less.
- Those surveyed used familiar methods to carry out their attacks:
- Phishing and network attacks were among the most common, and 88% said they used social engineering to gain information about their target.
- It’s not surprising that these methods are the most frequently used – they were identified as the most common attack types in Verizon’s Data Breach Investigations Report 2018.
- The majority of respondents revealed their methods have to change regularly.
- 59% of hackers surveyed said that their attack methods become out of date or easy to detect within six months.
- 29% said that they were constantly upgrading to new tools or techniques that improved the efficiency and effectiveness of their attacks with each engagement.
- As a result, just 3% said they encountered environments that they could not break into.
- 79% said that target organizations’ security posture rarely left them impressed.
One of the reasons hackers might be unimpressed by an organization’s security posture is that organizations lean on expensive tools, when they may get security under control by investing equally in people and procedures. They may have invested in some cybersecurity systems and software to help protect them, but the impact is not going to come from technology alone.
Keeping them out
The survey asked hackers what message they’d send to CEOs about security. The top responses were…
- that cybersecurity “is a journey, not a destination.”
- organizations will “never be secure.”
- security requires “a strong combination of people and technology.”
- goal-oriented pentesting was “very impactful” or “absolutely critical,” as 79% of respondents attested.
We absolutely agree. The right people and processes, including effective penetration testing, are essential parts of an effective cybersecurity posture. In our work, there has never been a situation where we have found no vulnerabilities for any organization whose systems we have tested, so you need to be empowered to find and fix those with a system that’s going to help facilitate that. Still, it’s not about buying the latest, most expensive system for threat prevention as that won’t stop every vulnerability from reaching you.
The same is true from a pentesting perspective: many pentests fail to provide the deep dive that’s needed. Some companies which offer pentest services will provide nothing more than a branded vulnerability scan, done with tools that could be used by any company. These automated scans typically do not include the mix of skills and experience, proactivity and proficiency of a qualified professional penetration tester with a technology background. In other words, they lack the knowledge and approaches that an experienced, skilled hacker would bring to bear when probing a network’s defenses.
Truly effective penetration testing services will provide a detailed overview of all the techniques used and will include the human element – showing how vulnerable your staff are to commonly used methods such as social engineering and phishing. Beyond this, penetration tests should be performed periodically, with a detailed report handed to the organization with recommendations for them to implement themselves. As mentioned earlier, security is a journey, not a destination. Every time a new person joins a company or changes are made to the IT infrastructure, a new vulnerability could emerge.
This is why we offer ‘Pentest-as-a-Service©’ – where organizations get ongoing support from our professionals, who help to interpret and action the results of the Penetration Test. This helps our customers put the results of the test into practice, gaining a long-term view that will help them to put controls in place to prevent attacks, and crucially – to put procedures in place to deal with any threats if they do manage to get through.
For more details about our innovative Pentest-as-a-Service© approach, click here.
Cybersecurity Attacks that will Actually Lead to a Compromise
On January 15th, 4 PM UK time, our Cybersecurity Practice Director, Luke Potter, hosted a free webinar giving an informative talk on up-and-coming security threats that have been realized this past year within the SureCloud client base. He gives an insightful view on how the bad guys are finding new and creative ways to hack into organizations and individuals, along with advice on how best to prevent the new threat vectors.
The webinar is available on-demand via BrightTALK here.