A recent survey has revealed some of the techniques used by hackers, both black hat and white hat. The survey, dubbed the ‘Black Report’, aimed to get a fresh perspective on cybersecurity and attacks. Instead of collecting responses from IT professionals and business owners, those surveyed were hackers from both sides of the fence: from the legitimate side, penetration testers who aim to highlight the flaws in organizations’ cybersecurity systems so that they can be improved, to the criminals who look to exploit those flaws for their own gain.
The report revealed how hackers compromise systems, the time it takes them to break in and, crucially, the methods that keep them at bay.
One of the reasons an organization’s security posture may leave hackers unimpressed is that, rather than relying on expensive tools, it keeps security under control by investing equally in people and procedures. The organization may have invested in some cybersecurity systems and software to help protect it, but the impact is not going to come from technology alone.
The survey asked hackers what message they’d send to CEOs about security. The top responses were…
We absolutely agree. The right people and processes, including effective penetration testing, are essential parts of an effective cybersecurity posture. In our work, we have never tested an organization’s systems without finding vulnerabilities, so you need to be empowered to find and fix them, with a system that helps you do so. That said, it is not about buying the latest, most expensive threat-prevention system, as that will not stop every vulnerability from reaching you.
The same is true from a pentesting perspective: many pentests fail to provide the deep dive that is needed. Some companies that offer pentest services provide nothing more than a branded vulnerability scan, done with tools that any company could use. These automated scans typically lack the mix of skills and experience, proactivity and proficiency that a qualified professional penetration tester with a technology background brings. In other words, they lack the knowledge and approaches that an experienced, skilled hacker would bring to bear when probing a network’s defenses.
Truly effective penetration testing services will provide a detailed overview of all the techniques used and will include the human element, showing how vulnerable your staff are to commonly used methods such as social engineering and phishing. Beyond this, penetration tests should be performed periodically, with a detailed report handed to the organization containing recommendations it can implement itself. As mentioned earlier, security is a journey, not a destination. Every time a new person joins a company or changes are made to the IT infrastructure, a new vulnerability could emerge.
This is why we offer ‘Pentest-as-a-Service©’, where organizations get ongoing support from our professionals, who help to interpret and act on the results of the penetration test. This helps our customers put the results of the test into practice, gaining a long-term view that will help them put controls in place to prevent attacks and, crucially, to put procedures in place to deal with any threats that do manage to get through.
For more details about our innovative Pentest-as-a-Service© approach, click here.
On January 15th, 4 PM UK time, our Cybersecurity Practice Director, Luke Potter, hosted a free webinar on the emerging security threats seen across the SureCloud client base over the past year. He gives an insightful view of how attackers are finding new and creative ways to break into organizations and individuals alike, along with advice on how best to defend against these new threat vectors.
The webinar is available on-demand via BrightTALK here.