As people, we make do with what we have, but once a better tool is within our reach we adopt it without looking back. For centuries we had no running water and managed just fine with the village well, but nowadays it’s hard to imagine life without it.
Such is the case with pentesting: a set of methods for evaluating and testing the security of a system. Today, pentesting is the most effective cyber risk validation method. It simulates real attackers exploiting vulnerabilities until a data asset is reached or a service is disrupted.
But as effective as the concept of pentesting may be, the way it is executed can be described as medieval. It is desperately in need of someone to give it the boost required to catch up with the 21st century. Here are 7 reasons why this revolution is imminent:
Reason 1 – A Dire Need
A cyber attack is no longer child’s play. Research provider Cybersecurity Ventures predicts that cyber crime will cost the world six trillion dollars in damages annually by 2021, up from three trillion dollars in 2015, which it describes as the greatest transfer of economic wealth in history. The stakes are growing and no one can afford to be the next hacked corporation.
Reason 2 – Unbearable Cost
Pentesters are hard to come by, and the best ones are “stupid expensive”, billed at $2,500 per day. The bad news is that there are currently 300,000 unfilled cybersecurity jobs in the USA alone, and that number is expected to grow to 500,000 by 2021. This means there is no chance of pentesting service prices decreasing.
Reason 3 – External Exposure
Regulation often requires that pentesting be performed by an independent party. As a result, these tests are usually performed by an external pentesting company, which walks away with a list of your vulnerabilities. Afraid of leaks by privileged employees? Then you should dread leaks by pentesting employees. It’s time to take DIY pentesting as far as possible.
Reason 4 – A New Day Means A New Vulnerability
With BYOD, cloud applications, mobile apps, the crumbling of the perimeter, open source software, digital supply chains and IoT, the attack surface keeps growing, making it harder to keep all vulnerabilities and cyber risk exposures in check. Testing once a year is like brushing your teeth once a year and expecting no plaque or cavities. My point is that pentesting needs to be much more frequent. Some would say daily!
Reason 5 – Searching for Yesterday’s Vulnerability
The cyber crime industry is well funded and constantly working on new exploits and techniques; the bad guys are constantly evolving. What about pentesting companies? The large majority of them are small, local service firms that cannot afford to invest in the R&D of advanced tools needed to stay ahead of the curve. The result? Most pentesters are testing for known and classic exploits while the real attackers have moved on to more advanced and innovative techniques.
Reason 6 – Cyber Insurance Missing Data to Underwrite
More and more firms are seeking cyber crime insurance to ensure their operations and reputation can survive a serious blow. The insurance companies are working hard to size and underwrite that risk; however, the key input they need for underwriting, a standard pentesting score, is missing. Not for long.
Reason 7 – Regulators Have Had Enough
While regulators want to keep institutions solvent, they understand that cyber risk validation and control are critical to doing so. The GDPR already requires (Article 32(1)(d)) companies to regularly test, assess and evaluate the effectiveness of their security measures. Regularly doesn’t mean annually; they are two very different terms.
The world needs automated pentesting. Startups are slowly introducing the concept and the early majority is investing resources in adopting it. Automated network pentesting is a technology that has the potential to spread like wildfire. Make sure you’re enabling your company to benefit from it sooner rather than later. It could be the difference between getting hacked and keeping the hackers at bay.