Penetration testing often uncovers the same vulnerabilities over and over again while leaving other avenues of compromise wide open, a ‘red-team’ hacker has warned. His firm, he reports, is still seeing “great success” using malware techniques and social engineering to compromise “complacent” firms that appear to be following security best practices on paper.
“Most organisations think of security too narrowly,” Sense of Security chief technology officer Jason Edelstein told CSO Australia. “They think about security as the perimeter and the applications. But we have built models, studied major breaches, examined how malware works, and all the different attack avenues out there that bad actors use – and we have tried to replicate those with great success to get access to physical information and assets.”
Those techniques circumvent many of the protections that might be uncovered with conventional penetration testing, which has steadily grown in prominence as a measure of proactive security. Yet while pen-testing offers a valuable opportunity to put some technological controls to the test, many security experts are concerned that it has created an artificial testing environment – and a false sense of security for compliance-minded boards.
“It’s not only about an organisation’s maturity, but about their appetite and risk culture,” chief operating officer Murray Goldschmidt said. “Companies are more inclined to invest in things for an audit reason – for example, that their corporate policy says they must have penetration testing done every year – but they may go with testing that is more predictable and repeatable, because it’s something they can give back to their audit committee.”
Predictability may suit boards but it’s the opposite of the approach that increasingly resourceful, creative, and profit-minded hackers take – and many companies make their jobs even easier by failing to take real action in the wake of a penetration test.
The recent Nuix Black Report, which surveyed white-hat and black-hat hackers about their perception of the security market, found that 75 percent of organisations only conduct limited remediation after a penetration test – and usually only focus on critical and high-priority vulnerabilities. Fully 64 percent said their biggest frustration was that organisations don’t fix things that they know are broken.
Such figures have played out in real time for Sense of Security ‘red-team’ experts, who find it easy to compromise data even when pen-testing suggests a company’s security is in order.
Despite years of efforts to convince employees to share less about themselves and their work online, social media remains a fertile source for attackers shaping extremely effective social-engineering exploits.
“People tend to overshare these days, and you can easily build a whole model about who the key staff are, what takeovers are happening, who are the key press that they deal with, and what security technologies we’re dealing with on the other end and what we need to bypass,” Edelstein explained. “These things allow us to build very plausible social engineering scenarios, and we’re normally successful using these against targets.”
Fully 84 percent of Nuix Black Report respondents said they used social engineering as part of their attack strategies, and 76 percent spend 1 to 10 hours per week researching security news and technology. If organisations aren’t also learning, they will struggle to keep up.
New figures from Gemalto suggest that the imbalance of effort is continuing to take its toll: the company’s latest Breach Level Index Report found that 2 billion data records were lost, stolen or compromised in the first half of 2017 – up 164 percent over the second half of 2016. This included 3.5 million records in Australia alone – but these voluntarily reported figures are expected to increase dramatically once mandatory breach reporting kicks in next February.
That reporting framework, together with new security responsibilities under the European Union’s subsequent General Data Protection Regulation (GDPR) and a tightening of financial-industry PCI DSS requirements, is likely to cause grief for businesses that feel simply conducting pen-testing is enough of an investment to meet compliance requirements.
“Those standards have built-in expectations that organisations have ongoing, business-as-usual security activities,” Edelstein said, noting that while pen-testing may meet the standards’ requirement that companies take ‘reasonable’ measures to protect data, that doesn’t make them adequate in real terms.
“It comes down to whether CSOs are actually doing remediation on an ongoing basis, or just sweeping all the skeletons into the closet and hoping the audit doesn’t find them. Unfortunately, sometimes you need a global data breach to kickstart awareness.”
Yet despite the legislation, he warned, “many organisations still won’t do anything about it until there is evidence the government is following through with penalties. If it’s determined that there is no real incentive to incur costs to be compliant, or to align with the requirements of the legislation, many companies still won’t do it.”