CIO

Security gaps going undetected, untested because IT staff can’t think like cybercriminals

Too-confident Australian companies testing security infrequently, inadequately, or not at all

Recent findings that Australian businesses are failing to test their IT security adequately – or even at all, in some cases – highlight a major business risk that is being exacerbated by the inability of many IT practitioners to think like outside intruders, a security expert has warned.

The Trustwave Australian Security Testing Practices and Priorities survey, conducted amongst 200 Australian businesses, found that just 40 percent of respondents considered their organisations to be highly proactive in addressing security testing – and that 14 percent aren’t testing network, database, application or mobile security at all.

This came as “a little shocking” to Michael Gianarakis, Asia-Pacific director of the Trustwave SpiderLabs security team, who leads regular penetration-testing engagements for customers and has noted persistent shortcomings in the testing of critical operational systems.

That exposure was exacerbated by security testing that was failing to keep up with changes in internal systems, with most of the surveyed companies less than diligent about doing regular testing. Some 14 percent said they conducted daily security tests and 23 percent said they ran testing weekly, but fully 27 percent said they ran security tests between once a month and once a year.

A further 8 percent said they only tested security on an as-needed basis – reflecting often-patchy security policies that were reinforced by the finding that one in three organisations fails to test security even after major infrastructure changes.

“If you’re not doing security testing, you are missing out on really understanding your full exposure to the security threats you are facing,” Gianarakis told CSO Australia.

The survey analysis also noted marked differences in testing practices based on the type of infrastructure: while 64 percent of respondents said they had tested their network in the past six months, just 30 percent said they had tested their mobile applications.

Testing mobile applications, which differs from network testing in demanding “a holistic view” that includes evaluating how data is encrypted on the device and in transit and how the app’s network communications are configured, was “a distinct form of testing” that required skills and procedures new to many companies.

Growing mobile adoption had driven “a definite increase” in mobile application testing, but many companies’ testing investments were being limited by factors such as the ability to give security testing adequate visibility within the organisation.

Fully 25 percent of respondents said their primary stakeholders “are not fully committed” to doing regular security testing. Other inhibitors included not having enough staff (30 percent), budget (29 percent), or time (28 percent).

These findings corroborate a recent Gartner warning that many organisations are falsely linking IT security spending with a sense that their practices are mature.

Many executives were benchmarking their spend against their industry peers, research director Rob McMillan warned in a statement, “but could be spending on the wrong things and be extremely vulnerable.”

“General comparisons to generic industry averages don’t tell you much about your state of security,” he said. “You may be spending appropriately, but have a different risk appetite from your peers.”

Different companies will also have very different approaches to testing, and capabilities to execute that testing. Availability of suitable security-testing skills, for example, was a major issue – particularly since some 35 percent of respondents said they were only using in-house staff members to conduct security testing.

While many organisations did have talented IT security staff internally, Gianarakis warned, many of those staff approached the network from an insider’s perspective and struggled to build the outside-in mental model that real attackers would use when targeting the organisation.

“It is a niche skill set,” he said, “and the challenge around finding skills is real. But one of the things I look for when I hire – and where a lot of people fall down in terms of the skill set – is doing a penetration test to simulate what an attacker would do.”

“A lot of people who work in general IT think very much within the parameters of the system and the way it’s supposed to operate,” he continued, “but attackers think outside of the intended uses of the system. A lot of internal teams struggle because they don’t really have the mental image of how to attack the system – and that’s a key constraint” on the efficacy of internal testing.

These and other limitations have driven many Australian organisations to bring in outside assistance for regular security testing: 14 percent of respondents relied exclusively on third parties, and 48 percent used a combination of in-house staff and third parties.

Yet doing so didn’t excuse businesses from the need for better security: “there is this view among some that you can outsource your risk,” he said. “Unfortunately, you can’t: security risk is business risk, and you can’t outsource that. Security is not somebody else’s problem; it’s your problem.”

The implications of a poor testing regime are significant. Businesses with poor testing habits cannot be confident that they have closed potential avenues into their systems, and worse, they may have no way of knowing that outside attackers have already found those vulnerabilities and exploited them.

This was a particular risk for Asia-Pacific organisations, which recent studies suggest are being regularly compromised. According to FireEye’s recent M-Trends 2016 Asia Pacific Edition, attackers spend roughly three times longer lurking undetected on the networks of compromised Asia-Pacific organisations than in the rest of the world; the report also suggested that most APAC security breaches never become public and that their victims are simply overwhelmed when trying to respond to attacks.