CIO

IoT makers, in-house devs inching towards better security as IBM hacker team makes pen-testing less testing

Companies want to be better at penetration testing but existing processes are letting them down

Increasingly accessible penetration testing services are helping businesses build iterative security testing into product development lifecycles, and Internet of Things (IoT) manufacturers are among the most enthusiastic adopters, the head of IBM’s penetration testing operation has reported as the nascent unit nears the end of its first year in operation.

Despite the widely acknowledged value of formal penetration testing, many businesses have historically run it infrequently or skipped it altogether because of budget, time, or resource constraints.

This has often left gaping security holes that are easily exploited by hackers: 88 percent of hackers and professional penetration testers interviewed in Nuix’s recent Black Report said that they could generally compromise a target within 12 hours, and 69 percent said they were almost never caught by security teams at the target organisation.

Even when they are compromised, many organisations are failing to fix the faults that penetration testing teams find: 75 percent of Black Report interviewees said the organisations only conducted “limited remediation”, generally of critical and high-priority vulnerabilities, even after a penetration test identified numerous other vulnerabilities.

There are many potential reasons for this seeming lack of urgency – budget being a common one for many organisations – but Charles Henderson, global head of IBM’s X-Force Red pen-testing team, told CSO Australia that many companies are reporting that the formal penetration-testing process is simply too complex and burdensome to follow.

“The rapid pace of business means that companies can’t sit around and wait to procure a security tester, and line up meetings to schedule or scope a test,” he explained. “Very often, the process takes over the test to the detriment of the overall client experience – and this ends up turning off a lot of the very people that security testing is trying to reach.”

This observation has driven the X-Force Red team to focus on modularising its penetration-testing services, making them available through an online portal that allows customers to engage the team’s services with more immediacy.

Businesses “need to be able to act quickly and decisively in their security testing,” Henderson said, “but by the time most firms are able to engage a security tester, the need for security testing has become obsolete. As an industry, we need to meet them on their terms and not our terms.”

That approach has seen the IBM X-Force Red team engaging with a growing number of organisations that value the ability to rapidly access and initiate penetration testing on short notice, then pivot on its results to address security issues as they’re found.

The team’s four-pillar approach – covering network, application, hardware and device security – has even won support from IoT device manufacturers, who are beginning to invest in better security testing to counter the sector’s reputation for poor and unpatchable security. That reputation has been so bad that the consumer watchdog, the US Federal Trade Commission, is running a $US25,000 ($A33,250) competition for a tool that can facilitate automatic IoT device patching.

“Where we were with application testing 10 years ago, we are now with IoT testing,” Henderson said. IoT vendors “are saying that they want to integrate with the security world but that they can’t slow down their release cycles, so they want on-demand testing that they can leverage throughout the release cycle.”

Delivering truly on-demand testing has required streamlining the process of planning and executing the testing – something that Henderson believes the Red team has gotten down to a science through a combination of deep-dive hardware testing and other penetration-testing regimes.

“We’ve found that we can shorten the lead time for a test from months to hours, just by expediting the process that leads up to testing,” he said. “I’ve never had a client say ‘I enjoyed the monumental scoping exercise you put me through, or the 10 phone calls that we had leading up to the test’. [Conventional preparations] turn off a lot of the very people that security testing is trying to reach – which is why we want to make the process enjoyable rather than being an arduous burden.”

Organising and executing testing around the portal has made testing into “a very collaborative, enlightening process” in which individual testers can report the vulnerabilities they find as they put security defences through the process. The result is a more iterative, collaborative process that Henderson says has helped the Red team rapidly gain traction since it was announced in mid 2016.

Easier access to testing will help the many companies that want to become more proactive around security testing – something that Henderson said is particularly common within Australian businesses. “Australia, in general, is very much on the path to success,” he explained.

“Many clients want to pivot from doing just 1 or 2 tests per year to having a security program where they write custom code or deploy new infrastructure – and then test it. I see clients more and more moving to be aggressive and take security on, rather than becoming a security victim.”