In the current cyber threat landscape, reactive approaches to cyber defense simply aren’t sufficient. While many vulnerabilities are discovered and ethically disclosed by white hat hackers (allowing patches to be developed and installed before details of the vulnerability are publicly released), many more go undetected or undisclosed.
Between this and the current state of organizational patch cycles (with weeks or months between patch release and application), most organizations are likely vulnerable to attack. Avoiding a starring role on the news as the latest breach victim requires a proactive approach to security.
Penetration testing, also known as ethical hacking, involves having cybersecurity experts test the defenses of your network just like a potential attacker would, but with a much different intent. By using similar tools and techniques as hackers, penetration testers maximize the probability that vulnerabilities will be detected in testing rather than by an attacker in the real world. By taking advantage of penetration testing, you can find (and fix) your vulnerabilities before hackers do.
Why Human-Run Penetration Tests Are Better
Outsourced consultants often run a vulnerability scan against the user’s systems and provide this as a pen test, so it’s important to know that these are two different tools.
A vulnerability scanner is a computer program designed to assess computer systems such as networks or applications for known weaknesses. The end result of a vulnerability scan is a list of the patches for known vulnerabilities that you’ve failed to apply. While this is a good first step in closing your cybersecurity gaps, it alone is by no means a thorough or complete examination.
The main argument in favor of tool-based vulnerability scanning is the price. For a small company with little budget, using vulnerability scanning on its own and closing the identified gaps is better than doing nothing. However, as a best practice (and to be in compliance with some security frameworks and regulations), companies should go to the extra effort and expense of having a human-run penetration test conducted against their systems.
Here are three reasons why you need a human-run penetration test:
- With a human-run penetration test, you receive a much more comprehensive look at the security of your organization’s network. Vulnerability scans are excellent at finding top-level vulnerabilities in your systems, but they provide no information about vulnerabilities hidden inside your network (which could be exploited by an attacker with stolen credentials) or how multiple lesser vulnerabilities could be combined to produce a more critical vulnerability. The hands-on approach of human-run pen testing means that expert analysts will explore the ways that vulnerabilities can be pieced together to exploit your systems.
- Another advantage of human-run penetration tests is the available flexibility. Before performing a penetration test, the tester and the user talk through the project and set up rules of engagement. A vulnerability scanner typically focuses only on web application vulnerabilities, while a pen tester can take any approach and test any combination of resources that you want.
- Human-run penetration tests give you access to the knowledge and expertise of the penetration tester. While vulnerability scanners represent a lot of custom knowledge, it’s mainly embedded in the code and imperfectly conveyed through the report. With a human pen tester, you can ask specific questions about your environment or discovered vulnerabilities and get answers and advice on how best to correct them.
Equifax: A Real-World Testing Example
As an example, let’s explore the now infamous Equifax data breach. The company is responsible for managing the financial data of millions of Americans, and a breach of Equifax systems was responsible for exposing the data of 148 million Equifax customers.
The Equifax data breach was caused by a number of different factors. A vulnerability in Apache Struts, a widely-used open source web server, enabled a cybercriminal to install a web shell on Equifax’s computers. Using the access that this web shell provided, the attacker was able to expand their reach to internal systems, eventually gaining access to the sensitive financial data entrusted to Equifax’s care.
While a chain of events made the entire Equifax hack possible, the crux of the issue came down to the fact that the Apache Struts vulnerability was unpatched on their systems. The Equifax hack occurred three months after a patch was available for that vulnerability, and the Department of Homeland Security even issued a warning that it was being actively exploited and should be patched as soon as possible. So why didn’t Equifax apply the patch?
According to Graeme Payne, the former CIO of Equifax and the one blamed for the breach, his security team thought that they had applied the patch. The team had scanned the affected servers for vulnerabilities, and the scan came up clean, implying that the vulnerability had been successfully closed. Obviously, the vulnerability was not actually patched, and the false negative detection was likely caused by a misconfigured scanner.
The Equifax hack is the perfect example of the benefit of a human-run penetration test over a tool-based one. When Equifax’s team ran their vulnerability scan, the tool found no vulnerabilities in their attack surface. However, a human attacker looked deeper and found a string of vulnerabilities that enabled them to perform an “entirely preventable” attack that cost Equifax nearly two billion dollars.
Testing Your Systems
In the modern world, cyberattacks are a significant threat to your organization, and doing everything that you can to prevent them is a wise business decision.