How penetration testing can promote a false sense of security

Penetration testing in and of itself is a good way to test cybersecurity, but only if every nook and cranny of the digital environment is tested; if not, there is no need to test.

cybersecurity.jpg

Image: Teera Konakan/Moment/Getty Images

Rob Gurzeev, CEO and co-founder of CyCognito, a company specializing in attack-surface management and protection, is concerned about blind spots—past and present. In his DarkReading article Defending the Castle: How World History Can Teach Cybersecurity a Lesson, Gurzeev mentioned, “Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles’ heel for defenders for a long time.” 

More about cybersecurity

As an example, Gurzeev refers to the 1204 siege of Château Gaillard—the castle was thought to be impenetrable. After nearly a year of failed attempts, the attackers somehow determined the latrines and sewer system were poorly defended. Plans were made, and on the next moonless night, the medieval equivalent of a special-ops team made their way through the sewers, gained entry, set fires to the inner workings of the castle, and, in short order, the siege was over.

SEE: Identity theft protection policy (TechRepublic Premium)

“Cybersecurity attackers follow this same principle today,” wrote Gurzeev. “Companies typically have a sizable number of IT assets within their external attack surface they neither monitor nor defend and probably do not know about in the first place.”

Some examples are programs or equipment:

  • Set up without the knowledge or involvement of security, sometimes even without the knowledge of IT
  • No longer used and forgotten about
  • Used for short-term testing that are not decommissioned

“Assets and applications are constantly created or changed, and the pace of change is fast and dynamic,” added Gurzeev. “It is a monumental task for any security organization to stay apprised of all of them.”

Cybercriminals understand this tendency

Savvy cybercriminals, not wanting to waste time nor money, look for the simplest way to achieve their goal. “Attackers have access to numerous tools, techniques, and even services that can help find the unknown portion of an organization’s attack surface,” suggested Gurzeev. “Similar to the 13th century French attackers of Château Gaillard, but with the appeal of lower casualties and lower cost with a greater likelihood of success, pragmatic attackers seek out an organization’s externally accessible attack surface.”

As mentioned earlier, completely protecting an organization’s cyberattack surface is nearly impossible—partly due to attack surfaces being dynamic and partly due to how fast software and hardware change. “Conventional tools are plagued by something I mentioned at the start: assumptions, habits, and biases,” explained Gurzeev. “These tools all focus only where they are pointed, leaving organizations with unaddressed blind spots that lead to breaches.”

By tools, Gurzeev is referring to penetration testing: “Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented.”

There are concerns

Gurzeev is concerned that periodic penetration testing takes the path of least resistance, sticking to known attack surfaces. “Assessing and protecting only the known portions of the attack surface virtually guarantees that attackers will find unguarded network infrastructure, applications, or data that can provide unimpeded access to valuable resources,” explained Gurzeev. “Instead, organizations need to devote more resources to discovering and addressing the unknowns in their external attack surface.”

Suspicions verified

This CyCognito (Gurzeev’s company) press release announces results from a survey conducted by Informa Tech that involved 108 IT and security managers from enterprise organizations with 3,000 or more employees across more than 16 industry verticals. 

The survey report, “The Failed Practice of Penetration Testing” mentions right away: “While organizations invest significantly and rely heavily on penetration testing for security, the widely-used approach doesn’t accurately measure their overall security posture or breach readiness—the top two stated goals among security and IT professionals.”

As to why, the press release explained, “Research shows that when using penetration testing as a security practice, organizations lack visibility over their Internet-exposed assets, resulting in blind spots that are vulnerable to exploits and compromise.”

To get the proper context, the report mentions that organizations with 3,000 employees or more have upwards of 10,000 internet-connected assets. However:

  • 58% of survey respondents said penetration tests cover 1,000 or fewer assets
  • 36% of survey respondents said penetration tests cover 100 or fewer assets

The report then lists the concerns expressed by survey participants:

  • 79% believe that penetration tests are costly
  • 78% would utilize penetration tests on more apps if costs were lower
  • 71% report it takes anywhere from one week to one month to conduct a penetration test 
  • 60% report that penetration testing gives them limited coverage or leaves too many blind spots
  • 47% report penetration testing detects only known assets and not new or unknown ones
  • 26% wait between one to two weeks to get test results

As to how often penetration tests are conducted, the survey report states:

  • 45% conduct penetration tests only once or twice per year
  • 27% conduct penetration tests once per quarter

What does it all mean?

It seems logical to assume the worst if only known assets are tested a few times a year. “The biggest takeaway from this report is that what organizations want or are hoping to achieve through pen testing versus what they are accomplishing are two very different things,” said Gurzeev. “There is very limited value in testing only a portion of your attack surface periodically. Unless you are continuously discovering and testing your entire external attack surface, you don’t have an overall understanding of how secure your organization is.”

The bottom line, according to Gurzeev, is if an organization has a significant “shadow” conduit that would be attractive to cybercriminals, they will find and exploit it. He added, “Perhaps the walls and flanks of your organization are carefully protected while a largely open, unmonitored passage exists right under your feet.”

Also see