REDLEGG BLOG

Pen Testing: The Hidden Costs and Risks

5/13/19 8:00 AM  |  by RedLegg Blog

Get Your Pen Test Cost Sheet

Not all pen tests are performed equally. Discover the risks and hidden costs in order to better protect your business.

 

Crowdsourced Pen Testing: Automated & Cheap, but Not Ideal

Penetration testing done automatically with a scanner that generates data and converts test results into a document is called crowdsourced pen testing. Crowdsourced pen tests will provide elegant reporting of vulnerabilities found on your systems for the bucks you pay. Tons of them are available, and they are cheap, or “economically viable.” But do they provide you with real-deal penetration testing?

Crowdsourced testing is an option: it relies on the cloud platform and multiple testers, rather than hired consultants or professionals, and is typically meant to test new products for defects. Vulnerability crowd-test reporting will send you a report of hundreds of vulnerabilities found on your network at low-, medium-, and high-risk levels. As an example, when a security breach occurs, the statement you may hear from the testing vendor is, “We told you guys. It was in the 900‑page report we submitted to you.” Now your regulator is considering a $2 million fine against your enterprise. And that won’t cover the price of repairing your business reputation.

Certificates & Reporting

Do you want a certificate that cost you $500 for your regulator to check off a box and relieve your team of further data protection obligations? Then, be ready to pay $2 million to $6 million for the first 1,000 stolen data records. Remember:

  • A real-deal penetration test costs far less than $2 million, but certainly more than the $500 crowdsourced scanning report.
  • With an automated vulnerability scan report, you might pay the most attention to the high-risk items, sometimes consider the medium-risk issues, and often ignore or defer the low-risk findings. Given typical time and resource limitations and the pressure to deliver, the report may never get your full attention.
  • Every vulnerability can open a door to another vulnerability behind another security layer.

For example, if your SMTP server is accessible from the internet, returning the error message “This domain is not allowed” can let the attacker know that there is a whitelist of domains behind this SMTP server. From that point, the attacker will focus their efforts on gathering more information about the whitelist and use it to bypass all the front-end spam filters. This security hole can be obvious enough to them.

Undiscovered Vulnerabilities

Before the world financial crisis hit in September 2008, reports were filling the news about mortgage defaults, and the balloon of accumulated mortgage defaults was growing fast. The real-deal problem became obvious only after the crisis hit: everyone was looking toward unstoppable growth, but no one was seeing the problem.

This mentality translates to the information security space: real vulnerabilities are in front of you, you just need special glasses to discover them, but you often don’t discover them. Why not? Because you are busy, and that busyness is not a blessing. It’s important to remember that automated vulnerability reports are just the beginning. Experienced threat actors are more clearly focused: they will experiment with every single open door and window to find a way into your system, layer by layer.

Bad Passwords

Sometimes, chasing vulnerabilities isn’t necessary to cause damage. Using a temporary user ID of “training” with the password “Pa$$w0rd” to provide unlimited system access for production system training is a common mistake. An experienced hacker detects it easily and can use it to hack your entire system without even looking for vulnerabilities. Immature pen tests or inexperienced testers will often not find issues like these; only experienced professionals take the time to dig deep to open the locked doors. The password is strong in theory (eight characters, lowercase and caps, numeric and symbol), but it is a common password which will probably not be detected by the automated scans of a crowdsourced test.
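The gap described above, a password that satisfies a complexity policy yet is a well-known one, can be checked when a password is set. The following is an added example, not code from the original post; the deny-list, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed deny-list sample; a real check would load a large list of
# known common or breached passwords.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty"}

# Character substitutions undone before the deny-list lookup (assumed table).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "5": "s", "7": "t", "!": "i"})


def meets_complexity(pw, min_len=8):
    """Classic policy: minimum length plus lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def candidate_forms(pw):
    """Base words the password may be built on: lowercased, with and without
    a trailing run of digits/symbols, substitutions reversed."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    return {low.translate(LEET), stripped.translate(LEET)}


def review_password(username, pw):
    """Return the reasons a password should be rejected (empty list = accept)."""
    findings = []
    if not meets_complexity(pw):
        findings.append("fails complexity policy")
    forms = candidate_forms(pw)
    if forms & COMMON_PASSWORDS:
        findings.append("matches common password after normalization")
    if username.lower() in forms:
        findings.append("derived from username")
    return findings


if __name__ == "__main__":
    for user, pw in [("training", "Pa$$w0rd"), ("training", "Tr@ining1"),
                     ("alice", "Welcome2019!")]:
        print(user, pw, meets_complexity(pw), review_password(user, pw))
```

The password from the example above passes `meets_complexity` and is still rejected, because it normalizes to an entry on the deny-list.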

Log Scans

What about log reports on your servers’ services and applications? Are they accessible for scanning tools to read? Even if they are, are those tools capable of reading and distinguishing blacklisted domains accessed from your network through running services, but not by users? Check your DNS server cache for the answer.

For example, on Windows servers, events are logged regularly, but no one is reading or scanning those logs. If you export an entire log of a specific service and filter it by component, you might encounter a hardware component failure in the server that has been malfunctioning for a couple of months, causing degraded functionality and a serious security gap. Of course, this situation is heaven for threat actors, and such vulnerabilities are not the highest priority for most scanning tools.
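One way to do the filtering described above is to group an exported event log by component and report the components whose warnings and errors keep recurring over weeks or months. This is an added example, not code from the original post; the CSV column names, the ISO timestamp format and the sample rows are constructed assumptions about the export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an exported event log (column layout assumed).
SAMPLE_EXPORT = """TimeCreated,LevelDisplayName,ProviderName,Id,Message
2019-02-03T02:14:09,Warning,disk,51,An error was detected on device during a paging operation.
2019-02-20T11:40:52,Error,disk,7,The device has a bad block.
2019-03-18T23:05:31,Error,disk,7,The device has a bad block.
2019-04-22T04:48:17,Error,disk,7,The device has a bad block.
2019-04-22T09:00:00,Error,Service Control Manager,7034,A service terminated unexpectedly.
2019-04-23T08:12:44,Information,Service Control Manager,7036,A service entered the running state.
"""


def chronic_sources(export_text, min_span_days=30, min_events=3):
    """Return components whose Warning/Error events recur over a long period."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["LevelDisplayName"] in ("Warning", "Error", "Critical"):
            seen[row["ProviderName"]].append(
                datetime.fromisoformat(row["TimeCreated"]))
    report = []
    for source, times in seen.items():
        span = (max(times) - min(times)).days
        # A single failure is noise; repeated failures across weeks are not.
        if len(times) >= min_events and span >= min_span_days:
            report.append({"source": source, "events": len(times),
                           "first": min(times).date().isoformat(),
                           "last": max(times).date().isoformat(),
                           "span_days": span})
    # Longest-running problems first.
    return sorted(report, key=lambda r: r["span_days"], reverse=True)


if __name__ == "__main__":
    for entry in chronic_sources(SAMPLE_EXPORT):
        print(entry)
```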

Uncovering the Risks

The genuinely experienced penetration tester is not the one who simply finds the highest number of vulnerabilities, but the one who knows how to exploit your network to uncover the real high-risk vulnerabilities and can fully explain each risk. Finding vulnerabilities, opening additional doors, and fixing them all will cost you much less than adding secure layer upon layer in an attempt to cover or hide networks or components susceptible to attacks.

When it comes to quality and security priorities, a penetration test is not a place to skimp: spend the money upfront with the right people, rather than having a breach and paying for it with company reputation and, ultimately, profits.
