Pen testing report: IT budgets should focus on entire security stack



A penetration test is a simulated security attack — essentially a war-gaming exercise an enterprise conducts against its own systems to check for exploitable vulnerabilities. Pen tests probe web application firewalls, application programming interfaces, servers and any other potentially leaky point of entry.

Security firm Pentera’s second annual report on pen testing deployment in the U.S. and Europe found that 92% of organizations are lifting their overall IT security budgets. Eighty-six percent are increasing their budgets for pen testing, specifically.

SEE: DLL sideloading and CVE attacks show diversity of threat landscape (TechRepublic)

However, pen testing and IT security budgets are growing at a more significant rate in Europe than in the U.S., with 42% of respondents in Europe reporting a more than 10% increase in their pen testing budgets, compared with 17% of respondents in the U.S. By some estimates, the pen testing market will grow 24.3% through 2026, led by the major players in the sector: IBM, Rapid7, FireEye, Veracode and Broadcom.

Pentera, which automates security validation for companies, surveyed 300 security executives who hold vice president or C-level positions. The respondents were recruited through a global B2B research panel and invited via email to complete the survey, with all responses collected during December 2022.


Cloud and infrastructure services the top focus for pen testing

Pentera’s study found that, on average, companies have 44 security solutions in place, indicating a defense-in-depth strategy, where multiple security solutions are layered to best protect critical assets. In spite of large investments in these so-called “defense-in-depth” strategies, 88% of the organizations Pentera polled have suffered recent cyberattacks.

The survey offered a breakdown of the most-tested infrastructure layers:

  • Cloud infrastructure and services (44%).
  • External-facing assets (41%).
  • Core network (40%).
  • Applications (36%).
  • Active Directory and password assessment (21%).

The survey respondents’ primary motivations for pen testing are:

  • Security control and validation (41%).
  • Assessing potential damage of an attack (41%).
  • Cyber insurance (36%).
  • Regulatory compliance (22%).

“We conclude that CISOs must put a greater emphasis on validation of the entire security stack to ensure that they can effectively reduce their exposure,” said Aviv Cohen, chief marketing officer at Pentera.

Most CISOs share pen tests with IT ASAP

According to Pentera, 47% of chief information security officers polled said they immediately share results with their IT security team. While at first that might seem like a low number, given the potential implications for operational integrity, Chen Tene, vice president of customer operations at Pentera, said it’s a vast improvement over yesteryear when pen testing was an act of dotting the compliance “i’s.”

“People used to get compliance-based results and stick it in a box for certification,” Tene said. “When you look at it now, it has improved a lot — partly because more people are focused on cyber insurance, which is something they understand.”

One such company, Coalition, a cybersecurity and insurance company, does not require red-teaming exercises in underwriting, according to Tommy Johnson, security engineer at the firm.

“While it can show an organization has a mature security program and is thinking about security holistically, we don’t view it as a deal-breaker. To us, it’s a positive signal. We incentivize it,” Johnson said.

Other people and groups to whom CISOs immediately delivered results of pen testing included:

  • The board of directors (43% of CISOs went here first).
  • C-suite colleagues (38%).
  • Customers (30%).
  • Regulators (20%).
  • Archives (9%).
  • Nowhere (3%).

Barriers and resistance to white hat hacking

Could pen testing disrupt operations? CISOs worry about that. In fact, 45% of those who already conduct pen testing, whether manual or automated, said the risk to business applications or network availability prevents them from increasing the frequency of tests; 56% of respondents who do not conduct pen testing at all expressed that sentiment, too. The availability — or lack thereof — of pen testers was the second largest reason for not conducting tests.

Tene conceded that the disruption concern is legitimate.

“Lots of organizations suffer disruptions from pen testing,” Tene said. “When a pen tester goes into an organization and conducts intrusive tests, there is always the potential to create different levels of denial of service, for example, but when there is a person sitting in front of an administrator, you have a margin of error.”

Tene said automated pen testing, Pentera’s core business, offers benefits of speed and efficiency, making it easier to keep up a regular cadence of testing for everything from password hacking and lateral movement in a network to different kinds of exploitation and cross exploitation.

He asserted that, although “when you have a person, it’s great,” hiring teams of white hat hackers to pen test infrastructure on a regular basis is not within the budgetary scope of a lot of companies. In the study, 33% of respondents in the U.S. cited this as a reason they don’t do more frequent manual pen testing assessments.

“One person can do two or three actions at the same time, but a machine can do 10 or 15 actions at a given moment,” Tene said.

Pen testing vs. red teaming: Similarities and differences?

It may be tempting to conflate pen testing with red teaming, but while there is some overlap, there are key differences, according to Johnson.

“Generally, penetration testing is conducted to scan in-scope network assets for technical misconfigurations or vulnerabilities and confirm them via actual exploitation,” Johnson said. “Red teaming is more targeted.

“It usually involves a team that exploits technical and physical weaknesses to achieve an objective that would cause damage to an organization if a threat actor were to do the same.”

An example: Management may direct the red team to attempt to break into a data center and insert a malicious USB into a specific company server. This exercise can involve social engineering, badge cloning, technical exploitation and other tactics that are typically beyond the scope of a standard pen test.

SEE: Vulnerability scanning vs penetration testing: What’s the difference? (TechRepublic)

“Red teaming and pen testing have some overlap, but to me, the key differentiator is the objective: A pen test usually is designed to enumerate and exploit technical weaknesses, whereas a red team exercise exploits physical and technical weaknesses to achieve some predefined objective. However, both are designed to highlight security flaws that likely need to be remediated immediately.”

What will drive pen testing in 2023?

Gartner predicted in October 2022 that spending on information security and risk management products and services would grow 11.3% to reach more than $188.3 billion this year.

Pentera said 67% of CISOs reported having in-house red teams, but that 96% of security executives reported that by the end of 2023 they will already have, or plan to have, an in-house red team for this critical task.

Tene said the near future will bring much improved security for cloud infrastructure.

“Companies are relying on the cloud, but security levels are unknown, and there are few security professionals who know how to examine it,” said Tene.

Tene also predicted there will be continued issues around credential exposure in threat surfaces characterized by remote access to the workspace, whether through VPNs, mailboxes, phones or home networks.

“This is the starting point for almost every attack,” Tene said. “However, the conceptual understanding of security around credentials will get much better, I think, and there will be much improved awareness around control of identity in day-to-day operations.”

Read next: Best penetration testing tools: A buyer’s guide (TechRepublic)
