Penetration Testing in 2022: Key Trends and Challenges
Just when you thought that we couldn’t be any more integrated with (and dependent on) technology, the Covid pandemic swooped in to prove otherwise. The rise in the use of applications and devices to perform even basic functions pushed companies and end-users to keep pace. Of course, one group of people always seem to be ready: cybercriminals.
Cyber attacks are steeply increasing, and attackers are cunning, always finding new ways to get what they want. Cybersecurity professionals continue implementing new tools and strategies to protect their organizations from attacks, while criminals are innovative in their approaches.
Penetration testing is one of the best ways to ensure organizations – and their data – are safe from intruders. Companies can patch holes and secure their networks by taking a proactive approach.
Core Security, by HelpSystems, has recently published its annual Penetration Testing Report, based on a survey of cybersecurity professionals. Each year, Core Security tracks trends, year-over-year changes, challenges, and improvements to look at the cybersecurity landscape comprehensively. This article will cover some of the findings from the 2022 report.
Why Pen Testing?
Explored in the report are several key issues relevant to pen testing, including:
- Security threats such as phishing, ransomware, and general misconfigurations
- Compliance concerns
- Disparate environments
- Testing team challenges and efforts
- Toolsets used for pen testing
- Integration with security assessment tools
- and more…
Why do cybersecurity professionals use penetration testing to keep their data, networks, and users safe? The top three motives reported by organizations are:
- Compliance (75% of respondents, up 5% from 2021)
- Measuring security posture (75% of respondents, up 2% from 2021)
- Vulnerability management programs (57%, down 17% from 2021)
While a double-digit decrease in pen testing for vulnerability management support is notable, researchers observe that many organizations are overwhelmed by the dramatically increasing threats and turn to ad hoc approaches to remain secure.
Commonly Reported Security Concerns
Organization representatives named a few significant challenges when asked about their top security concerns.
Coming out on top was phishing (80%), followed by ransomware (68%), and misconfigurations (57%). These concerns are in direct correlation with cyber attackers’ activity.
It’s worth noting that the concern over threats such as phishing and password quality (55%) demonstrates the vulnerability end-users pose to organizations. With social engineering penetration testing, companies can reduce the risk of phishing attacks by flagging vulnerable employees. These tests also help organizations communicate risks and solutions to their employees, emphasizing the potential for nefarious activities related to user or company data.
Ransomware: An Urgent Concern
A paramount concern in 2022 is ransomware, which has dramatically increased. In the Core Security 2021 Malware Report, ransomware attacks were primarily initiated using phishing emails. According to research for the Malware Report, the average ransom from these attacks was $220,298, a number not considered pocket change for most organizations. The average cost for data recovery and malware removal due to a ransomware attack is $1.85 million globally.
The Impact of Remote Work
The last two years have dramatically impacted work dynamics, with companies worldwide announcing a permanent move to remote or hybrid models. While many employees rejoice at this newfound flexibility, security professionals see new challenges and a shift in priorities.
Security is an inherent difficulty with remote workers, as IT departments cannot verify how users manage their home networks, potentially opening them up to outside threats. Cybersecurity professionals can identify and account for vulnerabilities by running more network security tests.
The Penetration Testing Report surveyors asked respondents about the effect of remote work on their pen testing strategies and priorities. Perhaps unsurprisingly, the most significant shift was in the emphasis on tests of web applications (a rise from 26% to 35% of respondents). Network security tests proved another top priority (38%, down from 45% in 2021). Responses also showed that organizations had broadened the scope of their penetration tests.
When asked whether they use tools in their penetration testing processes, respondents were unanimous: all use at least one tool or software package to perform their tests.
Pen testing tools cover a broad range of tasks, including SQL injection, port scanning, password cracking, and more. As such, security professionals tend to leverage various tools to ensure their needs are covered.
Most respondents (78%, up from 65% in 2021) use a combination of free and commercial pen testing tools. That’s a significant lead over free open-source tools alone (11%, down from 24%), showing that organizations have devoted a budget to the software necessary to keep their data and networks safe.
When asked how they evaluate penetration testing tools, 94% said that features and functionality are paramount. What is the most important feature? More than three-quarters of respondents are looking for comprehensive reporting.
A comprehensive threat library came in second place, with 67% of respondents naming it an essential feature. As attackers work around the clock to devise new ways of circumventing cybersecurity measures, tested and verified threat libraries that are regularly updated are crucial to ensuring pen testing efforts are efficient and effective.
Pen Testing is Integral
The yearly survey and the subsequent Penetration Testing Report aim to give visibility into the scope of penetration testing in different environments and into the priorities stated by cybersecurity professionals. The 2022 report has demonstrated that pen testing remains a crucial aspect of organizations’ security strategy.
Thankfully, businesses have increased their security budget, recognizing and responding to the increase in threats. Leveraging the right tools along with regular and thorough pen testing is the best way to ensure a reduction in security risks for organizations and their end-users.
About the Author: Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie Shank is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.