By Kim Crawley
If your organization is pentesting like it’s 2004, you’re missing most of the ways attackers are attempting to exploit your network in 2022.
Stale, outdated pentesting practices are putting enterprises, in all industries and of all sizes, at considerable risk. In today’s rapidly evolving cyber threat landscape, malicious hackers are breaching companies and cyber criminals are infecting them with ransomware at an unprecedented rate that even the most seasoned security teams haven’t experienced.
In the words of Roman Medina, CISO at Jefferson Bank in Texas, “I do think we may miss critical issues or vulnerabilities if we stick to the same annual pentest year after year. The way we pentest has to evolve. I am looking at starting a continuous pentest service next year.”
Let’s examine the issues with traditional pentesting.
It’s slow and static
Traditional pentesting methodologies and procedures were designed for the computer networks of 15 to 20 years ago. That’s when organizations typically hosted networks on premise. Those networks changed gradually. IT teams updated operating systems and applications infrequently and added new data assets only every so often. For a deeper dive on traditional pentesting flaws check out our white paper: Traditional Pentesting: a Turtle Chasing a Cheetah
Today, cloud providers have made it much easier for enterprises to leverage fully scalable and flexible networks. Containerization and virtualization make it possible for data assets to be added or subtracted on a dime. According to research from Palo Alto Networks, organizations can, and did add as many as 693 cloud services in a day.
Unfortunately, the new paradigm of enterprise computing means the old ways to pentest won’t cut it anymore.
Pentesting annually or according to compliance requirements is too slow and too infrequent to get an accurate understanding of your organization’s vulnerabilities day to day. In 2017, the number of CVEs (common vulnerabilities and exposures) spiked significantly. Since then, each year has been a record year for the number of CVEs discovered and reported. The pace is unrelenting.
Once a traditional pentest is conducted, which can be disruptive in its own way, a physical report is delivered with results. This report doesn’t plug in to the existing ticketing tools your team might have, and it doesn’t give you clear steps for remediation. The pentest results become the elephant in the room. When is your overworked, overburdened security team going to be able to take action on pentest results?
Let’s say your team does begin to tackle the issues presented by the pentest. They’re making headway through the results, but some issues need to be retested. Patches or other fixes issued need to be verified that they were an effective remediation measure.
Leaders in charge of approving pentests likely won’t be keen on the idea of having the two guys, two laptops, two weeks repeated again. Without verification that the issues were resolved, was the original pentest of much use?
Security teams should be searching for a pentesting solution that a) provides immediate value with actionable results and b) is easy to implement so retesting and remediation verification are easy to do.
Scanners used in traditional pentests surface noisy results, distracting from critical vulnerabilities.
Network and application vulnerability scanners can spit out massive amounts of vulnerability data but without much triaging or prioritization. Much like a doctor walking into a hospital and being told every single patient is a top priority, a vulnerability manager or other security practitioner needs additional context to know which vulnerabilities to tackle first. No amount of medical schooling, or security chops, can help you decide which issues to prioritize without going back to review every case. It’s not feasible.
In short, traditional pentesting has hardly grown with the needs of the industry. It’s time to start looking for new, innovative solutions to testing your digital environment for vulnerabilities. To learn more about the burgeoning list of issues with traditional pentesting, download our white paper.