1000 bad guys per day… every day
Lately, not a day goes by without news about breaches and their estimated damage, new vulnerabilities, innovative social engineering techniques, enormous ransomware earnings, and so on. Ensuring a strong security posture is becoming a big challenge, so it is not surprising that many CISOs ask themselves how to proceed: how do we really manage security risks effectively?
What influences cybersecurity risks and how to manage them effectively?
The main concern of information protection is that information is always available to those who should have access to it, and in exactly the form it needs to be in. Organizations have information resources in the form of data, which are mostly stored on computer systems. These systems contain or will contain vulnerabilities, and these vulnerabilities can be exploited by a hacker, which is simply called a threat. And because, of course, we want the probability of the threat to be kept to a minimum, we will do everything we can to prevent this.
There are three major ways to reduce the risks:
- We protect assets with security controls – from a relatively small set of basic controls more than a decade ago, such as classic firewalls and antiviruses, we have come to more than 100 different security solutions in today’s enterprise.
- We use vulnerability management systems – in this way we know practically every day which systems do not have security patches installed and which patches should be installed faster than others.
- We monitor threats through Threat Intelligence tools – the purpose of this is to find out early enough whether industry-specific attacks are happening somewhere that can happen to us as well.
However, because the information system is a “living organism”, all of the following is constantly changing:
- Systems are changing: new systems are added, parts of networks are upgraded, cloud services are connected, and new services are introduced.
- Vulnerabilities are changing. Just looking at the Common Vulnerabilities and Exposures (CVE®) list makes us think.
- Threats are changing, whether it’s a new hacker group or a new campaign with never-before-seen attack techniques.
One of the best ways to check where we actually are is the good old penetration test, or even a Red Teaming exercise (I wrote about the differences between the two in a blog post: What’s Red Teaming? Is it a pentest?).
Despite their popularity, such tests still have some drawbacks:
- The duration of the test until the final report is at least two weeks, and it can also be much longer.
- The lack of experts for such a service means a relatively high price.
- The result usually depends on the experience and talent of the pentester, sometimes even on their daily form or well-being.
Because of this, penetration tests are usually performed once a year, and their results are fully valid only on the day of completion, with a “shelf life” that lasts until the first change.
So what would be the solution? In an ideal world, a pentest would be faster, cheaper, and more comprehensive, and thus independent of an individual’s expertise. Joking a bit, I could say that we would therefore need 1000 perfect pentesters in one box, always available, preferably at the push of a button. Dream or reality?
Ladies and Gentlemen! I present to you the first and currently the only tool for automated, machine-driven penetration testing, PcySys PenTera. So that the unknown will finally become known, with just a simple push of a button.
Because each penetration test shows vulnerabilities that need to be remediated, which is often not easy at all in larger systems, it sometimes seems like it would be easier not to know where all the problems are.
Is it really better not to know than to know?