It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all

Companies are still leaving basic security flaws and points of entry wide open for hackers to exploit. This according to research from security house Positive Technologies, which says that its penetration testers found that enterprises were rife with things like months-old unpatched vulnerabilities and unsecured access points …

  1. mmccul

    Pen testers are not risk assessors

    I've had to clean up the mess a pen tester left more than once. They create artificial flags that have nothing to do with the actual valuable data of the corporation, declaring complete success when they get to a resource that is relatively low value (not SOX, not the primary product of the company, not publicly available,...), often engage in dodgy business practices like stepping outside the confines of the test (e.g. engaging in the pen test before they're supposed to start), rarely emulate specific threat actors, often mixing techniques from one threat actor with methods used by other threat actors, completely ignorant of the actual risk profile of the organization, all in an effort to scare people to pay them more money.

    In one case, the pen testers required me as a defender to actually not engage in normal defensive actions that were part of my everyday job, like blocking attackers detected through automated reports and systems. Often, pen testers are given these blank check views by requiring the security teams to temporarily disable key defensive systems, at least for the attackers' source IP block.

    It's long past time to recognize that a pen test is not a replacement for an actual risk assessment that evaluates all types of risks, adversarial, structural, environmental and accidental. Management that I talk to is getting risk fatigue, where they start to see pen testers as chicken little, so the theoretical value of the pen tester, to shock management into paying attention to security, is having the opposite effect, blinding management to a more detailed and strategic view of where the security dollars can be most effectively spent to reduce the overall risk to the company.

    1. GnuTzu

      Re: Pen testers are not risk assessors

      I like the point about "Chicken Little". Insider threat programs, risk evaluation, pen testing, and vulnerability management all need to be coordinated. And, I've been too many places where there isn't even proper identification and classification of data assets, and that's a key step in evaluating risk--because you can't evaluate risk without knowing what is at risk.

    2. Flakk

      Re: Pen testers are not risk assessors

      Good grief! I am very grateful that I have not had a similar experience with pen testers. My Rules of Engagement were explicit in what was allowed and what was off-limits. It also explicitly asserted my right to prosecute if the tester violated the RoEs. I've found pen tests are usually more effective if they have a limited scope (evaluate our perimeter security/network security/app server security), rather than inviting the tester to go on a (potentially damaging) fishing expedition.

      1. Anonymous Coward

        Re: Pen testers are not risk assessors

        My Rules of Engagement were explicit in what was allowed and what was off-limits.

        Sitting on the sidelines, it would seem to me that if you want proper pentesting, there are NO rules. The people who want to access your data certainly won't be abiding by them.

        1. Anonymous Coward

          Re: Pen testers are not risk assessors

          Sitting on the sidelines, it would seem to me that if you want proper pentesting, there are NO rules.

          That's not pentesting, that's red-teaming.

          Including social engineering in the redteaming engagement is especially enjoyable. The war stories I've heard from our consultants. But can't repeat, unfortunately.

          1. Claptrap314 Silver badge

            Re: Pen testers are not risk assessors

            Even red teaming has rules. The best military Red Teamer the US had resigned in protest in response to the rules that the Navy was forcing on him.

            More to the point, pentesting & red teaming almost certainly DO have rules against, for instance, personal enrichment, as well as NDRs. I recently read in these comments that an auto manufacturer commissioned a red team to try to take down a production line. (They succeeded.) That is a rule--only take down that specific line.

    3. Claptrap314 Silver badge

      Re: Pen testers are not risk assessors

      In every pursuit, there are competent, moral actors, and there are the incompetents and the charlatans. We regularly see people dumping on devops and agile here because of the latter. Occasionally the cops. Twenty years ago, the term "software engineer" got the same treatment. Pen testing is no different.

      The nature of pen testing is such that caveat emptor is ALWAYS going to be a major issue. Research the organization you are considering, and run away if red flags pop up.

      1. Anonymous Coward

        Re: Pen testers are not risk assessors

        My most impressive idiotic finding wasn't from a pentest, but a build review. Imaged the system, handed over for a 3rd party build review.

        Came back with 4 Linux kernel vulns (one serious) that weren't patched.

        Unfortunately, whilst I may be a shit-hot sysadm (or not), seeing into the future I don't do yet.

        All 4 vulns were announced and mitigated after the date that the system was imaged for the build review.

        Oh how we laughed.

    4. Anonymous Coward

      Re: Pen testers are not risk assessors

      It really depends on how you engage with them...pen testing is not like a timer you just set and forget.

      I believe in testing the tester so we watch as testers move through our infrastructure...not always easy but always worth doing.

      There is nothing like telling a pen tester's sales droid they've missed something to keep them on their toes.

  2. Scott Broukell

    It's almost like these companies are saying why should we expend effort/funds to combat something that hasn't caused us any problems as yet? I mean think of the shareholder dividends and bonuses first, then we'll make a spend on the cleanup if something should ever happen, right? A bit like an airline saying that there was absolutely no need for seat belts, life rafts or oxygen masks etc, because flying was so wonderful and safe! Well, we are all up in the air aboard the internet, all of us; your customers, your board members, as well as any miscreants, so safety and security need to be a principal IT concern all of the time!

    1. GnuTzu

      "we are all up in the air aboard the internet"

      Nice analogy. To further it, a company is not a single air plane; it's more like an air line. It's not a matter of whether there will be loss of data assets; it's a matter of when.

  3. Scott Broukell

    Internet Cannibals

    (sorry, me again)

    Remember when the internet was young and both it and networking were all one lovely easy to manage level playing field? But, as time has gone by, that initial flat security landscape has now morphed into one of potential nightmares at every turn! I can't help feeling that the one constant, presenting a most serious and difficult challenge throughout, has been, and continues to be, us - the human meat bags, sandwiched as we are between the two buns of white and black hats, tingling with the sensations of security sales-pitch relish, in the highly processed burger of bytes. However, the reward centres of the human brain, which drive much of our apparent rationality, frequently blinker us with rose-tinted visions. In the good old days a signal went from A to B, via C and D, C and D were considered benign and the risk of a third party intercepting data was virtually nil, yeah! So now the burger still tastes good and we yearn after the yumminess, but, without heeding much, if any, of the growing dietary information that tells us to ease up on consumption and take time-out with some tasty security-salad instead. No fast food outlet in the world is what it was thirty or more years ago and the same can be said of our connected world today. But our brains continue to seek the same, if not more, rewards from it. So if you, or your company, or your customers, haven't got a taste for fresh salad, then there is probably little that can be done for you I am afraid. Human nature is what it is, developed over thousands of years, but it is questionable as to whether or not it is currently suited to such connectivity.

    1. Stevie

      Re: Internet Cannibals

      OBBOT:DR

      (One Big Block Of Text: Didn't Read)

  4. deadlockvictim

    OBBOT:DR — Auto-Paragraph

    A suggestion for El Reg — Auto-Paragraph

    For those lost in possible incoherent rage or those who generate large blocks of text that are most daunting indeed to read:

    For every block of text between 500 and 1000 characters as bounded by a line-feed and/or a carriage-return, insert either a line-feed or carriage-return (or both) after the first occurring sentence-ending phrase (like '. '). Repeat as necessary.
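    The rule above, implemented as an added example (this is editor-supplied code, not anything El Reg runs and not the commenter's own). Assumptions: a "block" is whatever sits between line-feeds and/or carriage-returns; a "sentence-ending phrase" is `.`, `!` or `?` followed by whitespace; the 500-character lower bound triggers the split and the 1000-character upper bound is covered by the "repeat as necessary" loop, which keeps splitting the remainder while it is still long. The sample paragraph is constructed for the demonstration.

```python
import re

# A sentence-ending phrase as the suggestion describes it: terminal punctuation
# followed by whitespace (e.g. '. ', '? ', '! ').
SENTENCE_END = re.compile(r"[.!?]\s+")

# Constructed sample: eight 84-character sentences, 679 characters in total,
# i.e. one "big block of text" that the rule should break up.
SAMPLE = " ".join(
    f"Sentence {i} goes on for a while to pad the block out, because walls of text are long."
    for i in range(8)
)


def split_block(block, min_len=500):
    """Apply the rule to one line-feed-bounded block.

    While the block is at least min_len characters long, break it after the
    first sentence-ending phrase and repeat on the remainder. Blocks shorter
    than min_len, and blocks with no sentence end to split on, come back as
    a single piece.
    """
    pieces = []
    rest = block
    while len(rest) >= min_len:
        m = SENTENCE_END.search(rest)
        if m is None:
            break  # nothing to split on; leave the remainder whole
        pieces.append(rest[: m.end()].rstrip())  # keep the punctuation, drop the space
        rest = rest[m.end():]
    pieces.append(rest)
    return pieces


def auto_paragraph(text, min_len=500):
    """Run split_block over every block of a comment and rejoin with line-feeds."""
    out = []
    for block in re.split(r"\r\n|\r|\n", text):
        out.extend(split_block(block, min_len))
    return "\n".join(out)


if __name__ == "__main__":
    for piece in split_block(SAMPLE):
        print(f"[{len(piece):3d} chars] {piece[:40]}...")
```

    On the sample this yields four pieces: three single sentences peeled off the front (the remainder is 594, then 509, then 424 characters, at which point it drops under 500 and the loop stops) followed by the rest of the block. The heuristic has the obvious limitation of any '. '-based splitter: it will also break after abbreviations such as "e.g. ", so a real deployment would want a short exception list.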

    1. Anonymous Coward

      Re: OBBOT:DR — Auto-Paragraph

      That is a nice clever technical solution, but I prefer a more low-tech solution: if someone can’t be bothered taking the time to write properly, then I can’t be bothered reading them.

  5. Sir Runcible Spoon

    Network Complexity

    Over the last few years I've been involved in projects which are starting to bring together multiple security products under one 'support' umbrella - in an area that's secured from the rest of the environment and locked down tight.

    This is the future of network security (well, it's the present for some people, just not the majority).

    I foresee a boom in holistic security products that provide both remediation and incident response capabilities, along with risk/threat analysis/monitoring (both real time and forensic).

    Right now it's actually quite difficult to cobble all these things together into a single platform from which to conduct your security operations as it involves multiple vendors and suppliers etc. - it can get pretty complex once you start taking everything into account, especially for a large corporate with high value assets spread over the globe.

    However, it *is* starting to happen, which means there will be a demand for more integrated solutions that don't require as much design effort to get right. And no, it doesn't involve AI anywhere (unless you are referring to some of the managers I've had to work with).
