Why run regular security tests?
As we probably all know, information security is a broad subject, and for many of us understanding the different layers of defence available within this spectrum can at times be difficult. In this blog we will look at the risk and what you as a business could do about it!
Over the years, when advising various organisations on the importance of regular vulnerability scanning, conversations would typically reveal that most had adopted some form of security measure: conducting a yearly manual penetration test, having a web application firewall (WAF) in place, or conducting ASV PCI scanning, if not a combination of the three, just to highlight a few.
What is the actual risk to your business?
The Verizon report suggests that more than 75% of attacks are actually from external sources rather than your internal disenfranchised employees. “While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.” – Verizon Data Breach Investigations Report
Verizon Data Breach Investigations Report: 40% of breaches came from web application attacks, with 5,334 total incidents through web apps, 908 of them with confirmed data disclosure. If you look at the stats, they all point to the fact that external-facing systems, and web applications specifically, are a highly likely route for a hacker to exploit.
Three common misconceptions
Performing a manual penetration test is important for most organisations, although for various reasons it is not always easy to arrange on a regular basis. An in-depth penetration test will certainly give you a thorough snapshot of your vulnerabilities at that moment in time and allow you to remediate them before a hacker can exploit any vulnerability that was discovered. However, between now and your next penetration test, how can you confirm that you do not have a major vulnerability within one of your websites?
Many organisations feel they are protected by their firewall or other forms of external ‘wrapper-like’ defence. The fact is that no matter what defences you have in place you will not be un-hackable (the dark web specialist Darkbeam believes that more than 98% of businesses have already been hacked; they just aren’t aware of it yet). The landscape is changing every day, making it impossible to stay ahead of the game, so to say that having a firewall will protect you unfortunately just isn’t the case. Blue chip companies spend millions on firewalls but still suffer data breaches.
Now it must be mentioned that conducting your ASV PCI scanning is a crucial part of your compliance; however, it is important to highlight the difference between PCI scanning and vulnerability scanning. If you were to swap your compliance hat for your security hat for just a moment, it is fair to point out that passing your ASV PCI scan may give you a false sense of security. Your PCI scan limits vulnerability discovery to the checks required by the PCI standard, which may leave exploitable vulnerabilities that fall outside the PCI remit undiscovered.
I am sure the above points will sound familiar to many; however, a key question to ask yourself is whether you should incorporate regular vulnerability scanning into this equation. Is it worth the extra cost? The areas highlighted can certainly expose potential security gaps, but the simple answer is that without regular checks you do not have consistent visibility of your vulnerability landscape and are potentially one step behind a hacker.