Penetration Testing: The Danger in Guarding Only the Front Door

essidsolutions

Penetration testing has long been a widely used practice for organizations to test their attack surfaces for vulnerabilities. Rob Gurzeev, CEO and co-founder of CyCognito, discusses why most cybersecurity professionals believe that penetration testing is not sufficient to fully assess a company’s overall security posture.

Is Penetration Testing (Pen Testing) delivering what organizations expect from it? According to a new study surveying IT and security professionals at organizations with 3,000 or more employees, the short answer to that question is no.

The study found pen testing fails spectacularly in its two main goals: measuring security posture (70% of respondents) and preventing breaches (69% of respondents). That is because pen testing is limited in scope, is not done frequently enough, takes too long, and costs too much. That leaves organizations that depend on pen testing for security dangerously vulnerable.

The study, The Failed Practice of Penetration Testing, was commissioned by CyCognito and conducted by Informa Tech, the organization behind industry analyst firm Omdia, the Black Hat and Interop events, and InformationWeek and Light Reading. The research found that pen tests ignore huge parts of an organization’s attack surface, leaving the back door wide open for attackers and effectively rendering the entire process of pen testing ineffective. 

60% of survey respondents reported that pen testing provides “limited test coverage” or leaves “too many blind spots.” Another 47% are concerned that testing “looks only at known assets, rather than discovering previously unknown assets.” Add to that the fact that only 38% said they test more than half of their attack surface annually, and it becomes clear that pen testing, given its lack of coverage, is essentially the same as locking just the front door of a house before leaving and expecting that the open back door and windows won’t present an attractive target for attackers.


Fixing Security Gaps With Pen Testing

Attackers will target the easiest and most lucrative access points: the open window above the desk with a new-model laptop on it, or the blind spot in the network that no pen test covers yet leads to the server hosting confidential client data. So pen testing less than half of the attack surface and fixing the security gaps found in that limited area does nothing to change or improve the overall security posture, and reveals little about how well protected from compromise the organization actually is.

Like most security testing, pen tests leave blind spots because the starting, and often ending, point is known assets. Sometimes a previously unknown asset will surface, but most of the time pen testing is focused only on those parts of the attack surface that the security team directing the testing already knows about. These known assets may well harbor risks that, when uncovered by the testing, create a perception that the testing finds the majority of deficiencies. Identifying these risks is valuable, of course, but the findings can mislead organizations into a false sense of security.

Protecting and Securing a Modern IT Ecosystem

Digital transformation initiatives, the move to the cloud and hybrid work environments mean that a significant portion of an organization’s attack surface is not known to the security or IT teams. Sure, it may seem natural that unknown elements are not specified as part of a pen test or any other test; after all, they are not known, so how can they be identified for the tester? The reality is that truly protecting and securing a modern IT ecosystem is predicated on the identification and assessment of previously unknown elements. Evaluating security posture has to involve a combination of known and unknown assets.

Aside from an overly narrow scope, another reported pen testing inadequacy is the infrequent, point-in-time nature of tests and the length of time it takes to conduct them and get results. 52% of respondents report that the frequency of pen testing was a top concern. 45% conduct penetration tests just once or twice annually, and 27% do so once a quarter. With broad adoption of agile development methodologies, the hyper-connected nature of our networks and growing demand for always-accessible data in the cloud, infrequent point-in-time testing cannot keep pace with the demands of securing these ever-changing IT environments.

Contributing to the infrequent cadence of penetration testing is the fact that it is expensive, both in the direct cost of the testing and in the personnel cost of arranging and preparing for the tests. The vast majority of respondents, 78%, reported they would use pen tests more if the approach were not so expensive.


Are Organizations Future-Ready?

Does the research mean there is no place for pen testing? No. Penetration testing is still required in order to comply with several security standards and regulations, and it can surface some types of risk in specifically scoped areas of an attack surface. Having highly skilled practitioners conduct pen tests lets creative and experienced experts assess security, but it is incomplete and should not be relied on as the only or main way of assessing security posture and attack readiness.

Defending the modern IT ecosystem against attackers requires that organizations discover their entire attack surface nearly continuously and test it at scale. The research demonstrates that this is not something organizations can do with penetration testing. While pen tests may have their place in the security team’s arsenal, they are not very good at the things organizations want them to do, and they likely leave businesses overly confident and overly exposed.
