Is penetration testing necessary? With the attack landscape shifting rapidly against the backdrop of a black market of hackers worth billions, if you wait to perform penetration testing, you will lose.
Too many companies and organizations only do a penetration test when they have to. Often this is because they must comply with regulations, or because someone has asked them to prove they are secure.
Most, unfortunately, only do a penetration test after they have already been burned: when hackers have already stolen their valuable data, at a cost to the company far greater than any number of penetration tests.
Modern penetration testing is more than just a scan. Former Black Hat chief executive Trey Ford states, "Regulations like PCI require penetration testing at least once a year, or after any major infrastructure or code changes."
"I think the first part of this discussion should address 'what exactly is a penetration test?'" says Ford. "Depending on whom you ask, it can include web application security testing, network scanning, social engineering and phishing, wireless testing and more."
Problem: Attacks are evolving faster than requirements
Just five years ago, pentesting was the subject of articles in IT security journalism that debated whether or not a pentest was worthwhile. A lot has changed in a short time.
Pentesting has evolved rapidly to keep up with a black market full of specialized criminals and government actors, whose attacks have gained the flexibility to penetrate even advanced defenses.
There are some automated pentesting tools, but for better results you need a team that is better than the attackers, and that certainly costs money.
Pentesting is a growth area today. Take the security company Rapid7, for example. Considered a leader in security software and services, Rapid7 has an extensive pentesting suite that includes the famous Metasploit ("the invader's playbook") and has a huge community of 200,000 active members.
The security company has record revenue and 13 offices around the world. It boasts of 1,000 companies using its products.
Diebold, Deutsche Telekom, Panasonic, Rodale, Revlon, Trader Joe's, Virgin Atlantic, and many others are among its customers.
Tod Beardsley of Metasploit sees an average of 1.2 exploits being added to Metasploit daily.
Beardsley explained that the question of "how often" is complicated by the fact that some businesses need pentesters more than others. "Some industries, for example the financial sector, are more organized than others, and have to meet pentesting requirements."
However, I would like to say that any organization that manages data it wants to keep confidential has the responsibility to ensure its network is configured so that its defenses are adequate for that mission.
In addition, if a company does not want to become an unwitting relay for distributing malware, there should be adequate external controls.
There is an anecdote circulating at the hacking conferences Black Hat USA and DEFCON.
According to a Rapid7 survey, spear phishing is the leading cause of breach in 9 out of 10 targeted attacks.
"There are thousands of points between the external network and the internal network," Beardsley explained. Modern working life is increasingly moving from the office to the home (a laptop on a kitchen table), and that creates too many risks for a company.
Home routers, for example, are not the safest. But the dangers do not stop there. The first thing a company should do is "lock down its DNS service, and it should require regular monitoring of all DNS change processes."
"If someone acquires control of a company's DNS, they will be able to control almost all of its e-mail."
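One way to put that "monitoring of all DNS change processes" into practice is to keep a trusted baseline of the zone's MX, NS, A and TXT records and diff each fresh snapshot against it. The following is an added example, not code from the article or from Rapid7; every hostname and address in it is constructed sample data, and the zone-file lines it parses are assumed to follow the "name ttl IN type rdata" layout.

```python
"""Baseline DNS change monitor (added example, not from the article).
Parses zone-file style lines and reports records that appeared or vanished
relative to a trusted baseline. All names/addresses are constructed sample data."""
from dataclasses import dataclass
WATCHED_TYPES = {"MX", "NS", "A", "TXT"}

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str  # normalised, e.g. "10 mail.example.com."
def parse_zone_lines(text):
    """Parse 'name ttl IN type rdata' lines; ';' comments and TTLs are ignored."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        name, rtype = parts[0].lower(), parts[3].upper()
        rdata = " ".join(parts[4:]).lower()
        if rtype in WATCHED_TYPES:
            records.add(Record(name, rtype, rdata))
    return records

def diff_records(baseline, observed):
    """Return (added, removed) record sets relative to the trusted baseline."""
    return observed - baseline, baseline - observed

def mail_routing_changed(baseline, observed):
    """True if any MX record differs: inbound mail may now go elsewhere."""
    added, removed = diff_records(baseline, observed)
    return any(r.rtype == "MX" for r in added | removed)

BASELINE = """
example.com.      3600 IN NS ns1.example.com.
example.com.      3600 IN NS ns2.example.com.
example.com.      3600 IN MX 10 mail.example.com.
mail.example.com.  300 IN A  192.0.2.10
"""
# Constructed snapshot: an extra MX with a lower preference value (5 < 10) now
# wins delivery, so mail would be routed to a host the baseline never listed.
OBSERVED = BASELINE + "example.com. 3600 IN MX 5 relay.example.net.\n"
if __name__ == "__main__":
    base, obs = parse_zone_lines(BASELINE), parse_zone_lines(OBSERVED)
    print(diff_records(base, obs), mail_routing_changed(base, obs))
```

In a real deployment the observed snapshot would come from the registrar or authoritative servers on a schedule, and any non-empty diff should page the team, since a silently added MX or NS record is exactly the kind of change the quote above warns about.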
Beardsley explained that it is difficult to rank how important particular pentest strategies are, and why a company should conduct a pentest more often than required (or desired).
Leaving aside Rapid7's reasoning, which certainly contains some self-interest, we should think very seriously about how much a breach will cost a website, a company, or a financial institution.
How often you test depends on your own judgment and financial freedom.
The article was published on ZDNet by Violet Blue and also contains the author's opinions.