Penetration testing is growing in prominence.
Instead of endlessly defending against unseen attacks that could come from anywhere, a different view is needed: look from the outside, see how you could infiltrate your own systems, and find where the weaknesses lie. It follows the viewpoint of thinking like your enemy in order to predict where they might strike and anticipate their tactics.
Here are some of the top trends in penetration testing that are of relevance to storage industry professionals.
1. Audits of backup and storage systems
Penetration testing used to leave storage and backup systems largely alone.
Back-end systems, after all, were off attackers’ radar: cybercriminals were more interested in firewalls, endpoints, and the periphery of the IT infrastructure. That may have been true a while ago, but it is no longer the case.
Meanwhile, storage systems are often riddled with vulnerabilities, as few in IT pay much attention to them. A study by Continuity Software found that storage systems often have high-priority patches left undeployed. Hackers have become wise to this and are increasingly finding a way in through storage and backup system weaknesses.
“Leading auditors have started to evaluate the security of storage and backup,” said Doron Pinhas, CTO, Continuity.
“As well as increased pressure from auditors on the need for penetration testing of these systems, it is also becoming a mandatory requirement of insurers.”
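The finding above, that storage and backup systems often run with high-priority patches left undeployed, is the kind of thing an audit can check mechanically. The following script is an added example, not code from the article or from Continuity Software: it compares a constructed inventory of storage and backup appliances against a constructed table of minimum fixed firmware versions and reports every appliance that is still below the fixed version, highest priority first. The product names, hostnames, versions and priorities are all assumptions made up for the example; a real audit would load the inventory from the asset register and the required versions from vendor advisories.

```python
"""Added example (not from the article or from Continuity Software): audit a
constructed inventory of storage and backup appliances against a constructed
list of minimum fixed firmware versions and report which hosts still have
high-priority patches undeployed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Appliance:
    host: str
    product: str
    version: str


# Constructed advisory table: product -> (minimum fixed version, priority).
# In a real audit this would come from the vendor's security advisories.
REQUIRED_VERSIONS = {
    "nas-os": ("5.2.1", "high"),
    "backup-server": ("12.0.4", "high"),
    "san-firmware": ("9.1.0", "medium"),
}

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically rather than
    as strings ('5.10.0' must sort after '5.9.0', which string comparison gets wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed: str, required: str) -> bool:
    """True when the installed version is at or above the minimum fixed version."""
    return parse_version(installed) >= parse_version(required)


def audit(inventory: list[Appliance]) -> list[tuple[str, str, str, str, str]]:
    """Return (host, product, installed, required, priority) for every appliance
    below its minimum fixed version, ordered by priority and then by host.
    Products with no advisory on file are skipped rather than reported."""
    findings = []
    for a in inventory:
        if a.product not in REQUIRED_VERSIONS:
            continue
        required, priority = REQUIRED_VERSIONS[a.product]
        if not is_patched(a.version, required):
            findings.append((a.host, a.product, a.version, required, priority))
    findings.sort(key=lambda f: (PRIORITY_ORDER[f[4]], f[0]))
    return findings


# Constructed inventory: hostnames under a made-up internal domain.
SAMPLE_INVENTORY = [
    Appliance("nas01.example.internal", "nas-os", "5.10.0"),
    Appliance("nas02.example.internal", "nas-os", "5.1.9"),
    Appliance("bkp01.example.internal", "backup-server", "12.0.2"),
    Appliance("san01.example.internal", "san-firmware", "9.1.0"),
    Appliance("san02.example.internal", "san-firmware", "8.7.3"),
    Appliance("tape01.example.internal", "tape-library", "3.0.0"),  # no advisory on file
]

if __name__ == "__main__":
    for host, product, installed, required, priority in audit(SAMPLE_INVENTORY):
        print(f"[{priority}] {host}: {product} {installed} is below fixed version {required}")
```

The numeric version comparison matters in practice: appliance firmware often reaches two-digit minor versions, and a string comparison would wrongly report `5.10.0` as older than `5.2.1`.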
2. Mainframe security neglecting pen testing
It isn’t commonly realized that mainframes still house a vast amount of organizational data.
Financial services and telecom, for example, run billions of transactions through these systems. Hence, that data needs to be given the highest level of security.
The perception has long been that mainframes are highly secure. Over the last few years, though, that perception has shifted toward seeing that mainframes must be secured like any other server.
John McKenny, SVP and GM, intelligent Z optimization and transformation at BMC, said that mainframe organizations are often more reactive than proactive when it comes to security.
“There is a tendency for organizations to fall behind on penetration testing as they are focused on fighting other security fires,” McKenny said.
“The findings of the most recent mainframe survey from BMC show that security and compliance are top priorities, yet the volume of organizations performing penetration testing is down compared to a year ago as companies prioritize prevention, detection, and inclusion in enterprise-wide security.”
This is especially concerning given that 80% of respondents indicated they found vulnerable user accounts in security audits — a prime target for bad actors to leverage and gain access to sensitive information. Just like any other server, mainframes need routine penetration testing performed by experts to ensure businesses aren’t leaving the keys to their most sensitive data unguarded.
“Penetration testing is a practice that should be routinely performed to uncover where mainframes are vulnerable to an attack and where steps should be taken to better secure the platform,” McKenny said.
3. Point-in-time testing
Pete Deros, director of offensive cybersecurity at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory and assessment services, has spotted a decline in point-in-time pen testing, that is, conducting a pen test once a month or once a year.
In parallel, continuous pen testing options are rising in popularity, especially at the CISO level and above. In 2022, he said, organizations began to reap the benefits of regular web application penetration testing.
“Successful AppSec initiatives are continuous and no longer point-in-time activities,” Deros said.
Results from Coalfire’s “Penetration Risk Report” revealed that organizations that ran testing programs for at least three years saw their high-severity findings reduced by 25%. The report also details:
- Continued use of phishing as a primary vector for initial access
- Increase in spear phishing via social media
- An increase in multiple low to mid-level rated vulnerabilities being leveraged to gain access to systems vs. single high or critical rated vulnerabilities
- Increased demand from executive leadership teams to see a measurable return on investment on cybersecurity spending (something point-in-time testing has a difficult time providing).
4. Shadow pen testing
With supply chain attacks rising, and enterprises tracing breaches to weaknesses at customer, supplier, and partner systems, some have taken to conducting shadow pen testing.
They hire specialized companies to conduct pen test audits on externally facing partner resources. The process may include an in-depth search for IP addresses and ports inside their networks that may be communicating with suspect hosts. In other cases, businesses may go as far as scanning the dark web looking for any leakage of sensitive information.
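The search described above, for IP addresses and ports inside the network that are communicating with suspect hosts, can be run over ordinary firewall or flow logs. The following script is an added example, not code from the article or from any of the companies it quotes: it parses constructed connection-log lines, matches each flow against a constructed suspect list (single hosts and whole ranges), and reports every internal address and port that talked to a suspect host in either direction, de-duplicated. The log format, the suspect list and the RFC 1918 internal ranges are assumptions; the suspect addresses use the RFC 5737 documentation networks so that nothing here points at a real host.

```python
"""Added example (not from the article): find internal IPs and ports that
communicate with hosts on a suspect list, from constructed connection-log lines.
Log format, suspect list and addresses are all constructed sample data."""
import ipaddress
import re

# Constructed suspect list: one /24 range and one single host (RFC 5737 doc nets).
SUSPECT_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Assumed definition of "inside the network": the RFC 1918 private ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed log format: "<timestamp> src=IP sport=N dst=IP dport=N proto=tcp|udp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in net for net in nets)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for lines that do not match
    the format or carry an unparseable address, so one bad line never aborts the scan."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_suspect_communications(lines):
    """Return sorted, de-duplicated tuples
    (internal_ip, internal_port, suspect_ip, suspect_port, direction, proto)
    for every flow between an internal address and a suspect host."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if in_any(rec["src_ip"], INTERNAL_NETWORKS) and in_any(rec["dst_ip"], SUSPECT_NETWORKS):
            hits.add((rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]),
                      "outbound", rec["proto"]))
        elif in_any(rec["dst_ip"], INTERNAL_NETWORKS) and in_any(rec["src_ip"], SUSPECT_NETWORKS):
            hits.add((rec["dst"], int(rec["dport"]), rec["src"], int(rec["sport"]),
                      "inbound", rec["proto"]))
    return sorted(hits)


# Constructed sample log: two repeats of the same flow, one inbound flow from a
# suspect host, one flow to a non-suspect host, and one malformed line.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z src=10.0.1.5 sport=51234 dst=203.0.113.7 dport=443 proto=tcp",
    "2024-03-01T10:00:02Z src=10.0.1.5 sport=51235 dst=192.0.2.50 dport=443 proto=tcp",
    "2024-03-01T10:00:03Z src=198.51.100.10 sport=4444 dst=10.0.2.20 dport=22 proto=tcp",
    "2024-03-01T10:00:04Z src=10.0.1.5 sport=51234 dst=203.0.113.7 dport=443 proto=tcp",
    "2024-03-01T10:00:05Z src=10.0.3.9 sport=60000 dst=203.0.113.200 dport=8443 proto=udp",
    "this line is not a connection record",
    "2024-03-01T10:00:06Z src=10.0.1.7 sport=51300 dst=192.0.2.50 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for internal_ip, internal_port, suspect_ip, suspect_port, direction, proto in find_suspect_communications(SAMPLE_LOG):
        print(f"{direction} {proto}: {internal_ip}:{internal_port} <-> {suspect_ip}:{suspect_port}")
```

Checking both directions is deliberate: the article's concern is partner-facing resources, and an inbound connection from a suspect host to an exposed internal port is as relevant to that review as an outbound one. The internal port is reported because it identifies the listening service that needs attention, which a per-host summary alone would hide.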
“Testing entities run the pen tests and present the results to service providers and businesses,” said Howard Taylor, CISO, Radware.
“As they are guilty until proven innocent, they must address all the findings, including a myriad of false positives, that result from conducting tests without the full context of the environment.”