Top Penetration Testing Trends in 2022

Penetration testing is growing in prominence. 

Instead of defending, defending, and defending again against unseen attacks that could come from anywhere, a different view is needed: look at your systems from the outside, work out how you could infiltrate them, and find where the weaknesses lie. It is the viewpoint of thinking like your enemy in order to predict where they might strike and anticipate their tactics.

Here are some of the top trends in penetration testing that are of relevance to storage industry professionals.

1. Audits of backup and storage systems 

Penetration testing used to leave storage and backup systems largely alone. 

Back-end systems, after all, were off attackers’ radar. Cybercriminals were more interested in firewalls, endpoints, and the periphery of the IT infrastructure. That may have been the case a while ago, but it is no longer the case. 

Storage systems are often riddled with vulnerabilities, as few in IT pay much attention to them. A study by Continuity Software found that storage systems frequently have high-priority patches left undeployed. Attackers have become wise to this and are increasingly finding a way in by looking for weaknesses in storage and backup systems.

“Leading auditors have started to evaluate the security of storage and backup,” said Doron Pinhas, CTO, Continuity.

“As well as increased pressure from auditors on the need for penetration testing of these systems, it is also becoming a mandatory requirement of insurers.” 

2. Mainframe security neglecting pen testing

It isn’t commonly realized that mainframes still house a vast amount of organizational data. 

Financial services and telecom, for example, run billions of transactions through these systems. Hence, that data needs to be given the highest level of security. 

The perception has long been that mainframes are highly secure. Over the last few years, though, that perception has shifted toward seeing that mainframes must be secured like any other server. 

John McKenny, SVP and GM, intelligent Z optimization and transformation at BMC, said that mainframe organizations are often more reactive than proactive when it comes to security. 

“There is a tendency for organizations to fall behind on penetration testing as they are focused on fighting other security fires,” McKenny said. 

“The findings of the most recent mainframe survey from BMC show that security and compliance are top priorities, yet the volume of organizations performing penetration testing is down compared to a year ago as companies prioritize prevention, detection, and inclusion in enterprise-wide security.” 

This is especially concerning given that 80% of respondents indicated they found vulnerable user accounts in security audits — a prime target for bad actors to leverage and gain access to sensitive information. Just like any other server, mainframes need routine penetration testing performed by experts to ensure businesses aren’t leaving the keys to their most sensitive data unguarded.

“Penetration testing is a practice that should be routinely performed to uncover where mainframes are vulnerable to an attack and where steps should be taken to better secure the platform,” McKenny said. 

3. Point-in-time testing 

Pete Deros, director of offensive cybersecurity at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory and assessment services, has spotted a decline in point-in-time pen testing, that is, conducting a pen test once a month or once a year.

In parallel, continuous pen testing options are rising in popularity, especially at the CISO level and above. In 2022, he said, organizations began to reap the benefits of regular web application penetration testing.

“Successful AppSec initiatives are continuous and no longer point-in-time activities,” Deros said. 

Results from Coalfire’s “Penetration Risk Report” revealed that organizations that had run testing programs for at least three years saw high-severity findings reduced by 25%. The report also details:

  • Continued use of phishing as a primary vector for initial access
  • An increase in spear phishing via social media
  • An increase in multiple low- to mid-rated vulnerabilities being chained to gain access to systems, versus a single high- or critical-rated vulnerability
  • Increased demand from executive leadership teams to see a measurable return on investment on cybersecurity spending (something point-in-time testing has a difficult time providing)

4. Shadow pen testing 

With supply chain attacks rising, and enterprises tracing breaches to weaknesses at customer, supplier, and partner systems, some have taken to conducting shadow pen testing. 

They hire specialized companies to conduct pen test audits on externally facing partner resources. The process may include an in-depth search for IP addresses and ports inside their networks that may be communicating with suspect hosts. In other cases, businesses may go as far as scanning the dark web looking for any leakage of sensitive information. 

“Testing entities run the pen tests and present the results to service providers and businesses,” said Howard Taylor, CISO, Radware.

“As they are guilty until proven innocent, they must address all the findings, including a myriad of false positives, that result from conducting tests without the full context of the environment.” 

Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including eSecurity Planet and CIO Insight. He is also the editor-in-chief of an international engineering magazine.
