Penetration Risk Report Makes the Case for Continuous Testing
There was some very good news in Coalfire’s 4th Annual Penetration Risk Report. Most notable was that high-risk vulnerabilities have been cut almost in half since 2018 when we first began reporting our pen testing research derived from thousands of direct client engagements. Also of note, the large cloud service providers have successfully reduced their highest level risk exposures by more than one-third in the last two years alone. Key industry sectors – financial services and healthcare in particular – have come to rely heavily on the hyperscale CSPs to operationalize their digital backbones, and their AMIGO cloud partners are absolutely crushing it when it comes to helping their clients reduce high-level risk.
However, though we see the data as optimistic evidence of cyber maturity, it is most definitely not a confident victory to be celebrated. There is no time for complacency — to the contrary, the report exposes reasons for growing apprehension across both internal and external attack vectors.
Adversaries exploit time-bound testing cadences
Despite gains in preventing a breach before it happens, certain vulnerabilities like misconfigurations, out-of-date software, and patching issues can become mission-critical as they become easier to exploit over shorter timeframes. Today’s sophisticated bad actors and adversarial nation-states are not hemmed in by time constraints so they can leverage weak spots in companies that employ point-in-time testing regimens.
Organizations may be getting smarter about defending against high-risk external threats – the kind that make the headlines every day – but they fall behind on internal vulnerabilities. Coalfire’s year-over-year data shows that threat vectors shift over time based on company size, vertical market, and other factors. But the recent focus on external risk means that what are perceived as lower risk internal threats are allowed to persist, thus increasing the potential for “blast radius” devastation inside the enterprise.
Though the data confirms that companies are generally better at managing the higher risk vulnerabilities in their enterprises, there is a greater number of less obvious risks to replace them. In response, Coalfire is focusing on continuous testing models, and devoting more research and development toward medium- and lower-risk vulnerabilities. Here’s why:
- Given unlimited time and lack of a "rules of engagement," a vulnerability rated as medium or low can serve as a foothold to a malicious actor. In fact, a larger number of low- and medium-risk vulnerabilities can be worse than a single high-risk vulnerability. The difference between a medium- and high-risk vulnerability is often the amount of time it takes to successfully leverage the vulnerability to gain an exploit opportunity. Bad actors are quickly closing that time gap, and point-in-time testing is becoming less effective in mitigating this trend. By continuing to rely heavily on point-in-time testing year after year, the overall cybersecurity industry has missed an opportunity to get ahead of the bad guys with innovative defenses.
- Advanced persistent threat (APT) actors have all the time in the world to view and take advantage low-rated vulnerabilities – the result is lower risks turning into higher risks faster.
Coalfire’s vulnerability ratings consider many factors including ease of use, time to execute, impact on affected systems, and more. Bad actors will leverage their time advantage to exploit every one of these factors no matter how we categorize them. A perpetual testing model helps to see what the real threat vectors are by discerning how an APT would leverage the most obscure and unknown vulnerability, and how they could blow it up to affect critical systems and gain access to sensitive customer and supplier data with nefarious intent.
The shift to perpetual pen testing
Point-in-time pen testing no longer provides the greatest 'security value per dollar' as the threat landscape constantly (and often quickly) changes. The 'point-in-time' model must evolve into clients and consultants working together to develop programs that span longer periods of time with on-going attack surface analysis, threat modeling and attack simulation that are supported by sophisticated platforms and human-led testing. Such a holistic approach should result in consistent increases in a company's overall security posture. Our research revealed some more good news: AppSec programs that have run continuous testing initiatives for the last three years have reduced high-severity vulnerabilities by 25%. It’s clear what needs to be done, and we’re doing it.
In the move to the cloud, we’ve come a long way from simply defending the perimeters of the data center. For organizations of all sizes and across all industry sectors, Coalfire’s report brings home the point that a prioritized risk management methodology and increasing testing cadence are now essential elements to successful enterprise security.
While penetration testing effectively manages high-risk vulnerabilities, the point-in-time nature of pen testing leaves exploitable gaps. Shifting to ongoing testing cadences is a better vulnerability management strategy overall.
- Adversaries can work around point-in-time testing strategies and use testing gaps to find and exploit weak spots
- The point-in-time testing model is outdated and unable to keep pace with bad actors
- Companies who utilize a continuous, human-led testing approach see reductions in high-risk vulnerabilities