Why run regular security tests?
As we probably all know, information security is a broad subject, and for many of us it can be difficult to understand the different layers of defence that make up that spectrum. In this article, we look at the risk and what your business could do about it.
Over the years, when advising various organisations on the performance of their applications, we have always emphasised the importance of keeping systems updated and of regular vulnerability scanning. Those conversations typically concluded that most organisations should adopt a consistent and repeatable set of security measures, including maintaining system updates, conducting regular penetration testing and payment card testing, and having a Web Application Firewall (WAF) in place, to name just a few.
What is the actual risk to your business?
A Verizon Data Breach Investigations Report suggests that more than 75% of attacks actually come from external sources rather than from internal, possibly disenfranchised, employees.
“While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.”
The report goes on to reveal that 40% of breaches come from web application attacks, with 5,334 total incidents reported through web apps, and 908 with confirmed data disclosure. These statistics point to the fact that external vectors, and web applications specifically, are a highly likely route for a hacker to exploit.
Three points on automated scanning misconceptions
- Performing a manual penetration test is important for most organisations, although for various reasons it is not always easy to arrange on a regular basis. An in-depth penetration test will certainly give you a thorough snapshot of your vulnerabilities at that moment in time and allow you to remediate them before a hacker can exploit any vulnerability that was discovered. However, between one penetration test and the next, how can you confirm that you do not have a major vulnerability in one of your websites?
- Many organisations feel they are protected by their firewall or other forms of external ‘wrapper-like’ defence. The fact is that no matter what defences you have in place, you will not be un-hackable (the dark web specialist Darkbeam believes that more than 98% of businesses have already been hacked; they just aren’t aware of it yet). The landscape is changing every day, making it impossible to stay ahead of the game, so to say that having a firewall will protect you unfortunately just isn’t the case. Blue chip companies spend millions on firewalls but continue to have data breaches.
- It must be mentioned that automated scanning is a crucial part of your compliance; however, it is important to highlight the difference between Payment Card Industry (PCI) scanning and vulnerability scanning. If you swap your compliance hat for your security hat for just a moment, it is fair to point out that passing a PCI scan may give you a false sense of security. A PCI scan limits your vulnerability discovery to the vulnerabilities covered by the PCI standards, which may leave exploitable vulnerabilities outside the PCI remit undiscovered.
While some of these points will sound familiar, a key question to ask yourself is whether you should incorporate regular vulnerability scanning into this equation. Is it worth the extra cost? The areas highlighted can certainly expose potential security gaps, but the simple answer is that without regular checks you do not have consistent visibility of your vulnerability landscape and are potentially one step behind a hacker. If you would like more information on how Scapa Technologies, in partnership with AppCheck, is helping businesses across the world run regular vulnerability assessments, please get in touch with us.