Pen Testing

Chris Swagler | April 5th, 2023


Companies are vulnerable to phishing and data exfiltration attacks because they lack website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations, and annual pen testing can help improve companies’ security posture. The average company’s risk score has increased in the last year as companies fail to adapt to data exfiltration techniques and appropriately protect Web applications. Companies’ effective data-exfiltration risk went from an average score of 30 the previous year to 44 out of 100 (with 100 signifying the highest posture) in 2022, which shows an increase in the overall risk of data compromise, according to a cybersecurity company’s rankings, which analyzed data from 1 million pen tests, including 1.7 million hours of offensive cybersecurity pen testing within its production environments. The cybersecurity company explained in its 2022 State of Cybersecurity Effectiveness report that numerous persistent problems are increasing risk.

The Importance of Pen Testing

Even though numerous companies have improved their adoption of and adherence to network and group policies, threat operators are evolving to circumvent such protections. The fundamentals continue to lag: the cybersecurity company discovered that four of the top ten CVEs in clients’ environments were over two years old. They include the high-severity WinVerifyTrust signature validation vulnerability (CVE-2013-2900), which allows malicious executables to bypass security checks, and a Microsoft Office memory corruption vulnerability (CVE-2018-0798).

The good news is that the data collected from the security assessments shows that companies have improved their risk scores for malware detection across major platforms, and Web gateways are blocking numerous attacks. Companies must treat cybersecurity like any other business process by regularly checking controls. A CFO would never allow the books to be closed only once a year, yet the systems that store all the money as data are only checked during an annual pen test, which needs to change. This occurs against the backdrop of companies increasingly focusing on securing their entire attack surface, strengthening resiliency to cyberattacks, and preventing information systems disruption. Cybersecurity services and products that decrease complexity have grown in popularity. At the same time, larger technology companies have entered the fray, including Microsoft’s August announcement of Defender External Attack Surface Management and IBM’s June acquisition of ASM startup Randori.

The cybersecurity company’s analysis of a year of offensive cybersecurity pen testing revealed that cloud and email provide fertile sandboxes for threat operators.

To avoid email attachment filters and other security technologies, threat operators have shifted some components of their attacks away from popular file-sharing services, including Dropbox and Box, and toward more generic cloud infrastructure, including Amazon and Azure. Companies have a more difficult time restricting data flows to major, trusted service providers, which are the backbone of numerous large cloud services and websites. The metrics measure attempts to remove data from companies, attempts that need to be considered managed. With the increase comes less control over preventing companies’ confidential, personally identifiable, and other controlled data from being withdrawn in unauthorized ways. Attacking users through their browsers in a drive-by breach scenario, archiving and exfiltrating data, and transferring that data to cloud accounts, including AWS or Azure, were the most successful strategies used by simulated threat operators in the cybersecurity company’s research.
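One defensive angle on the exfiltration path described above is to watch outbound proxy logs for bulk uploads to generic cloud storage that the organization has not sanctioned. The following is an added example, not SpearTip tooling or code from the report; the log lines, the sanctioned-host allowlist and the 50 MiB threshold are constructed assumptions.

```python
"""Flag outbound proxy log entries that look like bulk uploads to generic cloud
storage, the exfiltration path the article says succeeded most often.
Added example, not SpearTip tooling; the log lines below are constructed."""
from collections import defaultdict

# Constructed proxy log lines: timestamp user src_ip method host path status bytes_out
SAMPLE_LOG = """\
2023-03-01T09:02:11Z alice 10.1.4.22 GET www.example.com /index.html 200 512
2023-03-01T09:05:40Z alice 10.1.4.22 PUT company-data.s3.amazonaws.com /backup/q1.zip 200 734003200
2023-03-01T09:06:02Z bob 10.1.4.31 PUT files.corp-tenant.blob.core.windows.net /share/report.pdf 201 1048576
2023-03-01T09:07:15Z alice 10.1.4.22 PUT company-data.s3.amazonaws.com /backup/q2.zip 200 612000000
2023-03-01T09:09:30Z carol 10.1.4.40 POST randombucket.s3.amazonaws.com /upload 200 94371840
"""

# Hosts the organization sanctions for uploads (assumed corporate tenant; placeholder).
SANCTIONED_HOSTS = {"files.corp-tenant.blob.core.windows.net"}
# Generic cloud storage suffixes that anyone, attackers included, can rent freely.
CLOUD_STORAGE_SUFFIXES = (".s3.amazonaws.com", ".blob.core.windows.net",
                          ".storage.googleapis.com")
UPLOAD_METHODS = {"PUT", "POST"}
PER_USER_THRESHOLD = 50 * 1024 * 1024  # assumed: 50 MiB of uploads per user flags the user

def parse_line(line):
    """Split one whitespace-delimited proxy log line into a record."""
    ts, user, src, method, host, path, status, nbytes = line.split()
    return {"ts": ts, "user": user, "src": src, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(nbytes)}

def is_unsanctioned_cloud_upload(rec):
    """True for an upload to generic cloud storage the organization does not own."""
    return (rec["method"] in UPLOAD_METHODS
            and rec["host"].endswith(CLOUD_STORAGE_SUFFIXES)
            and rec["host"] not in SANCTIONED_HOSTS)

def find_exfil_candidates(log_text, threshold=PER_USER_THRESHOLD):
    """Return {user: {"bytes": total, "hosts": set}} for users whose uploads to
    unsanctioned cloud storage meet or exceed the threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_unsanctioned_cloud_upload(rec):
            totals[rec["user"]]["bytes"] += rec["bytes"]
            totals[rec["user"]]["hosts"].add(rec["host"])
    return {u: v for u, v in totals.items() if v["bytes"] >= threshold}
```

Per-user byte totals rather than single requests are what surface the chunked uploads in the sample; bob's upload to the sanctioned tenant is ignored.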

A lack of security for fundamental IT infrastructure was involved in almost half of the top 10 exposures discovered by pen testing. The simulations revealed that common flaws included failing to recognize phishing domains, failing to configure DNSSEC, and lacking two technologies that can assist in blocking email-based attacks, Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF). Companies have been slow in implementing critical email security and integrity technologies, including DMARC, SPF, and DomainKeys Identified Mail (DKIM), which can prevent phishing success and brand fraud. Even though companies using DMARC, DKIM, and SPF records can protect against email-based attacks, the technology standards are only effective if both sides of an exchange use them. Companies must recognize that email defenses are a team sport and start implementing their part of the processes so others are safer. One advantage is that as more companies implement the processes, the others become safer. Different industries have different strengths and weaknesses. The education and hospitality industries had the highest risk of data exfiltration; however, the technology industry had the lowest protection against the most immediate threats. Web application firewall protection was below average in both technology and government organizations.
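The SPF and DMARC gaps above are easy to check from a domain's own DNS TXT records. The following added example (not SpearTip tooling or the report's methodology) parses both records and reports the weak settings a defender would want to fix; the domains and records are constructed samples, and `lookup_txt` is a stand-in for a real DNS query.

```python
"""Check a domain's SPF and DMARC TXT records for the weaknesses the article
names: missing records, permissive SPF, and monitoring-only DMARC.
Added example, not SpearTip tooling; SAMPLE_TXT holds constructed records."""

# Constructed sample TXT records keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 a mx ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; swap in a resolver (e.g. dnspython) for live checks."""
    return SAMPLE_TXT.get(name, [])

def parse_spf(records):
    """Return SPF presence and the policy weaknesses found in the record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208 requires exactly one SPF record; more is a permerror
        return {"present": bool(spf), "issues": ["missing SPF record" if not spf else "multiple SPF records"]}
    mechs = spf[0].split()[1:]
    issues = []
    all_mech = next((m for m in mechs if m.lstrip("+-~?").lower() == "all"), None)
    if all_mech is None:
        issues.append("no 'all' mechanism; unlisted senders are treated as neutral")
    elif all_mech[0] in "+?" or all_mech.lower() == "all":
        issues.append(f"permissive '{all_mech}' lets any host send as this domain")
    return {"present": True, "issues": issues}

def parse_dmarc(records):
    """Return DMARC presence, the p= policy, and weaknesses in the record."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return {"present": False, "policy": None, "issues": ["missing DMARC record"]}
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)}
    issues, policy = [], tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or '(unset)'} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua address; aggregate reports are never collected")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return {"present": True, "policy": policy, "issues": issues}

def assess_domain(domain, lookup=lookup_txt):
    """Combine SPF and DMARC findings; an empty issue list means both look sound."""
    spf, dmarc = parse_spf(lookup(domain)), parse_dmarc(lookup(f"_dmarc.{domain}"))
    return {"spf": spf, "dmarc": dmarc, "issues": spf["issues"] + dmarc["issues"]}
```

A domain with no record at all (the most common gap in the article's data) reports both records missing, which is the case to remediate first.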

With threat operators targeting companies that have weak security postures and are vulnerable to cyberattacks, it’s important to remain ahead of the current threat landscape and adapt to cybercriminals’ data exfiltration techniques. At SpearTip, our penetration testing assesses companies’ external and internal security controls. Our assessors simulate attacks from the public internet and from an internal perspective, probing all internal systems for vulnerabilities. After testing is complete, we provide recommendations that enable the business to harden its overall security posture and give an understanding of which critical systems and data are vulnerable. SpearTip’s Penetration Testing, conducted by cyber counterintelligence professionals, is designed to exploit vulnerabilities in companies’ environments and reveal to their organizations how an intrusion might occur. Our cyber counterintelligence experts wage war against companies’ networks in various tests from varying perspectives to challenge all aspects of their security posture. We gain a comprehensive view of companies’ network vulnerabilities so they can be remediated before being discovered by threat actors.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
