Vulnerability management today is a key process in any security program and regulatory compliance framework. With the growing amount of data breaches and cost of stolen data, vulnerability management tools can no longer be considered a side dish, rather the bread and butter of a corporate security stack. But although vulnerability management programs are the cornerstone of corporate security, the number of rising attacks raises many questions about their effectiveness.
With rising vulnerabilities discovered daily, how do you know which flaws to focus on first and how many of them will truly evolve into confirmed exploits? What is equally troubling is what can be done about the shortage of people needed to patch them within a tight time frame? Does Vulnerability Management software cover all the types of exploitable vulnerabilities a hacker might use? These downsides open a floodgate of worries that are threatening to get worse.
We need a “Seeker”, not a “Scanner”
Vulnerability scanning programs offer a means of discovering dangerous static applications and OS exploitable hooks due to unpatched software. The issue with most vulnerability scanning tools is their focus on static vulnerabilities, yet the malicious hacker often targets other vulnerabilities – related to the human factor (e.g. weak passwords), security controls (e.g. AV misconfigured policies) and network controls and capabilities (e.g. the ability to relay).
The reality is that there are more groups of vulnerabilities such as opened shared folders, misconfigured firewalls, and overprivileged scripts. These vulnerabilities create a fertile ground for hackers, but oddly enough, they are beyond the scope of vulnerability scanners. As these vulnerabilities go undetected, a cybersecurity “flank” is left exposed for long periods, enabling intrusions and lateral movement to strategic data assets.
To discover these types of vulnerabilities the “vulnerability seeker” needs to probe the corporate network proactively, as a real hacker would.
Getting smarter about prioritizing vulnerabilities
The fact is organizations are drowning in a sea of vulnerabilities, many of which are false positives or practically non-critical. Almost every day, organizations are presented with yet another risk-based report on the growing tide.
Today it’s not just the sheer quantity that is overwhelming, but the way that vulnerability criticality is prioritized. Unfortunately, even the scoring methodology of the Common Vulnerability Scoring System (CVSS) does not properly account for the context and topology of each organization.
As a result, a strategy that targets only vulnerabilities with scores of CVSS 8-10 will have a good efficiency rating but will not directly relate to the threats of each specific organization. What’s more is that with so many vulnerabilities scoring 8.0 and higher, there is no way organizations can realistically fix all of them. Worse still, not all vulnerabilities are created equal. At the end of the day, only a small percentage represents an intrusion threat that could generate a negative impact on the business environment. The question is which ones are they?
Clearly, there’s a need to prioritize which vulnerabilities should be earmarked for remediation in a totally new way. The question is how?
How can automated penetration testing help?
In effect, a vulnerability scan, which is usually automated, is like walking up to a gate, checking to see if it’s unlocked and reporting about it. At best it may offer some remediation guidance, but it pretty much stops there. Complementing the process of vulnerability scanning, penetration tests not only check if the gate is unlocked, but they persistently work on exploiting any weaknesses in the structure and slip inside, in a sequence of steps, just like a hacker.
The newly advanced form of automated penetration testing initially includes vulnerability scanning, but then takes it a step further by delivering an ongoing, continuous and dynamic “scan-attack-extract” sequence. These steps ensure that vulnerabilities are prioritized based on their true breachable nature, and potential business impact.
Often referred to as ethical hacking, penetration testing exposes the attack paths leading to an organization’s most precious digital assets. By doing so, it helps the organization to prioritize and focus on attack paths leading to their crown jewels while abandoning the hundreds of attack paths and vulnerabilities that do not reach these data assets.
No one is denying the vital role that vulnerability scanners play in detecting OS and application weaknesses and reporting them. Nevertheless, vulnerability processes lack the ability to prioritize the “breach-ability” of specific vulnerabilities de facto and the potential havoc they could wreak on business.
This is where automated penetration testing comes in.
Automated penetration testing offers the next evolutionary step towards vulnerability management by providing a new way to prioritize vulnerability remediation from a hacker’s point-of-view. Automated penetration testing spotlights more types of vulnerabilities, including system, network and the human factor. Being automated and continuous, it finally enables organizations to maintain their ongoing cybersecurity posture.
Could the CISOs and their teams finally get ahead of the vulnerability sprawl? With Automated Pentesting they have a fighting chance.