Rapid 7 Pen Tests Reveal Alarming Password Fails, Frequent Vulnerabilities
… blackmail in that the ransom is less than the legal penalties so that victims will pay in an attempt to avoid legal woes.
Now for the Good News
Network segmentation at its most basic level, between internal and external networks, appears to be working. Specifically, the pen testers found:
- Externally based engagements only gained internal LAN access 21% of the time.
- Under 3% of web application-specific engagements led to a total site-wide compromise.
- Over 70% of web applications were hosted somewhere other than the client’s data center, which makes it harder for an attacker to pivot from a compromised web application into the client’s internal network.
But as MSSP Insider reported earlier, some VPNs aren’t so private anymore, and police-friendly laws around the globe are increasing security risks.
Moral of the Pen Testers’ Story
Old security issues remain far from conquered, and security providers dare not divert their attention from them. But the attack surface also is growing, spreading like a cancer into niches and corners where it is least expected, and attackers constantly change their methods to defeat even the most advanced security controls.
Pen testing remains an excellent way to discover vulnerabilities and other problems; however, even human-led pen testing will soon give way to machine learning and automation, because that is what it takes to manage the sheer scale of old and new risks.
But what of the white hats? What then will they hack in the name of security? Probably AI. Man versus machine will be the ultimate pen-testing battle.