Comments
Vulnerability analysis and penetration testing (VAPT) is the bedrock for cyber security. How can one fix problems if one does not know what the problem is? Ignorance is no bliss when it comes to cyber security.
One estimate of annual cost of cybercrime to global economy ranges from $375 billion to $575 billion. That’s a lot of money. Pity then that many companies undertake VAPT as an eye wash for ISO 270001, to secure for themselves a compliance certificate. IT vendors/IT Consultants are usually tasked with undertaking VAPT, and these firms in turn outsource it further to so called specialists, sometimes without the clients’ knowledge.
Deeply technical Vulnerability testing is deeply technical issue. When one is faced with situations such as advanced persistent threats (APT) and zero-day vulnerabilities; it needs to be borne in mind that businesses are up against highly skilled and creative hackers. Such attackers typically belong to organised criminal groups, mafia groups, Black Hat hacker groups or state-backed groups.
APT attack happens when committed adversaries persistently utilise advanced technologies to compromise targets. Extremely hazardous Zero-Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers’ such as Chrome, Firefox, antivirus software, firewall, and internal application software.
On an average, 20 zero-day vulnerabilities exist in any given server. Zero-days have the greatest amount of success and damage rates and least probability of detection by firewalls/IDS/AV’s etc.
The lack of seriousness with respect to VAPT also extends to the “purchasers” of such services.
Businesses are not fully equipped to understand the complexities of VAPT. One has heard of instances where a firm sought to dictate the nature of a test, the date, time and even the server and port/s to be tested.
All this fussiness may be relevant when it comes to a haircut, but not in the context of a VAPT. Hackers, of course, are famous for not following any rules whatsoever and thumbing their noses even at hyperactive cyber defences, leave alone amateurish ones.
The crux of the whole problem appears to lack of senior management involvement in a VAPT or a similar exercise. This matter that cannot be left to systems administrators or developers who are better equipped to remediate the security issues than discovering vulnerabilities.
The lack of senior management attention is often seen in the nature of testing firms recruited to undertake the assignment. Inferior manpower (tool runners abound), no post-exploitation skills, no access to ultra critical zero-day exploits, no APT ‘War Gaming’ skills, no real white hat hackers on board with practical experience (only people with some theoretical knowledge), limited skills on network analysis — these are some of the downsides of testing firms normally used.
Businesses need to address such issues by ensuring senior level, even board level involvement in cyber security. Further their cyber security vendor selection process needs to be more precise and demanding. Vendors need to have very deep domain knowledge, years of penetration testing experience, sophisticated tools, access of hundreds of zero-day exploits, and staffed by established and well networked bug bounty hunters and white hat hackers.
The writer is Founder, Cyber Security & Privacy Foundation
Comments
COMMENT NOW
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.