Cybersecurity staff are being asked to conduct more pen tests – but this still might not be enough
The rapid shift to a work-from-home model caused by the Covid-19 pandemic has ramped up penetration testing in enterprise environments, but questions remain over whether or not current test rates go far enough.
The second annual Penetration Testing survey, published on Thursday by HelpSystems’ Core Security, draws on responses from 300 cybersecurity professionals to better understand the role penetration testing teams currently play in securing enterprise systems.
Penetration testing may be conducted for reasons including vulnerability management, security posture and hygiene checks, risk analysis, and for compliance purposes.
“While it may seem like a large, expensive undertaking, penetration testing can be done on any scale or budget,” the survey notes.
“For example, pen tests don’t have to cover the entire infrastructure, but can instead be strategically scoped to focus on the most critical systems.”
The largest group of respondents, 39%, still conducts pen tests only once or twice a year. A further 16% said tests were conducted quarterly, while 11%, 9%, and 10% of respondents perform a pen test of some form on a monthly, weekly, or daily basis, respectively.
However, Covid-19 and the larger attack surface created by a rapid transition to work-from-home setups have pushed organizations to place more emphasis on pen tests, with network security in particular now on the radar.
According to the study, 45% of respondents are placing a greater emphasis on network security tests due to the current state of work. In addition, organizations are asking cybersecurity teams to expand the scope of their penetration tests in 38% of cases.
Cybersecurity teams are also being asked to examine web applications more frequently, according to 36% of those surveyed, and 31% of respondents said social engineering and phishing attack vectors are being taken more seriously.
Barriers to robust penetration testing programs remain, however. Survey respondents cited executive acceptance, finding enough skilled staff, and ensuring that others actually act on the security and risk findings a test produces as persistent challenges.
The report found that 71% of organizations deemed penetration testing to be “important” but only 44% of cybersecurity staff surveyed were “confident” in their company’s security posture.
According to those surveyed, 80% are most concerned about misconfigurations – which could include insecure servers or access control problems – followed by phishing, lax passwords, and orphaned accounts.
In total, 15% of respondents say they still never conduct penetration testing. Among them, 49% cited a lack of executive sponsorship, 44% blamed staff shortages, and 44% pointed to low organizational maturity as the reason.
Core Security noted that penetration testing can not only provide short-term value by unmasking serious security issues, but can also bolster long-term cybersecurity programs: if tests are run frequently enough, their results can act as a “guide” for overall strategy.