A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder. Lamar Bailey, Sr. Director, Security R&D at Tripwire points out the weaknesses of the research.
Lamar Bailey, Sr. Director, Security R&D at Tripwire:
“Pentesters are a valuable resource to evaluate the security stance of an application, system, or network. However, it is worth noting that this survey only asked people who are paid to break into systems and get hired based on how good they are, so of course they are going to brag and probably stretch the truth some. All their engagements are under NDAs so there is no way to verify any of these claims. I do not doubt that they can get into many networks in under 12 hours but it is not because “usual security controls are of little use”, it is because foundational security controls are not being used correctly or the target’s security processes are inadequate.
The article mentions the pentesters are using free open source tools and exploits. This shows they are not relying on some super-secret zero-day bought from an uber hacker in the depths of the darkweb. If it is in a public tool then there is a publically known vulnerability associated with it so a good vulnerability management product would have detection for this vulnerability. Patch the vulnerability and you close the hole, the attacker cannot get in that way, end of story. A good IPS device should detect and block any known attempts to exploits many of these vulnerabilities and using file integrity monitoring, change controls, and log management products will alert on any suspicious activity on the systems during and after the attack. Only talking about a firewall as the “usual security controls” is an extremely narrow and misleading focus.
Over the last few years there have been many reports detailing that the majority of successful attacks are due to unpatched known vulnerabilities. Investing in foundational security controls and developing a security policy that is adhered to is the best defense.”
Most Commented Posts
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
Experts Insight On US Pipeline Shut After Cyberattack
Most Active Commenters
Recent Comments
“Cybersecurity Awareness Month’s new evergreen theme "Secure Our World” is…
“Avoid storing data on personal devices: A crucial but often overlooked…
“I recommend a new nuance to passwords that isn’t often…
“In my role overseeing cloud environments and incident response, I'm…
“Cybersecurity Awareness Month serves as a reminder to confront the…