If you are relying on software to prevent a compromise from occuring, you have to assume that attackers don’t know about it or don’t think it is worth their while to investigate it.
Speaking to Infosecurity, Andrew Nanson, CTO at CORVID and former cyber security specialist for both NATO and GCHQ, he said that most technology won’t alert you to false positives, but you need a team of experts to detect them. “If you ignore all false positive alerts, it also means that you are ignoring the alert to a present attacker,” he said.
“What is the point of having a technology if you are not going to investigate the initial attackers, bearing in mind they are improving their techniques and approaches? You cannot prevent them from getting in –this is why prevention is the direction in which we are going from an industry perspective.”
Nanson said that it is about keeping your defences as evolved as possible in order to identify what attackers are doing. Assume everything is compromised and keep searching, and never assume an attacker is anything other than subtle and intelligent.
We moved on to penetration testing, as he said that if a company relies upon an annual pen test to protect them, then that will not do.
“It might tick a couple of compliance boxes, but it is not going to detect anything. How is log aggregation going to detect anything? It’s not, as you cannot identify the correct logs to detect it.
“A pen test tells you about your vulnerabilities but doesn’t tell you that you are compromised, and as a pen test tells me where my vulnerabilities are today, but even if I am hugely vulnerable it doesn’t make me compromised.
“Most people have seen the CPNI instructions on applying patches and as long as you apply patches and do best practise, then there is not much else you can do in regard to what a pen test tells you.”
Nanson claimed that what an organisation cares about most is if they are going to be compromised, as they will not care if they have a million vulnerabilities if they will not be exploited. “So if you cannot tell me if I am going to be compromised tomorrow, why have it? Surely you have the pen test when you have everything else in place,” he said.
“You need to have health assessments to know if you have been compromised and if you don’t know that, what is the point?”
Nanson said that he would love to see a pen test company that underwrites the risk and says ‘if you get our pen test and we don’t find any vulnerabilities, we will guarantee your security for a period of time’. However he believed that this cannot be done and if that cannot be provided, a pen test is basically a lifestyle rule.
“I know some good pen testers who can work without Nessus, Nmap, Metasploit and those of sorts of technologies, and it is funny when you tell a pen tester that they can do a test but not allowed to use those technologies – some just crumble. You can do it yourself with low cost options to determine your vulnerabilities,” he said.
“But it is a confusion to us that people spend so much on technology but they don’t measure the effectiveness on it. How effective are they at preventing and detecting the attacks from happening?”
Nanson was swift to point out that he does appreciate the work that pen testers do, but the problem is that pen testing has not evolved to mitigate those threats that are operating now.
“Ten years ago the scale of compromise of IT systems was not the same as it is now, and the scale of compromise at this point that is commercially available means you don’t need to know about security to run an exploit kit, and pen testing has not kept pace with it,” he said. “Meanwhile, CISOs understand it they don’t know what to do to manage the risk.”
Listen to a live discussion on "Why Pen Testing is Broken" next Wednesday at 3pm GMT in the Infosecurity Magazine Virtual Conference. More details here