CASE STUDY: How 16 Penetration Tests Missed A Vulnerability Which Could’ve Cost One Company Over $103 Million In PCI Fines


IN A RECENT ENHANCED RED TEAM/ADVANCED PENETRATION TEST, OUR TEAM OF TESTERS UNCOVERED A MAJOR VULNERABILITY IN A CLIENT’S NETWORK. THIS VULNERABILITY GAVE OUR TESTERS ACCESS TO DATA THAT HAD BEEN THERE SINCE 2012. IF OUR TEAM HAD BEEN A GROUP OF HACKERS, THIS BREACH WOULD HAVE COST THE COMPANY OVER $103 MILLION IN PCI FINES ALONE.

The interesting fact about this study is that the company had been getting “penetration testing” every quarter since 2012 from various notable companies. We uncovered the information in the 4th quarter of 2016.

That is a total of 16 penetration tests by 7 different vendors that missed the vulnerability.

[Infographic: 16 PENETRATION TESTS | 7 DIFFERENT VENDORS | ALL MISSED VULNERABILITY]

How 16 Penetration Tests Missed A Vulnerability Which Could’ve Cost One Company Over $103 Million In PCI Fines | withum.com

MOST CYBER RISKS ARE HIDDEN

Similar to an iceberg, most vulnerabilities are hidden from automated and compliance-driven vulnerability scanning and penetration testing. Taking an enhanced red teaming approach to advanced penetration testing finds risks “below the surface” by manually emulating the aggressive actions of a hacker. The Withum Cyber approach brings human cyber operations experience, tools, tactics, and procedures to each stage of the test. By comparing test results for organizations that have employed multiple testing methodologies, we have found that applying deep hands-on technical experience to finding organization-specific vulnerabilities is a truly comprehensive way of identifying and analyzing a network’s level of security.

How Did 16 “Pen Tests” Miss This Vulnerability?

Because of the way they were being tested. Each penetration test prior to ours had relied heavily on automated tools to identify vulnerabilities. The pen testing teams would run automated scans and then perform manual tests of the results. The problem with that approach is that automated tools only look for publicly known vulnerabilities in systems, leaving vulnerabilities in custom applications or undiscovered “zero day” vulnerabilities unidentified.

[Infographic]
  10%: Documented and easily-detected vulnerabilities
  90%: Organization-specific vulnerabilities detected only through advanced penetration testing
  295: Average time it takes an organization to identify a cyber attack

AN ENHANCED BLUE TEAM APPROACH TO ADVANCED PENETRATION TESTING EMULATES THE ACTIVITIES THAT ADVANCED PERSISTENT THREAT ACTORS (SUCH AS NATION-STATE THREATS OR ORGANIZED CRIME) WOULD CARRY OUT AGAINST YOUR ORGANIZATION.

Beyond a scan for vulnerabilities, this advanced level of testing takes advantage of the training, experience, and adaptability of our penetration testing specialists in finding, exploiting, and leveraging vulnerabilities to gain access and determine the impact of that access on the organization.

What Is Enhanced Teaming?

Comparison of VULNERABILITY ASSESSMENT, TRADITIONAL PENETRATION TESTING, and ENHANCED BLUE TEAMING/ADVANCED PENETRATION TESTING:

SCOPING
  Vulnerability Assessment: Limited
  Traditional Penetration Testing: Limited to scan results
  Enhanced Blue Teaming/Advanced Penetration Testing: Comprehensive

SKILL LEVEL REQUIRED
  Vulnerability Assessment: Tutorial Needed
  Traditional Penetration Testing: Training Required
  Enhanced Blue Teaming/Advanced Penetration Testing: Advanced Degree

OBJECTIVE
  Vulnerability Assessment: Broad scanning for information gathering.
  Traditional Penetration Testing: Utilize broad scanning to manually test a network for compliance-driven needs.
  Enhanced Blue Teaming/Advanced Penetration Testing: Uncover as many vulnerabilities as possible using the resources leveraged by real attackers.

TECHNIQUES
  Vulnerability Assessment: Fully automated using software which identifies publicly known vulnerabilities.
  Traditional Penetration Testing: Driven by automation, with penetration testers manually testing the findings uncovered by automated scanning.
  Enhanced Blue Teaming/Advanced Penetration Testing: Human driven, with a team of hackers focused on your network identifying vulnerabilities unique to your network.

THREAT EMULATION
  Vulnerability Assessment: None
  Traditional Penetration Testing: Partial
  Enhanced Blue Teaming/Advanced Penetration Testing: Advanced Persistent Threat Emulation

REPORTING
  Vulnerability Assessment: Computer-generated report with unverified information and no determination of business impact.
  Traditional Penetration Testing: Computer-generated report which is verified by a penetration tester, reducing the amount of false positives.
  Enhanced Blue Teaming/Advanced Penetration Testing: Narrative report with actionable remediation steps and verified intelligence determining the business impact of all findings.

It is important to understand the difference in the complexity and depth of testing levels, and why WITHUM CYBER uses an enhanced red team approach to penetration testing.

Key Learnings

ONE: There is a vast difference in definitions of “penetration testing.” Make sure you understand the difference in the level of testing you are receiving.

TWO: As cybercrime continues to grow and become an increasing threat, you must conduct more comprehensive testing in order to truly remain secure and build your cyber resilience.

THREE: Becoming a “want to know” organization and proactively looking for threats and vulnerabilities is imperative.

FOUR: An enhanced blue teaming approach to penetration testing is the only way to uncover organization-specific vulnerabilities.
