Inside the mind of hackers

April 28, 2017
Nuix report reveals what attackers truly think of contemporary cybersecurity measures

Cybersecurity is an ever-evolving game of cat and mouse between hackers and security professionals tasked with the responsibility of protecting information held in public and private networks alike. While there are a plethora of both well-established and startup companies that are churning out more advanced security products by the day as part of an effort to neutralize cyber criminals and the treasure trove of resources at their disposal, very few people stop to gauge what professional hackers themselves truly feel are the best security measures to have in place or which safeguards pose the most problems for them.

Australia-based cybersecurity firm Nuix is looking to help executives rethink their cybersecurity roadmap and recently introduced a first-of-its-kind report entitled “The Black Report.” The report is based on a survey the company conducted of network penetration testers, or pentesters for short, at Black Hat USA and DEFCON 24 last year.

Some of the report’s key findings include:

  • 81 percent of those surveyed said they could identify and exfiltrate an organization’s data in less than 12 hours.
  • 88 percent of respondents claimed they could compromise a target in less than 12 hours.
  • 84 percent said they used social engineering as part of their attack strategy.
  • 50 percent of respondents changed their attack methodologies with every target.
  • 69 percent of pentesters said that security teams almost never caught them in the act.
  • 100 percent of those surveyed agreed that once someone has accessed an organization’s data, it’s gone for good.

The report’s findings confirmed what many security experts, such as Chris Pogue, chief information security officer at Nuix, have known for some time but had no hard data to back up until now.

“I can’t really say that I’m surprised because these are the sort of things that, having been in the industry for 18 years, I thought were real but what was good about it is that we were able to finally quantify what we believed to be true for so many years,” Pogue says. “All security practitioners sort of metaphorically think this is happening or that is happening and this (report) solidifies it because we have empirical data to show that this is the overwhelming consensus of a group that is on the frontlines of this every day.” 

Even basic measures that many people believe to be good cybersecurity practice seem to do little to thwart or deter seasoned hackers. For example, 42 percent of those surveyed believed that data hygiene and information governance were the least impactful use of security dollars. Hackers were also split on the importance of employee education – widely regarded as one of the most important tools in defending against cyber criminals – as just over half (52 percent) of those surveyed said they believed it was an extremely important countermeasure.  

While some may have a tendency to shrug off the findings of the report as mere braggadocio, Pogue says that for pentesters, their work isn’t merely a job but a way of life, and that they live, eat and breathe cybersecurity. The report also backs that up: it found that 76 percent of respondents spent between one and 10 hours a week researching security news and technology, while another 22 percent said they spent over 10 hours a week doing so.

“It’s not like they show up at 9 a.m. and leave at 5 p.m. and that’s the end of it. The ones that are good are good because they put in a lot of time and it becomes a part of what they do and who they are,” he adds. “Among any human being there is a propensity for self-exaggeration, but I think for the most part these folks are dedicated to their crafts, they are security purists and they honestly want to see things get better and improve.”

To show just how frustrated pentesters are with the cybersecurity posture of most companies today, 64 percent of those surveyed said their biggest frustration was that organizations didn’t fix the things they knew were broken. They also said that 75 percent of the time, organizations only conduct limited remediation after a penetration test, usually focused on critical and high vulnerabilities.

Perhaps the biggest reason why companies remain so vulnerable is the shortage of qualified cybersecurity personnel in the workforce. One report estimates that there will be between 1 and 2 million unfilled cybersecurity jobs globally by 2019. However, it may be that the education level and certifications employers are seeking for cybersecurity personnel are simply not a good barometer of whether candidates are truly qualified for these roles.

While more than 60 percent of survey respondents in “The Black Report” were educated at the college level or above and 35 percent held three or more technical certifications, the overwhelming majority of them felt that education held little value. In fact, 75 percent of respondents did not believe that holding technical certifications was an accurate indicator of ability.

“There are a lot of companies that want to hire… but then, at the same time, you don’t have an explosion of people. You may have a lot of people who are doing system administration work or are coming out of college and want to do the work professionally but they don’t have any real depth of experience,” Pogue explains. “What happens is either organizations don’t hire or end up hiring someone who is perhaps lower skilled or has less experience than they would like because they have to put someone in the role.” 

Pogue says the biggest takeaway from the report for organizations should be that, in addition to paying so much attention to themselves and the frameworks and countermeasures they have in place, they should also examine the other side of the coin: what people in the pentester community are doing, and what feedback they can offer.

“Only a very small percentage of people have paid attention to the pentesters and have sought their counsel and guidance. These are the guys and gals that know how to circumvent your security controls,” he says. “How can you possibly mount any sort of meaningful defense when you’re not working closely with the people whose job it is to break your defenses and then tell you how to fix them?”
