
The Results Are In: Vulnerability Management Comes of Age

Posted by

Pete Deros, Director of Offensive Security and Red Team Operations
Pete Deros is Director of Offensive Security and Red Team Operations for Coalfire.

Bruce DeYoung, Vice President
Bruce DeYoung is Vice President of Threat and Vulnerability Management for Coalfire.

NowSecure recently partnered with Coalfire to contribute mobile risk data to the cybersecurity advisory company’s 4th Annual Penetration Risk Report. The report findings reveal the importance of continuous testing in vulnerability management combined with human-based testing to reduce risk.

The most successful vulnerability and risk management programs are no longer focused on point-in-time schedules but are instead deployed continuously, or at the very least, with more granular frequency. Monitoring and testing take place in real-time, all the time. Results show that organizations embracing this strategy and running best-practice testing programs over the last three years saw high-severity risk factors reduced by a remarkable 25%.

The Coalfire report reflects the results of more than 3,100 penetration tests from nearly 1,600 client engagements in the technology, financial services, healthcare and retail sectors. We analyzed both enterprise and cloud service providers’ internal and external attack vectors, application development and mobile app security, social engineering and phishing and framework-specific findings. Data was segmented by industry and company size based on revenues (“large” being over $1 billion, “medium” between $100 million and $1 billion, and “small” below $100 million).

Over time, the Coalfire research shows that cyber risk significantly shifts every year based on company size, vertical market, and a variety of other factors including increasing cloud migration, proliferation of remote workers, more distributed operations, far-flung supply chains, etc. Due to a surge of highly publicized breaches, the recent overemphasis on external risk has had the negative effect of allowing internal threats to persist. This creates points of weakness that increase the potential for internal “blast radius” catastrophes from the growing legions of sophisticated domestic hackers and nation-state attackers.

Though the top-performing vulnerability management programs are now mostly automated, the best of the best employ a hybrid of continuous integration with at least some level of traditional human-based pen testing, applied alongside a perpetual offensive security and/or red team operations regimen.

Why the Human Factor?

Platform-enabled solutions are clearly the wave of the future, but over-reliance on the promise of automation can create new vulnerabilities. Perhaps one of the most significant trends reflected in our research is enterprise acceleration toward prioritized risk management strategies. With more exposed attack surfaces and supply chains, it has become impractical to think in terms of eliminating risk, and the most successful security programs are establishing a hierarchy of vulnerabilities prioritized through the lens of human experience and intuition. Knowing an organization’s inherent risk profile, threat landscape, risk appetite, and effectively managing security operations with this knowledge requires human intelligence-driven security programs and pen testing.

Tools-based monitoring may uncover known and documented vulnerabilities. But human-based testing is more likely to discover new vulnerabilities, unearth more unknowns, and leverage new and more creative exploitation techniques for older vulnerabilities that tools can’t always achieve consistently. This applies especially to out-of-date software implementations which represent some of the most significant vulnerability challenges, particularly in healthcare and financial services.

Dramatic Improvements in Financial Services

We’ve seen a lot of change in the last four years of pen test research, and one of the most dramatic has been the financial services sector’s overall improvements in vulnerability risk management. High-risk factors were a low 8% for FinServ; however, NowSecure found that high-risk levels for mobile apps were 37%, indicating that financial services mobile apps are performing far worse than web or desktop apps.

Much of financial services IT and security ops are handled out of central headquarters, with less technically skilled staff spread thin across multiple locations and often thousands of digital endpoints. There remains all manner of security challenges with payments, trades, personal privacy, diagnostic file management, and the handling of sensitive information. Almost all of it remains tethered to legacy systems that interface within hybrid IT environments and with workloads spinning up and down in the cloud, seasonally and in concert with financial reporting periods.

Overall, FinServ is picking up the pen testing pace, and is running almost neck and neck with the tech sector, the proverbial leader in maturing cyber posture.

Financial services’ reliance on entrenched network backbones has kept them a step behind, but our research shows they’ve made great strides. However, much like their tech counterparts, FinServ internals are still soft and vulnerable.

  • Security misconfigurations, out-of-date software and patching issues are the top vulnerabilities
  • Financial services companies are also becoming more concerned about potential brand and reputation damage – this means lots of financial data security scanning on the perimeter (external and apps)
  • Pervasive attacks on the external perimeter continue to shift focus away from internal risk

Our recommendations for financial services security teams are to continue to follow tech’s lead with tools and solutions for mitigation and defensive posture monitoring.

  • Prioritize vulnerability management programs
  • Adopt more disciplined patching (watch out for unpatchable legacy software)
  • Integrate more continuous testing, both automated and human-driven

The biggest difference when compared to tech is financial services’ and other verticals’ persistent dependence on legacy systems. These companies are slower to move to newer systems and services, so issues with out-of-date software, encryption, and patching are more common, and carry higher consequences. Fear of cascading vulnerabilities while working with uptime-sensitive businesses is on the rise and on the radar.

Solution: Smarter Testing

With high-risk vulnerabilities nearly cut in half since Coalfire started compiling our data four years ago, large enterprises have been getting smarter about external threats – but they are falling behind on internal vulnerabilities. Smaller businesses are doing a better job balancing internal and external risks; however, mid-size companies struggle in the face of complex hybrid environments, heavy compliance demands, and extensive supply chains expanding their attack surfaces.

The good news: a prioritized vulnerability management approach is taking place across organizations of all sizes, and across all vectors – external, internal, and applications – which is clearly resulting in reducing the highest risk vulnerabilities. The tech sector, cloud service providers and now financial services are leading the way. The problem is that bad actors have the luxury of time and are finding ways to turn low- and medium-risk vulnerabilities into high-risk disasters.

Security testing is moving away from point-in-time, check-the-box cycles to continuous, enterprise-wide risk assessments using real-time dashboards for effective monitoring and oversight. These are powerful positive trends, and Coalfire has validated that institutional intelligence that informs cloud-enabled methodologies is the favored strategy on the long road to a cyber-secure future. With the right mix of technology, human intuition, and perpetual testing cadence, we can apply the best-practice solutions to the problems we’re all trying to solve.