The latest 'Black Report' from Nuix has been published, surveying hacker method and motivation. The headline takeaway is that "71 percent of hackers say they can breach the perimeter of a target within 10 hours", and 100 percent within 15.
Understanding who took part in this research helps determine how trustworthy, from a real-world perspective, their responses are. Hackers, penetration testers and incident responders were questioned. Nuix argues that a "legal statement of work" is the primary difference between a malicious hacker and a skilled pen tester, and respondents completed surveys anonymously during the week of Black Hat, Bsides Vegas and DEFCON.
More than half of those taking part did so using paper forms for 'absolute' anonymity. The make-up of the survey respondents by type is harder to determine. Nuix does suggest that the 21 percent who did not identify as hackers were "more than likely incident responders" but dividing the remainder between malicious hackers and pen testers is harder to accomplish. That said, 35 percent of those questioned said they were motivated by "entertainment value or the lulz" which doesn't sound like professional pen testers talking.
Delving beyond respondent profiles and hacker tales, you arrive at the section of the report entitled 'Attacks and Targets' which is where some of the more interesting statistics can be found. Across all industries, 71 percent of respondents believed they could breach the target perimeter within 10 hours which rises to 100 percent given 15 hours. The candy bar nature of organisational security posture, where things are crunchy on the outside but much chewier in the middle, is exposed by some 54 percent of respondents saying they could locate target data within five hours.
When it came to favoured attack methodologies, network-based attack (28 percent) and social engineering (27 percent) were the clear pack leaders. Open source tools and exploit kits led the way as far as tooling was concerned, and only 12 percent of attackers said they never use social engineering of some kind. Most social engineers (62 percent) favoured phishing, with a physical approach way back on 22 percent and only 16 percent trying some kind of telephone scam.
Almost three-quarters of those asked said they could cover their tracks completely within the space of thirty minutes. However, there is a danger that Mandy Rice-Davies applies (well, they would say that) to much of this, since every figure in the report is self-reported by the attackers themselves. The report also suggests that "93 percent of hackers said that after a penetration test, the client would most commonly not fix some or all of the vulnerabilities identified by the testers."
SC Media UK reached out to the penetration testing community itself to ask why this might be and what can be done to improve the post-testing response. "Vulnerabilities are generally difficult for the average Joe to understand," Tom B, Red Team leader at ThinkMarble, pointed out, continuing: "as penetration testers we tend to score vulnerabilities based on metrics such as ease of exploit, prevalence, impact to confidentiality etc, and all this information is then squashed into a number out of ten or a high, medium or low rating to make the report more boardroom friendly."
Tom admits that not only is a lot of information lost in this process, but so is some of the impact. "Yes, fix the critical vulnerabilities first," he concludes, "but don't ignore the lows or mediums; they are still vulnerabilities and can still be utilised by attackers."
Daniel Follenfant, managing consultant, penetration testing, Consulting Services at NTT Security, told SC Media that he doesn't think there is a failing as such. While agreeing that in some cases the business context of a technical finding isn't translated correctly to highlight the impact to the business, Follenfant insists that "the inevitable goal of the test is to provide a client with evidence as to whether their system has technical vulnerabilities that need addressing; a client can then choose to fix them or not. The important part is that they are now aware that they exist."
When it comes to making that decision, everything from the criticality of the target system and the maturity of the organisation, through to the risk appetite of the system owners, will come into play. The danger, according to Redscan CTO Andy Kays, is that some companies treat pen testing as a tick-box exercise in preparation for an upcoming audit. "Since many regulations only care about medium risks and above," Kays says, "low-level vulnerabilities often get ignored."
And then there's the fact that when the risk presented by a vulnerability is deemed insufficient to justify the cost of remediation, many organisations will simply ignore it. "Remediation of vulnerabilities should be risk-based," argues Kays. "It's not enough for business to know that they have exposures and where; they must also understand the cost, effort, and risks associated with achieving effective resolution."