I have a friend who manages a large financial investment company based in NJ and each year, sometimes twice a year, he brings in a team of pen testers to run a test and check the box for security regulations. When I told him that my company automated pen testing (PT) in software for corporations to run at will, he said, “We already do regular vulnerability assessment (VA) scans; why would I need to do the same with PT? And it’s so expensive!”

Firstly, I told him, when you receive the list of vulnerabilities from the VA report, what do you do with it? VA identifies thousands of vulnerabilities. It does not tell you the potential impact of those vulnerabilities in terms of breaches in your particular environment, and it does not show you the hacker’s “attack vector”, which strings vulnerability exploits together like beads on a fuse to create a disastrous attack.

And when it comes to cost, I added, when PT is done by software and doesn’t require expensive expert hourly billing, you’re in a completely different ball game of economics. The cost of another pentest run is marginal.

My friend’s eyes widened and he confessed to the reality that vulnerabilities are discovered at a pace much higher than the pace of remediation, and that even maintaining the critical updates of the primary components in their network does not let him sleep soundly at night.

“You got my attention, so how does your software work?” he asked.

I explained that pentesting in its essence is a multi-step approach in which each vulnerability is attempted until the attacker reaches the objective: stealing information, encrypting information, or disrupting applications and services. Pen testing takes the vulnerability (CVSS) scoring system to the next level by determining the most critical attack vectors. This leads to threat-based prioritization that is contextualized to the tested environment. At the end of the day, in order to protect your company’s “crown jewels” and focus your cybersecurity resources on remediation, it’s crucial to know the cyber-path of the potential “burglars”.
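To make the difference between raw CVSS ranking and attack-path prioritization concrete, here is an added example (not Pcysys code and not from the original post) that ranks a constructed set of scan findings by how many attack paths to a “crown jewel” host they sit on; the host names, finding ids, entry host and target host are all assumptions.

```python
from collections import defaultdict

# Constructed sample VA output (not a real scan). Each finding is a scanner
# result that, if exploited, lets an attacker move from host `src` to `dst`.
FINDINGS = [
    {"id": "F1", "src": "internet", "dst": "web01", "cvss": 6.5},
    {"id": "F2", "src": "web01", "dst": "app01", "cvss": 5.3},
    {"id": "F3", "src": "app01", "dst": "db01", "cvss": 7.2},
    {"id": "F4", "src": "web01", "dst": "db01", "cvss": 4.8},
    # Highest CVSS of all, but on an isolated segment with no route to db01.
    {"id": "F5", "src": "printer3", "dst": "hr-pc7", "cvss": 9.8},
]

def build_graph(findings):
    """Adjacency list: src host -> list of (dst host, finding id)."""
    graph = defaultdict(list)
    for f in findings:
        graph[f["src"]].append((f["dst"], f["id"]))
    return graph

def attack_paths(findings, entry, target):
    """Enumerate simple host paths from entry to target (DFS) and return each
    one as the chain of finding ids an attacker would have to exploit."""
    graph = build_graph(findings)
    paths = []
    def walk(node, visited, chain):
        if node == target:
            paths.append(list(chain))
            return
        for nxt, fid in graph[node]:
            if nxt not in visited:
                visited.add(nxt)
                chain.append(fid)
                walk(nxt, visited, chain)
                chain.pop()
                visited.discard(nxt)
    walk(entry, {entry}, [])
    return paths

def prioritize(findings, entry, target):
    """Rank by number of attack paths to `target` a finding sits on, then by
    CVSS. A finding on no path sorts last no matter how high its score."""
    hits = defaultdict(int)
    for chain in attack_paths(findings, entry, target):
        for fid in chain:
            hits[fid] += 1
    ranked = sorted(findings, key=lambda f: (-hits[f["id"]], -f["cvss"]))
    return [(f["id"], hits[f["id"]], f["cvss"]) for f in ranked]
```

`prioritize(FINDINGS, "internet", "db01")` puts F1 first because both chains to the database run through it, and pushes the 9.8-scored F5 to the bottom because nothing reachable from the entry point leads through it.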

My friend said, “To tell you the truth, you had me at ‘automated’ in your automated pentesting pitch.”

By Arik Liberzon, Founder of Pcysys

To find out more about Pcysys automated pen testing click on the link below:

www.click26.co.uk/pcysys

© 2018 Click 26 Ltd.