CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

Transcription

1 CASE STUDY How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

2 IN A RECENT ENHANCED RED TEAM/ADVANCED PENETRATION TEST, OUR TEAM OF TESTERS UNCOVERED A MAJOR VULNERABILITY IN A CLIENT S NETWORK. THIS VULNERABILITY GAVE THEM ACCESS TO DATA, WHICH HAD BEEN THERE SINCE IF OUR TEAM HAD BEEN A GROUP OF HACKERS, THIS BREACH WOULD HAVE COST THE COMPANY OVER $103 MILLION IN PCI FINES ALONE. The interesting fact about this study is that the company had been getting penetration testing quarterly every quarter since 2012 by various notable companies. We uncovered the information in the 4th quarter of That is a total of 16 penetration tests by 7 different vendors that missed the vulnerability. 16 PENETRATION TESTS 7 DIFFERENT VENDORS ALL MISSED VULNERABILITY How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines withum.com

3 How Did 16 Pen Tests Miss This Vulnerability? Because of the way they are being tested. Each penetration test prior to ours had relied heavily on automated tools to identify vulnerabilities. The pen testing teams would run automated scans and then perform manual tests of the results. The problem with that is automated tools only look for publicly known vulnerabilities in systems leaving vulnerabilities in custom applications or undiscovered zero day vulnerabilities unidentified. 10% Documented and easily-detected vulnerabilities MOST CYBER RISKS ARE HIDDEN 295 Average time it takes an organization to identify a cyber attack 90% Organization-specific vulnerabilities detected only through advanced penetration testing Similar to an iceberg, most vulnerabilities are hidden from automated and compliance-driven vulnerability scanning and penetration testing. Taking an enhanced red teaming approach to advanced penetration testing finds risks below the surface by manually emulating the aggressive actions of a hacker. The Withum Cyber approach involves human cyber operations experience, tools, tactics, and procedures at each stage of the test. It has been determined, by comparing test results for organizations that have employed multiple testing methodologies, that applying deep hands-on technical experience towards finding organizationspecific vulnerabilities is a truly comprehensive way of identifying and analyzing a network s level of security. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines withum.com

4 What Is Enhanced Teaming? AN ENHANCED BLUE TEAM APPROACH TO ADVANCED PENETRATION TESTING EMULATES THE ACTIVITIES THAT ADVANCED PERSISTENT THREAT ACTORS (SUCH AS NATION-STATE THREATS OR ORGANIZED CRIME) WOULD CARRY OUT AGAINST YOUR ORGANIZATION. Beyond a scan for vulnerabilities, this advanced level of testing takes advantage of the training, experience, and adaptability of our penetration testing specialists in finding, exploiting, and leveraging vulnerabilities to gain access and determine the impact of that access on the organization. VULNERABILITY ASSESSMENT TRADITIONAL PENETRATION ENHANCED BLUE TEAMING/ ADVANCED PENETRATION TESTING SCOPING Limited Limited to scan results Comprehensive SKILL LEVEL REQUIRED Tutorial Needed Training Required Advanced Degree OBJECTIVE Broad scanning for information gathering Utilize broad scanning to manually test a network for compliance driven needs. Uncover as many vulnerabilites as possible using the resources leveraged by real attackers. TECHNIQUES Fully automated using software which identifies publicly known vulnerabilities. Driven by automation with penetration testers manually testing the findings uncovered by automated scanning. Human driven with a team of hackers focused on your network identifying vulnerabilities unique to your network. THREAT EMULSION None Partial Advanced Persistent Threat Emulation REPORTING Computer generated report with unverified information and no determination of business impact. Computer generated report which is verified by penetration tester reducing the amount of false positives. Narrative report with actionable remediation steps and verified intelligence determining the business impact of all findings. It is important to understand the difference in the complexity and depth of testing levels, and why WITHUM CYBER uses an enhanced red team approach to penetration testing.

5 Key Learnings ONE TWO There is a vast difference in definitions of penetration testing. Make sure you understand the difference in the level of testing you are receiving. As cybercrime continues to grow and being an increasing threat, you must start to conduct more comprehensive testing in order to truly remain secure and build your cyber resilience THREE FOUR Becoming a want to know organization and proactively looking for threats and vulnerabilities is imperative. An enhanced blue teaming approach to penetration testing is the only way to uncover organization specific vulnerabilities. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines withum.com

6