Results from a poll taken during one of our recent webcasts illustrate how cybercrime and compliance efforts are driving significant interest in internal penetration testing.
Several weeks ago, Core Security hosted what we consider to be one of our most successful webcasts ever, and for us that’s actually saying a lot, as we hold quite a few of these virtual events and have had a tremendous response to them over the years.
But in the aftermath of the arrest and indictment of elite cyber-criminal Albert Gonzalez, and the public’s focus on the techniques that he and his partners employed to infiltrate and steal millions of credit card records from companies including Heartland Data Systems and Hannaford Brothers, our presentation, aimed at helping people understand precisely what actions these assailants carried out to achieve their goals, clearly struck a chord and generated substantial interest.
And from what we could ascertain, a significant level of this attention was also driven by the fact that our flagship product, CORE IMPACT Pro, allows people to test for exactly the same types of SQL injection vulnerabilities that Gonzalez and his gang exploited to break into Heartland Data, as well as to replicate the escalation of privilege techniques they subsequently utilized to find their way into the company’s card account databases.
In essence you can use our product to safely recreate the actions that the cyber-criminals used to execute one of the largest electronic data thefts ever committed, or at least reported publicly. We obviously feel that’s a pretty strong value proposition, but that assumption was backed up by the more than 2,000 people who signed up to attend the presentation.
Some Hard Numbers
But the sheer interest in IMPACT Pro wasn’t the only major positive that we took away from the webcast; we also conducted some live polling during the event which reinforces the fact that many organizations are ramping up their penetration testing efforts in general, driven in part by incidents such as the Gonzalez crime spree.
Of the 850-plus attendees who participated in the poll, close to 40 percent said that they are already conducting penetration tests of some sort, with another 35 percent responding that they are planning to do so on some level in the immediate future. Whereas penetration testing was considered a process employed by only a few highly sensitive organizations just several years ago, only 17 percent of our attendee respondents now said that they are not expecting to put some form of testing in place at present.
For many respondents, incidents like the Gonzalez hacks and the regulatory compliance measures that result from such high-profile attacks are the impetus for expanding their penetration testing operations. Some 57 percent of those surveyed agreed that highly publicized breaches will prompt regulation that requires greater use of penetration testing. Another 30 percent said maybe. Only 13 percent said probably not.
Bringing Testing In-House
So the central question that remains is just how all of these organizations will conduct those penetration testing assessments. What we’re banking on here at Core Security, and what our customers and industry analysts have been telling us is happening, is that many organizations are discovering that it’s highly valuable to have a solution like CORE IMPACT Pro licensed in house so that they can run tests whenever they want.
Today, only 30 percent of our respondents told us that they are using internal resources to conduct testing, while just over 40 percent are still only using external consultants to do so. But these people also know that Heartland Data and Hannaford had passed their PCI security compliance audits, which included mandated third party penetration tests, and yet the companies still got thoroughly victimized.
PCI Council representatives have conceded that gaining compliance with their standard merely attests to achieving the prescribed level of IT security control at a single moment in time. For the mandates to work, and for companies to remain continually compliant, they’ve said, the prescribed processes need to be followed consistently, not just to attain check-box compliance in the eyes of an auditor once every year.
We think that eventually most companies will use a mix of both services and products, including ours, to be truly comprehensive and proactive in testing the security of their operations and in maintaining the most up-to-date, informed view of their overall posture and their compliance status.
The overwhelming response to programs like our Gonzalez webcast, and the raw numbers that our attendees provided, make us feel like we’re on the right track.
-Matt Hines, Chief Blogger