People are always mystified by how hackers break into major networks like Target, Hannaford, Sony, (government networks included), etc. They always seem to be under the impression that hackers have some elite level of skill. The truth is that it doesn’t take any skill to break into most networks because they aren’t actually protected. Most network owners don’t care about security because they don’t perceive the threat as real. They suffer from the “it won’t ever happen to me” syndrome.
As a genuine penetration testing company we take on dozens of new opportunities per month. Amazingly, roughly 80% of businesses that request services don’t want quality security testing, they want a simple check in the compliance box. They perceive quality security testing as an unnecessary and costly annoyance that stands in the way of new revenue. These businesses test because they are required to, not because they want to. These requirements stem from partners, customers, and regulations that include but are not limited to PCI-DSS, HIPAA, etc.
Unfortunately these requirements make the problem worse rather than better. For example, while PCI requires merchants to receive penetration tests it completely fails to provide any effective or realistic baseline against which to measure the test results. This is also true of HIPAA and other third party testing requirements. To put this into perspective, if the National Institute of Justice set their V50 or V0 standards in the same manner then it would be adequate and acceptable to test bulletproof vests with squirt guns. Some might argue that poor testing is better than nothing but we’d disagree. Testing at less than realistic levels of threat does nothing to prevent the real threat from penetrating.
Shoddy testing requirements and a general false […]