Cyber leaders say penetration testing is not foolproof

May 4, 2021

Research shows that while organizations invest significantly and rely heavily on penetration testing for security, the widely used approach doesn’t accurately measure their overall security posture or breach readiness — the top two stated goals among security and IT professionals. The research, conducted by Informa Tech and commissioned by CyCognito, surveyed enterprises with 3,000 or more employees and found that 70% of organizations perform penetration tests as a way to measure their security posture and 69% to prevent breaches, yet only 38% test more than half of their attack surface annually.

Many organizations are conducting penetration tests to detect and mitigate threats yet remain dangerously vulnerable. CyCognito’s research shows that when using penetration testing as a security practice organizations lack visibility over their Internet-exposed assets, resulting in blind spots that are vulnerable to exploits and compromise. Just as locking the front door of a house but leaving the back door and windows unlocked creates an attractive target, attackers will naturally focus on those IT assets organizations leave untested.

Key findings include:

It’s common for organizations with 3,000 employees or more to have upwards of 10,000 internet-connected assets, however 36% of survey respondents said that only 100 or fewer assets are covered by pen tests; 58% said 1,000 or fewer assets are covered by pen tests.
60% report that they are concerned pen testing gives them limited coverage or leaves them with too many blind spots
47% say that pen testing detects only known assets and not new or unknown ones
45% of respondents conduct pen tests only once or twice per year and 27% do it once per quarter, which is woefully inadequate given the fast pace of threat evolution and how quickly infrastructure/applications change .
79% believe that pen tests are costly. 78% would utilize pen tests on more apps if the costs were lower.
It takes 71% of respondents anywhere from one week to one month to conduct a penetration test. Then, more than 26% have to wait between one to two weeks to get test results, and 13% wait even longer than that.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.