As I’ve pointed out before, the greatest threat to cybersecurity that organizations face today is the cybersecurity industry itself. I’ve long noticed that every business advisory firm in the country is now offering “penetration testing”, even as a critical industry talent shortage points to that not being possible. All you have to do now is buy a $2000 license for a vulnerability scanning tool, send an employee to a two-week training, and BOOM, you have a “penetration tester.”
My initial thought was that this phenomenon is an intentional, unscrupulous business practice--one that sees the lack of knowledge on the client’s part and exploits trust to sell them something, even if the service provided is inadequate. However, after some conversations at a convention a few weeks ago, my eyes have been opened to a new reality: these vulnerability scanners masquerading as penetration testers 100% believe their own marketing hype.
Over the course of conversations with some others at this conference, we tried to explain that most of our clients already do vulnerability scanning through their own IT department, so we manually test every node to find the flaws that scanning tools miss, which are the overwhelming majority. One “penetration tester” proudly proclaimed that “We do something like that too. We don’t even launch the scanner until day 3, and we have some very large clients where tests can last almost two weeks.” What they are doing is little more than a rudimentary IT asset inventory, followed by a vulnerability scan and a manual verification of the scan results. This is all well and good if the client knows they are getting something they could probably do themselves, but the client is not getting value if they believe they are being sold a comprehensive penetration test. The real danger here is that not only the client--but also their security provider--believes this! With the availability of basic scanning tools and two-week training courses, the cybersecurity industry has become flooded with people worthy of nothing more than a participation trophy.
Let me put some things bluntly for those of you interested in the penetration testing market:
- If a vulnerability scanning tool is being used by your penetration testing provider, you will not find anything that is not publicly disclosed, and are missing the vast majority of ways that real threat groups will move through your network.
- For the cost of a vulnerability scanning tool license, typically between $2000 and $4000, your IT shop can run its own vulnerability scan as often as you would like.
- If you are an organization of any size at all, and your penetration test is taking less than a few weeks, you are not getting anything close to a true penetration test.
- If your penetration test involves one person who shows up on site with a laptop, you are not getting anything close to a penetration test.
It seems like every day we are seeing another significant breach involving a major company. I think the explanation is simple here when you look at what the cybersecurity industry has become: too many over-confident, yet under-qualified, people selling magic beans and telling organizations they are secure as a result. In reality, the services provided by such firms only provide information about a small subset of vulnerabilities. A complete lack of sophistication has crept across the cybersecurity market, and client industries are starting to suffer the consequences.
The reality is that security is a never ending process. Be wary of anyone selling you a magic potion. Ensure you understand exactly what you are getting when you purchase security services and tools.