Blog

Tightening Up Security Increases Costs of Attackers

penetration testing

A study by a security and penetration testing company named Synack suggests that companies that focus on using automated measures to continuously test security and conduct penetration testing nearly doubles the cost of attackers to find exploitable vulnerabilities in the system.

The report shows some good indicators, one being that, over the period of 2 years (2016-2018), the average number of times the penetration testing teams had to investigate an asset to find a vulnerability increased by 112% – more than twice as much as before. Also, the average severity level of vulnerabilities declined to a Common Vulnerability Scoring System (CVSS) score of 5.95 in 2018 from 6.41 in 2016. It’s obvious, given these results, that companies that make security a part of their development and operations strengthen their systems.

What this means is that systems are no longer an easy catch. You just don’t enter a system and make it your hostage that easily. Attackers would need much more effort, resources, and time to find exploitable vulnerabilities.

Data suggests that security measures taken by companies don’t go unrewarded. For example, companies that continuously tested their security by automating the testing process had a 43% higher measure of security using Synack proprietary metric. 63% of the companies were able to remediate vulnerabilities within three months. These companies were from different industry verticals such as education, state and local government, retailers, e-commerce companies, etc.

Companies deserve to be appreciated for being on their toes and taking proactive security measures such as testing for vulnerabilities, remediating them, and making necessary changes in the organizational culture to ensure an improved security posture. The results are, hence, a mirror-image of their efforts.

Synack is not the only security and penetration testing company to realize the impact of incorporating security in your processes against breaches and compromises. HackerOne, a bug-bounty management provider, pointed out four large breaches where attackers exposed serious vulnerabilities that could’ve been prevented from being exploited by bounty programs. HackerOne mentioned the infamous British Airways breach that led to a loss of approx. $230 million. The company noted that it was a JavaScript vulnerability that led to the compromise. It asserted that attackers used third-party JavaScript vulnerability to gain access, which carries a value between $5,000-$10,000.

Another annual research named “Cost of Cybercrime Study” conducted by Ponemon Institute and sponsored by Accenture found that costs associated with breaches can be reduced by leveraging four main technologies:

  • User and cyber behavior analytics
  • Advance identity and access management
  • Machine learning and artificial intelligence
  • Security intelligence and threat sharing

The report also states that the main driving force behind the rise in containment costs is the increasing sophistication and complexity of cyberattacks. Another mentioned factor is regulatory and compliance requirements.

As you may have noticed, most of these reports allocated a significant portion of their reports to promote their own services, directly or indirectly. Just as HackerOne, a bug-bounty management provider, emphasized how bounty programs could have prevented a major breach, Synack promoted its proprietary security metric – a single number that attempts to combine data on the theoretical cost to that attacker, how efficiently Synack remediates vulnerabilities and the severity of vulnerabilities found by the red teams of the company.

According to the research, the manufacturing sector has the highest median attacker resistance score of 69 out of 100 and states continuous testing as the primary reason for higher scores. Continuous testing turned out to be the reason for higher scores for most of the industries mentioned in the report. But strengthening the security systems poses a unique problem, you now have a better class of enemies. And to counter the challenges these enemies face, organizations need to adopt a more proactive approach to secure their infrastructure. 

On the other hand, the technology sector had a much higher threshold of application security, which results in a higher average time required to find a vulnerability. 

Conclusion

And that is the point. You cannot just have a meeting with your potential hackers and talk them out of attacking your system. You have to create obstacles for them. Obstacles that are hard, costly, and require tremendous effort. This will minimize the chances of a breach and ensure that all the weak points are covered. To make it costly for hackers to attack your system, you need to make sure that finding a vulnerability in your system takes a very long time. Because the higher that time is, the higher the cost is to the attacker. This makes the target less attractive.