
Why CISOs Are Calling Offensive Plays

BreachLock’s Annual Penetration Testing Intelligence Report, 2022 (free download) explains

Charlie Osborne

London – Jul. 8, 2022

Research has found that a single fix is often enough to take care of some of the most critical vulnerabilities in enterprise software today.

When considering the question of security in the enterprise, companies tend to focus on defense. However, according to BreachLock CEO Seemant Sehgal, when executives ask if their networks are secure, “the reality should be the exact opposite.”

An offensive lens is just as important as maintaining an adequate defense against cyberattacks, or arguably, even more so.

Offensive security solutions in the enterprise aren’t built for seeking out targets or for conducting illegal activities. Instead, CISOs must understand that offensive solutions are developed to mimic an attacker’s mindset and can be invaluable in resolving security problems before cybercriminals exploit them.

Key offensive security areas executives can no longer ignore are red team exercises and penetration tests, which Sehgal says should “become an industry norm.”

To show the potential return on investment (ROI) of applying offensive security techniques to every investment, BreachLock, a Pen Testing as a Service (PTaaS) enterprise platform, released its first Annual Penetration Testing Intelligence Report in June.

The report comprises data points collected from more than 8,000 security tests performed between Jan. 2021 and Dec. 2021. Organizations included in the research range from SMBs with fewer than 20 employees to large enterprise companies.

According to BreachLock, as more firms migrate their resources to the web, sensitive data exposure and application injection vulnerabilities made up over 35 percent of the report’s critical findings, followed by privilege escalation in applications, which accounted for 15 percent of critical security threats.

The OWASP Top 10 is a guide for developers and web application security teams that highlights the most critical security issues affecting application security today. BreachLock’s research says that the root cause of 30 percent of the Top 10 vulnerabilities detected, including SQL injection and cross-site scripting (XSS) flaws, was down to one thing: a lack of input sanitization implemented by organizations.

XSS flaws account for over 50 percent of the high severity vulnerabilities documented.

“One fix can remediate over 30 percent of the critical vulnerabilities and over 50 percent of the high vulnerabilities in web applications,” the report says.

According to the researchers, enterprise apps are not implementing robust client and server-side validation checks, making the potential attack surface larger than it needs to be.

“Developers often take the ‘deny list’ approach to data validation over the ‘allow list’ approach, which leads to new data exploiting the cross-site scripting vulnerabilities,” the researchers note. “This also highlights one of the looming problems with remediating findings — remediation controls often only plug the symptoms of the vulnerability without identifying the root cause and fixing the finding holistically.”
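The deny-list versus allow-list difference the researchers describe, shown on a display-name field. This is an added example, not code from the report or from BreachLock; the inputs and the name pattern are constructed for illustration. Note that the new payload shape passes the deny list untouched while the allow list rejects it.

```python
import re
import html

# Constructed sample inputs for a "display name" field (illustration only,
# not data from the report).
SAMPLE_INPUTS = [
    "alice",                          # benign
    "<script>alert(1)</script>",      # the known-bad token the deny list was written for
    "<img src=x onerror=alert(1)>",   # a newer shape: nothing on the deny list matches
    "Bob O'Neil",                     # benign, but contains a quote character
]

# Deny-list approach: block the tokens seen so far. Every payload shape that
# is not already on the list passes straight through.
DENY_TOKENS = ("<script", "javascript:")

def deny_list_accepts(value: str) -> bool:
    lowered = value.lower()
    return not any(tok in lowered for tok in DENY_TOKENS)

# Allow-list approach: describe what a valid display name looks like and
# reject everything else. New attack shapes never need a rule of their own.
ALLOW_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9 .'\-]{0,31}$")

def allow_list_accepts(value: str) -> bool:
    return ALLOW_PATTERN.fullmatch(value) is not None

def render_name(value: str) -> str:
    """Output encoding is the other half of the fix: even an accepted value
    is HTML-escaped before it is placed in the page."""
    return f"<span class=\"name\">{html.escape(value, quote=True)}</span>"

def compare(inputs=SAMPLE_INPUTS) -> dict:
    """Return {input: (deny_list_result, allow_list_result)} for review."""
    return {v: (deny_list_accepts(v), allow_list_accepts(v)) for v in inputs}
```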

In total, 18 percent of high-risk findings relate to HSTS. HTTP Strict Transport Security (HSTS) is a web security policy that instructs browsers to reach a site only over HTTPS. However, when HSTS is missing or configured incorrectly, this can allow Man-in-the-Middle (MitM) attacks, cookie hijacking, and covert surveillance to take place.

Clickjacking, too, is a common high-risk security problem impacting the enterprise today. While often used in run-of-the-mill malware and phishing campaigns, in an enterprise setting, clickjacking could be used in Business Email Compromise (BEC) scams, whaling, cryptojacking, and targeted attacks.
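A response-header check covering the two high-risk findings just discussed: a weak or absent HSTS policy and missing framing protection against clickjacking. This is an added example, not code from the report or from BreachLock; the two header sets are constructed, and the one-year max-age threshold is the commonly cited minimum rather than a value from the report.

```python
# Constructed response headers for a weak and a hardened deployment
# (sample data for illustration, not taken from the report).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

ONE_YEAR = 31536000  # seconds; commonly recommended HSTS minimum (assumption)

def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into {directive: arg}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip()
    return directives

def check_headers(headers: dict) -> list:
    """Return a list of findings; empty when both controls look sound."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: plain-HTTP requests are not upgraded")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0") or 0)
        except ValueError:
            max_age = 0  # unparseable max-age is treated as no policy
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains unprotected")

    # Clickjacking defence: either CSP frame-ancestors or X-Frame-Options.
    csp = lowered.get("content-security-policy", "")
    xfo = lowered.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("No frame-ancestors or X-Frame-Options: page can be framed")
    return findings
```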

Finding a critical or high-risk vulnerability is only part of the problem in a security audit. On average, it takes an organization 46 days to remediate a critical bug and 80 days for high-risk issues: a scenario the researchers call “a disaster waiting to happen if not fixed before an attacker finds them.”

“There is a common saying in the cybersecurity world — cybersecurity is a shared responsibility; thus, we all need to come together to solve it to make the digital world a safer place,” BreachLock says. “Organizations of every size, industry, and region need to understand security should be included as a KPI in all roles and functions of a digital business to ensure a smooth and secured digital business.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 


Sponsored by BreachLock

Affordable, Smarter and Scalable Cyber Security Testing

BreachLock™ offers a SaaS platform that enables our clients to request and receive a comprehensive penetration test with a few clicks.

Our unique approach makes use of manual as well as automated vulnerability discovery methods aligned with industry best practices.

We execute in-depth manual penetration testing and provide you with both offline and online reports. We retest your fixes and certify you for executing a Penetration Test. This is followed up with monthly automated scanning delivered via the BreachLock platform. Throughout this process, you have access to the platform and our security experts who will help you find, fix, and prevent the next cyber breach.

Find out why penetration testing with BreachLock™ is the leading choice for startups, SMBs, and enterprises around the world.

BreachLock has offices in The Netherlands, London, New York City, and Wilmington, Del.