In a recent report, Rapid7 found that two thirds of penetration test engagements were not discovered at all by the organization being tested. The detection rates were nearly identical between large and small organizations and among different industries. This would be a great concern. Unlike pen tests, which were short-term, rapid-fire and sometimes loud, real attacks were usually long-term, slow and quiet. This meant that if organizations could not detect a penetration test, it would be impossible for them to detect real cyber attacks. Part of the problem was that organizations couldn’t or didn’t track their event logs daily. Penetration testing was gradually evolving. Bug bounty programs were rising and tended to shape the nature of some pen testing. Many organizations with bug bounty programs, especially technology companies including Facebook, Yahoo!, Google, Reddit, Square and Microsoft, were shifting toward more focused and challenging engagements.
Link: http://www.darkreading.com/vulnerabilities—threats/hacking-the-penetration-test-/d/d-id/1328105
Loi Van Tran says
Hi Mengqi,
Thank you for the post. This also seems very interesting to me. That’s a pretty high percentage of organizations (67% of 128) that were unable to detect that their systems were compromised during a pen test. It’ll be interesting to know which ones were successful at detecting it.
Mauchel Barthelemy says
Penetration testing must be neither a one-time effort nor an occasional one. Pen-testing should be regarded as a long-term business commitment by organizations of all sizes. New forms of vulnerabilities are discovered almost every day. Therefore, one of the best ways to minimize the chances of being hacked is to follow the news, keep employees aware, train employees against social engineering, and of course pen-test regularly.