Confessions of an Ex-Pen Tester: Fear & Data in Pen Testing
Penetration tests can scare the hell out of you. If you let pen testers go full-scope - with phishing, social engineering, and physical attacks - they'll find a way in. Once they do, you can prepare to be afraid: of being a breach target, of reputation loss, and of hemorrhaging millions of dollars.
I should know - I legally hacked into dozens of Fortune 500 companies in my days as a penetration tester. Given the choice, I'd choose the path of least resistance, which was always the human. I used a lot of methods to gain root, but my most reliable attack was running a phishing campaign. I almost always got in. From there, I'd compromise systems, hack boxes, and then grab the glorious Domain Admin creds.
I always dreaded the questions clients asked next: "How do we fix our human vulnerability?" We never had great answers, because penetration tests are most effective at revealing what happens when a vulnerable system is compromised - not at giving insight into the breadth or depth of the problem. Pen testers will generally just suggest security awareness before moving on.
Security awareness isn't the answer: fixing the problem is the answer. So how do you fix your human security problem? Through data - specifically by collecting, analyzing, and acting on data.
Pen testing is better at making you afraid than providing actionable fixes. This led me to envision a solution that can identify, quantify, and fix human security problems. By gathering risk information from multiple sources, verifying it, and then directly fixing problems, you create a full-circle solution.
What's the lesson? Penetration testing can show how badly you're screwed. But only a data-centric approach to mitigating human risk can fix your security problems.