16 common types of cyberattacks and how to prevent them




The Evolution Of Cybersecurity: From Traditional Penetration Testing To PTaaS And CTEM

Eoin Keary, Founder & CEO of Edgescan, an enterprise CTEM (Continuous Testing and Exposure Management) platform used by Fortune 500 companies.


On the ever-evolving treadmill of cybersecurity, organizations must continuously adapt to emerging threats and vulnerabilities coupled with new technologies, frameworks and tech paradigms.

Traditional penetration testing, while valuable, is no longer sufficient to maintain a robust security posture. The shift toward penetration testing as a service (PTaaS) and continuous threat exposure management (CTEM) represents a significant advancement in proactive security measures. Let's explore why transitioning from traditional penetration testing to PTaaS and CTEM is crucial for maintaining a secure posture and keeping pace with change.

Traditional Penetration Testing: Strengths And Limitations

Penetration testing, commonly known as "pen testing," involves ethical hackers simulating cyberattacks on an organization's systems to identify vulnerabilities. This process provides a snapshot of the security posture at a specific point in time, highlighting weaknesses that could be exploited by malicious actors. Traditional penetration testing has been instrumental in uncovering critical vulnerabilities and helping organizations prioritize their security efforts.

However, traditional pen testing has several limitations. First, it is typically conducted periodically, such as annually or biannually, leaving significant gaps between assessments (a.k.a. the exposure window). During these intervals, new vulnerabilities can emerge and existing ones can be exploited. Additionally, traditional pen testing is resource-intensive, requiring skilled professionals and substantial time to conduct thorough assessments. This can make it challenging and costly for organizations to perform frequent tests, especially as the complexity of IT environments grows.

The Emergence Of PTaaS

PTaaS addresses many of the limitations associated with traditional pen testing. PTaaS leverages automation, cloud infrastructure and continuous monitoring to provide ongoing security assessments. This approach ensures that vulnerabilities are identified and addressed in real time, reducing the window of opportunity for attackers.

One of the key advantages of PTaaS is its scalability. By utilizing cloud-based platforms, organizations can conduct penetration tests more frequently and efficiently. Automated tools perform initial scans and identify common vulnerabilities, while human experts focus on more complex and nuanced assessments such as business logic and contextual weaknesses. This combination of automation and human expertise enhances the overall effectiveness of the testing process.

Moreover, PTaaS offers greater flexibility and accessibility. Organizations can request tests on-demand, without the need for extensive planning and scheduling. This agility is particularly valuable in dynamic environments where new applications and systems are constantly being deployed. PTaaS platforms also provide detailed reports and actionable insights, enabling organizations to prioritize remediation efforts based on validated and prioritized data.

Continuous Threat Exposure Management (CTEM)

While PTaaS enhances the frequency and efficiency of penetration testing, CTEM takes a more holistic approach to cybersecurity. CTEM involves the continuous assessment and management of an organization's threat exposure, integrating various security practices and technologies to provide comprehensive protection.

The Benefits Of PTaaS And CTEM And How To Embrace This Approach

Transitioning to PTaaS and CTEM offers several significant benefits:

• Continuous Visibility And Assessment: Unlike traditional pen testing, which provides a point-in-time assessment, PTaaS and CTEM offer continuous monitoring. This ensures that vulnerabilities are identified and addressed promptly, reducing the risk of exploitation. This includes attack surface management (ASM), which in effect provides continuous visibility of an organization's landscape.

• Scalability And Efficiency: PTaaS leverages automation to conduct frequent and efficient tests. This scalability is essential for organizations with large and complex IT environments. All discovered vulnerabilities should undergo validation and risk rating in order to assist with prioritization and minimize false positives. The PTaaS approach also can reduce costs significantly.

• Proactive Security Posture: CTEM's approach ensures that organizations are always aware of their exposures and can initiate proactive measures to mitigate discovered risks. This reduces the likelihood of successful attacks and enhances overall situational awareness and resilience. Continuous assessment and visibility are key in an ever-changing environment.

• Improved Resource Allocation: By providing accurate intelligence and prioritizing vulnerabilities, PTaaS and CTEM enable organizations to allocate their security resources more effectively. This ensures that critical issues are addressed promptly while less severe vulnerabilities are managed appropriately. "We can't fix all the vulnerabilities, but we can certainly address the ones that matter." It's normal to expect a 20% to 50% reduction in resources required compared to traditional approaches.

• Regulatory Compliance: Many industries are subject to stringent regulatory compliance requirements regarding cyber and data security. PTaaS and CTEM help organizations meet these requirements by providing continuous, documented evidence of their security posture and assessment frequency, including the ability to measure and report improvement as well as areas of concern and focus.

Getting Started

Embracing the value of PTaaS and employing a CTEM approach is not difficult. Knowing what benefits continuous automation brings is key, but it's also important to understand what human touch points are required to achieve full coverage since automation is not a silver bullet.

• Consider mapping your landscape (attack surface management). Remember: We can't secure what we can't see.

• Set up a recurring scanning cycle based on the mapped landscape and analyze results. Endpoints, APIs and web applications all should be assessed.

• Validate and prioritize all vulnerability data based on the exploitability of vulnerabilities and criticality of systems being assessed.

• Assist development in mobilizing and remediating by delivering a list of accurate vulnerabilities and reasons why they need to be addressed. Track remediation efforts and self-imposed SLAs, if any.

• Focus PTaaS efforts initially on systems that have a high vulnerability density and systems that are considered "AAA" to the business. Preferably, PTaaS vulnerability intelligence, scheduling and vulnerability life cycle management should be in a unified solution to deliver good visibility.

Conclusion

The shift from traditional penetration testing to PTaaS and CTEM is essential for maintaining a secure posture in today's "wild west" internet. PTaaS enhances the frequency, efficiency and scalability of penetration testing, while CTEM provides a comprehensive framework for continuous visibility and threat exposure management.

Together, these approaches enable organizations to proactively identify and mitigate vulnerabilities, ensuring robust protection against evolving cyber threats. By embracing PTaaS and CTEM, organizations can achieve increased resilience and an adaptive security posture, safeguard their digital assets and maintain trust and compliance with stakeholders and auditors.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


CompTIA Bolsters Penetration Testing Certification

CompTIA recently upgraded its PenTest+ certification program to educate professionals on cybersecurity penetration testing with training for artificial intelligence (AI), scanning and analysis, and vulnerability management, among other things.

PenTest+ certification training now includes access to a hackable website that provides live targets and vulnerabilities for cybersecurity professionals to identify and mitigate real-world threats, according to CompTIA. The certification course will validate that cybersecurity professionals have knowledge and skills in "penetration testing, vulnerability assessment, mitigation, reporting, and other responsibilities that proactively protect cybersecurity resources," CompTIA said in a statement.

Cybersecurity penetration testing, or pen testing, involves a security assessment in which a security professional acts like a malicious hacker would and simulates a cyberattack on a computer system or network to identify potential vulnerabilities. This lets organizations then proactively address the vulnerability or weakness and fix them before an actual attack occurs. Using the same tools and techniques as hackers lets security professionals find exploitable weaknesses in the system.

CompTIA's State of Cybersecurity 2025 report found that 56% of firms plan to invest in training for the security workforce and 42% will offer cybersecurity certifications to "establish core concepts and extend skillsets into emerging focus areas."

"Penetration testing is among the most impactful steps a company can take to strengthen its cybersecurity readiness," said Thomas Reilly, chief product officer at CompTIA, in a statement. "It increases their ability to fight the growing landscape of cyber threats, attacks, and vulnerabilities, and contributes to ensuring regulatory compliance."

PenTest+ will help cybersecurity professionals demonstrate their competency in current trends, prove they are up to date on the latest trends, and show they can perform hands-on tasks. According to CompTIA, professionals completing the PenTest+ certification course will learn the following skills:

  • Engagement management: Provides updated techniques emphasizing scoping and organizational/customer requirements, governance, risk and compliance concepts, reporting, communication, remediation recommendations, and demonstrating an ethical hacking mindset.
  • Attacks and exploits: Includes new techniques to analyze targets, select the best approach, and perform network attacks, wireless attacks, application-based attacks, and cloud attacks as well as AI attacks and scripting automation.
  • Reconnaissance and enumeration: Offers expanded coverage of information gathering, enumeration, and passive/active reconnaissance, with the goal of conducting inventory—which includes identifying scripts and explaining use cases of various scripting languages.
  • Vulnerability discovery and analysis: Features updated skills that cover vulnerability scanning tools, analysis, management, and physical security weaknesses.
  • Post-exploitation and lateral movement: Focuses on maintaining persistence, lateral movement, staging, exfiltration and post-exploitation, including clean up and restoration activities.

The PenTest+ exam features a maximum of 90 performance-based and multiple-choice questions and runs 165 minutes. Testers must receive a score of 750 or higher to pass the certification test. CompTIA recommends professionals taking the certification course and exam also have Network+ and/or Security+ certifications or equivalent knowledge, and three to four years of experience in a penetration testing job role. Pricing for the exam has yet to be determined.



    Ethical Hacking: How To Hire A White Hat Hacker For Penetration Testing

    Any business that isn't doing penetration testing to identify and address vulnerabilities in its IT environment should get started — fast.

    It's easier than ever for malicious hackers to breach an organization's network. There are many tools available today to automate the exploitation of remote hosts, so the bad guys don't need as many skills or have to work as hard to get at what they want, says Maninder Pal Singh, executive director of the cybersecurity technical certification body EC-Council Global Services. These days, a main goal for them is to target data that can be monetized.

    It's difficult to breach up-to-date and appropriately configured operating systems running on servers equipped with state-of-the-art firewalls, intrusion detection and prevention systems, he says. But trouble lurks when companies regularly develop new applications and customize existing ones, especially without following such practices as Secure Software Development Life Cycle or conducting security reviews when technology is added or altered.

    "This could result in unfixed vulnerabilities that are used by attackers to break into the network," Singh says. "Using the applications as the entry point, the hackers can gain access to the servers and network."

    What Is Penetration Testing?

    A penetration test, or pen-test, allows organizations to discover the weak spots in their IT systems before a malicious actor does. Once the initial vulnerabilities are exploited, the testers use those as a pivot point to expand their access on the target network and try to gain access to higher-level privileges. The goal is to show an organization its vulnerabilities and then provide concrete advice on how to remediate them.

    Mark Lachinet, a security solutions manager at CDW, explains in a blog post the company's Comprehensive Security Assessment service, in which its white hat hackers use the same tools and techniques deployed by cybercriminals against organizations' networks. "The difference is that we're the good guys, and we use the information we discover during this penetration test to help you improve your network security," he says. "You get all the lessons learned that normally result from a security breach without actually experiencing the breach itself."

    According to Lachinet, organizations often discover that they have devices that lack proper security controls and fall outside of normal management practices. He also notes that organizations are usually surprised by how high up inside organizations testers can get by using social engineering tactics. And usually, organizations ask to have their own cybersecurity teams observe the testing. 

    Penetration testing can help organizations "avoid the debilitating costs of a breach and prioritize security spending," as CDW notes. 

    Best Practices for Hiring White Hat Hackers

    Using penetration testers, sometimes called white hat hackers or ethical hackers, to look for vulnerabilities helps to avoid costs and other damages to a business when systems or data are compromised and the breach is disclosed, says Joel Snyder, senior partner at IT consulting firm Opus One.

    Another advantage of hiring independent penetration testers is that they bring objectivity to the table, which internal developers, designers or IT security may not be able to do. "It's good to have an independent group that stands back to hold up the mirror," says John McCumber, director of cybersecurity advocacy at (ISC)², a nonprofit membership association for information security leaders.

    But it's important to be careful when hiring a white hat hacker. Many companies bill themselves as offering penetration testing services but aren't truly expert at it. Such companies often hire inexperienced semiprofessionals — think college kid with a laptop — who don't have the skills to go deep into penetration testing. They may catch some obvious mistakes but not fundamental errors like coding vulnerabilities, says Snyder.

    Here are some best practices for making good choices when hiring white hat hacker contractors:

  • Decide on the appropriate type of penetration testing. White box or black box tester? With the latter, the contractor receives only the information that an attacker could figure out based on publicly available information. A hacker performing a black box test may receive nothing more than a URL. In a white box test, the hacker receives far more information — not only the URL of the app but maybe copies of the source code and other information an external attacker is not likely to possess. Black box penetration testing may mirror a more realistic scenario, Snyder says, but white box testing helps the contractor do deeper testing and deliver greater insight into critical vulnerabilities. White box testing also better prepares a business against internal attacks, such as from a current or former employee.
  • Get recommendations from trusted sources and real-world evidence of the white hat hacker's expertise. Staff developers at most businesses have probably worked at other companies that used effective penetration testing services, so ask them for suggestions, Snyder says. When interviewing potential contractors, ask for past customer references. "Some of their customers may forbid them to disclose their names," he says, but if they've done penetration testing more than 10 times they should have at least a few clients willing to talk about their experiences. "If they don't, they're not a good choice," he says.
  • Choose a contractor that has something to lose if it performs poor service. There are a lot of tiny operators in the penetration testing world, and many of them are relatively inexpensive, but it's best to hire a company with assets and a reputation to protect, Snyder says. Insisting on a signed confidentiality agreement ensures that the contractor will not use any data it might get in the course of testing, except for the benefit of the client.

    Look for Ethical Hacker Certifications from White Hat Hackers

    There are a number of organizations that provide certifications in ethical hacking. While some argue that certification matters less than a demonstrated track record of success, many agree that certification is a worthy thing for businesses to look for when selecting a penetration testing provider.

    At (ISC)², the certification methodology ensures that individuals gain a broad understanding of information security protection, says McCumber. It requires that individuals complete a complex and costly process to achieve certification that meets American National Standards Institute requirements. "We use this to assure that those who get certifications have shown us that they have the necessary knowledge, skills and abilities," he says. "We consider the Systems Security Certified Practitioner (SSCP) a key certification for professional penetration testers."

    There are ways to access deep cybersecurity expertise using managed services, too. CDW, for instance, offers Threat Check, which uses automated technology to watch for malicious network traffic and detect infected clients and botnets, then lets businesses leverage the support of CDW's experienced engineers and solution architects. They can advise customers about issues, including which network, policy and software changes can be made to better protect organizations from cyberattacks and device breaches.

    What Should a White Hat Hacker Look for in a Penetration Test?

    Once the choice is made, the next step is to clarify the testing parameters.

  • Define the boundaries of the engagement. "The scope has to be well defined. Exclusions (types of attacks not to be performed) should be clearly called out," says Singh.
  • Consider contracts carefully. A penetration testing contractor with lots of experience may require a liability release, Snyder notes. That can include the provision that if the network goes dark as a result of the penetration testing, it's the client's problem. "Think about that and make sure you negotiate that," he says. Singh adds, "The contract has to cover applicable risks through clauses like confidentiality." Another good idea is for payments to be tied to levels of effort — make sure to include the stipulation that the job isn't done when the first vulnerability is found, says Snyder.
  • Agree on the format of the final report. Advise contractors of expectations — for example, that they include in the report "the steps required to reperform testing and screen shots for 'proof of concept' along with the standard observations, risk rating and recommendations," says Singh.

    Whatever a business decides about its approach to finding and fixing vulnerabilities, and the resources it will use to do that, there's one thing to always remember: "Systems evolve, connections are added or deleted, environments change," says McCumber. "This is a recurring process."





