Exclusive Insights from Fortra’s 2024 Penetration Testing Report

Fortra recently published its 2024 Penetration Testing Report, which delivers crucial insights into how organizations are employing proactive security measures to fortify their defenses before threats materialize.

This comprehensive report, now in its fifth year, not only tracks trends and challenges but also provides an ongoing evaluation of penetration testing practices. To get more insight into the report, I had a quick Q&A with Chris Reffkin, Chief Security & Risk Officer at Fortra, who provided these comments:

62% of respondents said lack of resources to act on findings/perform remediation was a challenge. What advice do you have for organizations with this issue?

Leaders need to understand the “so what” and “what’s the risk” relative to the findings of any security assessment. Not all findings are created equal, including all critical or high issues. Leaders need to translate those key findings into business mission and objective terminology. This will help articulate the risks to business leaders, so they understand the impact of not addressing such findings.

66% of respondents said lack of patching was a big security risk for them. Why does this issue continue to exist and how can pen testing help mitigate this risk?

The challenge of foundational security is not to be underestimated. A robust patch management program with operational considerations is a complex task. With thousands of assets, virtual or physical, and applications, organizations need to orchestrate business processes and other external dependencies to be patched at least monthly. Pen testing can be a valuable tool in this process, helping to concentrate limited resources on making iterative improvements and demonstrating the impact of potential gaps in patch management processes. By tying pen testing results to business objectives and specific control elements like patch management, organizations can drive significant improvements.

How can pen testing, red teaming and security awareness training help prevent phishing threats?

No control or process can prevent phishing threats, although there are several that can help you prepare. Security awareness training will help with high-level employee performance monitoring relative to phishing awareness. Pen testing will assist with broad control analysis of potential vulnerabilities or weak points throughout the environment. Red teaming will help answer the question of what happens after someone clicks the phishing link – a real-world simulation of a sophisticated and targeted attack.

What are the cost-effective ways to approach pen testing?

Pen testing cost management comes down to scope and clear expectations on the use of results. One way to manage cost is to set a schedule of testing based on your organization’s risk assessment and cycle through different environments or specific systems based on risk to the organization. To effectively manage costs and achieve manageable results for remediation purposes, it’s more effective to cycle through a focused scope rather than hoping to cover everything with one substantial assessment once a year.

You can have a look at the report here.
