While organizations invest significantly and rely heavily on penetration testing for security, the widely used approach doesn't accurately measure their overall security posture or breach readiness - the top two stated goals among security and IT professionals.
The research, conducted by Informa Tech, surveyed enterprises with 3,000 or more employees and found that 70 percent of organizations perform penetration tests as a way to measure their security posture and 69 percent to prevent breaches, yet only 38 percent test more than half of their attack surface annually.
The research shows that when organizations use penetration testing as their security practice, they lack visibility over their internet-exposed assets, which leaves blind spots that are vulnerable to exploitation and compromise.
Penetration testing and blind spots

It's common for organizations with 3,000 employees or more to have upwards of 10,000 internet-connected assets. However, 36 percent of survey respondents said that only 100 or fewer assets are covered by pen tests, and 58 percent said 1,000 or fewer assets are covered by pen tests.
60 percent report that they are concerned pen testing gives them limited coverage or leaves them with too many blind spots.
"Security tests should tell organizations what attackers are able to see and exploit so that defenders can prevent breaches. But when companies are only able to see assets they already know about, test just a portion of their attack surface, and do that only a few times per year, preventing breaches isn't possible. So, the biggest takeaway from this report is that what organizations want or are hoping to achieve through pen testing versus what they actually are accomplishing are two very different things," said Rob Gurzeev, CEO of CyCognito.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/lF-j1fCdzLA/