03-11-21 | Blog Post
The initial development and use of pentesting was from the early 1960s to the 1980s by several branches of the US military. From the 1970s to the 1990s, big tech and the scientific community became involved in developing advanced internet security with pentesting as a primary tool. (Dan Farmer; Sun Microsystems and Wietse Venema; Eindhoven University; “Improving the security of your site by breaking into it.”) The 2000’s saw the formalization of best practices for penetration testing by the Open Web Application Security Project. (OWASP) That brings us up to today’s booming $1.7B penetration testing market, a service that can significantly improve security and reduce risk.
Are Pentesting Tools Always Used for Good?
CSO magazine boils pentesting down to its most significant value: “Penetration testing (or pentesting) is a simulated cyber-attack where professional ethical hackers break into corporate networks to find weaknesses … before attackers do.” The article goes onto define the “Top pentesting tools.” The idea of using “tools” in the legitimate pentesting effort provides for an interesting question: are these tools always and only used to ethically find vulnerabilities in security and systems? As this 2018 ZDNet/cnet article points out, tools used for legitimate pentesting purposes, like PowerShell Empire and others, are also used by cybercriminals for nefarious activities.
The Potential Impact of Pentesting tools on Your Network
Examining a pentesting tool recently in the news- Endgame, defined by endgame.readthedocs.io as “An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account – or share the resources with the entire Internet.” The Stack website dives deeper into the recent news about the Endgame as- “A lead security engineer at a software bluechip has open sourced a powerfully useful tool designed to help users shore up their cloud security. The freely available tool lets users identify insecure AWS resources, then backdoor exposed account’s resources to demonstrate how easy it is to get cloud security wrong — and help fix it.” Gigazine news site takes a different approach to this same news: “how you can easily hack AWS resources using Endgame.” This may be of concern to some in the IT and networking community due to the potential for misconfigured resources and compromised security. The article goes onto say that the location of this open-sourced tool “Endgame repository was [quickly] deleted” but tech bulletin boards still have chatter sharing concern that Endgame remains archived and available.
So, What Now?
There are many pentesting tools available online that are used primarily for legitimate and ethical security and penetration testing purposes. The call of the darkside is strong though. Today there are unethical users of certain pentesting tools, as well as many hackers that build their own tools, which threaten the security and operations of your network every hour of everyday. If you have concern about these recent pentesting events, Otava recommends:
Conclusion
Achieving sufficient security assurances in the cloud is possible, but it is not guaranteed. Just like any other IT project, you have to do your homework and in the case of security, it is better to be safe than sorry. Sometimes even the most helpful cyber-tools can create vulnerabilities when used for nefarious purposes. Make sure you have the conversations with your cloud provider to assure the best possible security for your business and information. Still nervous about the security of your cloud? Otava can help! Consider our secure, compliant cloud solutions managed by a team of experts trained in the latest security best practices. Call 877-740-5028 or contact us to learn more.
Additional information:
PCI DSS 3.0: Complete List of Newly Added Requirements
The new PCI DSS 3.0 document contains a number of clarifications, additional guidance and evolving requirements, according to how the PCI SSC refers to the changes.
Top 5 Tips for Cloud Computing Security
Are you hesitant about adopting additional cloud computing services into your IT infrastructure? You are not alone. Data security is the leading concern for IT professionals when it comes to cloud computing.
Cloud-based cybercrime: Is there hope?
While there is much news about the heightened risk of cybercrime and the increased sophistication of cyberattacks, the basics of employee cyber-hygiene, in partnership with the intelligent use of cloud services and best in class cloud provider security, creates a partnership that improves your business security and lowers your cyber-risk profile.