3. TRENDING THREATS – APRIL TOPIC
RANSOM(A)WARE-NESS
NOW, MORE THAN EVER, IT RISK CONCERNS HAVE WOVEN THEMSELVES INTO BOARDROOM CONVERSATIONS.
Are we prepared if we are hit with ransomware?
How much will our cybersecurity insurance plan cover?
Do we have the right products or services in place that provide a multilevel security approach aligned with a zero trust strategy?
You’ve heard it before: it isn’t a question of if you will get hit with a ransomware attack, but when.
info@intiGrow.com | www.intiGrow.com 03
4. As our work environments have shifted from office to remote, cyber threats have increased exponentially. According to the Institute for Security and Technology, ransomware victims paid out $350M in 2020 – a 311% increase over 2019.
With remote working remaining at the forefront for organizations, employees are no longer confined within the corporate network’s perimeter. Ransomware gangs and criminals are leveraging this vulnerability. With current foreign relations, Russia is focused on leveraging cyber warfare if anyone dares to interfere with their mission.
As a remote employee, here are some measures you can implement to minimize risks:
Secure internet routers with unique passwords.
Firewalls that monitor incoming traffic and keep out threats.
Company devices with additional security in place.

From a corporate perspective, reducing your risks starts with impactful conversations with the boardroom and other key stakeholders.

Have you had conversations about zero trust? A zero trust strategy contains these benefits/outcomes:
Increase visibility across the enterprise.
Reduce time to breach detection.
Reduce the complexity of your security stack.
Avoid reputational damage and significant financial losses.

At intiGrow, we pride ourselves in understanding your organization’s specific challenges and working with key stakeholders to implement a zero trust strategy that addresses all your concerns and identifies the areas where your organization needs to focus, including:
Review of the existing topology or architecture
Prioritize initial areas for zero trust on-ramp
Develop target topology
Identity access management strategy
Privileged access management strategy
Password management strategy
Guidance on your organization's insurance renewal

We are happy to assist you if you would like a critical assessment of your business capabilities and a gap analysis to plan out your zero-trust journey.
5. Inside IntiGrow Topic:
Manual vs Automated Pen Testing
While most companies are familiar with and conduct manual pen tests, automated pen testing has become an option to consider in recent years.
Let's explore the pros and cons of each.
How does automated pen testing compare to manual?
Is one better than the other?
MANUAL PEN TESTING PROS AND CONS
The top benefits of manual pen testing are that it offers flexibility and a higher likelihood of
discovering and mitigating vulnerabilities within the tested systems. Manual pen testing can find
more subtle vulnerabilities and attacks that automated tests may miss, such as blind SQL injection
attacks, logic flaws and access control vulnerabilities. In a manual pen test, a trained professional
can examine how an application responds to such an attack, potentially catching responses
that appear legitimate to automated software but are, in reality, a problem.
Some pen tests can also only be performed manually. If a company wants to examine social
engineering preparedness, for example, manual pen testing is needed, especially when testing for
issues such as vishing (voice phishing).
Manual pen testing can also enable more creativity when looking for flaws. A good penetration
tester will use their instincts and, based on the results, may opt to take testing further in an
unexpected direction.
Another benefit of manual pen testing is having an expert on hand to review reports. While
automated pen testing tools also generate reports, security analysts still have to review and
remediate many of the issues detected.
The top cons of manual pen testing are cost and time. Depending on a pen test's thoroughness, it
could take weeks to get results, which isn't always ideal -- especially if major vulnerabilities exist.
Manual pen testing can also be expensive, which is why many companies do it only to fulfill
compliance and regulatory requirements. When companies can't afford an internal red team or pen
testing team, third-party service providers are normally used for testing needs -- another cost.
6. AUTOMATED PEN TESTING PROS AND CONS
Pen testing is complicated and expensive, so many companies
conduct tests infrequently. The benefits of less expensive and
easier access to testing via automation could change that.
Frequent automated pen testing also helps companies evaluate
their entire systems, which may get updated, for example during
rapid release cycles, more often than testing occurs.
Another benefit of automated pen testing is it frees up security
analysts' time so they can focus their attention on other tasks
that may get put on hold during testing periods. Automation can
also handle repetitious tasks that aren't necessarily complicated
but are time-consuming for humans to complete. Analysts can
also now test cloud-focused applications at run time.
Another downside of automation is that testing results depend on
how good the penetration tool itself is, as well as how
knowledgeable the person using it is. If the pen testing software
developer didn't do their job well, for example, then the
automated pen test is flawed and could miss critical issues.
Additionally, automated pen testing remains limited in function
and cannot be deployed for every testing scenario. Pen tests on
wireless networks, web apps and social engineering, for example,
aren't supported by most tools.
COMBINING MANUAL AND AUTOMATED PEN TESTING
When it comes to choosing manual vs. automated pen
testing, it's often not a question of either/or. Rather,
automated pen testing tools should augment manual
pen testing efforts.
Another option automation has also enabled is
penetration testing as a service (PTaaS). Some
services are already available from vendors such as
NetSPI, Cobalt and Pentest People. PTaaS offerings
are a mix of manual and automated pen testing that
make it easier for companies to fulfill specific pen
testing needs, such as to satisfy compliance or
regulatory requirements.