What Most Penetration Testers Get Wrong — Lessons from the Field

In today’s complex digital environment, a simple automated scan just doesn’t cut it. Modern cybercriminals have an abundance of channels through which they can gain access to sensitive information, ranging from software vulnerabilities to unsecured networks.

To defend against these evolving threats, businesses need a penetration testing partner who goes beyond surface-level assessments – someone capable of conducting meticulous evaluations and delivering actionable insights.


Common Mistakes Made During Penetration Tests

To uphold the standard of service we’re proud to offer our customers, we’ve identified several common oversights in penetration testing that can lead to serious consequences. Here are some key examples:

Mistake #1: Over-Reliance on Automated Tools

Automated tools are valuable assets in any penetration tester’s toolkit. However, relying solely on these tools without human input and accepting their results at face value is likely to result in missed vulnerabilities – ones that threat actors are fully prepared to exploit from the moment they’re discovered.

Caption: While automated tools are a valuable aid for efficient analysis, it is critical that penetration testers use their own judgment to identify hidden vulnerabilities and ensure comprehensive security assessments.

At NetAssist, we incorporate a two-step verification process for reliable results. After our tools generate an initial report, our team thoroughly reviews each finding, eliminating false positives and uncovering hidden threats that automation might overlook.


Mistake #2: Failing to Prioritize Vulnerabilities by Risk

Understanding the severity of each vulnerability is essential for effective remediation. Without proper prioritization, teams may waste time addressing low-risk issues – leaving critical vulnerabilities exposed and giving attackers an opportunity to strike.

NetAssist delivers detailed risk scoring matrices that translate technical findings into clear and practical insights, ranked by their potential impact on your business. This allows your organisation to make informed decisions and allocate resources where they matter most.


Mistake #3: Relying on a Single Test Result

In order to deliver a comprehensive penetration test, remediation must not be based on a single test result. This stems from the heightened risk of false positives and overlooked vulnerabilities, which could lead to devastating consequences if left unaddressed.

That’s why NetAssist offers unlimited retests within the agreed scope. Multiple rounds of testing ensure that remediation efforts resolve as many vulnerabilities as possible – a reflection of our commitment to our clients’ long-term security.


Mistake #4: Failing to Provide Regular Client Updates

Caption: It is important to prioritize transparency and timely updates throughout every security assessment, to ensure that there is always clear communication during a crisis.

During a security assessment, especially at a time when concerns about compromise are high, we understand that silence from your testing partner can be unsettling. That is why our team at NetAssist recognizes the importance of clear, timely communication during times of crisis.

Transparency and collaboration are essential for a cyber security provider. Our team at NetAssist provides periodic status updates throughout the testing process, keeping you informed of our progress and any critical findings, and ensuring your organisation is always in the loop.


Our Approach: Why Choose NetAssist?

Every organization faces unique security challenges and operates within distinct resource constraints. That’s why we don’t offer one-size-fits-all solutions; instead, for every vulnerability we identify, our internationally certified penetration testers will work closely with you to develop a customized remediation strategy that aligns with your goals and budget.

At NetAssist (M) Sdn Bhd, we aim to deliver a comprehensive, insightful, and client-focused approach that strengthens your security posture and protects your critical assets.

Contact us at [email protected] to learn how we can help you achieve your security goals today.

How NetAssist’s Managed SOC Takes a Proactive Approach to Cybersecurity Via Purple Teaming

In today’s increasingly dynamic threat landscape, a reactive approach to cybersecurity is no longer sufficient to combat ever-evolving cyber-attacks.

Traditional Security Operation Centres (SOCs) typically focus on monitoring, detecting, and responding to existing cyber threats — a ‘blue team’ approach of using security information and event management (SIEM) and threat intelligence.

However, cyber criminals are continually improving their malicious tactics – a trend that has only worsened with the widespread availability of generative AI. That is why NetAssist has incorporated a team solely dedicated to proactive threat hunting, a ‘red team’, into our SOC operations to better protect clients from evolving threats.


What are Red & Blue Teams?

A blue team’s primary responsibility is to defend an organisation’s assets through analysing its security posture and taking measures to address existing flaws and vulnerabilities. The team is also in charge of monitoring breaches and responding to cyber threats, as mentioned above.

In contrast, a red team focuses on offense: their efforts are funneled into simulating cyber-attacks and probing client systems for potential vulnerabilities. This allows cybersecurity teams to anticipate the techniques used by cyber criminals, implement actionable solutions, and patch weaknesses before they are exploited.

By incorporating both red and blue tactics into our SOC operations, NetAssist is able to proactively neutralize potential attacks against our clients. This ‘purple teaming’ approach integrates the best of blue and red team activities, and allows us to deliver more comprehensive and robust protection in comparison to traditional SOC services.


The Benefits of Purple Teaming

In our experience, unifying red team and blue team tactics into a single SOC powerhouse results in more effective and holistic operations – which enables us to better strengthen our clients’ overall security posture.

Caption: A Venn diagram of Red Team and Blue Team responsibilities.

For example, a purple-team SOC delivers:

⦁ Improved threat detection: The red team provides insights into the attack vectors threat actors are likely to use, which in turn inform the blue team’s monitoring and detection strategies. This allows the SOC to stay ahead of cybercriminal tactics and identify threats quickly.

⦁ Enhanced incident response: By understanding how attackers operate, blue teams can develop targeted incident response plans that are more effective at minimising damage.

⦁ Strengthened security defenses: Red team vulnerability assessments guide the blue team’s implementation of improved security controls, monitoring parameters, and detection configurations.

⦁ Knowledge sharing: Active collaboration and knowledge sharing between the two teams allow the organisation to build a robust foundation of threat expertise, resulting in more efficient operations over time.


We aim to empower clients to not just react to threats, but to actively prevent them. With purple teaming bridging the gap between offensive and defensive security, we are confident that our SOC services are capable of proactive threat mitigation for our clients – and it will only continue to improve as we continue to innovate on our approach.

Have further questions? Please reach out to us at [email protected] for more information.

Keeping cyber security costs low: How to budget in compliance with Malaysia’s Cyber Security Bill 2024

With the recent introduction of Malaysia’s Act 854, businesses classified under the National Critical Information Infrastructure (NCII) must comply with new regulatory requirements, impacting their budgets for the upcoming quarters.

Fortunately, cybersecurity does not have to be prohibitively costly. As an experienced cyber security provider, we have compiled a list of strategic best practices to help organisations achieve compliance while keeping costs low.



1. Ensure strong policies are in place to showcase due diligence

A well-documented cyber security policy provides clear guidelines for protecting an organization’s information systems and data from cyber threats, covering areas such as:

  • acceptable use of company devices;
  • access controls and authentication methods;
  • data protection and encryption protocols;
  • incident response measures.

Caption: A strong cybersecurity policy is an organisation’s first line of defense against digital threats.

A strong cyber security policy for your organisation offers two key benefits.

  • It sets strong ground rules for employees to follow regarding online activity. This creates accountability among staff members, and reduces the risk of falling victim to common cyber pitfalls.
  • It serves as evidence of due diligence towards regulatory bodies and Sector Leads, which may potentially mitigate penalties in the event of a security breach.


2. Mitigate the risk of human error through training

Human error remains one of the leading causes of security breaches. According to a 2024 survey, 66 percent of respondents among Chief Information Security Officers (CISOs) in the United States identified human error as their organization’s most significant cyber vulnerability.

As mentioned previously, a strong cyber security policy helps with mitigating human error. Many organizations also provide training for cyber security awareness for their employees, educating them on common cyber threats and how to avoid them.

Simulated phishing campaigns, where a third party sends controlled phishing attempts to an organisation’s employees, are also conducted as a follow-up assessment of staff readiness and the effectiveness of training sessions.



3. Keep software up to date, back up data regularly

In today’s digital age, business software has been incorporated into many facets of daily operations. However, failure to maintain these digital systems and technology can expose your organisation to several cyber risks.

For example, outdated software usually contains known vulnerabilities that cyber criminals can exploit. Vendors regularly release patches to close such vulnerabilities, so businesses must diligently keep their software up to date to mitigate unnecessary cyber risk.

Scheduling regular data backups is another way for organizations to protect themselves from cyber criminals, as it ensures that business data can be restored quickly in the event of an incident.



4. Outsource to licensed providers

Caption: Outsourcing cybersecurity can be an effective way to benefit from professional protection without incurring overhead costs.

Running an in-house cybersecurity team is extremely costly, as it requires hiring industry experts and setting up and maintaining the necessary infrastructure and technology.

By working with a licensed cybersecurity service provider, especially for specialized tasks like penetration testing and surveillance, your organisation is able to enjoy the benefits of expert-level cyber security without the overhead costs of maintaining an internal team.


Cybersecurity compliance under Malaysia’s Act 854 does not have to be a financial burden. By following the tips we’ve listed, we are confident that businesses of every size can meet compliance requirements while keeping costs manageable.

We hope that our advice was useful in your journey toward improving your cyber security. If you have any further inquiries about Act 854 or how we can help your business, feel free to reach out to us at [email protected].

Data Protection: What You Need to Know About The Latest PDPA Amendments

As our nation continues to move toward rapid technology adoption, protecting the personal data of Malaysian citizens is becoming an increasing concern for policymakers.

The government has recently introduced several amendments to the Personal Data Protection Act (PDPA) 2010, which impose several new obligations on all Malaysian businesses involved in data processing.

We urge all businesses categorised as ‘data processors’ to educate themselves promptly to avoid future legal repercussions. Below is our breakdown of the key points that local businesses should be aware of:



> Penalties for noncompliance have been raised.

The maximum penalties have been increased from RM300,000 and/or imprisonment up to 2 years to RM1,000,000 and/or imprisonment up to 3 years. These penalties apply to managing directors and relevant officers.



> All data processors are now held accountable.

Data processors are now legally required to comply with the Security Principle under the PDPA. This involves taking practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction.



> A Data Protection Officer is now required for all data processors.

A new mandatory requirement has been introduced for data controllers and data processors to appoint one or more data protection officers (“DPO”) to oversee compliance with the PDPA.



> Reports of any suspected breach must be made to the Commissioner.

The Amendment Bill imposes an obligation on data controllers to inform the Commissioner when there is reason to believe that a personal data breach has occurred; failure to do so will result in additional penalties. This applies when personal data has been compromised, hacked, or shared without authorization.



> Biometrics are now included under personal data.

The definition of “sensitive personal data” in the PDPA will be expanded to include “biometric data”, such as fingerprint verification, voice recognition, or facial recognition.

With these amendments to PDPA, alongside the recently enforced Act 854, it is clear that the government is pushing for stricter and more robust cyber security policies.



By understanding and complying with these new data breach notification requirements, Malaysian businesses can protect their reputation, minimize their financial risks, and maintain the trust they have built with customers over the years.

As the regulatory landscape evolves, staying ahead of the curve on policy will be crucial for every Malaysian business owner. For more information on staying compliant with changing policies, please reach out to [email protected].

#cybersecurity #PDPA #Act707 #Act854 #legislation