What Most Penetration Testers Get Wrong — Lessons from the Field

In today’s complex digital environment, a simple automated scan just doesn’t cut it. Modern cybercriminals have an abundance of channels through which they can gain access to sensitive information, ranging from software vulnerabilities to unsecured networks.

To defend against these evolving threats, businesses need a penetration testing partner who goes beyond surface-level assessments – someone capable of conducting meticulous evaluations and delivering actionable insights.


Common Mistakes Made During Penetration Tests

To uphold the standard of service we’re proud to offer our customers, we’ve identified several common oversights in penetration testing that can lead to serious consequences. Here are some key examples:

Mistake #1: Over-Reliance on Automated Tools

Automated tools are valuable assets in any penetration tester’s toolkit. However, relying solely on these tools without human input and accepting their results at face value is likely to result in missed vulnerabilities – ones that threat actors are fully prepared to exploit from the moment they’re discovered.

Caption: While automated tools are an incredible tool for efficient analysis, it is critical that penetration testers use their own judgment to identify hidden vulnerabilities and ensure comprehensive security assessments.

At NetAssist, we incorporate a two-step verification process for reliable results. After our tools generate an initial report, our team thoroughly reviews each finding, eliminating false positives and uncovering hidden threats that automation might overlook.


Mistake #2: Failing to Prioritize Vulnerabilities by Risk

Understanding the severity of each vulnerability is essential for effective remediation. Without proper prioritization, teams may waste time addressing low-risk issues – leaving critical vulnerabilities exposed and giving attackers an opportunity to strike.

NetAssist delivers detailed risk scoring matrices that translate technical findings into clear and practical insights, ranked by their potential impact on your business. This allows your organisation to make informed decisions and allocate resources where they matter most.


Mistake #3: Relying on a Single Test Result

In order to deliver a comprehensive penetration test, remediation must not be based on a single test result. This stems from the heightened risk of false positives and overlooked vulnerabilities, which could lead to devastating consequences if left unaddressed.

That’s why NetAssist offers unlimited retests within the agreed scope. Multiple rounds of testing ensure that remediation efforts resolve as many vulnerabilities as possible – a reflection of our commitment to our clients’ long-term security.


Mistake #4: Failing to Provide Regular Client Updates

Caption: It is important to prioritize transparency and timely updates throughout every security assessment, to ensure that there is always clear communication during a crisis.

During a security assessment, especially at a time when concerns about compromise are high, we understand that silence from your testing partner can be unsettling. That is why our team at NetAssist recognizes the importance of clear, timely communication during times of crisis.

Transparency and collaboration are essential for a cyber security provider. Our team at NetAssist provides periodic status updates throughout the testing process, keeping you informed of our progress and any critical findings and ensuring your organisation is always in the loop.


Our Approach: Why Choose NetAssist?

Every organization faces unique security challenges and operates within distinct resource constraints. That’s why we don’t offer one-size-fits-all solutions; instead, for every vulnerability we identify, our internationally certified penetration testers will work closely with you to develop a customized remediation strategy that aligns with your goals and budget.

At NetAssist (M) Sdn Bhd, we aim to deliver a comprehensive, insightful, and client-focused approach that strengthens your security posture and protects your critical assets.

Contact us at [email protected] to learn how we can help you achieve your security goals today.

How NetAssist’s Managed SOC Takes a Proactive Approach to Cybersecurity Via Purple Teaming

In today’s increasingly dynamic threat landscape, a reactive approach to cybersecurity is no longer sufficient to combat ever-evolving cyber-attacks.

Traditional Security Operation Centres (SOCs) typically focus on monitoring, detecting, and responding to existing cyber threats — a ‘blue team’ approach of using security information and event management (SIEM) and threat intelligence.

However, cyber criminals are continually improving their malicious tactics – a trend that has only worsened with the widespread availability of generative AI. That is why NetAssist has incorporated a team solely dedicated to proactive threat hunting, a ‘red team’, into our SOC operations to better protect clients from evolving threats.


What are Red & Blue Teams?

A blue team’s primary responsibility is to defend an organisation’s assets through analysing its security posture and taking measures to address existing flaws and vulnerabilities. The team is also in charge of monitoring breaches and responding to cyber threats, as mentioned above.

In contrast, a red team focuses on offense: their efforts are funneled into simulating cyber-attacks and probing client systems for potential vulnerabilities. This allows cybersecurity teams to anticipate the techniques used by cyber criminals, act on practical fixes, and patch weaknesses before they are exploited.

By incorporating both red and blue tactics into our SOC operations, NetAssist is able to proactively neutralize potential attacks on our clients. This ‘purple teaming’ approach integrates the best of blue and red team activities, and allows us to deliver more comprehensive and robust protection in comparison to traditional SOC services.


The Benefits of Purple Teaming

In our experience, unifying red team and blue team tactics into a single SOC powerhouse results in more effective and holistic operations – which enables us to better strengthen our clients’ overall security posture.


A Venn-Diagram of Red Team and Blue Team responsibilities.

For example, a purple-team SOC is capable of:

⦁ Improved threat detection: The red team provides insights into the attack vectors cyber threats are likely to use, which in turn inform the blue team’s monitoring and detection strategies. This allows the SOC to stay ahead of cybercriminal tactics and identify threats quickly.

⦁ Enhanced incident response: By understanding how attackers operate, blue teams can develop targeted incident response plans that are more effective at minimising damage.

⦁ Strengthening security defenses: Red team vulnerability assessments guide the blue team’s implementation of improved security controls, monitoring parameters, and detection configurations.

⦁ Knowledge sharing: Active collaboration and knowledge sharing between the two teams allows the organisation to build a robust foundation of threat expertise, resulting in more efficient operations over time.


We aim to empower clients to not just react to threats, but to actively prevent them. With purple teaming bridging the gap between offensive and defensive security, we are confident that our SOC services are capable of proactive threat mitigation for our clients – and it will only continue to improve as we continue to innovate on our approach.

Have further questions? Please reach out to us at [email protected] for more information.

Keeping cyber security costs low: How to budget in compliance with Malaysia’s Cyber Security Bill 2024

With the recent introduction of Malaysia’s Act 854, businesses classified under the National Critical Information Infrastructure (NCII) must comply with new regulatory requirements, which affects their budgets for the upcoming quarters.

Fortunately, cybersecurity does not have to be prohibitively costly. As an experienced cyber security provider, we have compiled a list of strategic best practices to help organisations achieve compliance while keeping costs low.


1. Ensure strong policies are in place to showcase due diligence

A well-documented cyber security policy provides clear guidelines for protecting an organization’s information systems and data from cyber threats, covering areas such as acceptable use of company devices, access controls and authentication methods, data protection and encryption protocols, and incident response measures.

A strong cybersecurity policy is an organisation’s first line of defense against digital threats.

A strong cyber security policy for your organisation offers two key benefits.

  • It sets strong ground rules for employees to follow regarding online activity. This creates accountability among staff members, and reduces the risk of falling victim to common cyber pitfalls.
  • It serves as evidence of due diligence towards regulatory bodies and Sector Leads, which may potentially mitigate penalties in the event of a security breach.


2. Mitigate the risk of human error through training

Human error remains one of the leading causes of security breaches. According to a 2024 survey, 66 percent of respondents among Chief Information Security Officers (CISOs) in the United States identified human error as their organization’s most significant cyber vulnerability.

As mentioned previously, a strong cyber security policy helps with mitigating human error. Many organizations also provide training for cyber security awareness for their employees, educating them on common cyber threats and how to avoid them.

Phishing campaigns, where a third-party simulates phishing attempts on employees of an organisation, are additionally conducted as a follow-up assessment on staff readiness and the effectiveness of training sessions.


3. Keep software up-to-date, back-up data regularly

In today’s digital age, business solution software has been incorporated into many facets of daily operations. However, failure to maintain these digital systems and technology can expose your organisation to several cyber risks.

For example, outdated software usually leaves several vulnerabilities for cyber criminals to exploit. Software patch updates are regularly sent out to close such vulnerabilities, hence businesses must diligently keep their software up-to-date to mitigate unnecessary cyber risks.

Scheduling regular data backups is another method for organizations to protect themselves from malicious cyber criminals, as it ensures that business-critical data can be restored quickly in the event of an incident.


4. Outsource to licensed providers

Caption: Outsourcing cybersecurity can be an effective way to benefit from professional protection without incurring overhead costs.

Running an in-house cybersecurity team is extremely costly, as it requires hiring industry experts and setting up and maintaining the necessary infrastructure and technology.

By working with a licensed cybersecurity service provider, especially for specialized tasks like penetration testing and surveillance, your organisation is able to enjoy the benefits of expert-level cyber security without the overhead costs of maintaining an internal team.


Cybersecurity compliance under Malaysia’s Act 854 does not have to be a financial burden. By taking inspiration from the tips we’ve listed, we are confident that businesses of every size can meet compliance requirements while keeping costs manageable.

We hope that our advice was useful in your journey toward improving your cyber security. If you have any further inquiries about Act 854 or how we can help your business, feel free to reach out to us at [email protected].

Data Protection: What You Need to Know About The Latest PDPA Amendments

As our nation continues to move toward rapid technology adoption, protecting the personal data of Malaysian citizens is becoming an increasing concern for policymakers.

The government has recently introduced several amendments to the Personal Data Protection Act (PDPA) 2010, which impose several new obligations on all Malaysian businesses involved in data processing.

We urge all businesses categorised as ‘data processor’ to educate themselves promptly to avoid future legal repercussions. You can check out our breakdown of the key points that local businesses should be aware of:


> Penalties for noncompliance have been raised.

The maximum penalties have been increased from RM300,000 and/or imprisonment up to 2 years to RM1,000,000 and/or imprisonment up to 3 years. These penalties apply to managing directors and relevant officers.


> All data processors are now held accountable.

Data processors are now legally required to comply with the Security Principle under the PDPA. This involves taking practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction.


> A Data Protection Officer is required for all data processors

A new mandatory requirement has been introduced for data controllers and data processors to appoint one or more data protection officers (“DPO”) to oversee compliance with the PDPA.


> Reports of any suspected breach must be made to the Commissioner

The Amendment Bill imposes an obligation on data controllers to inform the Commissioner when there is reason to believe that a personal data breach has occurred; failure to do so will result in additional penalties. This applies when personal data has been compromised, hacked, or shared without authorization.


> Biometrics are now included under personal data.

The definition of “sensitive personal data” in the PDPA will be expanded to include “biometric data”, such as fingerprint verification, voice recognition, or facial recognition.

With these amendments to PDPA, alongside the recently enforced Act 854, it is clear that the government is pushing for stricter and more robust cyber security policies.


By understanding and complying with these new data breach notification requirements, Malaysian businesses can protect their reputation, minimize their financial risks, and maintain the trust they have built with customers over the years.

As the regulatory landscape evolves, staying ahead of the curve on policy will be crucial for every Malaysian business owner. For more information on staying compliant with changing policies, please reach out to [email protected].

#cybersecurity #PDPA #Act707 #Act854 #legislation

The Digital Shield: Why a Robust Cybersecurity Policy is Your Organization’s Best Defense

The differences between Cyber Security Policy and IT Policy within an organization:

  1. Cyber Security Policy
     • Purpose: A cyber security policy provides guidance to an organization’s employees on how to act to protect sensitive information and defend against cyber threats.
     • Coverage:
        - IT Security: It defines rules and procedures for safeguarding the organization against cyber threats.
        - Email Security: Specifies acceptable use of corporate email systems to prevent spam, phishing, and malware.
        - BYOD (Bring Your Own Device): Establishes rules for personal devices used for work, ensuring security requirements are met.
     • Components: Acceptable Use of Corporate Assets; Incident Response Plans; Business Continuity Strategies; Regulatory Compliance Plans.
     • Impact: Helps protect the organization, reduces risk, and enables effective incident response.
  2. IT Policy
     • Purpose: An IT policy focuses on secure practices related to the organization’s information technology systems.
     • Coverage: Servers; Networks; Systems Processing Information.
     • Components: Secure Policies for IT Infrastructure; System Usage Guidelines; Access Control Rules; Data Protection Measures.
     • Impact: Ensures proper functioning, security, and compliance of IT assets.

In summary, while both policies contribute to organizational security, the cyber security policy specifically addresses cyber threats, while the IT policy encompasses broader aspects of information technology.

Please contact us at [email protected] should you like to know more.

Navigating Malaysia’s Cyber Security Act 2024: My Suggested Guide for NCII Entities

Malaysia’s Cyber Security Act 2024 (Act 854) has significantly elevated the cybersecurity standards for National Critical Information Infrastructure (NCII) entities. To ensure compliance and safeguard sensitive information, organizations must implement robust cybersecurity policies. This article provides a comprehensive guide to designing and implementing effective cybersecurity policies aligned with Act 854.

3 Key Steps to Designing Effective Cybersecurity Policies:

1. Comprehensive Risk Assessment

  • Identify Critical Assets: Determine the organization’s most valuable assets, including systems, data, and infrastructure.
  • Assess Threats and Vulnerabilities: Conduct a thorough risk assessment to identify potential threats like cyberattacks, data breaches, and insider threats.
  • Prioritize Risks: Rank risks based on their potential impact and likelihood of occurrence.
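A small worked illustration of the likelihood-and-impact ranking described in this step, which also covers the risk scoring matrices mentioned under Mistake #2 in the penetration testing article above. It is an added example, not NetAssist’s own scoring method: the ordinal scales, the score bands, the internet-facing modifier and the findings themselves are constructed assumptions.

```python
"""Rank findings by likelihood x impact (added example, constructed data)."""
from dataclasses import dataclass

# Ordinal scales; the numeric values are an assumption for this example.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost_certain": 4}


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    impact: str          # key into IMPACT
    likelihood: str      # key into LIKELIHOOD
    internet_facing: bool = False


def risk_score(f: Finding) -> int:
    """Base score is impact x likelihood (1..16); externally reachable issues get +2."""
    score = IMPACT[f.impact] * LIKELIHOOD[f.likelihood]
    if f.internet_facing:
        score += 2  # assumed modifier: reachable from the internet widens the attacker pool
    return score


def rating(score: int) -> str:
    """Map the numeric score onto the bands a remediation owner reads (assumed thresholds)."""
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritise(findings):
    """Return (title, asset, score, rating) rows, highest risk first; ties keep input order."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.title, f.asset, risk_score(f), rating(risk_score(f))) for f in ranked]


# Constructed findings for a fictitious engagement (not real results).
SAMPLE_FINDINGS = [
    Finding("Missing HTTP security headers", "customer portal", "low", "likely", True),
    Finding("SQL injection in search form", "customer portal", "critical", "likely", True),
    Finding("Unpatched SMB service", "internal file server", "high", "unlikely"),
    Finding("Default credentials", "HR application", "high", "likely"),
    Finding("Verbose stack trace on error page", "customer portal", "low", "rare", True),
]

if __name__ == "__main__":
    for title, asset, score, band in prioritise(SAMPLE_FINDINGS):
        print(f"{band:<8} {score:>2}  {title} ({asset})")
```

The point the ranking makes: the internal default-credential finding outranks two internet-facing portal issues because likelihood and impact are weighed together, so a team working the list top-down fixes what matters before the cosmetic items.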

2. Policy Development and Implementation

  • Policy Framework: Establish a comprehensive cybersecurity policy framework that covers all aspects of information security, including:
     - Access Control: Implement strong access controls to limit unauthorized access to sensitive systems and data.
     - Data Protection: Develop policies to protect sensitive data, including data classification, encryption, and secure data handling practices.
     - Incident Response: Create a detailed incident response plan to effectively respond to security breaches.
     - Business Continuity and Disaster Recovery: Implement measures to ensure business continuity and minimize downtime in the event of a cyberattack.
  • Employee Awareness and Training: Conduct regular cybersecurity awareness training to educate employees about best practices, such as:
     - Strong password hygiene
     - Phishing and social engineering awareness
     - Secure remote work practices
     - Data handling and privacy

3. Continuous Monitoring and Improvement

  • Security Monitoring: Implement robust security monitoring tools to detect and respond to threats in real-time.
  • Regular Reviews and Updates: Conduct periodic reviews of cybersecurity policies and procedures to ensure they remain effective and aligned with evolving threats.
  • Incident Response Testing: Conduct regular incident response simulations to assess the organization’s preparedness and identify areas for improvement.

Compliance with Act 854

To ensure compliance with Act 854, NCII entities need to:

  • Appoint responsible information security officers: Designate a CISO responsible for overseeing cybersecurity strategy and compliance, plus at least 2 officers at working level.
  • Conduct Regular Cybersecurity Assessments: Perform regular assessments to identify vulnerabilities and potential threats.
  • Implement Strong Access Controls: Enforce strong access controls to protect sensitive information.
  • Data Protection and Privacy: Implement measures to protect personal data and comply with data protection regulations.
  • Incident Response and Reporting: Establish effective incident response procedures and promptly report security breaches to relevant authorities.
  • Cybersecurity Awareness and Training: Conduct regular cybersecurity awareness training for employees.

Conclusion

By following these guidelines and adhering to the requirements of Act 854, NCII entities can significantly enhance their cybersecurity posture and protect their critical infrastructure. Remember, cybersecurity is an ongoing process that requires continuous vigilance and adaptation to evolving threats.

Log It All: The Cornerstone of Effective Cybersecurity

In today’s complex digital landscape, the importance of comprehensive logging cannot be overstated. Logs serve as the digital equivalent of a black box recorder, providing invaluable insights into system behavior, user activities, and potential security incidents. Despite this, a startling number of organizations remain vulnerable due to inadequate logging practices.

The Silent Threat: Undetected Breaches

In a recent NetAssist study of 117 organizations, we found that a staggering 73% of organizations that suffered a data breach were unable to detect the compromise until it was too late. This alarming statistic underscores the critical role of effective logging in incident response. By meticulously recording system activities, organizations can identify suspicious patterns, detect anomalies, and respond swiftly to threats.

Moreover, according to survey data we have gathered, the average time to detect a data breach is more than 108 days. This extended detection window provides ample opportunity for attackers to escalate privileges, exfiltrate data, and cause significant damage. Comprehensive logging can significantly reduce this timeframe by enabling early detection and containment.

The Challenges of Comprehensive Logging

Implementing a robust logging strategy is often hindered by various challenges. Resource constraints, including a shortage of skilled cybersecurity personnel, budget limitations, and technological complexities, can impede progress. Additionally, the sheer volume of log data generated by modern IT environments can overwhelm organizations, making it difficult to extract meaningful insights.

Our own survey found that 54% of organizations struggle with log management due to a lack of skilled personnel, while almost half of them cite budget constraints as a major obstacle. Furthermore, the average organization generates more than 2 terabytes of log data per month, making it challenging to store, analyze, and retain this information effectively.

Building a Strong Foundation for Cybersecurity

To address these challenges and build a resilient security posture, organizations must prioritize comprehensive logging. Here are some essential steps:

  • Identify Critical Assets: Determine which devices and applications are most critical to your business operations. Prioritize logging for these systems to ensure maximum protection.
  • Centralized Log Management: Consolidate logs from various sources into a centralized platform for efficient analysis and correlation.
  • Data Retention: Establish appropriate log retention policies to balance compliance requirements, incident investigation needs, and storage costs.
  • Log Analysis and Monitoring: Implement advanced analytics tools to detect anomalies, identify potential threats, and generate actionable alerts.
  • Incident Response Playbooks: Develop detailed playbooks outlining steps to be taken in response to different types of security incidents.
  • Leverage Managed Security Services: Partner with a reputable managed security services provider (MSSP) to offload the burden of log management, analysis, and incident response.
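As an added example of the Log Analysis and Monitoring step (this is not NetAssist’s tooling or its detection rules), the block below parses a few constructed sshd-style syslog lines and generates alerts for a password-guessing burst from one source and, at a higher severity, for a successful login that follows such a burst. The sample lines, the failure threshold and the time window are assumptions chosen for the illustration.

```python
"""Detection over constructed auth log lines (added example, not production rules)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of Linux sshd syslog lines; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-09-01T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
2024-09-01T10:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 50113 ssh2
2024-09-01T10:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 50114 ssh2
2024-09-01T10:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 50115 ssh2
2024-09-01T10:00:08 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 50116 ssh2
2024-09-01T10:00:11 host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 50117 ssh2
2024-09-01T10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-09-01T10:30:00 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# One pattern for both outcomes; "invalid user " is optional because sshd adds it for unknown names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines the pattern does not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in a real pipeline, count these: parser drift hides attacks
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window rule per source address.

    HIGH:     at least `threshold` failures from one source inside `window`.
    CRITICAL: a successful login from that source within `window` of its last failure,
              i.e. the guessing may have worked, which is what the analyst must see first.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()               # sources that already produced a HIGH alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("HIGH", "password-guessing burst", ev["src"], ev["ts"]))
        elif ev["src"] in flagged and q and ev["ts"] - q[-1] <= window:
            alerts.append(("CRITICAL", "successful login after failure burst", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for severity, rule, src, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {severity:<8} {src:<15} {rule}")
```

Two design points worth noting: the rule keys on the source address rather than the username, so the constructed burst that alternates between `admin` and `root` is still caught, and the single failed login for `alice` followed by a key-based login twenty-five minutes later produces nothing, which is the false-positive behaviour the retention and tuning steps above are meant to protect.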

The Power of Partnership

By entrusting log management to an MSSP, organizations can benefit from specialized expertise, advanced technology, and round-the-clock monitoring. MSSPs can help optimize log retention policies, develop robust detection rules, and provide expert incident response capabilities.

In conclusion, comprehensive logging is an indispensable component of a proactive cybersecurity strategy. By addressing the challenges and investing in the right solutions, organizations can significantly enhance their ability to detect, investigate, and respond to cyber threats. Partnering with a managed security services provider can be a game-changer in this endeavor.

NetAssist is committed to helping organizations build a strong security foundation through comprehensive logging solutions. Contact us at [email protected] today to learn more about how we can protect your business.