The crucial role of vulnerability assessments and penetration testing
21 November 2024
Safeguarding your organisation's assets against cyber threats is more critical than ever. Regular security testing, tailored to your specific infrastructure, is not just a component of a comprehensive security strategy; it's essential for building resilience.

In this article, we look at some examples of how a proactive approach to security testing could have changed the outcome of well-publicised data breaches.
1. The Equifax data breach of 2017
In 2017, Equifax, a leading credit bureau, experienced a massive data breach exposing the personal information of 147 million individuals. The root cause was an unpatched vulnerability in the Apache Struts web application framework - a flaw that was publicly known and had a patch available months before the breach.
Proactive security measures that work:
Routine security assessments: routine assessments would likely have flagged the unpatched Apache Struts vulnerability in Equifax’s network, highlighting the need for timely updates and potentially preventing the breach.
Shift-left: integrating security earlier in the development lifecycle could have flagged the Apache Struts vulnerability before deployment. Software Composition Analysis (SCA) tools such as OWASP Dependency-Track give teams visibility into their supply chain and flag vulnerable or high-risk dependencies based on factors such as age or project health.
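To illustrate the kind of check an SCA tool automates, the following added example (not from the original article and not Dependency-Track's own code) audits a dependency inventory against an advisory feed and a staleness threshold. The package names, versions, dates, advisory ID and three-year threshold are all constructed assumptions.

```python
from datetime import date

# Constructed inventory: (package, installed version, date of last upstream release).
INVENTORY = [
    ("example-web-framework", "1.4.10", date(2023, 3, 1)),
    ("example-json-lib", "3.2.0", date(2024, 6, 1)),
    ("example-xml-parser", "0.8.0", date(2015, 1, 15)),
]

# Constructed advisory feed; the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "example-web-framework",
     "introduced": "1.4.9", "fixed": "1.4.12"},
]

MAX_AGE_DAYS = 3 * 365  # assumed policy threshold for a "stale" dependency


def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically.

    Comparing the raw strings would rank '1.4.10' below '1.4.9' and
    silently miss the affected release.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(inventory, advisories, today):
    """Return (package, version, reason) findings for vulnerable or stale components."""
    findings = []
    for name, version, last_release in inventory:
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append((name, version,
                                 f"vulnerable: {adv['id']}, fixed in {adv['fixed']}"))
        age = (today - last_release).days
        if age > MAX_AGE_DAYS:
            findings.append((name, version, f"stale: last release {age} days ago"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, ADVISORIES, date(2024, 11, 21)):
        print(*finding, sep=" | ")
```

Run in a build pipeline, a non-empty findings list would fail the build, so a known-vulnerable component is caught before deployment rather than months after a patch is published.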
2. The Target Corporation breach
In 2013, Target, a major U.S. retailer, suffered a breach resulting in the theft of credit and debit card information from approximately 40 million customers. Attackers gained access through network credentials stolen from a third-party vendor and exploited weaknesses in Target's security to move laterally within the network.
The time for heightened security assessments:
Beyond standard assessments: a standard security assessment may have missed the complex, chained attack on Target, but a comprehensive penetration test simulating real-world attack vectors could have revealed weaknesses in vendor management and internal network security, helping to prevent the breach.
3. The SolarWinds Orion compromise
The SolarWinds breach was a sophisticated, long-undetected supply chain attack affecting numerous U.S. government agencies and private organisations. Attackers compromised the software build environment of SolarWinds' Orion product, inserting a malicious backdoor into subsequent software updates.
The importance of assumed compromise testing:
Limitations of traditional testing: in this case, even a full penetration test might not have detected this type of attack, known as a deeply embedded advanced persistent threat (APT). The attackers operated with a level of stealth and heightened sophistication that might surpass typical penetration test simulations.
The role of assumed compromise testing: This scenario underscores the necessity of an 'assumed compromise' approach. As such, organisations must operate under the assumption that a breach could occur or has already occurred and focus on rapid detection, response, and mitigation strategies. Regular assumed compromise testing combined with robust incident response planning can facilitate quicker identification and containment of breaches, mitigating their impact.
These examples illustrate the layered nature of cyber security. Regular security assessments are essential for identifying and addressing known weaknesses; penetration testing simulates real-world attacks to uncover complex vulnerabilities; and assumed compromise testing prepares organisations for the eventuality of a breach. Each layer plays a critical role in forming a sound security strategy and emphasises the importance of a multifaceted approach when building cyber resilience.
At Instil, we collaborate with clients to develop bespoke infrastructure testing methodologies designed to elevate your security posture. For organisations at a more mature stage of the security lifecycle, our goal is to rigorously test existing mechanisms, identify areas of weakness, blind spots and potential avenues of attack. Whether you're a large organisation with a dedicated internal security team or a smaller entity needing to secure your infrastructure, we’re here as your guides in achieving your security goals.
Article By

Jacob Steadman
Lead Cyber Security Consultant