
The Difference between 'Good' and 'Best' in Cybersecurity!

| Author: Fred Streefland

My compliments if you’ve decided to perform a Penetration Test (Pen-Test) on your infrastructure, web applications, mobile apps, or software code; it demonstrates your awareness of, and commitment to, cybersecurity and the digital security of the important business and personal data you are holding.

Bravo! Keep up the good work! 

Don’t get me wrong, a Pen-Test is always good when you know exactly which device, infrastructure, network component, web app, mobile app, IP address or URL, etc., within the organization needs to be assessed, and why. Possibly there has been a security incident, or your own tests have shown multiple security flaws; it might also be because your organization needs to adhere to new regulations, or because it’s required by an insurance company.

However, the issue with a Pen-Test is that it only increases the organization’s cyber resilience for a short period of time. This is a serious issue when an attacker targets you after that period. When the Pen-Test is done and the project is finished, new vulnerabilities might arise the next day. Besides this, a Pen-Test is mainly focused on the IT domain and doesn’t cover (or only partly covers) the OT and IoT domains. This means that there could be several ‘blind spots’ (vulnerabilities in the OT and IoT systems) that won’t be detected, and which can then be used by hackers to access the organization’s network.

Technically, after every update on a system, the whole tech stack should be tested and audited again, which makes repetitive Pen-Testing very costly. In other words, a Pen-Test is an ‘expensive snapshot’ of the current situation that could be out of date 24 hours after it took place. This means that the OT/IoT attack surface (attack surface = the possible entry vectors available to an attacker) of the Pen-Tested organization is not optimally covered, which could leave blind spots open to hackers, and a hacker needs only one ‘blind spot’ to access your organization…

To counter these blind spots, organizations should embrace continuous security monitoring of the complete OT/IT/IoT infrastructure. The ‘continuous’ element is important here, but the OT and IoT elements are just as essential. The continuous element is important for the simple reason that the organization’s infrastructure is constantly changing: new vulnerabilities arise, systems break down, devices are repaired or replaced, people make mistakes that cause misconfigurations, and attackers are probing all the time for exactly these weaknesses.

Our infrastructure is constantly changing and therefore needs to be monitored continuously. This monitoring does not only apply to IT systems, but also to OT and IoT systems, because these systems can contain vulnerabilities too, and they also break down and get repaired or replaced. On top of this, the number of cyberattacks against these systems has increased significantly in the last decade. Attackers know that many OT and IoT systems were never developed to be ‘secure by design’, and because they are directly or indirectly connected to the internet, they are a very attractive target.

To increase your organization’s cyber resilience, which the NIS2 Directive requires, the first step is to know what digital assets you have, how they are connected and which vulnerabilities they contain. Because you cannot protect what you cannot see, total visibility is key: you need to know, at any time, all your assets, networks, devices, web/mobile apps, APIs, legacy/shadow IT, unpatched systems and endpoints, and the vulnerabilities they carry.

Continuous monitoring provides you with exactly this capability, especially when the (managed) Security Operations Center (SOC) covers the OT and IoT domains as well. This monitoring is not ‘a moment in time’ or a ‘snapshot’ of the current security situation; it provides 24/7 insight into what’s happening within the organization. This applies not only to attacks from outside the organization’s digital boundaries, but also to system misconfigurations and missed updates.
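To make the ‘snapshot versus continuous’ point concrete, here is an added example (not code from the original post or its author) that diffs two point-in-time asset inventories, such as a scheduled discovery scan of IT/OT/IoT assets would produce. It reports what no single snapshot can show: assets that appeared or vanished, services that became newly exposed, and firmware or software versions below a minimum patch level. The asset names, ports, versions and the minimum-version table are all constructed for the illustration.

```python
"""Diff two point-in-time asset inventories to surface drift.

Added illustration, not code from the original post. Two constructed
snapshots (day 0 and day 1) are compared; the report lists new and
removed assets, newly opened ports on assets present in both snapshots,
and assets in the newer snapshot whose version is below a hypothetical
minimum. Everything below (asset IDs, ports, versions) is made up.
"""
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1). Non-numeric parts compare as 0 so that a
    malformed version string never raises inside the diff."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass
class DriftReport:
    new_assets: set = field(default_factory=set)
    removed_assets: set = field(default_factory=set)
    new_ports: dict = field(default_factory=dict)   # asset -> newly open ports
    outdated: dict = field(default_factory=dict)    # asset -> (found, required)


def diff_inventories(old: dict, new: dict, min_versions: dict) -> DriftReport:
    """Compare two snapshots shaped {asset: {"domain", "ports", "fw"}}.

    min_versions maps an asset-type prefix (text before the first '-')
    to the lowest acceptable firmware/software version. Only assets in
    the *new* snapshot are checked against it, since that is the state
    an attacker would find today."""
    report = DriftReport()
    report.new_assets = set(new) - set(old)
    report.removed_assets = set(old) - set(new)

    # Newly exposed services on assets that existed in both snapshots.
    for asset in set(old) & set(new):
        opened = new[asset]["ports"] - old[asset]["ports"]
        if opened:
            report.new_ports[asset] = opened

    # Missed updates: version below the minimum for that asset type.
    for asset, info in new.items():
        asset_type = asset.split("-", 1)[0]
        required = min_versions.get(asset_type)
        if required and parse_version(info["fw"]) < parse_version(required):
            report.outdated[asset] = (info["fw"], required)
    return report


def render(report: DriftReport) -> list:
    """Human-readable lines, sorted so the output is stable."""
    lines = []
    for a in sorted(report.new_assets):
        lines.append(f"NEW ASSET     {a}")
    for a in sorted(report.removed_assets):
        lines.append(f"GONE ASSET    {a}")
    for a in sorted(report.new_ports):
        ports = ",".join(str(p) for p in sorted(report.new_ports[a]))
        lines.append(f"NEW EXPOSURE  {a} ports {ports}")
    for a in sorted(report.outdated):
        found, required = report.outdated[a]
        lines.append(f"OUTDATED      {a} {found} < {required}")
    return lines


# Constructed snapshots (hypothetical asset IDs, ports and versions).
SNAPSHOT_DAY_0 = {
    "plc-01": {"domain": "OT",  "ports": {502},          "fw": "2.4.1"},
    "cam-07": {"domain": "IoT", "ports": {80, 554},      "fw": "1.9.0"},
    "web-01": {"domain": "IT",  "ports": {443},          "fw": "4.2.0"},
    "db-01":  {"domain": "IT",  "ports": {5432},         "fw": "14.3"},
}
SNAPSHOT_DAY_1 = {
    "plc-01": {"domain": "OT",  "ports": {502, 80},      "fw": "2.4.1"},
    "cam-07": {"domain": "IoT", "ports": {80, 554, 23},  "fw": "1.9.0"},
    "web-01": {"domain": "IT",  "ports": {443},          "fw": "4.2.0"},
    "cam-08": {"domain": "IoT", "ports": {80},           "fw": "1.8.2"},
}
# Hypothetical minimum versions per asset-type prefix.
MIN_VERSION = {"cam": "1.9.0", "plc": "2.4.0", "web": "4.2.0", "db": "14.0"}

if __name__ == "__main__":
    for line in render(diff_inventories(SNAPSHOT_DAY_0, SNAPSHOT_DAY_1, MIN_VERSION)):
        print(line)
```

Run once a day against the previous day’s snapshot and every line is something a test performed on day 0 could not have reported: the PLC that started answering HTTP, the camera that opened telnet, the camera that was added with old firmware, and the database host that silently disappeared.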

In summary, a Pen-Test is still a useful tool, but on its own it doesn’t provide the required cyber resilience. A Pen-Test is good, but if you want to be ‘the best’, continuous IT/OT/IoT monitoring is needed. In today’s challenging and complex cybersecurity world, it’s near impossible to become optimally cyber resilient without continuous visibility of your complete OT/IT/IoT infrastructure.

So, what about the cybersecurity of your organization? Is it ‘just good’ or do you want to be ‘the best’?