
Testing yields best security results

By Michelle Avenant, portals journalist.
Johannesburg, 13 May 2015
There is no substitute for human security hardening, says Tyrone Erasmus of MWR InfoSecurity.

Trying to solve security problems using products alone is a mistake companies make over and over again.

So said Tyrone Erasmus, managing consultant at MWR InfoSecurity SA, in an open Twitter interview with ITWeb on Monday.

Erasmus will give a presentation on offensive security and pentesting at ITWeb Security Summit 2015 later this month.

Pentesting, short for penetration testing, is the practice of testing a computer system or network for vulnerabilities a hacker could exploit.

"There is no substitute for a human performing security hardening," said Erasmus, explaining that while automated vulnerability scanners exist, they work from known signatures and patterns. Some classes of flaw cannot be reduced to a pattern at all, and scanners often lack signatures for more obscure technologies.

A combination of automated and manual testing for security flaws yields the best results, he commented.
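The scanner limitation Erasmus describes is easiest to see side by side with the kind of check a human tester writes. The following is an added example, not code from the article, ITWeb or MWR InfoSecurity: a small in-memory web service with an authorisation flaw (an insecure direct object reference on /invoice/<id>), a regex-based scanner that inspects one response at a time, and a stateful check that logs in as one user and requests another user's data. The service, its paths, user names and invoice data are all constructed for the example; the scanner's signature list is illustrative and is not any real product's ruleset.

```python
"""Signature-based scanning versus a manual authorisation check (added example).

The toy server below is deliberately vulnerable: it checks that the caller is
logged in but never checks that the caller owns the invoice requested. A
pattern-matching scanner sees only what it has a signature for (here, a
constructed server banner); the authorisation flaw leaves no pattern in any
single response, so only a role-aware test finds it.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: invoice id -> (owner, body).
INVOICES: Dict[int, Tuple[str, str]] = {
    101: ("alice", "Invoice 101: ACME Ltd, 12,500 ZAR"),
    102: ("bob", "Invoice 102: Globex, 8,200 ZAR"),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def handle(path: str, session_user: Optional[str]) -> Response:
    """Vulnerable handler (constructed): authenticates but never authorises."""
    headers = {"Server": "Apache/2.2.15"}  # constructed banner for the scanner to find
    if session_user is None:
        return Response(401, headers, "login required")
    m = re.fullmatch(r"/invoice/(\d+)", path)
    if not m:
        return Response(404, headers, "not found")
    inv = INVOICES.get(int(m.group(1)))
    if inv is None:
        return Response(404, headers, "not found")
    _owner, body = inv
    return Response(200, headers, body)  # missing: owner == session_user check


def handle_fixed(path: str, session_user: Optional[str]) -> Response:
    """Hardened handler: same routing, plus an ownership check before disclosure."""
    resp = handle(path, session_user)
    m = re.fullmatch(r"/invoice/(\d+)", path)
    if resp.status == 200 and m:
        owner, _ = INVOICES[int(m.group(1))]
        if owner != session_user:
            return Response(403, resp.headers, "forbidden")
    return resp


# Illustrative signatures, not a real scanner's ruleset.
SIGNATURES = {
    "outdated-apache-banner": re.compile(r"^Apache/2\.2\."),
    "php-version-banner": re.compile(r"^PHP/"),
}


def signature_scan(resp: Response) -> List[str]:
    """Report only header values matching a known pattern in this one response."""
    hits = set()
    for name, pat in SIGNATURES.items():
        for value in resp.headers.values():
            if pat.search(value):
                hits.add(name)
    return sorted(hits)


def idor_check(victim: str, attacker: str,
               handler: Callable[[str, Optional[str]], Response] = handle) -> List[int]:
    """Request every invoice the victim owns while authenticated as the attacker.

    Any 200 is an authorisation bypass. Expressing this needs two identities
    and knowledge of who should own each object, which no single-response
    signature can encode.
    """
    exposed = []
    for inv_id, (owner, _) in INVOICES.items():
        if owner != victim:
            continue
        if handler(f"/invoice/{inv_id}", attacker).status == 200:
            exposed.append(inv_id)
    return exposed


if __name__ == "__main__":
    r = handle("/invoice/101", "bob")  # bob reading alice's invoice
    print("scanner:", signature_scan(r))                     # ['outdated-apache-banner']
    print("idor (vulnerable):", idor_check("alice", "bob"))  # [101]
    print("idor (fixed):", idor_check("alice", "bob", handle_fixed))  # []
```

Run against the vulnerable handler, the scanner reports the banner it has a signature for and nothing else, while the ownership check reports invoice 101 as readable by the wrong user; against the hardened handler the same check returns nothing. The automated pass is still worth running first, since it covers known patterns cheaply; the manual check covers what those patterns cannot express, which is the combination Erasmus recommends.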

However, sometimes pentesters become stuck in their habits to the point of failing to properly emulate real attackers, Erasmus noted. Every pentester should "do their homework" thoroughly about new attack techniques and trends.

Furthermore, if companies had a heightened awareness of attack techniques and actively worked to block them, finding security flaws would become a lot more difficult, Erasmus noted.

Despite growing fears of mobile-related cyber attacks, Erasmus noted "there is quite a small return on investment when targeting an organisation through mobile devices," adding that mobile attacks are more effective against individuals than their organisations.

Yet companies' biggest security risk may be more ubiquitous than mobile devices. For the majority of companies, said Erasmus, social engineering - whereby hackers trick employees into giving them the information they need, for example in phishing attacks - is still the easiest route in.
