In a cybersecurity strategy, identifying weaknesses in one’s IT infrastructure is a critical step in putting adequate protection in place. Typically, this involves two activities that are similar in some ways, but actually distinct: vulnerability assessment and penetration testing. Especially the former, operations that need to be scheduled and managed regularly, so as to increase the possibility of coping with the evolution in attacks, even by 2024 always in full swing.
In a nutshell, one can frame vulnerability assessment activities as those aimed precisely at identifying vulnerabilities in the systems under one’s control or somehow connected to one’s IT infrastructure. Based on the related results, one can then set up penetration tests to understand how they might be exploited. In practice, these are two phases that are often related but not interchangeable with each other, where the latter uses the results of the former
Two steps toward the same goal
Moreover, while vulnerability assessment is an operation that is essentially transparent to the end user and with a certain degree of freedom in that it does not usually interfere with normal operations, penetration testing can efinitely have a greater impact and requires more careful planning. n the former case we are generally talking about automated tools, while in the latter manual intervention is often required, leading to actual ethical hacks useful for testing one’s infrastructure in a real-world scenario. In the most extreme cases, without precise agreement on when and how.
The result is a wealth of information that can tell whether cand how to take action pto strengthen IT defenses. Often, the results of penetration tests are in turn used to identify new weaknesses and provide guidance for re-performing the vulnerability assessment.
Also to keep in mind, the associated costs. While vulnerability research can fit seamlessly into the schedule of regular activities, actual simulation of attacks must be handled more carefully. On the one hand, tools updated on new information that emerges in the interval between one test and the next can be exploited several times. On the other hand, an intervention that is certainly more costly, if only because it requires the intervention of highly trained personnel, with potential repercussions on productivity and the risk of a potentially damaging impact on IT systems.
A challenge without limits
To better understand the importance of these activities, it is interesting to take a look at the market. According to the most recent Clusit Report, attacks considered severe on a global scale grew by 12 percent in 2023 compared to 2022 averaging 232 per month. In 81% of cases the severity was rated as high or critical.
In Italy, the situation is in some ways even more worrying. Last year 11% of the global serious attacks mapped went to target (it was 7.6% in 2022), a total of 310. A 65% growth over 2022. More than half, 56%, had consequences of critical or high severity. Broadening the look to the last five years, over 47% occurred in 2023.
2024 Priorities
For those conducting vulnerability assessment and penetration testing, it is also important to know which modalities are most exploited, if only to know what to defend against. For 2024, the scenario will remain largely still dominated by ransomware. As easy to predict, however, in a more evolved form. Indeed, the trend also referred to as double extortion is gaining ground. In practice, in order to increase the pressure and obtain the ransom, one is not limited to just encrypting data, but adds the threat of disclosure.
The practice of Zero-Day attacks also remains high.. The goal of cyber criminals in this case is to identify vulnerabilities not yet known to the software manufacturer itself and therefore not detected by a vulnerability assessment. Situations that are less frequent than ransomware, which is usually the protagonist of large-scale attacks, but certainly much more dangerous.
Where, on the other hand, the scenario is just beginning is that of Artificial Intelligence. Some examples of possible attacks have already been seen. Starting with the creation of malware that is mutable and therefore more difficult to recognize, or more personalized, therefore credible, phishing emails and messages, or real deceptive chatbots.
Finally, cyber criminals are not giving up even in the face of more demanding two- or multi-factor authentication procedures. Indeed, a fight against so-called fatigue attacks, the result of the combination of malicious proxy servers, new social engineering techniques and serial repeated attempts in search of the winning combination,is also to be put in the pipeline.