Many clients ask us to assess their internal network for vulnerabilities on an annual basis. When a client commissions an internal penetration test for the first time, it is reasonable to expect that the final report will contain 30 to 40 vulnerabilities. The client then has a year to remediate the vulnerabilities in their network. At first glance, one might assume that by the next test, most of those vulnerabilities will be fixed and the report will be much shorter.
Unfortunately, this is often not the case. Most vulnerabilities still remain, and the overall security level has only improved slightly. In this blog post, we want to examine why this often happens and what organizations can do to get the maximum value out of a penetration test.
Lack of Resources
One of the most common reasons is probably that the IT department is already fully occupied with day-to-day operations. No additional resources, neither time nor budget, are available to deal with the pentest results.
We also often hear statements like: “This system will be decommissioned or replaced soon anyway, so it is no longer worth the effort.” But that state can often last for years, which is more than enough time for an attacker.
Similar arguments include statements such as: “Our ERP system from the last millennium still requires legacy protocol XY, so we cannot disable it.” Such legacy issues often hold back IT security measures.
Organizations should recognize how important these IT security measures are. Of course, providing additional resources and replacing legacy systems involves investment. However, IT security should not be viewed merely as a cost center, but as a central component of a company’s continued economic viability.
In the event of a successful cyberattack, companies often come to a standstill for weeks. Depending on the organization, this can mean revenue losses of several million euros. For some companies, it can even lead to insolvency.
Missing Validation
Another frequent issue is that the client genuinely believed the vulnerability had already been remediated. This happens frequently, for example, with vulnerabilities whose fix requires configuring a Group Policy Object (GPO) in Active Directory. If the GPO does not apply to all affected systems, the vulnerability has only been partially remediated.
Manual verification would reveal that the vulnerability still exists on the uncovered systems. Without it, the finding may remain open until the next pentest.
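As an added example (not code from the original post), the following PowerShell check verifies GPO coverage the way the section describes: instead of trusting that the policy applied, it queries every enabled domain computer for the registry setting the fix is supposed to deliver and lists the hosts where it is missing, wrong or unverifiable. The registry path, value name and expected value are placeholders for whatever setting the finding requires, and the script assumes the ActiveDirectory module and WinRM access to the hosts.

```powershell
# Added example, not from the original post: confirm a GPO-delivered registry
# setting is present on every domain computer, so a partially applied GPO
# surfaces as a list of non-compliant hosts instead of a "fixed" finding.
# Assumptions: ActiveDirectory module available, WinRM enabled on targets,
# and the three parameters below are placeholders for the real setting.
param(
    [string]$RegPath  = 'HKLM:\SOFTWARE\Policies\EXAMPLE',  # placeholder
    [string]$RegName  = 'ExampleSetting',                   # placeholder
    [int]   $Expected = 1                                   # placeholder
)

Import-Module ActiveDirectory

# Enumerate all enabled computers, not only the OU the GPO is linked to;
# systems outside that OU are exactly the ones a GPO-based fix can miss.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DNSHostName

$results = foreach ($c in $computers) {
    try {
        $value = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            param($p, $n)
            (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n
        } -ArgumentList $RegPath, $RegName

        $state = if ($null -eq $value)        { 'Missing' }
                 elseif ($value -eq $Expected) { 'Compliant' }
                 else                          { 'WrongValue' }
    } catch {
        # A host that cannot be checked must not be counted as remediated
        $state = 'Unreachable'
        $value = $null
    }
    [pscustomobject]@{ Host = $c; State = $state; Value = $value }
}

# Everything that is not Compliant is still an open finding
$results | Sort-Object State | Format-Table -AutoSize
$results | Where-Object State -ne 'Compliant' |
    Export-Csv -Path .\gpo-gaps.csv -NoTypeInformation
```

Re-running this after each remediation cycle gives a per-host record that can be handed to the tester as evidence, rather than relying on the GPO having been linked.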
The Human Factor
Another real issue is the organization’s own employees. IT security measures often fail because users do not cooperate. For example, users may resist the introduction of two-factor authentication because it adds effort, or they may not make an effort to choose secure passwords.
However, a higher level of security does not always have to come with reduced convenience. For example, a well-managed passkey authentication rollout can provide both a higher level of security and more user convenience than traditional password-based authentication. On closer inspection, it is often possible to identify areas in different processes where friction for users can be removed without compromising security.
Conclusion
It should be obvious that simply conducting a penetration test does not make an organization more secure. The real work only begins after the results have been presented, when the identified vulnerabilities have to be remediated, and in practice organizations run into the typical problems described above when doing so. We hope we have been able to present approaches that help you get the maximum value out of your pentest.
We are also happy to provide consulting support during the remediation phase. For this purpose, we offer our Assistant module, which allows you to consult with us as needed in order to clarify implementation details and receive additional recommendations.