The Hacker Perspective

Traceability and Technology

April 7, 2017

By Lisa Lupo

Professional hackers can compromise a system in less than 12 hours, but detecting a data breach takes an average of 250 to 300 days, if it is detected at all, according to The Black Report from the data security company Nuix. For the report, Nuix conducted a confidential survey of 70 professional hackers and penetration testers (pentesters) at DEFCON, the world’s largest hacking and security conference.

Here’s what they said:

81% can identify and exfiltrate data in less than 12 hours.

88% can compromise a target in less than 12 hours.

50% change their attack methodologies with every target.

84% use social engineering as part of their attack strategy.

69% have almost never been caught in the act by security teams.

33% have never had their activities detected by their target organizations.

76% spend 1-10 hours per week researching security news and technology.

76% believe technical certifications are not a good indication of technical ability.

100% agree that once someone has accessed your data, it is gone for good; there is no getting it back.

Countermeasures the respondents rated most effective (percentage of respondents naming each):

36% endpoint security

29% intrusion detection and prevention systems

10% firewalls

2% antivirus

Activities the respondents rated extremely important for prevention (percentage of respondents naming each):

52% employee education

37% vulnerability scanning

30% goal-oriented penetration testing

16% employee incentives

15% bug-bounty programs

Rated least effective:

42% data hygiene and information governance

22% all of them. This group said no security countermeasure can stop them; full compromise is only a matter of time.

REMEDIATION. Interestingly, even after a penetration test surfaces vulnerabilities, organizations usually conduct only limited remediation, generally focused on critical- and high-severity findings. This exasperates pentesters: 64% say their biggest frustration is that organizations don’t fix the things they know are broken.

“The Nuix Black Report illuminates the true nexus between attacker methodology and defensive posture; showing which countermeasures will improve security and which are a waste of money and resources,” said Chris Pogue, Nuix’s Chief Information Security Officer and co-author of the report.

“Readers will learn what is the best spend for their security dollar and, more critically, why,” he added.

Source: Nuix, The Black Report.