Survey: Most Hackers Break In Within Six Hours



A recent survey of 70 professional hackers and penetration testers found that 60% of them take a maximum of just six hours to compromise a target. The research, titled The Black Report, was done at the 2016 Black Hat USA and Defcon by Australian technology company Nuix.

Penetration testers try to break into the network of a client organization and then advise the client on how to secure it. This is one of the things KnowBe4's Chief Hacking Officer does through his (separate) company, Mitnick Security, with a 100% success rate.

When the 70 hackers were asked how often they encountered systems they could not crack, 9% said this never happened, while 53% said it happened "sometimes", 22% "rarely", and 16% "often".

40% said phishing was their favorite method to get into a system

Asked about the use of social engineering, 43% of the group said they used it "sometimes" to gain access, and only 16% did not use it at all. 40% said phishing was their favorite method to get into a system. No wonder, as hacking a human is by far the easiest way to get into a network.

Regarding vulnerability scanners as a way to detect potential entry methods, 40% said they used them "sometimes". 60% said they used open-source tools to hack, and custom tools were used by just over 20%.

A third of the pen testers said their presence was never detected by the security team at the organization they were testing. Only 2% were detected more than half of the time, while another third were always detected.

After a compromise, exfiltration of data took 20% of them less than two hours; another 29% took anywhere from two to six hours to get the goods out, while about another 20% took more than 12 hours.

Only 2% of the hackers found anti-virus software an obstruction

Only 2% of the hackers found anti-virus software an obstruction to compromising systems. The biggest hurdle was endpoint security, which 36% found to be an effective countermeasure to their plans; another 29% cited intrusion detection and prevention systems.

Advice for Company Boards: There Is A Return On Investment

When the survey asked what main message they had for the boards of companies that were penetrated, 25% of the hackers said boards should realize that it was a matter of when, not if, a company was hacked. About the same percentage stated that boards should realize there was a return on investment for security and that it was not a waste of time or money. To add to that, 10% said boards should be aware that the ability to detect an attack was much more important than being able to deflect one. The full report can be downloaded here.


Whitepaper Download: Forrester Total Economic Impact Study

KnowBe4 recently commissioned Forrester to conduct a Total Economic Impact™ (TEI) study, examining the potential Return on Investment (ROI) enterprises might realize by implementing the KnowBe4 Security Awareness Training and Simulated Phishing Platform.

The resulting research paper assesses the performance of the KnowBe4 Platform. How does 127% ROI with a one-month payback sound?

At the end of the study, you will have a framework to evaluate the ROI of the KnowBe4 Security Awareness Training and Simulated Phishing Platform on your organization, and how you can leverage your end-users as your last line of defense using KnowBe4.

The value of KnowBe4 goes beyond ROI. Download the study here

 

Topics: Phishing, Hacking
