On January 31, NetSPI Director of Research Nick Landers was featured in the SecurityWeek article called Cyber Insights 2023 | Artificial Intelligence. Read the preview below or view it online.
SecurityWeek Cyber Insights 2023 | Artificial Intelligence – The pace of artificial intelligence (AI) adoption is increasing throughout industry and society. This is because governments, civil organizations and industry all recognize greater efficiency and lower costs available from the use of AI-generated automation. The process is irreversible.
What is still unknown is the degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool for beneficial improvement. That day is coming and will begin to emerge from 2023.
The changing nature of AI (from anomaly detection to automated response)
Over the last decade, security teams have largely used AI for anomaly detection; that is, to detect indications of compromise, presence of malware, or active adversarial activity within the systems they are charged to defend. This has primarily been passive detection, with responsibility for response in the hands of human threat analysts and responders. This is changing. Limited resources which will worsen in the expected economic downturn and possible recession of 2023 is driving a need for more automated responses. For now, this is largely limited to the simple automatic isolation of compromised devices; but more widespread automated AI-triggered responses are inevitable.
Failure in AI is generally caused by an inadequate data lake from which to learn. The obvious solution for this is to increase the size of the data lake. But when the subject is human behavior, that effectively means an increased lake of personal data and for AI, this means a massively increased lake more like an ocean of personal data. In most legitimate occasions, this data will be anonymized but as we know, it is very difficult to fully anonymize personal information.
“Privacy is often overlooked when thinking about model training,” comments Nick Landers, director of research at NetSPI, “but data cannot be completely anonymized without destroying its value to machine learning (ML). In other words, models already contain broad swaths of private data that might be extracted as part of an attack.” As the use of AI grows, so will the threats against it increase in 2023.
On January 31, NetSPI Managing Director Chad Peterson was featured in the SecurityWeek article called Cyber Insights 2023 | Attack Surface Management. Read the preview below or view it online.
SecurityWeek Cyber Insights 2023 | Attack Surface Management – Attack surface management (ASM) is an approach for delivering cybersecurity. IBM describes the attack surface as “the sum of vulnerabilities, pathways or methods – sometimes called attack vectors – that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.”
ASM requires “the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.”
ASM is consequently predicated on total visibility of assets, vulnerabilities, and exploits.
Management is the key word in ASM
The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.
Chad Peterson, MD at NetSPI, believes the nature and effectiveness of pentesting will evolve over 2023, “The attack surface has become more fluid, so you have to be able to scan for new assets and entry points continuously,” he says. “In 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of more continuous assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.”
On January 31, NetSPI Scott Sutherland, VP of Research, and Norman Kromberg, CISO, were featured in the SecurityWeek article called Cyber Insights 2023: Cyberinsurance. Read the preview below or view it online.
SecurityWeek Cyber Insights 2023 | Cyberinsurance – Cyberinsurance emerged into the mainstream in 2020. In 2021 it found its sums were wrong over ransomware and it had to increase premiums dramatically. In 2022, Russia invaded Ukraine with the potential for more serious and more costly global nation state cyberattacks – and Lloyds of London announced a stronger and more clear war exclusions clause.
Higher premiums and wider exclusions are the primary methods for insurance to balance its books – and it is already having to use both. The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market. But one thing is certain: a mainstream, funds rich business like insurance will not easily relinquish a market from which it can profit.
It has a third tool, which has not yet been fully unleashed: prerequisites for cover.
The Lloyd’s war exclusion clause and other difficulties
The Lloyd’s exclusion clause dates to the NotPetya incident of 2017. In some cases, insurers refused to pay out on related claims. Josephine Wolff, an associate professor of cybersecurity policy at Fletcher, Tufts, has written a history of cyberinsurance titled Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.
“Merck and Mondelez, sued their insurers for denying claims related to the attack on the grounds that it was excluded from coverage as a hostile or warlike action because it was perpetrated by a national government,” she explains. However, an initial ruling in late 2021, unsealed in January 2022, indicated that if insurers wanted to exclude state-sponsored attacks from their coverage they must write exclusions stating that explicitly, rather than relying on boilerplate war exclusions. Merck was granted summary judgment on its claim for $1.4 billion.
The Russia/Ukraine kinetic war has caused a massively increased expectation of nation state-inspired cyberattacks against Europe, the US, NATO, and other west-leaning nations. Lloyds rapidly responded with an expanded, but cyberinsurance-centric, war exclusion clause excluding state-sponsored cyberattacks that will kick in from March 2023.
2023 is a watershed moment for cyberinsurance. It will not abandon what promises to be a massive market – but clearly it cannot continue with its makeshift approach of simply increasing both premiums and exclusions to balance the books indefinitely.
Nevertheless, the expansion of ‘prerequisites’ would be a major – and probably inevitable – evolution in the development of cyberinsurance. Cyberinsurance began as a relatively simple gap-filler. The industry recognized that standard business insurance didn’t explicitly cover against cyber risks, and cyberinsurance evolved to fill that gap. In the beginning, there was no intention to impose cybersecurity conditions on the insured, beyond perhaps a few non-specific basics such as having MFA installed.
But now, comments Scott Sutherland, VP of research at NetSPI, “Insurance company security testing standards will evolve.” It’s been done before, and PCIDSS is the classic example. The payment card industry, explains Sutherland, “observed the personal/business risk associated with insufficient security controls and the key stakeholders combined forces to build policies, standards, and testing procedures that could help reduce that risk in a manageable way for their respective industries.”
He continued, “My guess and hope for 2023, is that the major cyber insurance companies start talking about developing a unified standard for qualifying for cyber insurance. Hopefully, that will bring more qualified security testers into that market which can help drive down the price of assessments and reduce the guesswork/risk being taken on by the cyber insurance companies. While there are undoubtedly more cyber insurance companies than card brands, I think it would work in the best interest of the major players to start serious discussions around the issue and potential solutions.”
There is no silver bullet for cybersecurity. Breaches will continue and will continue to rise in cost and severity – and the insurance industry will continue to balance its books through increasing premiums, exclusions, and insurance refusals. The best that can be hoped for from insurers increasing security requirements is that, as Norman Kromberg, CISO at NetSPI suggests, “Cyber Insurance will become a leading driver for investment in security and IT controls.”
Amidst a year of record growth and momentum, NetSPI is recognized again for its leadership and culture.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, has been named one of the top workplaces in the U.S. by Energage, a leading provider of technology-based employee engagement tools. Winners are chosen based on an anonymous third-party employee survey that measures several aspects of workplace culture, including alignment, execution, and connection.
“We’re proud to be recognized as a top workplace for the second year in a row,” said Aaron Shilts, CEO of NetSPI. “Every employee has contributed to our record growth this year, continuing to drive results as we expand. Our strong culture remains key to what makes NetSPI a great place to work.”
This Top Workplace recognition follows a year of record growth and momentum for the company including the hiring of more than 230 people, and promotion of over 170 employees, namely Norman Kromberg to CISO. This, in addition to a number of new product innovations, led to a 58% organic revenue growth throughout the fiscal year.
“In a year of record growth, we’re particularly proud of the growth amongst NetSPI employees,” said Heather Crosley, Vice President of People Operations at NetSPI. “Our employees continue to be committed to collaboration, and creating a culture of excellence and belonging.”
Top Workplaces USA celebrates organizations with 150 or more employees that have built great cultures. While more than 42,000 organizations were invited to participate, just over 1,200 organizations have been honored with the Top Workplaces USA award this year.
For more information about joining NetSPI’s growing team, please visit www.netspi.com.
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – penetration testing as a service, attack surface management, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers and e-commerce companies, and 50 percent of the Fortune® 50. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn.
Making the world a better place to work together.™
Energage is a purpose-driven company that helps organizations turn employee feedback into useful business intelligence and credible employer recognition through Top Workplaces. Built on 14 years of culture research and the results from 23 million employees surveyed across more than 70, 000 organizations, Energage delivers the most accurate competitive benchmark available. With access to a unique combination of patented analytic tools and expert guidance, Energage customers lead the competition with an engaged workforce and an opportunity to gain recognition for their people-first approach to culture. For more information or to nominate your organization, visit Energage or Workplaces.
Type “pentesting” into GitHub, and you’ll find nearly 9,000 repository results.
Finding the right penetration testing tools can be a daunting task, given the sheer number of both open source and commercial options available. Using the right tool for the right objective – from capturing and manipulating HTTP traffic to finding SQL injection during web application pentests – can make a significant impact during assessments.
To help narrow your search parameters, we surveyed our team of 200+ global pentesters to identify the 12 must-have pentesting tools of the moment. Drumroll please…
It combines a top-class proxy, web vulnerability scanner, and an extensive ecosystem of extensions making it invaluable for performing penetration tests. BurpSuite provides a great level of control for users to uncover and exploit vulnerabilities while scanning for common web application flaws.
“I have used this tool nearly every day for over ten years. I have performed SQL Injections, server-side request forgeries, authentication/authorization bypasses, cross-site scripting, Java deserialization attacks, various code injections and remote code executions, and more.”
– Eric Gruber, Director, Attack Surface Management
“I use this tool for every pentest I do! For one test, I was able to intercept a file upload request and inject a malicious DTD to exploit server-side request forgery.”
– Karin Knapp, Security Consultant II
NMAP (Network Mapper) is a popular pentesting tool used to assess networks for open ports and vulnerabilities. It has been around for many years, amassing a great deal of community support, excellent documentation, and expansive functionality. NetSPI’s global pentesting team uses it extensively in Attack Surface Management.
“We use it all the time in Attack Surface Management to identify open ports on our clients’ attack surfaces. This is the first step in exploiting a large majority of vulnerabilities.”
Behind the scenes, Resolve is also a penetration testing workbench for our services team and select clients that purchase a subscription.
From a workbench perspective, it’s a one-stop shop for NetSPI pentesting assessments: it houses checklists, allows our consultants to communicate with clients, stores documents, and is a central platform to document findings.
Resolve’s checklists and finding templates help our pentesters be more consistent with their documentation and help in organizing a methodical and thorough testing process, a key reason why our consultants nominated it as a top tool.
The platform saves hours, even days, by taking the output from tools and sorting and correlating the findings. In addition, it can track findings and detections over time, which has enabled NetSPI to build out a large vulnerability repository with thousands of instructions for validating findings.
“Resolve takes care of 95% of the reporting process for me, so I can spend more time actually helping the client and doing my job.”
– Cameron Geehr, Managing Consultant
“…Compared to other companies I have worked at, Resolve at least halves the amount of time spent reporting, allowing for more time to be spent performing testing.”
CrackMapExec is a versatile pentesting tool used to perform various post-exploitation techniques from a single user-interface. NetSPI pentesters have used this tool to execute pass-the-hash attacks, credential dumping, password spraying, and more – often resulting in administrative compromise.
“It is actively developed and is a framework that allows execution of multiple techniques and interaction with multiple common services.”
While Browser Dev Tools are a built-in feature in all modern browsers intended to allow developers to debug their web applications, it can also be leveraged by penetration testers. Dev Tools’ availability in modern browsers like Safari, Chrome, and Firefox makes it one of the most foundational and accessible means of application security testing.
Dev Tools allow penetration testers to view and manipulate all client-side scripts, cookies, and other web elements. It can also come in handy when looking for hidden fields and other potentially sensitive data. It’s ability to inspect and manipulate the contents of a given web page within the context of a browser makes it a great resource for anything from debugging to viewing network traffic without an available intercepting proxy.
“Some applications insecurely configure user permissions on the client-side. In cases like this, an attacker can modify client-side code to elevate their permissions in the application.”
The Metasploit exploitation framework provides all the functionality a pentester might need, including scanning networks and targets, launching exploits, receiving shells, and even performing post-exploitation. With its open-source nature and constantly evolving feature set, Metasploit is a top penetration testing tool because it allows testers to leverage exploits to demonstrate the full impact of security vulnerabilities.
NetSPI Security Consultant James Maguire used Metasploit to compromise a windows domain and demonstrate the risks of missing security patches and password reuse to the client.
He shared, “Using Metasploit, I scanned the network for hosts missing the infamous MS17-010 (EternalBlue) patch.” He found three servers missing the patch, picked one, and launched the exploit using Metasploit. According to James, “The exploit was successful, and I got a Meterpreter shell. Meterpreter is a special attack payload available to Metasploit users and has several useful post-exploitation features and modules. I used one of my favorite modules (Mimikatz) to recover cleartext credentials from the victim server.” While reviewing the credentials, he discovered one of the accounts had domain admin privileges, and with that, he was able to deliver valuable penetration test results with ease.
“I was able to use Metasploit to compromise a windows domain and demonstrate the risks of missing security patches and password reuse to the client.”
SQLmap is an open-source project that tests for SQL injection vulnerabilities in web application requests. If found, it will also identify the type and location of the injection. It provides testers with an easy-to-use tool to interact with the vulnerability to enumerate data from the application’s database.
SQLmap is a favorite among NetSPI’s consultants because SQL injection can be a very tedious finding to verify and determine its impact. SQLmap speeds up that process, thereby speeding up reporting.
NetSPI Security Consultant II Josiah Kohlmeyer explains, “When we find a SQL injection vulnerability, one of the ways to verify the finding is by enumerating the database version or database name. If the database name was ‘dev-database’, manually enumerating that requires us to hand-write SQL statements to brute-force determine each letter of the name one letter at a time.” When using SQLmap, pentesters can supply SQLmap the command “–current-db” and the tool will complete the enumeration and provide a database name in 30-60 seconds instead of the 15-30 minutes it would take to do manually.
“I’ve found SQL injection on several web application assessments, and I’ve always used SQLmap to verify the finding. Clients are always surprised to see I have information that should only be internally known.”
Known as the “C# toolset for raw Kerberos interaction and abuses,” Rubeus made the cut for its flexibility and power in Kerberos abuse.
Released in 2018, Rubeus allows for Kerberos interaction and abuse due to misconfigurations of Active Directory objects. It allows an attacker to request valid Ticket Granting Tickets (TGT) and Ticket Granting Services (TGS) for accounts configured with an SPN, and inject those Kerberos tickets into memory, processes, or to a file to authenticate on the domain.
NetSPI consultants have leveraged Rubeus to execute Kerberoasting, ASREProasting, pass-the-ticket, pass-the-hash, golden ticket, silver ticket, and diamond ticket attacks.
“Rubeus implements almost all of the known Kerberos attacks and is extremely flexible in how it works. There is no ONE thing out there that could replace Rubeus if it was somehow removed from history.”
– Derek Wilson, Senior Security Consultant
“After guessing a weak user account password, I used Rubeus to request all domain user account hashes with a Service Principal Name configured with RC4 encryption. I sent the hashes to a password cracker and cracked a domain admin password.”
Developed by NetSPI’s very own VP of Research Karl Fosaaen, MicroBurst is a PowerShell toolkit that allows for various attacks on Azure Services.
It houses all the attack automation scripts useful in Azure Cloud Pentesting and includes functions for anonymous enumeration, authenticated attacks, auditing configurations, and performing post-exploitation actions.
The information gathering tools are especially useful, and the password dumping function “Get-AzPasswords” has proven to be a crucial component of many successful exploitation campaigns to dump Key Vaults, Automation Accounts, and other credentials to escalate privileges in an Azure subscription.
In this webinar, Karl leverages Get-AzPasswords to automate the collection of passwords stored in Azure. Additionally, MicroBurst can also be used for Azure subdomain enumeration as seen in this demo by Day Johnson.
BloodHound allows you to scan an Active Directory (AD) domain and display privilege escalation and lateral movement paths in a graph. This is incredibly useful for blue and red teams to discover and block these attack paths.
It provides a visual map of the AD environment which makes it easier to identify relationships between objects and discover attack paths.
NetSPI Senior Security Consultant Sam Bogart found that a client had unintentionally granted the “Domain Users” group high privileges by directly modifying the domain ACL. Another client had one computer on the domain where “Domain Users” were in the administrator’s group and a Domain Admin was logged in.
In both examples, Sam used BloodHound to display these paths for privilege escalation and provide a full attack path from a compromised account to “Domain Admin.”
“I was on a test with a network that was pretty hardened: no missing patches and no man-in-the-middle opportunities. It was looking pretty grim. But thanks to BloodHound, I was able to find a misconfigured DACL that allowed me to escalate from a standard Domain User to Domain Admin in two steps.”
– Cameron Geehr, Managing Consultant
“BloodHound offers unrivaled insight into Active Directory misconfigurations that could lead to lateral movement and privilege escalation.”
SAML Raider is a Burp Suite extension for testing SAML infrastructures.
It contains two core features: a SAML message editor to manipulate SAML messages and an X.509 certificate manager. Our security consultants find value in SAML Raider because of the ease at which it allows you to read the SAML message and manipulate it for an attack – specifically for XML signature wrapping attacks and XML external entity injection attacks.
Every time NetSPI Senior Security Consultant Aussan Saad-Ali sees SAML authentication he checks with SAML Raider to see if a XSW or XXE attack is possible. Check out this how to article to learn how to accomplish this.
“The ease that it allows you to read the SAML message and manipulate it for an attack makes it valuable to me, especially how it facilitates the different type of attack scenarios such as XML signature wrapping attack and XML external entity injection attack.”
Impacket is a collection of modules (known as Python classes) primarily used by developers when working on network protocols.
It can be used during all phases of network penetration testing. Impacket performs a wide range of activities with its more than 50 features – from exploiting known vulnerabilities to carrying out Man in the Middle (MiTM) attacks and and fetching Windows secrets.
“During one of my projects, I was able to capture NTLMv2 hashes on the internal network. It was not possible to crack the hashes to get the password, so I used Impacket ntlmrelayx.py and was able to relay them to get local admin access to the workstation.”
– Ruchit Patel, Senior Security Consultant
Which tools are you or your team using to uncover security flaws?
These 12 tools will help increase pentest efficiency and identify unique attack paths – ultimately to ensure more thorough security testing and support faster remediation.
Looking for a resourceful team to pentest your applications, networks, cloud platforms, IoT devices, blockchain implementations, and beyond? Explore NetSPI’s full suite of penetration testing services.
A special thank you to everyone who participated in this article:
On January 26, NetSPI Managing Director Chad Peterson was featured in the VMBlog article called Data Privacy Day 2023: Tips and Views from Top Industry Experts. Read the preview below or view it online.
Data Privacy Day, an international “holiday” that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January of 2008. It is an extension of Data Protection Day in Europe, which commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
Two years ago, the National Cybersecurity Alliance (NCA) expanded Data Privacy Day beyond just January 28th, and instead, many have chosen to celebrate it all week long. And they did so because your data is simply that important!
Data Privacy Day’s educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts ahead of Data Privacy Day 2023.
“Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients, however the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.”
Following momentous year of global expansion and technology advancements, offensive security leader announces innovation group and strategic appointments.
Minneapolis, MN – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced a record fiscal year, achieving 58% organic revenue growth in 2022. The growth is attributed to the company’s strategic expansion into Europe, Middle East, and Africa (EMEA), and an enhanced portfolio of offensive security offerings.
“Over the past year, NetSPI has challenged the status quo in the cybersecurity market, pushing the envelope to deliver new, enhanced, continuous offensive security solutions – and the industry has taken note,” said Aaron Shilts, CEO of NetSPI. “As we forge ahead in 2023, our team will continue to innovate to improve the security posture of organizations worldwide, powered by our customer-first approach to security.”
Introducing NetSPI Labs, an Innovation Incubator for the Security Community
Building on its recent momentum, NetSPI has formalized NetSPI Labs, a dedicated innovation group designed to deliver industry research to the security community and develop new solutions for the cybersecurity and vulnerability management challenges organizations face.
NetSPI has appointed three Vice Presidents of Research, Karl Fosaaen, Nick Landers, and Scott Sutherland, to lead NetSPI Labs. They bring decades of experience in security testing, product and service line development, and adversarial research.
“NetSPI Labs is a game-changer for the industry. This innovation engine will enhance cross team collaboration to identify the white space in offensive security, and how NetSPI can best deliver on unmet needs,” said Charles Horton, Chief Operating Officer at NetSPI. “The team will share resources and research with the security community, furthering industry collaboration to stay one step ahead of adversaries.”
NetSPI Appoints Norman Kromberg as Chief Information Security Officer
NetSPI also announced the appointment of Norman Kromberg as its Chief Information Security Officer (CISO). In this role, he will oversee the company’s security operations and architecture.
Kromberg brings more than 30 years of experience in cybersecurity, information assurance, risk management, and software quality and compliance, previously holding security leadership positions at companies such as SouthernCarlson, Optiv, and ACI Worldwide. He also brings knowledge of the company’s business processes from his prior role as a Managing Director at NetSPI.
“It is a pivotal time for NetSPI, as the company continues its rapid growth and innovates at accelerated speeds,” said Kromberg. “Security is paramount to NetSPI; it is in its DNA. This role further showcases the company’s commitment to staying ahead of bad actors and securing our clients. I’m excited for this next chapter with the company.”
For more information about NetSPI or to join NetSPI’s growing team, please visit www.netspi.com.
NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – penetration testing as a service, attack surface management, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers and e-commerce companies, and 50 percent of the Fortune® top 50. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn.
While some teenagers play Call of Duty® with their friends, there are others more inclined to explore the dark side of the internet.
According to the Kaiser Family Foundation, children and teens ages 8-18 now spend 7.5 hours in front of a screen each day on average. And today, access to illicit content is more prevalent than ever through availability of resources, forums, and inquisitive thinking.
From vulnerability exposure to financial gain, teenagers, as tech natives, pose a huge risk to cybersecurity and are becoming more sophisticated in the type of hacks and attacks they attempt.
Just in the past year, there have been numerous major breaches that were led by young cyber adversaries. Bloomberg reported that a string of high-profile hacks against technology companies, including Microsoft and Nvidia, have been traced backed to a 16-year-old living at his mother’s house near Oxford, England. They allegedly belong to the notorious Lapsus$ hacking group. In September 2022, the City of London Police revealed that a 17-year-old had been arrested on suspicion of involvement in the recent cyberattacks targeting both Uber and Rockstar Games, according to reporting by Security Week.
With the ever-growing prevalence of online gaming among teens, most children will be aware of ‘hackers’, even if it is within the context of a game. This opens the door to actively challenging systems, motivated to affect grades, create havoc, or derive financial gain and research into more serious hacking.
Even a basic search of how to hack will result in the discovery of some incredibly dangerous resources that could allow even untrained and inexperienced teenagers to cause issues. For only £7 a month, there are ethical hacking training program subscriptions that will teach users to properly utilise and understand those resources. With the amount of free time and growing independence during this stage of life, it is easy to upskill to a worrying and threatening level within a year.
Teenagers with an interest in hacking will often arrive at online forums where criminal hackers discuss their exploits and teach others how to achieve the same outcomes. We face a situation with the internet giving young adults knowledge and skills to cause damage, with little direction, governance, or consequence. It is no surprise that so many end up on the wrong side of the law.
What can be done?
Unfortunately, there are few meaningful outlets for skilled teens at the time of writing. Teens are considered too young to start building a career from their skills. Online “capture the flag” exercises can be fun, but rarely mirror real-world ethical hacking, or penetration testing. Bug bounty programs are equally unhelpful, as successful bug bounty hunters tend to be extremely experienced. Even talented teens are unlikely to find their curiosity satiated by these outlets alone.
Naturally, they seek other opportunities to test their skills. Proof-of-Concept (POC) code for new vulnerabilities, known as “Zero Days”, can be tempting. Once a POC exists on the internet it’s a race against time for system owners to patch their systems or be hacked (see: Log4Shell).
Some POCs are “point and click”, taking only a few seconds to execute a sophisticated attack in a world where information is king. Stolen databases are worth good money to the right buyer. Even where teens may not knowingly steal and sell data from systems they successfully hack, just attempting to access a computer system without authorisation represents a breach of the Computer Misuse Act 1990. The maximum sentence for convictions under this legislation is life imprisonment.
Despite this, there seems to be a perception that people caught hacking are given government jobs rather than a criminal record, but that is rarely the case. Instead, those with a chequered past are more likely to face frequent rejection by employers in a demanding cybersecurity industry.
More needs to be done to get people on the right path from a young age. The cybersecurity industry, together with the national government, need to guide the next generation of cybersecurity professionals.
The introduction of nationally recognised certifications specifically for young people could be a great place to start. This would expose children to a positive path before they use their skills for nefarious purposes. Particularly talented young people could then progress to the certifications used by industry professionals, providing a structured path for continued development. Ultimately, people with the right skills and motivations will be welcomed into the industry to utilise their skills for good – whilst getting paid well to do so.
On January 23, NetSPI’s Chad Peterson was featured in the Enterprise Security Tech article called Enterprise Security Tech: Experts Share How Data Privacy Has Evolved, What We’re Missing, and What’s to Come. Read the preview below or view it online.
Data privacy is essential for maintaining trust in institutions that collect and use personal information. Without strong data privacy protections in place, individuals may not feel comfortable sharing their information, which can harm innovation and progress.
Data Privacy Week raises awareness about the importance of data privacy and the protection of personal information. During this week, individuals, organizations, and governments come together to promote education and best practices for protecting personal data. We heard from data privacy experts from across the industry on how data privacy has evolved, what we’re missing, and what could be on the horizon.
Chad Peterson, Managing Director, NetSPI
Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients, however the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.
On January 16, NetSPI was featured in the CRN article called 10 Hot Cybersecurity Companies You Should Watch In 2023. Read the preview below or view it online.
These 10 companies across segments such as security analytics, cloud security and application security have been on our radar in a big way at CRN, thanks to their strong momentum and channel commitment.
We chose these vendors because they’ve clearly got major traction, based upon recent funding rounds (raised in a very un-ideal funding environment); notable product launches; acquisitions of innovative startups; or other big moves. These cybersecurity product companies are also making significant investments into working with channel partners, and have made solution providers a pivotal or even dominant part of how they reach and service customers.
In short, these 10 cybersecurity companies have been on our radar in a big way at CRN, and we think they should be on yours, too. They span sectors of the security market from application security and cloud security, to security analytics and confidential computing, to offerings in the categories of MDR (managed detection and response) and XDR (extended detection and response).
What follows are our picks for 10 hot cybersecurity companies you should watch in 2023.
In October, NetSPI, a provider of penetration testing services and attack surface management capabilities, pulled in a $410 million funding round for uses including the expansion of its channel program. While NetSPI CEO Aaron Shilts told CRN at the time that less than 10 percent of its revenue was derived from work with the channel, the company is determined to boost its channel-driven sales, including through the recent hiring of a new channel chief and launch of a new partner program.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.