The Importance of Regular Penetration Testing for Cloud Security: What is the cost of deprioritisation?
In the ever-evolving landscape of cybersecurity, cloud computing has become the backbone of modern businesses. The agility, scalability, and cost-effectiveness of cloud services have revolutionised the way organisations operate. However, this digital transformation has also introduced new and complex security challenges. Maintaining security is a challenge for all businesses operating directly or indirectly in the digital sphere. In Australia alone the number of significant, reported data breaches for the last 5 years are as follows:
- 2023: 44 incidents to date (projecting 55 to 60 total incidents for the year)
- 2022: 72 incidents
- 2021: 50 incidents
- 2020: 90 incidents
- 2019: 87 incidents
- 2018: 32 incidents
On average over the last 6 years, including the projected count for 2023, there are 60-65 significant, reported data breaches. The compiled list, found at Webber Insurance: List of Data Breaches in Australia, focuses on large and publicly visible organisations and businesses. Small to medium sized businesses are not directly reported on in the list, so it would not be unreasonable to assume the actual number of Australian businesses and organisations impacted by a security event in the last 5+ years would be a factor larger than what is listed above.
It is staggering to read the details, depth and the names of the impacted businesses affected by security breaches. It would almost be easier to map the number of individual Australians not impacted by data concerns than to list out those directly and or indirectly impacted by a security event. The incidents are not limited to sectors or business types and unfortunately for their customers, many of the services are critical accounts everyday Australians need to maintain.
Another great read is the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report, depending on the interests of the reader. The report delivers keen insights into the impact of threats and events for Australian businesses. Again the numbers presented are concerning for any business executive. The latest reports indicate an average cost of over 64K AUD per security incident for Australian businesses. The report breaks down the average cost in 2021 to 2022 to:
- Small Business (1 to 20 employees): $39,555 per event
- Medium Business (20 to 199 employees): $88,407 per event
- Large Business (200+ employees): $62,233 per event
The report includes reporting and internal security practice caveats on the above data. The 2021 figures in the report only includes businesses that experienced financial loss as a result of the security breach and does not include businesses who experienced a security incident but without direct financial costs. This is a difficult factor to measure, but even without a direct cost impact to an organisation, there is the potential loss of opportunity costs if customer sentiment is diminished or industry reputation is tarnished. There is no easy way to effectively measure the complete cost of a security breach, but the numbers listed above indicate that it can put a business, especially smaller business, under significant financial strain.
To be fair to Australians, this is not a “down-under” issue, with governments and businesses being impacted all around the world. Another interesting article is the Ekran Top 10 Known Cyber Security Incidents. An important word in the article title is “known”. It would be very safe to assume, based on previous behaviour, governments and large businesses would prefer to not report where they can to maintain trust and share prices. A significant security breach will have an immediate negative impact on share pricing for both the affected business and a positive impact for their nearest direct competitors.
There are a number of other great online resources to help stay up to date on the latest cyber security threats, you can refer to the following resources:
- Digital Transformation Hub: They provide insights into recent trends in the cyber security landscape, including threats to organisations and not-for-profits.
- eSecurityPlanet: They offer a list of nine good resources that will keep you informed about current security threats.
- business.gov.au: They provide access to up-to-date information on cyber security issues and how to deal with them.
- Australian Cyber Security Magazine: covers the broad domain of cyber security displaying the latest news as well as through provoking articles from leading cyber security professionals.
So what do all the numbers and “sky is falling” predictions mean?
The primary takeaway should be that security events happen, and they happen to everyone. We see listed in the various data/security breach lists large companies that generate billions in revenue per year, companies that specialise in or have a focus on security and data, companies with system and security teams larger than many small to medium businesses. As a small to medium sized business owner, one would ask themselves, if the large players are being breached, how am I ever supposed to survive?
The most critical concern with cyber security is to be prepared. If you deal with client or financial data, or you rely on your reputation to trade you must invest in preparedness and have a plan in the event of a worst case scenario. A critical piece of the puzzle is penetration testing. If you do not know your weaknesses or potential points of entry, online and offline, then any investment you make may be a waste of time, resources and funds.
Penetration testing, often referred to as “pen testing” or “ethical hacking,” is a proactive security assessment technique. It simulates real-world cyberattacks to identify vulnerabilities within an organisation’s IT infrastructure, applications, and networks. The primary goal of penetration testing is to discover weaknesses before malicious actors exploit them.
In the context of cloud security, penetration testing involves assessing the security controls and configurations of cloud-based services, infrastructure, and applications. It aims to pinpoint potential weaknesses that could lead to data breaches, service disruptions, or unauthorised access. Regular penetration testing is the lynchpin of a robust cybersecurity strategy, especially in cloud environments where the attack surface is vast and dynamic.
Know your weakness, counteract and or fix your weaknesses and undertake regular review and improvement. Create a plan to maintain and monitor online and offline access, and prepare a clear and transparent plan for quickly addressing the situation should the worst case occur. Most organisations now leverage the cloud in some aspect of their business. Penetration testing for cloud security is a critical component of being prepared. There are a number of key considerations when leveraging penetration testing for your organisation.
- Identifying Vulnerabilities: One of the fundamental reasons to conduct regular penetration testing in cloud security is to identify vulnerabilities. Cloud environments are complex, often involving a myriad of services, configurations, and interconnected components. These complexities can lead to misconfigurations or overlooked security gaps, leaving organisations exposed to risks. Penetration testing helps uncover these vulnerabilities, providing organisations with actionable insights to strengthen their security posture.
- Assessing Cloud Provider Security: Many organisations rely on third-party cloud providers like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). While these providers offer robust security measures, the shared responsibility model means that customers are responsible for securing their own data and configurations within the cloud environment. Penetration testing allows organisations to assess whether their cloud providers’ security controls are effective and whether any additional security measures are necessary.
- Adapting to Evolving Threats: Cyber threats are constantly evolving. Attackers employ new tactics and techniques to exploit vulnerabilities. Regular penetration testing helps organisations stay ahead of these threats by testing their defences against the latest attack vectors. It enables organisations to adapt their security strategies to mitigate emerging risks effectively.
- Meeting Compliance Requirements: Many industries and regulatory bodies require organisations to adhere to specific cybersecurity standards and compliance regulations. Regular penetration testing is often a mandatory requirement to demonstrate due diligence in maintaining the security of sensitive data. It helps organisations meet compliance obligations, avoid penalties, and build trust with customers and partners.
- Enhancing Incident Response Preparedness: In the unfortunate event of a security breach, incident response is crucial to minimise damage and recover quickly. Penetration testing not only helps identify vulnerabilities but also provides an opportunity to test and improve incident response plans. Organisations can evaluate how well they detect, respond to, and mitigate security incidents within their cloud environments.
- There are numerous issues experienced with cloud storage that are unearthed and monitored using penetration testing. There are also a number of very common vulnerabilities that penetration testers frequently encounter during their assessments.
- Misconfigurations: are among the most prevalent and critical vulnerabilities in cloud environments. These errors can lead to unintended exposure of sensitive data or unauthorised access to resources. Common misconfigurations include improperly configured access controls, overly permissive permissions, and unpatched software.
- Inadequate Identity and Access Management (IAM)L: Improperly managed user identities and access permissions pose a significant risk. Weak password policies, lack of multi-factor authentication (MFA), and excessive permissions granted to users can result in unauthorised access. Penetration testers often find weaknesses in IAM policies that need to be addressed.
- Data Exposure and Leakage: Data is a valuable asset, and its exposure or leakage can be disastrous for an organisation. Penetration testers often discover data storage containers, databases, or file repositories that are inadvertently exposed to the internet due to misconfigurations. Sensitive data, such as customer records or intellectual property, can be at risk.
Insecure APIs: Application Programming Interfaces (APIs) are essential for cloud services’ functionality and integration. However, insecure APIs can become an entry point for attackers. Vulnerabilities in API endpoints, insufficient authentication, or lack of rate limiting can lead to API-related security breaches.- Insufficient Logging and Monitoring: Without proper logging and monitoring, it becomes challenging to detect and respond to security incidents promptly. Penetration testers often identify gaps in an organisation’s ability to monitor and analyse logs, leaving them unaware of potential threats until it’s too late.
- Outdated Software and Dependencies: Using outdated software or unpatched dependencies can introduce vulnerabilities into a cloud environment. Attackers may exploit known vulnerabilities to gain access or compromise systems. Regular updates and vulnerability assessments are essential to address this issue.
- Phishing and Social Engineering: Penetration testers often assess an organisation’s susceptibility to phishing attacks and social engineering tactics. They may craft convincing phishing emails or simulate social engineering scenarios to evaluate employees’ security awareness and responsiveness.
- Insider Threats: Insider threats, whether intentional or accidental, are a significant concern. Penetration testers may attempt to exploit internal access privileges or assess how well an organisation detects and mitigates insider threats within its cloud environment.
- DDoS Vulnerabilities: Distributed Denial of Service (DDoS) attacks can disrupt cloud services, causing downtime and financial losses. Penetration testers may assess an organisation’s resilience to DDoS attacks and evaluate the effectiveness of mitigation measures.
To answer the question posed in the article title, immeasurable. The direct cost of a security breach could financially ruin an organisation, or the slow bleed of lost business following a poorly handled security event could spell the end for an impacted business. Conversely an organisation could get lucky and have little impact. As any great athlete will tell you, luck is just a simple way of explaining years of training and preparation culminating at the right moment. Much like good security practices.
Regular penetration testing is a cornerstone of effective cloud security. It helps organisations identify vulnerabilities, assess cloud provider security, adapt to evolving threats, meet compliance requirements, and enhance incident response preparedness. By understanding and addressing common vulnerabilities such as misconfigurations, inadequate IAM, data exposure, and insecure APIs, organisations can significantly reduce their risk of falling victim to cyberattacks in the cloud.
In an era where data is the lifeblood of businesses, prioritising cloud security through penetration testing is not just advisable, it’s imperative to safeguarding the future of an organisation. Organisations can mitigate some of the above factors by having internal resources monitoring and maintaining components of their digital framework. A good tech lead will welcome and probably insist on regularly engaging external resources to provide an additional set of eyes to ensure all systems are strong enough to repel a concerted attempt to attack the business. Creating a worst case scenario plan of action and leveraging security professional businesses to help strategise, plan, and pen test your organisation is a cost all businesses should welcome as readily as investing in swipe cards, door locks, and paper shredders.
Keep your customers confident that the data they have shared with your organisation is safe, by undertaking best practice security strategies and reporting on the outcomes from robust internal and external security testing programs.