In the face of distributed work and fast-evolving ransomware, businesses must now contend with an unprecedented threat landscape. If they are to uphold their responsibilities to their clients, they must manage their security resources with more care and attention than ever before.
That’s where penetration testing comes into play. As a discipline, it forms one of the pillars of an effective cybersecurity strategy. However, it’s also particularly dependent on technology.
As 2022 gets underway, it’s the perfect time to evaluate the tech currently shaping the future of pentesting, and how it will continue to do so going forward.
Multi-Factor Authentication (MFA) will become more common
Business systems are often most vulnerable at the point of access, and weak passwords remain a leading cause of data breaches across multiple sectors.
To counter this, organizations are rolling out multi-factor authentication, adding a much-needed layer of security to mission-critical assets—and an extra safeguard against poor password hygiene.
From a pentesting perspective, this creates both opportunity and complexity. It’s imperative that you put any new MFA tools through their paces, probing for imperfections and oversights in both the tools themselves and their implementation. Consider, for instance, whether exposure could occur through a stolen device or a spoofed authentication message, and how this might be prevented.
Even in scenarios where your business has successfully deployed Single Sign-On (SSO), it’s highly advisable to use a password manager, for small teams especially. This ensures that your business isn’t under threat from employees who reuse passwords from personal accounts, without creating a barrier to productivity. As with MFA, pentesters must also rigorously scrutinize both password managers and their implementation.
Blockchain-based tech will raise the stakes for security
Crypto is on a trajectory towards the mainstream, and it isn’t going to stop anytime soon.
Although the blockchain tech that forms the foundation of Bitcoin and its ilk is built around the principles of security and decentralization—and though there are myriad applications for blockchain in cybersecurity—it’s important to remember that this doesn’t mean it’s immune to being hacked.
Nor does it mean that cryptocurrency and security go hand-in-hand.
Take the rise of non-fungible tokens (NFTs) for example. They’re set to be adopted by a raft of major corporations this year and beyond, yet they are also susceptible to theft and could become the next primary focus of cybercriminals.
For pentesting, an understanding of the core technology will become exponentially more important in the coming months and years. This is true whether your business adopts crypto for customers or leverages blockchain to protect assets and data.
Artificial intelligence (AI) will create even more disruption
Businesses have been offloading all sorts of workloads to AI-driven technologies for some time now, and this trend will only gather pace over the next 12 months.
The prospects for cutting staffing costs and accelerating productivity make AI solutions appealing. Yet many businesses forget that machine learning is at its best when supported by human intelligence and oversight.
Practitioners of penetration testing will have to get used to the idea of catering to enterprise clients that are falling deeper and deeper down the AI rabbit hole and consider how this influences the security systems and strategies they put in place.
If AI resources are compromised, for example, the biggest issue may be detection. Organizations must be empowered to know when malicious third parties are subverting AI, or else this could go on indefinitely.
And although artificial intelligence can greatly empower one’s cybersecurity, forming a sort of ‘digital immune system’ around critical assets, it’s important to remember that you are not the only one with access to AI—criminals can leverage it too.
Remote work will remain relevant
In 2020, the pandemic forced the world to adapt to a new landscape. Now, two years later, businesses have grown more used to the policies and systems they originally rushed to implement. However, this does not eliminate the real security risks of remote work—nor the significant challenges it represents for pentesting.
Pentesters must contend with vastly increased attack surfaces while also ensuring that the systems through which remote employees access business assets cannot also be used by criminals. Client-side penetration tests may be necessary, and testers must remain constantly vigilant against the dangers of unsecured home networks.