The biggest weakness in any system, at least as far as cybersecurity is concerned, is the human factor. Penetration testing can also evaluate how well a given system can withstand unauthorized interference from employees, whether intentional or unintentional.
Penetration tests help to detect flaws in system design and architecture and to identify underperforming elements. They also verify the level of assurance of confidentiality, integrity and availability of the data processed by electronic systems. This contributes to the smooth running of ICT companies and organisations and of their operations in general. Even greater preparedness can then be ensured by red teaming, which involves a comprehensive examination of not only the cyber but also the physical preparedness of systems for a cyber attack.
For the second year, Aricoma has evaluated the results of its penetration testing in an analysis that vividly illustrates how companies are armed against cyber attackers. Or how they are not. Organizations of all sizes are among those tested. The sobering stories of others show that without high standards of security, a company may very unexpectedly find itself unable to conduct its business for some time. In the worst-case scenario, the paralysis ends in a complete loss of reputation and the liquidation of the business. Each report represents one test at a company, and each finding a vulnerability of varying severity.
Fewer tests, yet more findings
In 2023, Aricoma's team of penetration testers produced a total of 415 reports. Although there were ten fewer reports than in 2022, the number of findings increased by almost three hundred to 4,399. Thus, on average, there were more than ten findings per report. In terms of severity, while the combined share of high and critical findings remained unchanged (12% overall), the share of critical ones rose by one percentage point (to 3%). As many as 41% of reports contained at least one critical or high severity finding, the exploitation of which could have serious consequences for the system or the organisation running it.
It is also interesting to look at the ratio of high and critical findings per report by sector. Although the number of penetration tests varies by industry, this ratio indicates how vulnerable individual industries are compared to others. Aricoma analysts observed the highest ratio of findings to reports in the transportation and logistics sector, and the lowest in the healthcare and pharmaceutical sectors. The ratio of high and critical findings per report was highest in the industry and manufacturing sector, and lowest again in healthcare and pharmaceuticals.
Even one critical error can have devastating consequences
Although more than half of the findings in 2023 fell into the informative (8%) or low (50%) severity categories, more than a quarter were of medium severity (26%) and almost one in eight were high severity (9%) or critical (3%). The proportions vary by a few percentage points compared to the previous year, but in the case of critical severity, which means imminent threat and possible paralysis of the organisation, an increase of one percentage point means a year-on-year deterioration of 50%. Critical vulnerabilities are weaknesses that were exploited during testing and led (or could lead) to the direct compromise of the system under test. The report classifies high severity vulnerabilities as those that directly allow the system to be compromised or made unavailable. These vulnerabilities have a very high probability of being exploited, and security experts consider immediate remediation necessary.
Not long ago, random attacks on larger companies were among the most common threats in cyberspace; today, there is a significant increase in targeted, much more sophisticated and dangerous ones, including targets among small and medium-sized businesses. Attackers have sophisticated technologies, including artificial intelligence, and precisely crafted techniques to target victims regardless of their importance or size.
This year's Aricoma penetration testing report shows that the relatively high risk of high severity or critical vulnerabilities is not diminishing. Although their share is "only" a few percent, it takes just one successful attack to lose what is most valuable in an organisation - data, know-how and reputation. It turns out that smaller businesses, often the backbone of a normally functioning economy, are among the most vulnerable. And while their daily thoughts are mainly on day-to-day operations and the belief that they are out of the attackers' crosshairs, they should make the impenetrable security of their information systems one of their priorities.
Red Teaming
Most organizations today view the security of their systems and data primarily as a matter of deploying appropriate technologies and practices. But in addition to the vulnerability scanning they regularly run across the widest possible range of devices in use, they need more sophisticated services, including penetration testing. If they want to counter the most advanced cyber threats of today and test the real readiness of not only their systems but also their physical environment, they need even more comprehensive testing. These are the so-called Red Teaming Operations.
These are as close to real-life situations as possible and can therefore very accurately detect the critical points in the protection of the systems and data of companies and institutions. The method is based on the worst of what hackers are capable of today - testers simulate attacks using state-of-the-art technologies, psychological techniques, coercion and tactics including lies and theft. Of course, always in consultation with the organisation's management and with the sole purpose of contributing to its maximum protection.
The 2023 Penetration Testing Analysis (in Czech only) can be found here.