One thing chess and cyber “ethical hacking” (aka Penetration Testing) have in common is the degree of mastery they demand. Becoming a chess grandmaster takes years of practice, to play against the best and win against the best.
However, while the “move space” on an 8x8 chessboard with six types of pieces counts millions of combinations, the hacking “move space” over an enterprise’s attack surface for an average hacker is 10 orders of magnitude larger.
Overcoming this challenge in every enterprise in the world requires something that can play like a chess player over 100,000 boards concurrently.
It’s the Era of Automated Pen-testing.
If we try to handle today’s cyber-crime with old-world physical processes and techniques, we end up with something ridiculous. We need to question the way we deal with cyber security, from floor to rafters.
Credential theft, social engineering, and cracking remain the prime avenues through which threat actors gain unauthorized access (yes, ‘hacking’) to services, data, and digital assets. While a minimum 8-character password with a capital letter, a number, and a special character MAY be a “safe” password, it often is not, and can be cracked faster than it took to grab a car stereo in the 90s.
Passwords need not just to meet minimum requirements but to be constantly challenged, as adversaries would challenge them. Password hash cracking should be made a common, daily security validation routine; that’s the only way to know.
Every year, new vulnerabilities are revealed. Some of them get exploited and add to the global ‘threat inflation’.
The count for 2020 reached 4,168 high-risk vulnerabilities, 10,710 medium-risk vulnerabilities, and 2,569 low-risk vulnerabilities, for a total of 17,447 recorded vulnerabilities, exceeding the 2019 total.
So we don’t need a fortune teller to tell us that this trend will continue into 2021. We need to think about what is fundamentally wrong with our Vulnerability Management practice and why, despite our investments, we continue to become more vulnerable. The answer lies in the way we prioritize these vulnerabilities: we can’t deal with thousands of critical and high-risk vulnerabilities, so we need to know which of them are actually exploitable and focus on just those. It’s possible.