
Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results?

(Image credit: Startup Stock Photos / Pixabay)

According to a recent report from the software firm Nuix, 93 percent of ethical hackers said that following a penetration test, most clients would not fix some or all of the vulnerabilities identified. To many, this is an alarming statistic, but how surprising are findings like this, and how concerned should we be?

Penetration testing, the process of an ethical hacker seeking to identify and exploit vulnerabilities across networks, systems and applications, is vital for assessing the effectiveness of businesses’ cyber security. But what is it that is preventing organisations from fully embracing the resulting recommendations of an assessment? Cost? Lack of time or subject expertise?

Whatever the reasons, organisations cannot afford to view penetration testing as a tick-box exercise. How should they mitigate the fact that some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?

Can’t fix

First and foremost, we have to accept that some security vulnerabilities simply cannot be remediated. Vulnerabilities may be an inherent part of a product or its intended functionality. A good example is a system connected to specialist hardware, such as medical or industrial equipment, where the hardware vendor only supports a specific operating system version. In other instances, there may be exposures which don’t have a remediating patch from the vendor, leaving organisations powerless to directly address the risk. 

Won’t fix 

There are also vulnerabilities that could be fixed in theory but for various reasons aren’t. Where a risk presented by a vulnerability is not sufficient to justify the cost and effort of remediation, some organisations will simply ignore it, particularly if in-house IT resources are stretched. 

The likelihood of a company acting on the results of a pen test may also depend on their motivation for seeking one in the first place. Some organisations will solely view an assessment as a way to achieve compliance and since many standards only mandate the remediation of high-level risks, low-level exposures can often be disregarded. 

Don’t fix

It may come as a surprise but some vulnerabilities may not need to be fixed at all. Flaws that, in isolation, may be considered high risk, can often be mitigated by other controls. For instance, unpatched systems may be protected by other methods such as network separation and blocking inbound and outbound internet connections. 

In some instances, fixes can be perceived to do more harm than good. The reason that many organisations have avoided addressing the Spectre/Meltdown vulnerabilities is because of widespread accounts of patches causing CPU performance and stability issues.

The need to keep business-critical systems available for long periods of time may also limit the option to update them regularly. This is one of the reasons that the WannaCry ransomware was able to spread so quickly through the NHS.

Other common factors prohibiting risk remediation

The examples above cover the majority of common reasons why tackling vulnerabilities highlighted by penetration testing is not always clear cut. However, there are other factors influencing why vulnerabilities that could and should be fixed are sometimes ignored.

A common mistake that many companies make when commissioning a penetration test is to only budget for the assessment itself, not the associated remediation effort. They are then left in the uncomfortable position of leaving vulnerabilities unresolved, knowing that they could be exploited by a malicious attacker at any point.

There’s also the perennial issue of complex vulnerabilities being confused, misinterpreted or miscommunicated during the process. Pen testers will commonly score vulnerabilities based on metrics such as ease of exploitation, prevalence and impact to confidentiality. This is designed to help ensure that risks are widely understood, but in instances where risk and technical findings aren’t properly explained, some stakeholders across an organisation may struggle to gauge the potential impact to the business. If threats and vulnerabilities can’t be communicated properly to the highest decision makers within a business, then exposures are more likely to remain unaddressed.

How to get the most benefit from a pen test 

To get the most value from a penetration test, organisations should strive, as far as possible, to act upon all the ensuing recommendations. In an ideal world, every vulnerability should be fixed but as that’s not always feasible, mitigating controls, such as network monitoring and improving employee education, need to be considered. Decommissioning and replacing any out-of-date systems is also advisable.

Remediation should always be risk based. Businesses need to assess where they allocate their resources in order to achieve the best possible results. This means working closely with pen testers to identify the vulnerabilities that should be addressed and balancing this information against the cost, effort and risks associated with achieving effective resolution. Without this context, businesses risk spending time and money in the wrong areas.
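To make the risk-based approach concrete, here is an added illustration (not code from the article or from Redscan) that models the scoring metrics mentioned earlier (ease of exploitation, prevalence, impact), applies the compensating controls described under “Don’t fix”, and sorts fixable findings by residual risk reduced per day of effort within a fixed remediation budget. It sorts each finding into one of the article’s outcomes: fix now, accept with existing controls (don’t fix), or escalate (can’t fix or won’t fit this cycle). The findings, scores, thresholds and control-effectiveness figures are constructed sample values, not a published scoring standard.

```python
"""Risk-based triage of penetration test findings (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """A compensating control and the fraction of risk it is assumed to remove."""
    name: str
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully mitigates); assumed values


@dataclass
class Finding:
    ref: str
    title: str
    ease: int             # ease of exploitation, 1 (hard) .. 5 (trivial)
    impact: int           # impact to confidentiality/integrity/availability, 1..5
    prevalence: int       # number of affected assets
    effort_days: float    # estimated remediation effort (0 when nothing can be done)
    fixable: bool = True  # False = "can't fix": no patch or vendor constraint
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        # Base score from ease x impact, scaled up by how widespread the flaw is
        spread = 1.0 + 0.1 * min(self.prevalence, 10)
        return self.ease * self.impact * spread

    def residual_risk(self) -> float:
        # Each compensating control removes its share of the remaining risk
        risk = self.inherent_risk()
        for c in self.controls:
            risk *= (1.0 - c.effectiveness)
        return risk


HIGH_RISK = 15.0  # constructed threshold above which a finding needs action


def plan_remediation(findings: List[Finding], budget_days: float) -> Tuple[List[str], List[str], List[str]]:
    """Return (fix_now, accept_with_controls, escalate) lists of finding refs."""
    fix_now, accepted, escalate = [], [], []
    candidates = []
    for f in findings:
        residual = f.residual_risk()
        if not f.fixable:
            # Can't fix: tolerable only if existing controls bring it under threshold
            (accepted if residual < HIGH_RISK else escalate).append(f.ref)
            continue
        if residual < HIGH_RISK:
            # Don't fix (for now): compensating controls already cover it
            accepted.append(f.ref)
            continue
        # Rank remaining fixable findings by risk removed per day of effort
        candidates.append((residual / max(f.effort_days, 0.5), f))
    candidates.sort(key=lambda pair: pair[0], reverse=True)
    remaining = budget_days
    for _, f in candidates:
        if f.effort_days <= remaining:
            fix_now.append(f.ref)
            remaining -= f.effort_days
        else:
            # Won't fix this cycle: over budget but still high risk, so flag it
            escalate.append(f.ref)
    return fix_now, accepted, escalate


def sample_findings() -> List[Finding]:
    """Constructed findings loosely mirroring the article's scenarios."""
    return [
        Finding("F-01", "Unpatched SMB service on file servers", 5, 5, 12, 3.0),
        Finding("F-02", "Vendor-locked legacy OS on imaging workstation", 4, 5, 1, 0.0,
                fixable=False,
                controls=[Control("network segmentation", 0.7),
                          Control("no internet egress", 0.5)]),
        Finding("F-03", "Verbose server banner", 2, 1, 30, 0.5),
        Finding("F-04", "SQL injection in customer portal", 4, 5, 1, 5.0),
        Finding("F-05", "Outdated web framework behind WAF", 5, 5, 2, 2.0,
                controls=[Control("WAF virtual patch", 0.6)]),
        Finding("F-06", "Industrial controller with no vendor patch", 5, 5, 3, 0.0,
                fixable=False),
    ]


if __name__ == "__main__":
    fix, accept, esc = plan_remediation(sample_findings(), budget_days=6.0)
    print("fix now:", fix)            # ['F-01']
    print("accept with controls:", accept)  # ['F-02', 'F-03', 'F-05']
    print("escalate:", esc)           # ['F-06', 'F-04']
```

With a six-day budget the greedy plan fixes the widespread SMB flaw first, accepts the segmented workstation and WAF-fronted framework on the strength of their controls, and escalates both the unfixable controller (it has no controls yet) and the injection flaw that no longer fits the budget. The escalate list is the one that needs a decision from business owners rather than silent deferral.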

To help facilitate remediation, organisations should always check that pen tests conducted by an external contractor include an in-depth written report that not only outlines all vulnerabilities identified but any associated risks and actions.

Preparing adequate resources and processes to act upon the results of a pen test is also essential. As well as giving the testing team access to all security and information systems staff, businesses should also make it clear who is responsible for maintaining particular assets should any problems be identified. As a matter of good practice, organisations should also seek to nominate a main point of contact responsible for liaison with the testing team throughout the assessment process.

Commissioning regular assessments to identify new, as well as assess known, risks is also highly recommended. The tools, tactics and procedures used by criminal adversaries evolve quickly so vulnerabilities deemed low risk one year may be considered high the next.

Penetration testing is a hugely important part of every organisation’s cyber security. Businesses that recognise this, approach a pen test engagement with the right expectations and identify a partner that understands the latest threats and is capable of supporting long-term security goals will ultimately achieve the best return.

Mark Nicholls, Director of Cyber Security at Redscan


Mark is one of the UK's most qualified IT security professionals. With extensive experience of delivering cyber assessment services, Mark is responsible for Redscan’s offensive and defensive capabilities.