By Lisa Lupo
Professional hackers can compromise your system in less than 12 hours, but detecting a data breach takes an average of 250 to 300 days, if it is detected at all, according to The Black Report from the data security company Nuix. For the report, Nuix conducted a confidential survey of 70 professional hackers and penetration testers (pentesters) at DEFCON, the world's largest hacking and security conference.
Here’s what they said:
81% can identify and exfiltrate data in less than 12 hours.
88% can compromise a target in less than 12 hours.
50% change their attack methodologies with every target.
84% use social engineering as part of their attack strategy.
69% have almost never been caught in the act by security teams.
33% have never had their activities detected by their target organizations.
76% spend 1-10 hours per week researching security news and technology.
76% believe technical certifications are not a good indication of technical ability.
100% agree that once someone has accessed your data, it's gone for good; you cannot get it back.
Among the most effective countermeasures are:
36% endpoint security
29% intrusion detection and prevention systems
Activities noted as extremely important in prevention are:
52% employee education
37% vulnerability scanning
30% goal-oriented penetration testing
16% employee incentives
15% bug-bounty programs
Among the least effective:
42% data hygiene and information governance
22% everything: this group said no security countermeasure can stop them and that full compromise is only a matter of time.
REMEDIATION. Interestingly, even after a penetration test reveals vulnerabilities, organizations usually conduct only limited remediation, generally focused on critical- and high-severity findings. It is a statistic that exasperates pentesters: 64% stated that their biggest frustration is that organizations don't fix the things they know are broken.
“The Nuix Black Report illuminates the true nexus between attacker methodology and defensive posture; showing which countermeasures will improve security and which are a waste of money and resources,” said Chris Pogue, Nuix’s Chief Information Security Officer and co-author of the report.
“Readers will learn what is the best spend for their security dollar and, more critically, why,” he added.