Why Users Are a Top Threat – And Bug Bounties Fall Short

Bug-bounty programs live and die by their ability to target public-facing assets and then expose related vulnerabilities. But one asset is out of their reach, and it’s arguably the most dangerous to your network.

That asset: Your employees and network users. Yep, we said it. And yes, it’s frustrating. But it’s true. This often is an unexpected risk and one many organizations don’t take as serious as others. It’s a public-facing asset that bug-bounty programs aren’t able to target.

The threat of users – and how to address it

Users often are discounted as a public asset. The reasons are mixed, from personal bias to bug-bounty programs underselling it. But at the end of the day they’re one of the largest risks to your org. Whether it’s weak passwords, API key leaks or bad security hygiene, users regularly expose sensitive data to the world. These are almost always the most common issues that contribute to the compromise organizations’ networks.

Here’s why bug-bounty programs can’t tackle this issue:

• Lack of coordination between testers causes account lockouts and disrupts your business.
• These unknown testers get too much access to your network if they’re successful.
• Social engineering tests require a high-level of trust and coordination with testers.
• Bounty hunters are unknown actors (stranger danger!) vs. security professionals working for a trusted firm with a proven methodology.

The solution, though, is straightforward: Continuous penetration testing (CPT). That’s because with CPT, pros can constantly test your users to prevent issues and help refine your security awareness programs. To better understand the difference, read, "Bug Bounty vs. Continuous Pen Testing: Understanding the Basics."

A balanced approach to penetration testing

Web application testing is the cornerstone of offensive security operations. According to Rapid7's national exposure index in 2018, web applications are nearly three times more prevalent on the internet than any other service.

That’s splendid and compelling – until you dig deeper. Web applications often are low risk to an organization for several reasons:

• With firewalls and dynamic IP restrictions, organizations can make it difficult to successfully attack web applications.
• Modern web application frameworks are often mature enough to prevent the exploitation of the low-hanging fruit we used to see all the time.

For those reasons, focusing on web apps isn’t nearly as beneficial as focusing on your users.

A common scenario

Let’s take a look at an organization working with Sprocket’s continuous penetration testing program.

• The organization has a small attack surface, and its web applications are fairly secure.
• When we begin testing, no organizational web apps fall victim to exploitation that has significant impact. In other words, the web apps are secure.
• We then begin to password spray authentication endpoints. Within minutes we’ve guessed a user’s password and accessed a remote workspace suite provided to users. How to Defend Against Password Spraying.
• With credentials in hand, we escalate privileges and have full control of the domain within a few hours.
  
  

So let’s review ...

• With a bug-bounty program, your organization wouldn’t have seen any results, because it’s too risky to give random, unknown testers access to your network for the reasons mentioned earlier.
• But, with continuous penetration testing we can simulate real-world attackers, expose and ID authentication endpoints, test a broad range of public-facing assets and ultimately ensure your security awareness training programs are working how you intended.

Ultimately, continuous penetration testing provides more coverage and realistic testing for your network and organization. And you know who is testing your assets and when, meaning you have transparency and accountability essential when protecting your network.

If you want to learn more about continuous penetration testing, send me a note at contact@sprocketsecurity.com, any time.