According to BlackBerry Cylance research, pen tests regularly lead to the leakage of sensitive information. The company’s research team was able to find confidential information about air traffic control in a semi-public malware environment, among other things.
In the report, titled “Thin Red Line: Penetration Testing Practices Examined,” the researchers examined a series of pen tests of questionable reliability, along with the results of those tests. The report addresses a number of issues related to compliance with privacy and reliability expectations, as well as compliance with legal requirements and regulations such as the European GDPR.
Data breaches are commonplace
A case study on an Advanced Persistent Threat (APT) is used as an illustrative example in the research report. A security company from Brazil turned out to be behind this APT. According to the study, this company played a role in an air traffic control data leak. The report states that pen tests are sometimes as dangerous as actual threats. The study also shows that the exposure of customer data in semi-public databases is common; this is demonstrated by a test among 24 renowned companies that offer pen testing.
“Many of our findings are confrontational. However, we share this research to fuel the debate, as it contributes to better training for security researchers, pen testers and their customers,” says Kevin Livelli, Director of Threat Intelligence at BlackBerry Cylance. “We must hold ourselves responsible for providing the right support to those who need it, and in the end we must earn their trust too.”
“Over the past five years, there has been a huge increase in the number of parties offering offensive testing services worldwide. This ultimately leads to practices that can significantly compromise a company’s security,” reports Josh Lemos, VP Research & Intelligence at BlackBerry Cylance. “By publishing this report, we want security experts and their customers to think more critically about how pen testing can also have a negative impact on security. In this way, more guiding guidelines for activities such as data processing can be agreed upon, and awareness of whether or not hazardous testing practices are unintentional can also be raised.”

This news article was automatically translated from Dutch.