The Hidden Costs of Neglecting Penetration Testing: 5 Real-World Examples

by John Svazic on 18 Oct 2024

The average cost of a cyber attack is about 4.4 million dollars.

In 2023, over 300 million individuals were affected by cyber-attacks worldwide.

Most cyber-attacks have major consequences. But in our work as penetration testers at EliteSec, we’ve found a major lack of preparation. One of the main factors is a lack of penetration testing.

That’s why we wrote this article detailing the hidden costs of neglecting pen tests, with examples of how some real-life cyber attacks could have been addressed with more thorough penetration testing.

The Unintended Cost of Neglecting Penetration Testing

Many companies have a reactive approach to cyber security and penetration tests fall pretty low on their to-do list. It’s only once an attack happens, either to them or to someone else in their industry, that they finally start thinking about taking extensive security measures.

But of course, this reactiveness creates several vulnerabilities:

You Become More Vulnerable to Cyber Threats

Let’s start with the most general case first. A lack of penetration testing will simply increase the chances of cyber attacks. Regular pen testing will keep you abreast of weaknesses in your security posture so that you can fix them. And unlike a vulnerability scan, a penetration test has testers trying to uncover new tactics to hack into your system, so it’ll put you ahead of the curve when it comes to trending threats.

The result of an attack can be a number of operational disruptions and legal fees, both of which hurt your bottom line.

Penetration testing also allows you to practice incident response. It’s a simulation of what a real attack would look like, and that will go a long way to helping your team react quickly and effectively in the event of a real attack.

Financial Impact

As we mentioned earlier, it’s fairly widely recognized that a data breach could cost you upwards of 4 million dollars.

This obviously depends on the size of your company, but the aftermath will prove costly. You’ll need to dole out money to cover forensic investigations into the extent of the damage. Moreover, you will likely need to hire lawyers to extricate you from the mess.

And if that wasn’t enough, the hit in reputation and loss of customers will impact your bottom line.

Your Reputation Suffers As Customer Trust Decreases

Aside from the immediate financial losses from losing clients, you’ll also find that a decreased reputation can have very negative downstream effects. Imagine that a client stays with you and 1 year later you need to raise your prices. The fact that they suffered from your security breach might cause them to see less value in your service, and consequently, they’ll be more likely to leave you. Not to mention, customer acquisition costs will rise for the exact same reason.

You Get Shut Down Due To Lack of Regulatory Compliance

In several industries, including finance, health, and government, you must adhere to strict regulations that require you to conduct penetration tests. Sometimes, they require you to test multiple times per year.

If you don’t show proof of having carried these tests out, you will likely face hefty fines and obstacles to your business operations. And of course, many customers who do their due diligence will ask about penetration testing too. Especially at the enterprise level.

You Have A False Sense Of Security

What’s the second-best way to feel good about your security posture?

Arguably, it’s to ignore it altogether. After all, the point of a penetration test is to identify weaknesses. But if you don’t know your weaknesses, you end up feeling a lot better about yourself. It’s hard to fear something when it’s not even on your radar.

Of course, that false sense of security can turn into arrogance. Did you know that 75% of cyber attacks start with an email? Training your employees to handle email phishing tactics is a significant component of a penetration test. That way, you keep your team alert.

You Suffer From a Competitive Disadvantage

Of course, downstream of all the discussion about damage to your brand is also a comparison between you and your competitors. For example, if security is critical to your offerings like it is for Fintech firms, then having an attack on your record will be a significant black mark. Making up for that against other companies will require you to be twice as vocal and proactive about cybersecurity as everyone else. So in the long run, avoiding a pen test will cost you more.

You could see it as a competitive advantage that everyone gains except you.

5 Cyber Attacks That Might Have Been Prevented With Penetration Testing

Equifax

As one of the world’s largest credit agencies, the Equifax hack made waves in 2017 when around 147 million individuals were affected. They hold valuable financial information, so the hack was particularly devastating both for Equifax’s customers and for Equifax itself.

Without a doubt, this is the type of company that a hacker would see potential in. Think of all the personal financial data!

How Equifax Got Exploited

Let’s run you through the timeline a little bit.

Back in March 2017, there was a vulnerability discovered in Apache Struts, a development framework that Equifax was running on its public servers. Fast-forward to mid-May and the Equifax hack happened because they failed to address the issue.

If this seems like a really simple mistake, that’s because it was. Even a novice hacker would have been able to exploit such an obvious issue. Both the issue and the patch have been publicly known since March 2017. Not to mention, the exploit happened on a public-facing server.

Where Pen Testing Might Have Helped

Interestingly, the process that the hacker likely used to identify vulnerabilities and exploit them is very similar to the white-hat tactics we use in pen testing.

More than likely, they used a scanning tool like nmap to discover which ports and services were open. Then, they would have probed for software and researched it to figure out which version was being used. At that moment, the hacker would likely have discovered Equifax was using an old version of Apache Struts.

Had Equifax conducted a comprehensive penetration test once in a while, this would all have been part and parcel of the process. A pen tester would have immediately updated to the new version of Apache Struts with the patch. And in case anyone was in doubt, they would have been able to demonstrate all the side effects too.

The Final Outcome

According to the FTC, the final settlement between Equifax and its customers was around $425 million for all those who were affected.

And when you consider that nearly half the population of the United States had their data affected by the breach, that figure actually seems quite low. Note that there were further costs, such as paying off regulatory fines and rebuilding security infrastructure.

Imagine trying to do business when 1 out of every 2 people knows that you’ve exposed their data somehow. It would definitely be a bit tougher to convince people to trust you.

Yahoo

Can one of the largest search engines on the internet get hacked? Yes, it can.

From 2013 to 2014, Yahoo suffered several data breaches which wound up affecting 3.5 billion different user accounts. Given how much information is handled on the platform, particularly via email, it was a prime target for a cyber attack.

How Yahoo Got Exploited

The number of accounts threatened was massive. The first attack happened in 2013 with 3 billion accounts affected and the second was in 2014 with 500 million accounts reached.

By the way, the origin of this attack was a single phishing click. Just one misstep sent all the dominoes tumbling. It’s an intimidating proposition for any company to consider.

So, how did that link get clicked on in the first place? It turns out that Yahoo didn’t adequately train their employees to avoid phishing attacks. We can guess that this employee’s knowledge of cybersecurity best practices was close to nil. And that’s on Yahoo for not focusing on education.

Where Pen Testing Might Have Helped

Social engineering is always a valuable tactic in a penetration tester’s arsenal. So aside from running complex programmatic attacks, pen testers will also use their creativity to get your users to do the things a nefarious actor would want.

In this case, a pen tester would have been able to detect the Yahoo employee’s lack of education merely by conducting a phishing attack of their own. It’s a pretty common way for pen testers to evaluate your team’s preparedness. After the fact, the tester can recommend the best course of action. It usually involves them sitting down with your team for a couple of hours once in a while and teaching them tips on how to manage their data effectively.

The Final Outcome

The impact on Yahoo was swift and drastic. Immediately following the first hack, they lost around 350 million dollars in the valuation of their stock. Moreover, they were later forced to pay out $117.5 million as part of a settlement to a class-action lawsuit brought against them. And if that wasn’t enough, the SEC fined them $35 million to boot.

Even down the line, Verizon had significant trouble acquiring Yahoo in 2017 due to the fallout of the attack. So if you’re considering selling your company in the future, you should pay attention to your security today.

Target

Target is one of the largest chain stores in the US, but after their hack in 2013, their profits fell by almost 50% in Q4 of that year. The hack affected around 41 million customers.

Since they’re such a large company, it’s no shock that Target processes millions of different customer interactions every day. And a large portion of them, even back in 2013, happened online. That’s what made them such a ripe… Target.

How Target Got Exploited

In this case, the attack was pretty sophisticated. Target got hacked in a 3rd party vendor attack.

Target’s HVAC vendor, Fazio Mechanical Services, had access to some of Target’s credentials. Cyber attackers leveraged phishing to obtain these credentials. The fault didn’t lie completely in Target’s hands.

Where Pen Testing Might Have Helped

As you can see, large companies have many attack surfaces. Fazio is hardly the only partner on their roster. More than likely, they have hundreds of partners they’re working with.

In penetration testing, part of our job is to take stock of every single attack vector possible. That includes listing 3rd party vendors (also known as subprocessors) and pen testing their software as well.

In fact, many regulations, including GDPR, require you to list all your subprocessors and potentially document whether you tested them. Situations like these are part of the motivation behind this.

So in this case, we would have focused mostly on “lateral movement” between different software in order to detect this type of attack. As professionals, this is part of our standard testing process, but it’s something that an IT department that doesn’t have familiarity with pen testing techniques might overlook.

The Final Outcome

As we mentioned earlier, the main financial outcome was that Target’s profits temporarily saw a massive dip. Things worsened further as their stock price fell 9% in the 2 months following the disclosure of the breach.

On the bright side, they only lost about 30 million dollars in settlements after class-action lawsuits. And Target is mostly still thriving as a brand today. Their exploit seems like a minor hiccup now in the grand scheme of things.

Adobe

Back in 2013, Adobe was the victim of a breach that affected 38 million of its users. While they aren’t transacting as much as the other companies we mentioned, they’re still holding sensitive data. After all, customers enter payment info, passwords, and personal information like addresses. It’s quite the bounty for a hacker.

How Adobe Got Exploited

It was a sophisticated attack. Hackers used the standard phishing tactic first. After sending phishing emails to various Adobe employees, they got malware downloaded onto those employees’ computers.

Once the hackers deployed the malware, they were able to exfiltrate Adobe’s customer data. Names, email addresses, credit card info, and encrypted passwords were all in play. Quite the disaster for all involved.

However, the story doesn’t end here. The hackers also took this chance to download Adobe’s source code for their popular software such as Acrobat, ColdFusion, and Photoshop. Think about the valuable intellectual property that was now no longer entirely theirs. It’s not unlikely that hackers could be eyeing your unique processes too, not just customer data.

Where Pen Testing Might Have Helped

Once again, a pen test would have helped uncover the employees’ lack of cybersecurity savvy. But that’s not all. Pen testing would also have looked at the ability of malware to move laterally throughout Adobe’s systems so that a strategy could be developed to clamp down on its spread.

Furthermore, a pen test would have investigated Adobe’s code repositories to see how they could best be secured against such lateral attacks. It’s good to institute extra barriers.

The Final Outcome

It’s little surprise that customers filed several class-action lawsuits. However, in total, they only amounted to a few million dollars.

The damage to their reputation was quite severe in the short run. But as we all know, Adobe is still a thriving company today. However, many larger customers with more sensitive info might think twice about working with their software from now on.

Marriott

Marriott is one of the world’s largest hotel chains. As they accommodate millions of guests every year, there are a lot of online bookings with personal details to be recorded. Beyond payment data, this can also include passport info.

Over the course of 4 years (2014-2018), cyber attackers repeatedly broke into Marriott’s guest reservation system and stole data. This case study is a bit of a lesson in complacency.

How Marriott Got Exploited

Basically, Marriott’s guest reservation system (called Starwood) was ripe for attack. Somehow, an unauthorized party found a backdoor and gained access to the system.

The issue was that the Starwood system was not native to Marriott’s network. Rather, they had acquired it a couple of years beforehand and had not brought its security up to standard with everything else.

Where Pen Testing Might Have Helped

Whenever one company acquires another, there is a mountain of tasks to be accomplished. For executives, a penetration test to verify that the new company’s software is secure might seem like a minor concern. However, major company transitions are one of the most critical times to consider penetration testing. It goes to show that there are many appropriate occasions for pen tests, not just over a set period.

What’s also clear to us is that because the attack dragged on for 4 years, it seems that Marriott’s cyber security team did not find it necessary to test the new software. As always, heightened awareness and taking inventory of critical software throughout the organization is a must.

The Final Outcome

We have an estimate for the full cost of the cyber attack and it’s not pretty. AIR Worldwide, a risk modeling firm, reported that the losses could range between 200 and 600 million dollars. That’s a huge dent in an industry with thinner margins than most.

You can also imagine that during that era (2014-2018) we saw the emergence of short-term rental platforms like Airbnb, directly at the expense of hotel chains like Marriott. Did this security breach influence people to stay away from their favourite hotels? We don’t have any data, but it’s clear that Marriott suffered from extensive reputational damage and loss of market share to Airbnb.

Don’t Follow In These Companies' Footsteps

In your position, you have the responsibility to take care of everyone touched by your company, from employees to vendors to customers. Each of them has a role to play in a cyber attack, and you need to make sure that you provide:

  • Education to your employees
  • Due diligence when evaluating the security of your vendors and collaborators
  • Peace of mind for your customers

In hindsight, all the cyber attacks we mentioned in this article were extremely avoidable. Your main enemy is carelessness. When done properly, proactive cybersecurity costs a lot less than an attack.

If you care about protecting your digital assets, why not sit down and discuss your security posture with us at EliteSec? We understand just how complex data can get and we’re willing to sort it all out with you over a free 30-minute call.
