Cylance report looks into questionable pentesting practices

12 Aug 2019

BlackBerry has announced that new research from the BlackBerry Cylance Threat Intelligence Team has uncovered a trove of highly sensitive data.

Among the report's startling findings is confidential information detailing aspects of a country's civilian air traffic control system, discovered in a semi-public malware repository and apparently left there as a by-product of penetration testing.

In Thin Red Line: Penetration Testing Practices Examined, the BlackBerry Cylance Threat Intelligence Team sheds light on a range of questionable pentesting practices, by-products and outcomes.

The report raises critical questions about the industry's adherence to expectations of privacy and confidentiality, as well as compliance with legal and regulatory requirements such as Europe's General Data Protection Regulation (GDPR).

The report also includes a case study of an advanced persistent threat (APT)-like group that the research team found to be operating openly as a Brazilian security firm, and which is linked to the exposure of the sensitive air traffic control data.

This revelation is one of a number of findings in the report that demonstrate how the line distinguishing pentesting exercises from actual threat actor behaviour has thinned.

“Though many of our findings are uncomfortable, we are sharing this research in order to start a conversation we hope will help better educate security researchers, pentesters, and the clients they both seek to serve,” says BlackBerry Cylance threat intelligence director Kevin Livelli.

“We must hold ourselves accountable to each other and to ourselves to ensure that we remain good stewards for those who rely on our support - and be deserving of their trust.”

The research also explores the tradecraft of more than two dozen well-known companies offering pentesting services, from boutiques to blue chips, and finds widespread exposure of client data in semi-public repositories.

“Over the past five years the explosion of groups around the globe offering offensive testing services has led to practices that can materially compromise a company’s security posture,” says BlackBerry Cylance research and intelligence VP Josh Lemos.

“We want this report to help the security community, and the clients they serve, think more critically about how red teaming operations can impact security, agree to guiding principles for engagements such as data handling, and bring awareness to dangerous testing practices, inadvertent or not.”
