November 13, 2019

Last Updated on January 19, 2024

One of the challenges of my job is about once every five weeks or so our marketing director shakes me down for a blog topic. If I don’t have one in mind he tries to brainstorm with me. “What’s going on in your practice that’s new or interesting?” he always asks.
You might think conducting penetration testing and vulnerability assessments would make an exciting reality TV show. On the contrary, notwithstanding occasional surprises, it’s pretty mundane: we probe for vulnerabilities and we find them.
Most of the time we uncover well-known issues that our clients’ IT staff should have patched, tried to patch and thought they did patch. Only they missed some spots.
Like stitching up a patient after abdominal surgery, “missing some spots” isn’t good enough in patch management. It leaves holes that hackers will readily find and infiltrate.
For example, the Windows operating system vulnerability exploited by the devastating WannaCry ransomware attack of May 2017 was patched by Microsoft before WannaCry was even unleashed. But many, many organizations failed to implement the patch in time.
Two years later, the malware is still circulating and I still find that vulnerability frequently—maybe not across all 40 systems in the client’s environment, but on 3 or 4. One is all it takes…
Where many patch management programs fall short is on checking and verifying that patches have been correctly and consistently applied and are active on all systems. If the patch didn’t work, you need to come up with a method for fixing that.
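The verification step described above, as an added example that is not code from the original post or from Pivot Point Security: a PowerShell script that checks every host in an inventory for a given Windows update and separates "installed" from "installed but not yet active" (reboot still pending), "missing" and "could not verify". The KB identifier and host list are placeholders the operator supplies (the post names no KB number); it assumes WinRM is enabled on the targets and the caller has administrative rights on them.

```powershell
# Added example, not code from the original post or from Pivot Point Security.
# Verifies one Windows update across a host list and reports four states:
#   Installed      - the KB is in the host's installed-updates list and no reboot is pending
#   PendingReboot  - installed, but the host still needs a reboot, so the fix is not active yet
#   Missing        - the host answered but the KB is not installed
#   Unreachable    - the host could not be queried (unverified, never assumed patched)
# Assumptions: $KbId and $ComputerName are placeholders supplied by the operator;
# WinRM is enabled on the targets and the caller is an administrator on them.

param(
    [Parameter(Mandatory = $true)]
    [string]$KbId,                  # e.g. 'KB0000000' (placeholder, not a real identifier)
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerName,        # hosts to verify, e.g. exported from AD or a CMDB
    [string]$ReportPath = ".\patch-verification-$KbId.csv"
)

# Registry keys Windows creates while a servicing or Windows Update reboot is outstanding.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Pull the whole installed-updates list and filter locally: absence of the KB
        # then means "not installed", while any exception means "could not verify".
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $match = $installed | Where-Object { $_.HotFixID -eq $KbId }

        if (-not $match) {
            [pscustomobject]@{ Computer = $computer; Status = 'Missing'; InstalledOn = $null; Detail = '' }
        }
        else {
            # Installed is not the same as active: check whether a reboot is still pending.
            $pending = Invoke-Command -ComputerName $computer -ArgumentList (,$rebootKeys) -ScriptBlock {
                param([string[]]$keys)
                ($keys | Where-Object { Test-Path $_ }).Count -gt 0
            }

            [pscustomobject]@{
                Computer    = $computer
                Status      = if ($pending) { 'PendingReboot' } else { 'Installed' }
                InstalledOn = $match.InstalledOn
                Detail      = ''
            }
        }
    }
    catch {
        # An unreachable host goes on the follow-up list; it is not counted as patched.
        [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'; InstalledOn = $null; Detail = $_.Exception.Message }
    }
}

# Keep the full record for the remediation tracker, then summarise on screen.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Everything that is not 'Installed' is still remediation work, not a finished patch cycle.
$results | Where-Object { $_.Status -ne 'Installed' } | Format-Table -AutoSize

# Usage (placeholder KB and a hosts.txt you maintain):
#   .\Verify-Patch.ps1 -KbId KB0000000 -ComputerName (Get-Content .\hosts.txt)
```

Two caveats for using this in practice. Get-HotFix reads the Win32_QuickFixEngineering list, which only records updates applied through Windows component servicing, so a fix delivered by another installer will not appear there; and on current Windows releases the original KB is usually superseded by a cumulative update, so check for the cumulative update that contains the fix. A vulnerability scanner that inspects file and build versions is the right complement to this inventory check, not a replacement for it.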
Likewise, the point of a pen test or vulnerability assessment is so you can remediate the vulnerabilities once they’re revealed. They shouldn’t still be there a year later when we do the client’s next annual pen test. Yet they often are.
If a managed service provider (MSP) manages all or part of your IT environment, they can participate in the readout call where we discuss results so they are aware of what they need to remediate.
If you think your organization could benefit from a vulnerability assessment or penetration test, contact Pivot Point Security. We are an industry leader in this space. If you’re not sure what kind of testing you need, we can point you in the right direction.