
Cylance report looks into questionable pentesting practices

12 Aug 2019

BlackBerry has announced that new research from the BlackBerry Cylance Threat Intelligence Team has uncovered a trove of highly sensitive data. 

Among a number of startling findings in the report is confidential information detailing aspects of a country’s civilian air traffic control system, found in a semi-public malware repository and the apparent by-product of penetration testing.

In Thin Red Line: Penetration Testing Practices Examined, the BlackBerry Cylance Threat Intelligence Team sheds light on a range of questionable pentesting practices, by-products and outcomes.

The report raises critical questions about the industry’s adherence to expectations of privacy and confidentiality, as well as compliance with legal and regulatory requirements, like Europe’s General Data Protection Regulation (GDPR). 

Included in the report is a case study of an advanced persistent threat (APT)-like group that the research team found to be operating openly as a Brazilian security firm that is linked to the exposure of sensitive air traffic control data.

This revelation is one of a number of findings in the report that demonstrate how the line distinguishing pentesting exercises from actual threat actor behaviour has thinned. 

“Though many of our findings are uncomfortable, we are sharing this research in order to start a conversation we hope will help better educate security researchers, pentesters, and the clients they both seek to serve,” says BlackBerry Cylance threat intelligence director Kevin Livelli.

“We must hold ourselves accountable to each other and to ourselves to ensure that we remain good stewards for those who rely on our support - and be deserving of their trust.”

The research also explores the tradecraft of more than two dozen well-known companies offering pentesting services, from boutiques to blue chips, and finds the widespread exposure of client data in semi-public repositories. 

“Over the past five years the explosion of groups around the globe offering offensive testing services has led to practices that can materially compromise a company’s security posture,” says BlackBerry Cylance research and intelligence VP Josh Lemos.

“We want this report to help the security community, and the clients they serve, think more critically about how red teaming operations can impact security, agree to guiding principles for engagements such as data handling, and bring awareness to dangerous testing practices, inadvertent or not.” 
