
“Boxers draw the biggest advantage from their sparring partners…”
– Epictetus, 50–135 AD
Hands up. Chin tucked. Knees bent. The bell rings, both boxers meet in the centre of the ring and circle. Red throws three jabs, feints the fourth, and bang, lands his right hand flush on Blue.
This is not Blue's first day, and despite a solid defence in front of the mirror, he feels the pressure. Something changed once he stepped into the ring: the variety of punches, the feints, the power, none of it like the drills with his coach. Is my defence good enough to hold up against this? he wonders. Do I even have a defence?
His coach reassures him.
The same holds in cybersecurity. An organization can have sound architecture, policies and controls in place, yet the smallest gap in its defences gives an attacker the opening to land a knockout punch. The only way to know whether you are prepared is to spar: to get in the ring and be pressured by a real opponent.
The difference between practice and a real fight
In boxing, sparring partners are plentiful. Fighters step into the ring every day to sharpen their skills against a live opponent. In cybersecurity, sparring partners are far scarcer. The closest equivalent is the penetration test, but in a typical organization a pen test happens at most a couple of times a year. Each one demands extensive preparation, a contract with an expensive specialist firm, and an environment frozen for the duration of the test. As a result, security teams often go months without facing genuine hostile activity. They are compliant, their hands are up and their chin is tucked. But are they resilient under attack?
The consequences of infrequent testing
1. Drift: the slow erosion of defence
When a boxer goes a few months without sparring, his instincts dull. He falls victim to what trainers call being "an inch off": he has the right defensive move, but he is an inch late or an inch wide, and he gets caught by a shot he knows how to block. In cybersecurity, the equivalent is configuration drift. Incremental changes to the environment, new users, assets that are no longer maintained, controls that nobody tunes any more, gradually throw the defences out of calibration. Over time, gaps appear, not because the defences are gone, but because they have fallen out of alignment with the environment they are meant to protect.
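The practical counterpart to noticing that you are "an inch off" is to diff the environment you actually have against the one you last validated. The script below is an added example for this article, not Pentera's tooling or code from the original page: it compares a constructed current inventory of users and hosts with a constructed approved baseline and turns the differences into prioritized drift findings. The field names (admin, mfa, open_ports, patched) and both inventories are assumptions chosen for illustration.

```python
"""Configuration drift: diff a current inventory against the last approved baseline.

Added example for this article, not Pentera's tooling. Both inventories below are
constructed sample data; the field names (admin, mfa, open_ports, patched) are
assumptions chosen for illustration.
"""

# Constructed baseline: the environment as it looked when it was last validated.
BASELINE = {
    "users": {
        "alice": {"admin": True, "mfa": True},
        "bob": {"admin": False, "mfa": True},
    },
    "hosts": {
        "web01": {"open_ports": [443], "patched": True},
        "db01": {"open_ports": [5432], "patched": True},
    },
}

# Constructed current snapshot after months of small, individually reasonable changes.
CURRENT = {
    "users": {
        "alice": {"admin": True, "mfa": True},
        "bob": {"admin": True, "mfa": False},          # privilege crept up, MFA dropped
        "svc_backup": {"admin": True, "mfa": False},   # new account nobody reviewed
    },
    "hosts": {
        "web01": {"open_ports": [443, 8080], "patched": False},  # extra port, missed patch
        "db01": {"open_ports": [5432], "patched": True},
        "jump02": {"open_ports": [22], "patched": False},        # asset missing from inventory
    },
}


def diff_section(baseline, current):
    """Return added/removed names and per-field (before, after) changes for one section."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        for key in sorted(set(baseline[name]) | set(current[name])):
            before, after = baseline[name].get(key), current[name].get(key)
            if before != after:
                changed.setdefault(name, {})[key] = (before, after)
    return {"added": added, "removed": removed, "changed": changed}


def detect_drift(baseline, current):
    """Diff every section present in the baseline against the current snapshot."""
    return {section: diff_section(baseline[section], current.get(section, {}))
            for section in baseline}


def drift_findings(baseline, current):
    """Flatten the diff into findings, worst first: new privileged access, weakened
    authentication and new exposure outrank assets that merely disappeared."""
    drift = detect_drift(baseline, current)
    findings = []
    for name in drift["users"]["added"]:
        acct = current["users"][name]
        sev = "HIGH" if acct.get("admin") else "MEDIUM"
        findings.append(f"{sev} user {name}: account not in baseline (admin={acct.get('admin')})")
    for name, fields in drift["users"]["changed"].items():
        if fields.get("admin") == (False, True):
            findings.append(f"HIGH user {name}: gained admin")
        if fields.get("mfa") == (True, False):
            findings.append(f"HIGH user {name}: MFA disabled")
    for name in drift["hosts"]["added"]:
        ports = current["hosts"][name].get("open_ports", [])
        findings.append(f"HIGH host {name}: unknown asset exposing ports {ports}")
    for name, fields in drift["hosts"]["changed"].items():
        if "open_ports" in fields:
            new_ports = sorted(set(fields["open_ports"][1]) - set(fields["open_ports"][0]))
            if new_ports:
                findings.append(f"MEDIUM host {name}: newly open ports {new_ports}")
        if fields.get("patched") == (True, False):
            findings.append(f"MEDIUM host {name}: no longer at patch baseline")
    for section in ("users", "hosts"):
        for name in drift[section]["removed"]:
            findings.append(f"LOW {section[:-1]} {name}: present in baseline, now missing")
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f.split()[0]])  # stable sort keeps grouping


if __name__ == "__main__":
    for finding in drift_findings(BASELINE, CURRENT):
        print(finding)
```

Run against the constructed data it reports six findings, four of them HIGH (an unreviewed admin account, a user who gained admin and lost MFA, and an untracked host exposing SSH). The point is the shape of the check rather than the field names: the baseline is whatever you last validated, the snapshot is whatever your inventory or CMDB exports today, and the diff is what a real attacker would find by looking at the live environment instead of the design document.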
2. Undetected gaps: the limits of shadow boxing
A boxer and his coach can only get so far with training alone. Shadow boxing and drills are useful, but a coach cannot call out mistakes he never sees, and drills cannot replicate the unpredictability of a live opponent. There are simply too many ways for things to go wrong. The only way a coach can truly assess his boxer is to watch him get hit and diagnose why.
Similarly, in cybersecurity, the attack surface is vast and constantly evolving. A point-in-time pen test cannot anticipate every possible attack vector or uncover every vulnerability. The only way to reveal the gaps is to test repeatedly against realistic attack scenarios.
3. Limited scope: the risk of partial testing
A coach needs to see his fighter tested against a variety of opponents. He may hold up fine against an opponent who mostly throws headshots, but what about body punchers and counter-punchers? Those may be where the weaknesses lie. If a security team only tests against certain kinds of threats and never broadens the scope, even well-protected systems are exposed through the weak entry points attackers will find. A web application may be secure, but what about leaked credentials or a neglected API integration?
Context matters when prioritizing remediation
Not every vulnerability is a knockout punch. Just as a boxer's individual style can compensate for a technical flaw, compensating controls in cybersecurity can reduce risk. Take Muhammad Ali: by textbook standards his defence was flawed, but his athleticism and adaptability meant opponents could not touch him. Likewise, Floyd Mayweather's low lead hand might look like a weakness, but his shoulder roll turned it into a defensive strength.
In cybersecurity, vulnerability scanners often flag dozens, if not hundreds, of findings. Not all of them matter. Every IT environment is different, and a high-severity CVE can be neutralized by compensating controls such as network segmentation and strict access policies. Context matters, because it separates what needs immediate attention from what does not.
The high cost of infrequent testing
The value of testing against a real adversary is nothing new. Boxers spar to prepare for a fight; cybersecurity teams run penetration tests to strengthen their defences. But what if a boxer had to pay tens of thousands of dollars every time he sparred? He would spar rarely, his learning would happen only in the ring, in the fight itself, and the cost of failure would be devastating.
This is the reality for many organizations. Traditional penetration testing is expensive, time-consuming and often limited in scope. As a result, many teams test only once or twice a year and go months without checking their defences. When an attack does come, the gaps are exposed and the cost is high.
Continuous adversarial testing
To truly strengthen their defences, organizations must move beyond rare annual tests toward continuous, automated testing that emulates real attacks. Such tools run adversarial activity against the environment, reveal the gaps, and provide actionable insight into where controls need tightening, how defences should be recalibrated, and which fixes to prioritize, at a regular cadence and without the high cost of traditional testing.
By combining automated security validation with human expertise, organizations can maintain a strong defensive posture and adapt to evolving threats.
Visit Pentera to learn more about automated pentesting.
Note: This article was written and contributed by William Schaffer, Senior Sales Development Officer at Pentera.