Beginning in 2011, SecureState's Attack & Defense professionals began collecting attack vector data from all of the external and internal penetration tests that we have performed for our clients. External penetration tests are focused on an organization’s external internet perimeter and assets, while an internal penetration test focuses on an organization’s internal network. Typically, an external penetration test simulates an external attacker out on the Internet, while an internal penetration test simulates an insider, rogue employee or backdoor malware that has access to the organization’s internal network.
In this report, SecureState experts utilize their research from conducting hundreds of penetration tests in multiple industries to identify the top five attack vectors (also known as methods of compromise) that our penetration testers use during our assessments.These attack vectors are utilized by an attacker to exploit vulnerabilities in order to achieve a specific goal. For the majority of attackers, this goal is accessing some form of sensitive information or data sets. It is important for organizations to review these attack vectors to see where they stand in regards to defensive controls if an attacker targets them.This will help an organization to think proactively about building an overarching security program.