Horizon3.ai: Penetration testing capacity doubled due to NIS2
- Bild-Infos
- Download
· Increased demand for penetration testing ahead of the imminent entry into force of NIS2
· Dennis Weyel, Head of Europe: “Companies recognise that a penetration test is the best proof of compliance”. A penetration test is a simulated cyberattack on a company's own computer network.
· Horizon3.ai operates NodeZero, one of the world's recognised penetration testing platforms, in the EU.
Frankfurt am Main, October 9 2024 – Cyber security firm Horizon3.ai has reportedly doubled its penetration testing capacity in Europe. According to Horizon3.AI Europe GmbH, based in Frankfurt am Main, the company is expanding its services in response to a surge in demand following the imminent implementation of the Network & Information Security (NIS2) regulation in the European Union. "From our many conversations with customers, it is clear that a lot of organisations have only recently realised that a penetration test is the best and probably legally the only way to provide binding proof of compliance with NIS2," says Dennis Weyel, International Technical Director responsible for Europe at Horizon3.ai.
In a penetration test (industry jargon "pentest"), the company's own computer network is deliberately attacked on behalf of the company to assess its cyber resilience. "One can imagine a pentest as a large-scale and highly sophisticated cyberattack, but unlike a real attack by criminals, the company has it under control," explains Dennis Weyel regarding the approach. Horizon3.ai operates one of the world's most comprehensive pentesting platforms, NodeZero, at its location in Frankfurt, which is made available to organisations and public institutions through partners known as Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
Through the expanded NodeZero capabilities, both IT networks on-site in companies (on-premise) and configurations in common cloud environments like AWS or Azure can undergo a security assessment, reports Horizon3.ai. The provider has introduced its own solution called "NodeZero Cloud Pentesting" shortly before the NIS2 obligation comes into effect, which helps companies identify and remediate complex exploitable vulnerabilities and hidden attack paths in their cloud environments.
ECB as a Pioneer for Pentesting in Europe
In Europe, the concept of pentesting has been significantly advanced by the European Central Bank (ECB) for the financial sector. This year, the ECB is subjecting over 100 banks in the EU to a penetration test, which it refers to as a "stress test for cyber resilience." With the announced EU directive NIS2, which is set to come into effect soon, the concept of penetration testing as the ultimate assessment of cyber resilience is being expanded beyond the financial sector to numerous other industries classified as Critical Infrastructures (KRITIS). The affected sectors include energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing and distribution, production and manufacturing of medical devices, machinery and vehicles, as well as electrical/electronic devices, digital providers, and research.
NIS2 not only affects the critical infrastructure (KRITIS) companies themselves but also their suppliers, customers, and other business partners. Dennis Weyel notes, "The demand for pentesting has dramatically increased not only in the EU but also in North America and Asia, because many companies based there count EU-based companies among their clients as part of international supply chains. Any attack on a business partner can directly impact all connected companies."
A Pentest as a Litmus Test for Cyber Resilience
According to Horizon3.ai, during a penetration test using NodeZero, all connected devices, machines, and systems are enumerated, then checked for security vulnerabilities. “Outdated software in devices outside the core network is one of the most common entry points for cybercriminals,” says Dennis Weyel. He cites examples such as cash registers, surveillance cameras, printers, CNC machines, manufacturing robots, and building automation. Following the principle that “a chain is only as strong as its weakest link,” NodeZero examines all these components as part of a penetration test to ensure a seamless security chain and to point out vulnerabilities that should be addressed as quickly as possible, for example through a software update.
According to the platform operator, a penetration test using NodeZero not only uncovers technical vulnerabilities but also human weaknesses that jeopardise the security of the corporate network. Horizon3.ai claims to rely on social engineering for this purpose, for example, checking whether security-related passwords can be derived from employees’ social media activities. “If an employee combines the name of their pet, which they regularly post about, with their own birth date to create a password, then the security of the corporate network is not in good shape,” gives Dennis Weyel as an example, adding: “NodeZero identifies such human security risks during a simulated attack that would never be detected through the mere use of defensive software.”
The International Technical Director responsible for Europe at Horizon3.ai explains the difference between offence and defence in this context: “In most companies, dozens of programs are running to fend off cyberattacks, and that’s a good thing. However, it is equally necessary to regularly check, through penetration tests, how well this defensive software actually holds up against different attack scenarios. This litmus test for cyber resilience is mandated by NIS2.” In the case of phishing, one of the most common attack forms using social engineering, where an employee is lured into clicking a toxic link, NodeZero aids in subsequent containment by helping organisations minimise the permissions that an individual employee has in the corporate network to what is necessary for their job. Therefore, if a single account is hacked, the attackers still cannot access the entire network.
Dennis Weyel draws a connection to politics: “EU bureaucracy may seem exaggerated in many areas, but with NIS2, the EU has established a level of security that is undoubtedly urgently needed, as it turns attack scenarios into the ultimate test of cyber resilience. In this case, politics is indeed ahead of the economy, as the current rush for NodeZero can only be explained by the urgent backlog in many companies.”
Horizon3.ai gives priority to companies that belong to the KRITIS core group, such as hospitals or energy suppliers. "We have set up a fast lane for critical infrastructure operators," says Dennis Weyel. He gives two examples to illustrate the prioritisation: "A cyberattack on a hospital, for example, could be a matter of life and death. A widespread power outage could potentially affect thousands of households."
Establish a Monthly Pentesting Routine
According to its own statements, Horizon3.ai has prepared for a further expansion of the NodeZero capabilities. The platform operator does not fear overcapacity. "A test per month is certainly not excessive considering that over 1,600 new vulnerabilities are uncovered monthly in Europe, with almost a third being classified as critical or high risk," says Dennis Weyel, providing a benchmark for NIS2 compliance*. His personal recommendation: one test run per week. He points to statistics showing that more than 60 new potential entry points for cybercriminals are discovered daily.
Since NodeZero conducts all security checks autonomously from the cloud, the personnel and financial costs for the companies being audited are low, he points out. “Every medium-sized company can and should subject its cyber resilience to a penetration test at least as regularly as it pays the monthly rent for its office space,” recommends Dennis Weyel, “because the consequences of neglect can be equally serious: without rent, the company loses its home base as a foundation for functioning business operations; in the event of a cyberattack, its technical and organisational functionality, including all operational processes, data, and business secrets, are at risk. Additionally, there is personal responsibility all the way up to the board of directors or management, not only with regard to state agencies in terms of NIS2 compliance but also to shareholders, business partners, and, in the event of data theft, customers.”
* https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024
About Horizon3.ai: Horizon3.ai's NodeZero™ Autonomous Security Platform offers integrated threat detection, autonomous pentesting, third-party risk management, and comprehensive governance, risk, and compliance (GRC) insights. It enhances organisational security by proactively identifying and remediating exploitable vulnerabilities, while strategically deploying deception and threat detection through NodeZero Tripwires™. Founded in 2019 by former industry leaders and U.S. National Security veterans, Horizon3.ai is at the forefront of cybersecurity innovation. Request a free demonstration at: www.horizon3.ai. Follow Us: Horizon3.ai: LinkedIn and on X, formerly known as Twitter.
Trademark notice : NodeZero is a trademark of Horizon3.ai
Further information: Horizon3.AI Europe GmbH, Sebastian-Kneipp-Str. 41, 60439 Frankfurt am Main, Web: www.horizon3.ai
Media Contact: euromarcom public relations GmbH, Web: www.euromarcom.de, Email: team@euromarcom.de
- - - -