Technology

• Google has announced the best 10 apps of 2024
• There's a mixture of free and paid-for services
• Some of the streaming services aren't what we'd pick

Google has crowned its best apps of 2024 – the Android apps it believes are the crème de la crème of the Play Store's software catalog.

They cover a wide range of use cases (though there are three streaming services) and are worth checking out if you're looking for tools to make your life a little easier in areas ranging from managing your health to finding new friends.

Without further ado, these are Google's favorite apps of the year.

1. Best app overall: Partiful

Partiful is the self described “ultimate tool to create, manage, and share events.” You can use it to create engaging event pages and invites as you’d expect, but guests can use the app not only to RSVP but to add comments and photos from the event.

With extra added tools like the ability to make polls, send party-wide messages, and ask guests to help chip in to cover costs it looks like a one-stop shop for your party planning needs – and just the sort of thing my partner and I have been looking for to help with our wedding planning.

2. Best multi-device app: Max

Clearly the folks at Google are fans of The Penguin, as the Max streaming service has been labelled as the best multi-device app.

Whether you're streaming on a phone tablet or Google TV, the best Max shows and best Max movies are all fantastic, even if for us it isn't the best streaming service of 2024 – Netflix takes that crown.

3. Best for Personal Growth: UpStudy – Camera Math Solver

AI tools can now scan your math equations and help you solve them, and while it makes your homework a breeze you won’t understand the subject any better than you did before. That’s where UpStudy hopes to come in.

Rather than telling you the solution, UpStudy will give you a step-by-step explanation so that you can actually understand the problems. What’s more you can firm up your knowledge with quizzes on topics across mathematics, chemistry, physics and biology.

4. Best for Fun: Mila by Camilla Lorentzen

(Image credit: Mila)

This fitness app looks to offer an engaging accessible workouts, letting you choose a routine to suit your mood and ability across yoga, HIIT, strength, cardio and more. If you’ve been struggling to stay motivated with other workout programs this could be the one you’ve been looking for

The only thing to note is while there is a 7-day free trial you'll need to pay to keep using Mila after that, with a subscription costing $9.99 / £7.99 a month or $99.99 / £79.99 a year.

5. Best Everyday Essential: MacroFactor – Macro Tracker

Tracking food, be it for calorie counting or when you’re trying to gain muscle, can be a challenge. MacroFactor aims to make this easier with easy food scanning, weekly check-ins to help you stay on track, and a “unique coaching algorithm” which apparently adapts to your metabolism to offer you a personalized macro program.

Like Mila above this tool offers a short free trial, but then it’s a paid service at $11.99 / £9.49 per month or $71.99 / £71.99 per year.

6. Best Hidden Gem: Timeleft

(Image credit: Shutterstock / Ground Picture)

Timeleft looks like an interesting one for people who are new to a city and want to build a group of friends, or who want to expand their social circle where they already live. Timeleft sorts its users into weekly six person groups who meet up each Wednesday at 8pm at a random restaurant for dinner. When you sign up you complete a personality test, with the app then promising to book you a table with people it thinks you’ll click with.

You’ll be served information on the group before you arrive, and a batch of ice-breakers to help you settle in for an evening together, and when you leave you can rate your guests to judge the apps’ matches and reach out the people for 1:1 chats if you’d like to organize a non-Timeleft dinner.

Just note that it’s not available in every city, and it's also not for picky eaters, as you can't choose your restaurant.

7. Best for Large Screens: Infinite Painter

Whether you’ve got a tablet or foldable phone – like the Galaxy Z Fold 6 or Google Pixel 9 Pro Fold – Google thinks the best Android app for you will be Infinite Paper – a robust drawing tool for digital artists.

It features on our best drawing apps of 2024, so we agree that it’s a solid pick for mobile creatives. It has free and paid tiers too, so you can try it before you commit to paying for it.

8. Best for Watches: Baby Daybook – Newborn Tracker

(Image credit: Baby Daybook)

If you’re stressed about tracking your new baby’s schedule – when they sleep and eat, outdoors time, and everything else a baby needs – Baby Daybook pitches itself as your perfect tracker. There's a free version, though if you pay to go premium you unlock useful tools like the ability to share your schedule with other users.

9. Best for Google TV: Peacock TV: Stream TV & Movies

Another streaming service has made it onto the list with Peacock TV. Amid the noise of the best streaming services it’s easy to miss a few, but Peacock is home to several gems like horror series Hysteria and mystery thriller Found, as well as better-known NBCUniversal content like Parks and Recreation, Ted, and The Traitors.

Again, it’s not among our picks for the best streaming services out there, but Peacock’s selection of shows and films could make it a great pick for you.

10. Best for Cars: PBS KIDS Video

(Image credit: PBS)

The last app of the list, and the last streaming service. This safe, educational platform is jam- packed with PBS content for children, including over 600 full episodes that you can watch whenever you want – you can even download them to view offline – including fan favorites like Sesame Street and Curious George.

Content can be viewed in English or Spanish, but this app is unfortunately only available in the US due to licensing restrictions.

You might also like

• Android phones are copying the iPhone 16 camera button
• The best mobile phones for photography
• Android 16 is coming sooner than we thought

• Samsung has announced a new kind of telephoto camera design
• It helps telephoto cameras combine bright apertures with slim designs
• This is particularly beneficial for low-light portrait photos

The world's best camera phones have improved their telephoto cameras greatly in the past few years, but Samsung has just revealed a new technology that could boost their performance while keeping its phones acceptably slim.

Announced in a blog post on Samsung's Semiconductor website (spotted by Android Authority), the so-called 'ALoP' technology reshuffles the layout of Samsung's current periscope camera design.

The main benefit is creating space for lenses with brighter maximum apertures (which theoretically means less noise in low light) without increasing the size of the camera bump. Currently, the lenses inside Samsung's 'folded' telephoto camera module sit vertically in line with the phone's body. The downside of this setup is that adding a wider lens makes the camera bump thicker.

Instead, the 'ALoP' (or 'All Lenses on Prism') system places the lenses horizontally (much like a traditional camera lens) to the rear of the phone, with the prism then reflecting that light up to the camera sensor. This means a wider, brighter lens could be added without making the phone feel like a ridiculous Energizer phone.

Still, while that is a promising development, we shouldn't expect physics-busting miracles. Samsung says the 'ALoP' system creates enough room for an f/2.58 aperture at a focal length of 80mm.

That's a 3x telephoto camera and a fairly bright one at that, beating the f/2.8 aperture of Apple's 77mm telephoto in the iPhone 15, but still well short of the finest f/1.2 portrait lenses seen on the best professional cameras. Still, as Samsung says, the system would still promise "low-noise portrait images in night shots", which is one of the most popular photographic genres for smartphones.

Room for two periscopes?

Samsung's new 'ALoP' system promises to take up much less space inside a smartphone, leaving room for other camera optics or components. (Image credit: Samsung)

Given the apparent space savings of Samsung's 'ALoP' design, a more radical improvement could be the inclusion of two periscope telephoto cameras in a future Galaxy phone.

Earlier this year, the Oppo Find X7 Ultra became the first phone to offer dual periscope cameras – and while the Samsung Galaxy S25 Ultra is expected to pack in both a 3x telephoto and 5x telephoto, this new design could create enough space for some even more impressive optics.

There's a strong argument that a good 3x telephoto camera is more useful for most people than the 5x or 10x options we've seen in recent years. A 3x lens has a focal length that's somewhere in the 75mm-80mm range, which is where a lot of pros shoot portraits – the focal length creates natural bokeh while still being relatively flattering to subjects.

So if Samsung can improve the quality of its 3x periscope systems with this new 'ALoP' system, while leaving enough room for the inclusion of those longer 5x or 10x telephoto cameras, it could create a well-rounded camera phone with few weaknesses.

Samsung calls ALoP a "future telephoto camera solution" with no hints of an expected launch date, but the publication of the info suggests we could see it in a 2025 phone.

You might also like

• The Samsung Galaxy Camera at 10: why I'd love to see this lost classic reborn
• Samsung Galaxy S24 Ultra's 5x zoom camera is not the disaster I thought it would be
• Samsung Galaxy S25 Ultra – 5 of the biggest expected upgrades

One person has died in connection with the outbreak, the CDC says.

• Jen Easterly will vacate her post as Director of CISA before Trump comes into office
• The future of CISA is uncertain under Trump, who has criticized the department in the past
• There's no news yet on Easterly's successor

The Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, is set to vacate her post before President Trump returns to office on January 20 2025, throwing the future of the agency into doubt.

CISA is responsible for critical infrastructure protection and improving the US government’s protections against cybercriminals and state actors, who are increasingly targeting American agencies in order to exfiltrate data and disrupt services.

Easterly held a number of security positions before taking the post as Director of CISA, such as senior director for counterterrorism on the National Security Council and Global Head of Cybersecurity for Morgan Stanley. Her departure leaves the fate of the agency uncertain.

Slash and burn

Given the number of eyebrow-raising proposed cabinet appointees by the Ppresident-elect, it's difficult to predict who might fill the position in 2025 and beyond.

CISA was created during Trump’s first term, but his consistent commitment to deregulation could limit the agency’s ability to enforce compliance with cybersecurity standards.

Following the narrow senate election win for the Republican party, senator Rand Paul is set to take over as chair of the Senate Homeland Security and Governmental Affairs committee, which will oversee CISA. Paul, a staunch libertarian and critic of CISA, previously accused the agency of infringing on free speech as part of its effort to counter digital disinformation.

Trump is likely to boost military spending in his second term, but most other agencies face seriously slashed budgets in the coming years. Although under the defense umbrella, cybersecurity will likely be amongst those to lose out on funding.

Governments across the globe are facing a dramatic surge in cyberattacks, with Government organizations seeing a 236% increase in malware attacks, so cybersecurity will be a key consideration for the foreseeable future.

Via NextGov

You might also like

• Take a look at our pick of the endpoint protection software
• Hackers are spreading QR code malware through...the post?
• Check out our choices for best malware removal software around

Google Lens will also show you reviews from other customers, so you can make "confident" shopping decisions.

Let's debunk the worst home safety misconceptions that too many homeowners still fall for.

I always thought I was into big, bold smartwatches. Then I met the new Apple Watch.

• Some users have spotted YouTube Music's 2024 Recap in the streaming service
• A user shared screenshots to Reddit, suggesting that this year's music roundup could come earlier
• There's still been no word from Spotify on when Wrapped 2024 will drop

It’s getting to that time of year when music enthusiasts are patiently waiting for their yearly roundups from the best music streaming services and, as usual, details of Spotify Wrapped 2024 are very much hush-hush. However a few lucky YouTube Music subscribers have already spotted its 2024 music recap, which could point to an early release date and beat Spotify to the punch.

While YouTube and Google have yet to make an official announcement, Android Authority first reported that YouTube Music’s 2024 Recap seems to have been rolled out to very few lucky users - one of whom shared with the YouTube Music subreddit. In the Reddit post, the user attached two images (see below) with one showing their top five artists and tracks of the year, as well as their total minutes listened, and the other with their top five albums of the year.

Got my yearly recap from r/YoutubeMusic

Since YouTube Music took a different approach with its yearly recaps in 2022, the music streaming service has always looked to the end of November for its official launch date, landing on November 29 in 2022 and November 30 in 2023. Therefore, we’re still about a week and a half off, but by the looks of its early drop for some subscribers it could be that YouTube Music will treat us to an early annual music roundup.

What does this mean for Spotify Wrapped 2024?

There’s no doubt that Spotify Wrapped is one of the most recognized yearly recaps out of Apple Music, Tidal, and YouTube Music. But as far as its launch date goes, or even the features it may include, Spotify thrives off of the ambiguity and speculation about Wrapped. We still don’t know exactly when it will drop (my guess is the first week of December), but hopefully Spotify has seen that YouTube Music is teasing its yearly recap and will start to drop more hints.

You might also like

• Spotify makes it clear: it cares more about video podcasts than launching its long-awaited lossless HiFi tier
• I changed this one small Spotify feature and it made my music sound dramatically better
• My top 5 tips to make more of your Spotify playlists – and trust me, I'm a playlist obsessive

Count on appearances from Roman Reigns, John Cena, CM Punk and a few surprises.

Listening to your own voice saying words you’ve never said before is an unsettling experience, but in the AI future which we’re living through right now in 2024, it’s almost unsurprising. Of course, AI can now clone your voice and make it sound just like you! It’s almost expected, isn’t it?

What is surprising, to me at least, is how easy it is to do. You can access an AI voice cloner for free online, and clone your voice, then get it to say anything you want in just a few minutes. The training takes just 30 seconds, then you’re good to go. There are no real security checks or restrictions on what you can do with that voice once you’ve trained it either. So, you could make it swear, or threaten somebody. There seem to be hardly any guardrails.

Who's that voice?

If you type in ‘AI Voice Cloner’ into a Google search bar you’ll be spoiled for choice. A lot of the voice cloners require you to sign up for a monthly fee before they will clone your voice, but quite a few of them have a free option. I tried a few of the free choices and some of them, despite promising unparalleled accuracy, produced a robotic version of my voice that was going to fool nobody. No, I had a higher goal in mind: I wanted to produce a clone of my voice that would fool my wife.

I eventually settled on Speechify to clone my voice, since it combined ease of use, full access to the voice cloner, and a 30-second training time. Once you’ve made a free account on Speechify you simply talk to your microphone for 30 seconds or longer to train your AI voice. Once you’ve done that you can type in some text and hit the Generate button to hear the words spoken back to you in your own voice.

If you're concerned about security, Speechify has a pretty detailed privacy statement, and it does say that it will never sell your information and is committed to protecting the privacy of your data. So, your uploaded voice should be for only you to use.

I thought what I created was pretty convincing, but I needed to see what my wife thought. I crept up behind her and played a sample clip of ‘me’ and… well ok, she laughed because she could tell it was coming out of my MacBook’s speakers, but she was impressed. "Actually”, she said, “I think it sounds like you, but better”.

And that is the benefit of cloning your voice. It doesn’t make mistakes when it talks. There are no ‘ums’ and ‘ahs’ and it gets everything right the first time. If I think about how many times I’ve had to record and re-record the intros to my podcasts because I couldn’t get it quite right, I can see an obvious application for an AI voice cloner. But that’s also a danger in AI voice cloning because you can get the fake voice to say just about anything.

Daisy, the AI granny, was an AI voice created to trap scammers into long and fruitless phone calls. (Image credit: O2 Virgin Media) Voices from the beyond

While scams that involve stealing your voice are one level of concern, the security implications have ramifications that go even beyond the grave. Recently the legendary late British talk show host, Michael Parkinson, surprised everybody by announcing that he was launching a new podcast called Virtually Parkinson. Thanks to the miracles of AI his voice would be interviewing people in real time once again. In Parkinson’s case, his estate is fully behind the podcast, but what if permission has not been given?

David Attenborough, the grandfather of the BBC’s natural history programming recently expressed unease at an AI version of his voice, describing it as "disturbing". We live in an age where AI can create podcasts without any human interaction and even AI sports presenters are starting to appear. So, in a way, we shouldn’t be surprised that it’s so easy for AI to clone our voices, but the implications could be profound.

With AI giving celebrities (or rather, their estates) the option to continue working long after they have shuffled off this mortal coil, the future for both celebrities and individuals suddenly seems very uncertain.

You might also like...

• AI and automation "could cause IT service desks to go extinct"
• Daisy the AI grandma is here to answer calls from scammers and waste their time
• Rising AI threats are making firms turn back to human intelligence

The company long considered developing a branded TV but switched efforts to a set-top box.

• Security researchers discover ad campaign for a piece of fake software
• Software was advertised as an AI-powered photo and video editor
• In reality, it was distributing the AMOS and Lumma Stealer malware

Hackers are hiding infostealers and other malware behind fake AI-powered photo and video editors, experts have claimed.

A cybersecurity researcher alias g0njxa found a socail media advertising campaign promoting the malware, posing as a fake editor called EditPro, and propped up an accompanying website editproai[dot]pro.

Then, they created deepfake videos of Presidents Trump and Biden enjoying ice cream together, and used them in ads posted on social media sites such as X. The fake editors were built for both Windows and macOS, but anyone who falls for the trick and downloads the program, will end up installing either Lumma Stealer or AMOS.

Lumma and AMOS

Lumma Stealer is a malware-as-a-service (MaaS) tool designed to steal sensitive information, including login credentials, cookies, browsing history, credit card data, and cryptocurrency wallet details.

The malware employs sophisticated techniques like process injection and encrypted communications with command-and-control servers, making it challenging to detect and mitigate. It has been active since 2022, with frequent updates enhancing its evasion and data theft strategies.

AMOS, short for Attack Management and Operations System, is a platform that enables threat actors to manage malware campaigns with minimal technical skills. It acts as a command-and-control (C2) system, and provides tools for deploying malware, managing infected systems, and exfiltrating stolen data.

It is typically used to coordinate large-scale attacks, automating many aspects of the cybercriminal workflow.

If you downloaded the fake EditPro software, assume that all of your passwords, and sensitive information stored on the device, are compromised. As such, make sure to first remove any traces of the malware from the computer, before updating all passwords and other sensitive data. Enable 2FA wherever possible, and move your cryptos and NFTs to a new wallet with a new seed phrase.

Via BleepingComputer

You might also like

• Lumma Stealer malware linked as project fixes in GitHub comments
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

I love a good bargain, but mega sales events aren't all they're cracked up to be.

Sending money via Zelle is easy, but there are limits to how much you can send.

• Equinix Metal will no longer be sold from June 30, 2026
• Performance, security and stability updates will be prioritized until then
• Market dominance by established hyperscalers makes it hard to compete

Equinix has confirmed it will discontinue its bare-metal infrastructure-as-a-service (IaaS) platform from June 2026.

The decision to ax Equinix Metal was communicated to customers in a letter from Chief Business Officer Jon Lin and Chief Sales Officer Mike Campbell, giving a warning period of more than 18 months.

New features are no longer being prioritized for Equinix Metal, however the company promises to continue delivering performance, security and stability features until it is sunsetted.

Equinix Metal given 2026 end-of-life date

Equinix’s bare-metal service is a fairly recent addition to the company’s portfolio. It came about after the company acquired hosting company packet for $100 million, but will have only been available for a period of around six years once it gets discontinued on June 30, 2026.

Besides continuing to offer the relevant updates, Equinix is also offering to support customers in transitioning to alternative solutions, including collocation, managed and third-party services.

The service has been launched to allow businesses to deploy x86 and Arm servers within Equinix’s data centers, however CFO Keith Taylor suggested that Metal accounts for just 1.25% of the company’s revenue, which ultimately led to the decision to end support for the product.

The company confirmed: “Equinix is moving towards the end-of-life for our bare metal as a service product as we focus on the growth and acceleration of parts of our business, like colocation, interconnection, and hyperscale.”

More broadly, in October 2024 Equinix signed a joint venture deal to raise $15 billion to build xScale data centers for hyperscaler clients in a nod to the surging demand for AI-driven workloads.

The decision to retreat from the market is also a reflection of the highly competitive landscape, dominated primarily by hyperscalers like Amazon Web Services, Microsoft Azure and Google Cloud.

You might also like

• We’ve listed all the best cloud computing services
• IBM will now rent you a cloud-ready bare metal setup
• Check out our roundup of the best servers for small businesses

This 15W-watt charger pad normally costs $70, but this deal saves you $50 just in time for the holiday season.

The most iconic microphone on Twitch just got a lot better.

• T-Mobile has joined the list of Salt Typhoon victims
• Salt Typhoon has been heavily targeting the telecommunications sector
• No evidence has been found to suggest customer data access

T-Mobile has joined the growing list of US telecom operators who have been breached by Salt Typhoon.

The company confirmed in a statement to the Wall Street Journal that while a breach had occurred, there was no evidence to suggest the attackers had accessed or exfiltrated any customer data.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information. We will continue to monitor this closely, working with industry peers and the relevant authorities,” the company said in its statement.

Salt Typhoon continues attack

Salt Typhoon has been conducting a broad attack against US and Canadian telecommunications companies and internet service providers in what is thought to be a critical infrastructure mapping and espionage campaign.

The FBI recently confirmed the group had successfully gained access to networks and private communications of members of the US government.

The US government has also issued a warning through the Consumer Financial Protection Bureau (CFPB) for its workers to avoid using personal cell phones for work purposes, stating, “While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised.”

In a further statement to BleepingComputer, T-Mobile added, “Due to our security controls, network structure and diligent monitoring and response we have seen no significant impacts to T-Mobile systems or data. We have no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced.”

The group is widely recognized as a Chinese state-sponsored threat actor and the campaign is thought to be a mapping and vulnerability hunting campaign for future attacks.

Other telecommunications companies affected by the same campaign include AT&T, Lumen Technologies, and Verizon, with the attackers potentially having access to customer data and networks for several months. A network used by US authorities to submit requests pursuant to court orders was also breached.

A roundup of T-Mobile breaches by BleepingComputer puts this as the ninth since 2019, with the company suffering a number of data leaks, attacks and extortion attempts.

You might also like

• Take a look at the best malware removal
• These are the best endpoint protection services
• Security pros tell us how they are infiltrating cybercriminal networks and striking back from within

"We have a problem here..." said the voice on the phone. Our customer hired us to test their computer systems for vulnerabilities…and we had just found a big one.

Our testing had uncovered a serious bug in the customer's firewall. This bug crashed the network, knocking the whole company offline. The bug was similar to the recent CrowdStrike flaw, but on a vastly smaller scale.

After a tense 30 minutes, we got the customer’s network back online. Our customer was appalled that in years testing, nobody thought to attack the firewall protecting the network. We did. Because that is what a black hat hacker might do.

Penetration testing, or "white hat” hacking, attempts to exploit weaknesses in systems, applications, or networks to determine how vulnerable the organization is to a data breach. The idea is for the “white hat” hackers (good guys) to find the flaws before “black hat” hackers (bad guys) do. For our customer, the test revealed a serious flaw in their network that they patched quickly, preventing another disaster.

Penetration testing is a vital part of building a secure environment, but it is not without risks. I did “white hat hacking” for years. Before you hire a penetration tester, here are some important issues to consider.

Risk is unavoidable

It is impossible to predict how systems may react to penetration testing. As was the case with our customer, an unknow flaw or misconfiguration can lead to catastrophic results.

Skilled penetration testers usually can anticipate such issues. However, even the best white hats are imperfect. It is better to discover these flaws during a controlled test, then during a data breach. While performing tests, keep IT support staff available to respond to disruptions. Furthermore, do not be alarmed if your penetration testing provider asks you to sign an agreement that releases them from any liability due to testing. The whole point of a test is to see what breaks. It is unreasonable to expect a penetration testing provider to shoulder the expense and liability of an outage or data loss due to testing.

Hacking the void

Black hat hackers will attack anything and everything they can. Consequently, penetration tests must test everything. If parts of your network are excluded or systems are turned off, testers cannot assess their security. If you cannot test everything, then define a generous sample set that encompasses every possible type of system, application, and network you control. Likewise, testers cannot test something they cannot access. Testers will need access to all parts of the network to make the tests valid.

Path of least resistance

Black hats will generally follow the path of least resistance to break into systems. This means they will use well-known vulnerabilities they are confident they can exploit. Some hackers are still using ancient vulnerabilities, such as SQL injection, which date back to 1995. They use these because they work. It is uncommon for black hats to use unknown or “zero-day” exploits. These are reserved for high-value targets, such as government, military, or critical infrastructure.

It is not feasible for white hats to test every possible way to exploit a system. Rather, they should focus on a broad set of commonly used exploits. Lastly, not every vulnerability is dangerous. A good white hat hacker will rank vulnerabilities based on how easily they are to exploit. Exotic or complex attacks may be interesting, but they consume time and can distract your team from the more mundane, and more likely to be exploited, vulnerabilities.

Skill matters

Most white hats use a broad set of tools for testing. While automated and AI tools can speed up the process, they are no replacement for skilled hackers with extensive IT knowledge and an understanding of human behavior. Before hiring a penetration testing company, validate the team's experience, ensuring senior members have at least five years of specific penetration testing experience. Be careful with testing providers that assign only junior or contracted testers.

Change testers regularly

While it is good to build relationships with testing providers, change companies annually to avoid complacency. Use a pool of three to five companies and rotate among them. Different companies have different skill sets. For example, my company was exceptionally skilled with attacking infrastructure, which is how we found the firewall bug mentioned at the beginning of this article.

Beware of "gotcha” testing

A "gotcha test" focuses exclusively on breaking into the environment rather than assessing overall security. These tests will focus on a single exploit path and can miss many other exploitable avenues. A good testing company will conduct both a systemic assessment and a focused "black hat" style break-in.

Third party traps

One of the most significant areas of weakness is third party applications or systems. Wordpress servers, for example, tend to be full of vulnerabilities due to the widespread use of third party plugins that do not undergo rigorous security testing.

Unfortunately, some vendors may specifically prohibit you from testing their systems. This can present a massive set vulnerabilities you cannot detect or defend against. Require third party vendors to either provide you with proof that they conducted their own independent penetration tests or permit you to perform testing with your own vendor(s).

Social engineering has limitations

Social engineering tests trick employees into divulging confidential information through fake phone calls or phishing emails. These tests are overwhelmingly successful, because people are inherently trusting.

Rather than random tests, perform targeted phishing tests to evaluate if employees follow security policies. If users fail a social engineering test, focus on education not admonishment.

Time is the enemy

Time is the ultimate constraint for any penetration tester. There are only so many hours in an engagement. Consequently, testers must use their time efficiently. This means automating as much as possible, so they can focus their attention on the more nuanced vulnerabilities. Black hats, on the other hand, do not have time restrictions. They can take weeks, months, or even years to break in. This inherently creates an unequal arrangement. It is unreasonable to expect penetration testers to devote unlimited time or effort into a test. This would make the testing outlandishly expensive.

Fixing falls on you

Penetration tests do not typically fix discovered vulnerabilities; that task falls to your internal teams or a contractor. Allocate resources to address issues after the test.

Think systemically

Avoid fixing vulnerabilities individually. Implement systemic improvements across the organization. Most vulnerabilities can be remediated through automated software and OS patching. For misconfigurations, standardize system deployment and management. For mission critical systems, you may want to consider emerging technologies like Moving Target Defense, which creates a dynamic, constantly updating environment that is extremely difficult to exploit.

Conclusion

Penetration testing is essential for any organization. It is better to have an white hat hacker find a vulnerability before black hat does. However, no security control or technology is perfect. Flaws are inherent in any complex system. Even the best security products, practices, and people can fail. The technologies you use are not as important as how you manage, monitor, and test those technologies.

Lastly, it is important to remember that black hats do not follow rules, policies, or org charts. They will break anything to get your data. For security to be effective, you need to think like a black hat hacker, and test everything. Especially the systems you believe are safe.

We've featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

This amp modeling pedal delivers the same sonic quality as its highly regarded older Brother at a fraction of the price.