How easy is it to breach an organization? Pretty easy, if an analysis by security vendor Positive Technologies of penetration tests against about 30 customers last year is representative. Among the results:
–Companies were vulnerable to an average of two vectors, and in one case, as many as five;
–Reaching an internal network from the outside could typically be accomplished with well-known security vulnerabilities, without requiring exceptional skill or knowledge on the part of would-be attackers;
–Testers found that vulnerabilities in web application code were the main problem on the network perimeter in the test group. Overall, 75 per cent of successful penetrations leveraged poor protection of web resources. At half of the companies, an attacker could breach the network perimeter in just one step, most often by exploiting a vulnerability in a web application;
–Among customers who requested testing of Wi-Fi networks, weak Wi-Fi security allowed access to resources on the local network on 63 per cent of systems.
Note that some customers faced only external pen tests, some internal and some both. During internal pentesting, testers were on a segment of the local network and attempted to obtain control over the system infrastructure or critical resources specified in advance by the client.
Also note that the goal of these pen tests was not to find every vulnerability.
“What many of our successful pentesting attacks had in common was the presence of interfaces on the network perimeter that should not be accessible from the outside,” said Leigh-Anne Galloway, cyber security resilience lead at the Moscow-based company. “For example, an Internet-accessible video surveillance system not only allows an attacker to view video, but also to run arbitrary commands on the server. This shows how important it is to correctly delineate the network perimeter and monitor the security of every component.”
In the group studied, 63 per cent of firms had critical password weaknesses, with another 19 per cent having password problems that could be rated as high under the Common Vulnerability Scoring System (CVSS) v3.0 standard.
Lack of updates accounted for 38 per cent of critical issues, with another 31 per cent of missing updates rated as high.
Twenty-five per cent of vulnerabilities were due to critical configuration errors, with another 50 per cent of configuration mistakes rated as high problems.
Among the report’s conclusions is that employees tend to have poor awareness of information security issues. Training, with periodic follow-up, is a must, it says.
Pentester activity rarely raises the suspicions of corporate information security departments, it adds, so actual attackers could burrow into infrastructure and stay unnoticed for extended periods. “So protection of the network perimeter should be complemented with periodic retrospective analysis of the network to detect any previously unnoticed incidents.
“Indicators of compromise can be picked up by special solutions for deep analysis of network traffic to detect advanced persistent threats in real time and from saved traffic. These capabilities enable detecting when a hack has occurred and when a network attack is underway, such as use of malicious tools, exploitation of vulnerabilities, and attacks on domain controllers.
“By reducing the time that attackers are able to remain hidden, companies can minimize the risk of data leaks, ensure uninterrupted operation, and reduce financial losses.”
For the full report go to https://www.ptsecurity.com/ww-en/analytics/corp-vulnerabilities-2019/.