Up to 55% of large organizations have such severe flaws in their IT security perimeter that a hacker could gain full control of their entire network via the Internet. That’s the finding of detailed penetration tests carried out by Positive Technologies, a leading supplier of vulnerability assessment, compliance management and threat analysis solutions.
Nine in ten of the enterprise-level systems studied by Positive Technologies during 2013 were susceptible to some form of perimeter breach, and in 82% of cases a hacker would only need a low level of skill to gain access.
For 40% of the organizations, the breach vector was weak passwords; in over a third of the networks, dictionary words were in use as passwords for highly privileged administrator accounts. Web application vulnerabilities such as SQL injection were found in 93% of the systems studied, and in one in three corporate networks they were serious enough to grant full access to the internal network.
100% Vulnerable to Internal Attack
All of the organizations tested were at high risk of attack from within. Given only the credentials of an employee with the lowest level of access, our testers were able to escalate those privileges and gain unauthorized access to critical systems in every network studied.
In half of the tests, basic computing skills were enough to mount an attack from inside the network, implying that even non-technical employees could pose a threat to security. When our specialists used the full range of attack vectors, they were able to turn low-privilege credentials into full control of 71% of the networks studied.
Once again, weak passwords were the most common vulnerability, affecting 92% of the systems studied. But 67% of systems also showed other weaknesses, such as inadequate traffic filtering, insufficiently protected network service protocols and sensitive data stored unencrypted, which can allow an attacker to hijack or redirect traffic.
Social Engineering Puts Two Thirds of Firms At Risk
Meanwhile, 66% of the organizations we tested were at risk because their own staff lacked awareness of typical social engineering techniques. More than 20% of employees who were sent one of our simulated phishing emails attempted to follow a link, enter their credentials or open an attachment.
The Positive Technologies study included 14 large-scale penetration tests carried out in several countries during 2013. The enterprises analyzed ranged from oil and gas producers and banks to government agencies, software manufacturers and telecommunications firms. We excluded the results of several other tests in which we were asked to perform only a partial analysis of an organization's network, because those results would not have been representative of overall security levels.