Over half of corporate information systems can be hacked with almost no skill necessary
Corporate information systems became more vulnerable in 2016 to attacks by external and internal intruders. Compounding the problem, implementing such attacks does not require great skill. In comparison to the prior year, the level of security of Wi-Fi networks and user awareness regarding information security significantly decreased in 2016.
These findings come from an overview of the most common vulnerabilities detected during security audits by Positive Technologies in 2016. During audits, experts simulate how actual attackers (external and internal) would try to penetrate corporate systems. This method identified a large number of protection flaws, including ones impossible to detect in any other way.
Critical vulnerabilities were detected in 47 percent of investigated corporate systems. These high-risk vulnerabilities are frequently related to configuration errors (40% of systems), errors in web application code (27% of systems), and failure to install security updates (20% of systems). Among out-of-date systems, the average age of the oldest uninstalled updates is a whopping nine years.
Bypassing the network perimeter is possible on 55 percent of systems for an intruder with minimum knowledge and skills. In most cases, an external intruder needs only two steps to penetrate the perimeter.
Common perimeter vulnerabilities include dictionary passwords, unencrypted data transfer protocols (detected on all systems), vulnerable software versions (91% of systems), as well as publicly available interfaces for remote access, equipment control, and connection to database management systems (also 91% of systems). Although web application vulnerabilities are not the largest threat, they are still dangerous: web application vulnerabilities made it possible to bypass the network perimeter on 77 percent of systems.
When acting as an external intruder our testers could gain full control over corporate infrastructure on 55 percent of systems. While As an internal intruder, they were successful on all systems. In 2015, these figures were 28 and 82 percent, respectively.
The Most common internal network vulnerabilities are flaws in network layer and data link layer protocols leading to traffic redirection and interception of information about network configuration (100% of systems).
Staff awareness of information security was extremely low in half of systems in 2016 (compared to 25% of systems in 2015). In addition, Wireless network security was also extremely poor in most cases (75%) with Every second system allowing access to LAN from Wi-Fi.
Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies, commented on the audit results: "The vast majority of attacks on corporate infrastructures involve exploitation of common vulnerabilities and flaws. Companies can dramatically improve their security stance and avoid falling victim to attacks by applying basic information security rules: develop and enforce a strict password policy, minimize privileges of users and services, do not store sensitive information in cleartext, minimize the number of open network service interfaces on the network perimeter, regularly update software, and install operating system security updates."
Gnedin also noted that antivirus protection alone is not enough for maintaining high security. To protect web applications, it is necessary to use web application firewalls; in addition, security event monitoring (SIEM) solutions help to promptly detect attacks. He urges to regularly train employees and improve information security awareness, and to perform penetration testing in order to identify new attack vectors and test protection methods in a timely manner. By consistently applying all these measures, companies can ensure effective protection and justify the cost of expensive specialized security solutions.
A whitepaper detailing these findings is available here.