Positive Technologies Pentesters Breach Network Perimeter at 92 Percent of Companies

In external penetration testing for corporate clients, Positive Technologies succeeded in breaching the network perimeter at 92 percent of companies.

Full control of the infrastructure was obtained on every system attempted in internal penetration testing.

In external penetration testing undertaken for corporate clients in industrial, financial, and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors by which an attacker could reach the internal network. As described in a new report, Penetration Testing of Corporate Information Systems: Statistics and Findings, companies were vulnerable to an average of two vectors, and in one case to as many as five. Reaching an internal network from the outside can typically be accomplished with well-known security vulnerabilities, without requiring exceptional skill or knowledge on the part of would-be attackers.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, commented: "What many of our successful pentesting attacks had in common was the presence of interfaces on the network perimeter that should not be accessible from the outside. For example, an Internet-accessible video surveillance system not only allows an attacker to view video, but also to run arbitrary commands on the server. This shows how important it is to correctly delineate the network perimeter and monitor the security of every component."

On how companies can reduce their risk profile, she added: "We recommend minimizing the number of services on the network perimeter. In addition, ensure that sensitive information—such as access credentials, corporate address books, and the like—is not available publicly. For monitoring the effectiveness of protection measures, we urge companies to undergo penetration testing on a regular basis."

Testers found that vulnerabilities in web application code are the main problem on the network perimeter. Overall, 75 percent of successful penetration vectors leveraged poor protection of web resources. At half of companies, an attacker can breach the network perimeter in just one step, most often by exploiting a vulnerability in a web application.

Galloway described the risks associated with web applications: "As a web application grows in complexity and number of features, there is a higher chance of a coding error by developers, and this is where an attacker can slip through. These errors are frequently found during penetration testing, but by far the best way to find them is white-box testing with analysis of source code. Fixing vulnerabilities after the fact usually involves changing the code, which requires a lot of time. To avoid downtime and disruption, we recommend installing a web application firewall to prevent exploitation of vulnerabilities while fixes are pending, as well as to protect from new and zero-day vulnerabilities."

Vulnerabilities on internal systems

Full control of infrastructure was obtained on all tested systems in internal pentesting. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers, and ATM management. The most common successful attack vectors against internal networks included:

  • Brute-force attacks on internal accounts - guessing passwords from a dictionary to take over an account. Because the same credentials are reused across hosts, an attacker who recovers one password can then move laterally from one host to another.
  • Failure to install updates - especially those fixing critical vulnerabilities. On internal infrastructure, outdated and vulnerable OS versions were the most frequent finding of this kind, present on 44 percent of tested systems.
  • Susceptibility to social engineering - tested by emulating a phishing attack on the company: specially crafted emails with attachments or web links were sent to employees. One in three employees risked running malware on a work computer, one in seven engaged in dialog with an impostor and disclosed sensitive information, and one in ten entered account credentials in a fake authentication form.
  • Weak Wi-Fi security - a key vector for threats against internal corporate infrastructure. At 87 percent of tested clients, Wi-Fi networks were reachable from outside the client premises, such as from a nearby cafe, parking lot, or public waiting area. On 63 percent of systems, weak Wi-Fi security allowed access to resources on the local network.
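The first vector above, a dictionary attack on one account followed by reuse of the guessed credentials on other hosts, is also the one a defender can catch cheaply from authentication logs. The script below is an added example written for this page, not code from Positive Technologies or the report: it parses a constructed, simplified log (key=value lines modelled on Windows Security events 4625, failed logon, and 4624, successful logon), flags any source that produces a burst of failures against a single account inside a sliding window, and then reports that account as a lateral-movement candidate if the same source subsequently logs on to two or more distinct hosts with it. The log format, hostnames, addresses, thresholds and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log (not from the report). Fields mimic Windows Security
# events 4625 (failed logon) and 4624 (successful logon) flattened to key=value.
# 10.0.5.7 guesses svc_backup's password on WS01, then reuses it on FS01/DC01.
# alice and bob are benign noise below the detection threshold.
SAMPLE_LOG = """\
2018-03-01T09:00:01 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:03 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:05 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:07 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:09 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:11 host=WS01 event=4625 user=svc_backup src=10.0.5.7
2018-03-01T09:00:13 host=WS01 event=4624 user=svc_backup src=10.0.5.7
2018-03-01T09:02:40 host=FS01 event=4624 user=svc_backup src=10.0.5.7
2018-03-01T09:03:15 host=DC01 event=4624 user=svc_backup src=10.0.5.7
2018-03-01T09:05:00 host=WS02 event=4625 user=alice src=10.0.8.21
2018-03-01T09:05:20 host=WS02 event=4624 user=alice src=10.0.8.21
2018-03-01T09:40:00 host=WS03 event=4625 user=bob src=10.0.8.30
2018-03-01T09:50:00 host=WS03 event=4625 user=bob src=10.0.8.30
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


class Event(NamedTuple):
    ts: datetime
    host: str
    event_id: str
    user: str
    src: str


def parse_log(text: str) -> list:
    """Parse key=value lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts_str), kv["host"],
                            kv["event"], kv["user"], kv["src"]))
    return sorted(events, key=lambda e: e.ts)


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(src, user): detection_time} for every source that produced
    `threshold` or more failed logons against one account inside `window`.
    A per-(src, user) deque of timestamps acts as the sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e.event_id != FAILED_LOGON:
            continue
        key = (e.src, e.user)
        q = recent[key]
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = e.ts
    return flagged


def find_lateral_movement(events, flagged, min_hosts=2):
    """For each (src, user) flagged as brute-forced, collect the hosts where
    that source later logged on successfully with the account. Reaching
    `min_hosts` distinct hosts is the signal that one guessed password is
    being reused across machines."""
    hosts = defaultdict(set)
    for e in events:
        key = (e.src, e.user)
        if e.event_id == SUCCESS_LOGON and key in flagged and e.ts >= flagged[key]:
            hosts[key].add(e.host)
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bf = find_brute_force(evs)
    for (src, user), ts in bf.items():
        print(f"brute force: {src} -> {user} (detected {ts.isoformat()})")
    for (src, user), hosts in find_lateral_movement(evs, bf).items():
        print(f"lateral movement: {user} from {src} reached {', '.join(hosts)}")
```

Tuning note: the threshold and window are where this rule lives or dies in a real environment. A value of five failures in ten minutes against one account from one source is well below what an unthrottled dictionary attack generates, and keying the window on the (source, account) pair rather than on the account alone keeps a single user mistyping a password from tripping it. The lateral-movement stage deliberately requires a successful logon on a second host, because a single success after a failure burst is exactly what a legitimate user who finally remembered the password looks like.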

For a complete copy of the report, please visit https://www.ptsecurity.com/ww-en/analytics/corp-vulnerabilities-2019/.