In its report Penetration Testing of Corporate Information Systems [1], Positive Technologies analyzed the security of corporate information systems, prepared an overview of the most common security flaws and attack methods, and made recommendations for improving security. The analysis showed that at 93 percent of companies the pentesters breached the network perimeter and gained access to the local network, and that 77 percent of penetration vectors involved insufficient protection of web applications.
Companies tested in 2019 included finance (32%), IT (21%), fuel and energy (21%), government agencies (11%), hospitality and entertainment (7%), industry (4%), and telecoms (4%). In Positive Technologies’ external pentests, experts were able to access the local network at 93 percent of tested organizations. The maximum number of penetration vectors detected at a single company was 13. In one out of every six tested companies, Positive Technologies found traces of previous attacks, such as web shells on the network perimeter, malicious links on official sites, or valid credentials in public data dumps. This indicates that the infrastructure may have already been infiltrated by hackers.
The experts also found that penetrating a local network took between 30 minutes and 10 days. In most cases, attack complexity was low, meaning that the attack was within the capabilities of a hacker with basic skills. At 71 percent of companies, there was at least one easy penetration vector.
At 68 percent of companies, successful attacks on web applications involved brute-force attacks on credentials. Once attackers brute-force the password of even one domain account, they can discover the identifiers of other users by downloading the Exchange offline address book, which lists the email addresses of all company employees; those addresses then serve as the username list for further password guessing. At one of the tested organizations, Positive Technologies pentesters obtained over 9,000 email addresses using this method.
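The attack chain above leaves a recognisable trace in authentication logs: many failures against one account from one source (classic brute force), or a few failures against many accounts from one source (password spraying, which is what an attacker does with a harvested address book to stay under lockout thresholds), often followed by a success from the same source. The following detector is an added example written for this page, not code from the Positive Technologies report; the log format, the sample lines and the thresholds are constructed assumptions, and the address-book download itself is not shown because it requires a live Exchange server.

```python
"""Brute-force / password-spraying detector over constructed auth log lines.

Added example, not from the Positive Technologies report. The
"timestamp source_ip user result" log format, the thresholds and the
sample lines are assumptions chosen for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user ok")

BRUTE_THRESHOLD = 5           # failures on one account from one source
SPRAY_THRESHOLD = 4           # distinct accounts failed from one source
WINDOW = timedelta(minutes=10)

# Constructed sample log: one brute force that succeeds, one spray that
# hits an account with no prior failures, and one benign typo-then-login.
SAMPLE_LOG = """\
2019-06-03T10:00:01 203.0.113.7 j.smith FAIL
2019-06-03T10:00:03 203.0.113.7 j.smith FAIL
2019-06-03T10:00:05 203.0.113.7 j.smith FAIL
2019-06-03T10:00:07 203.0.113.7 j.smith FAIL
2019-06-03T10:00:09 203.0.113.7 j.smith FAIL
2019-06-03T10:00:11 203.0.113.7 j.smith OK
2019-06-03T10:05:00 198.51.100.9 a.ivanov FAIL
2019-06-03T10:05:30 198.51.100.9 b.petrov FAIL
2019-06-03T10:06:00 198.51.100.9 c.sidorov FAIL
2019-06-03T10:06:30 198.51.100.9 d.kuznetsov FAIL
2019-06-03T10:07:00 198.51.100.9 e.popov OK
2019-06-03T11:30:00 192.0.2.44 m.lee FAIL
2019-06-03T11:31:00 192.0.2.44 m.lee OK
"""


def parse(text):
    """Parse the assumed log format into time-sorted Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def _windowed(timestamps, window, threshold):
    """True if at least `threshold` of the sorted timestamps fall within `window`."""
    lo = 0
    for hi, ts in enumerate(timestamps):
        while ts - timestamps[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_brute_force(events, threshold=BRUTE_THRESHOLD, window=WINDOW):
    """(source, user) pairs with `threshold` failures inside one window."""
    fails = defaultdict(list)
    for e in events:
        if not e.ok:
            fails[(e.src, e.user)].append(e.ts)
    return sorted(k for k, ts in fails.items() if _windowed(ts, window, threshold))


def detect_spraying(events, threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Sources that failed against `threshold` distinct accounts inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    hits = []
    for src, evs in by_src.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            if len({x.user for x in evs[lo:hi + 1]}) >= threshold:
                hits.append(src)
                break
    return sorted(hits)


def successes_after_failures(events, min_failures=3, window=WINDOW):
    """(source, user) pairs where a login succeeded right after repeated failures:
    the pattern a brute force leaves behind when it works."""
    recent = defaultdict(list)
    hits = []
    for e in events:
        key = (e.src, e.user)
        if e.ok:
            if len([t for t in recent[key] if e.ts - t <= window]) >= min_failures:
                hits.append(key)
        else:
            recent[key].append(e.ts)
    return hits


def report(text=SAMPLE_LOG):
    """Run all three detections over a log and return the findings."""
    events = parse(text)
    return {
        "brute_force": detect_brute_force(events),
        "spraying": detect_spraying(events),
        "likely_compromised": successes_after_failures(events),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

The spraying rule keys on distinct accounts per source rather than on failures per account, because an attacker working through a harvested address book only needs one or two guesses per user to stay below a lockout policy; a per-account threshold alone never fires on that pattern.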
"Web applications are the most vulnerable component on the network perimeter," says Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies. "In 77 percent of cases, penetration vectors involved insufficient protection of web applications. To ensure protection, businesses need to perform security assessments of web applications regularly. Penetration testing is performed as a "black box" analysis without access to source code, which means businesses can be left with blind spots for some issues that might not be detected using this method. Therefore, companies should use a more thorough testing method, such as source code analysis (white box). For proactive security, we recommend using a web application firewall to prevent exploitation of vulnerabilities, even ones that have not been detected yet."
The testing relied heavily on exploitation of known software vulnerabilities, for example in outdated versions of Laravel and Oracle WebLogic Server, which gave access to the local network at 39 percent of companies. In addition, the pentesters discovered six zero-day Remote Code Execution (RCE) vulnerabilities, including CVE-2019-19781 in Citrix Application Delivery Controller (ADC) and Citrix Gateway.
Positive Technologies recommends installing OS security updates and the latest versions of software in a timely manner, and ensuring that software with known vulnerabilities does not appear on the network perimeter.
[1] The report is based on 28 external pentests performed in 2019 for clients who consented to the use of such data for statistical purposes. For accurate and objective results, Positive Technologies only used the most informative projects.