Infosec pros spend big bucks every year attempting to better secure their networks and assets. But if a new vendor report on penetration tests and scans of customers is accurate, they’re not doing a good job of it.
“Protection of corporate systems from internal attackers is rather poor,” says the report by Positive Technologies released today. It was compiled from tests and assessments of 48 companies conducted last year.
Almost every security assessment Positive Technologies performed during 2017 showed multiple vulnerabilities and security flaws, says the report, which would allow an attacker to perform a full compromise of the entire corporate infrastructure, obtain access to sensitive information, or perform Denial of Service attacks.
In fact, compared to 2016 it was easier to get past network perimeter defences. Two years ago pen testers rated the difficulty of accessing customer LAN resources as “trivial” in 27 per cent of tests. Last year they said 56 per cent of networks they were hired to break into were trivial.
Think about these numbers:
–in 68 per cent of cases it was possible to penetrate the network perimeter and access the LAN;
–once penetration testers had the login of an ordinary employee, they were always able to go on to get full control over company infrastructure;
–in test mailings 26 per cent of employees clicked links to phishing websites, of which almost half entered their credentials in a fake authentication form;
–in 75 per cent of cases pen tester attacks on wireless networks resulted in access to the corporate intranet and sensitive information, such as domain user accounts.
One way to interpret the numbers is that Positive Technologies has very skilled pen testers. Another way is that CISOs aren’t doing a very good job. Consider that
–a common vector for intranet penetration is still brute-forcing accounts that have weak passwords. It worked in 44 per cent of tests;
–automated scanning of network perimeters showed 31 per cent of companies were at risk of infection by WannaCry encryption malware;
–among corporate systems tested between April 14 and December 31, 60 per cent contained the MS17-010 vulnerability, also known as the EternalBlue remote exploit of Windows Server Message Block (SMB). This was patched March 14, 2017, a month before pen testers started looking for it. Exploiting this vulnerability was one of the most common ways Positive Technologies pen testers got into systems;
–28 per cent of successful attacks exploited web application vulnerabilities;
–in 16 per cent of cases, a tester accessed intranet resources by exploiting vulnerabilities in obsolete software versions, including CMS platforms.
The top five common vulnerabilities on the network perimeter were use of insecure data protocols (81 per cent of tested systems), vulnerable software versions (75 per cent), remote access, equipment control, and DBMS connection interfaces available online (69 per cent), storage of sensitive data in cleartext or available to the public (56 per cent) and use of dictionary passwords (50 per cent).
Separately, 26 companies took up Positive Technologies’ offer of free external perimeter scanning for vulnerabilities. Fifteen per cent of the vulnerabilities found were critical, including CVE-2016-6515 in OpenSSH, where a missing limit on password length allows remote attackers to perform Denial of Service attacks; and CVE-2016-10010 in OpenSSH, which in this case can be combined with another exploit to escalate local privileges.
By the way, the stats show that 20 per cent of privileged users used the password “admin,” while 45 per cent of them used what the testers say was an easy-to-guess keyboard combination (such as adjoining letters or numbers).
The report makes a number of recommendations including
–prevent use of dictionary and other easy-to-guess passwords; develop and enforce strict password policies;
–ensure additional protection of privileged accounts (such as domain administrator accounts). Two-factor authentication is a good practice;
–dump all versions of Windows before v.8.1, and add all privileged domain users to the Protected Users group on all privileged user workstations and on all hosts to which privileged accounts connect;
–assess the security of wireless networks. Scrutinize the authentication methods in use and enable isolation of access point users;
–regularly train employees on information security awareness and verify employee knowledge on an ongoing basis.
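As an added example, not part of the report or this article, here is a PowerShell script that applies the Protected Users recommendation above by finding privileged domain accounts that are not yet in the group. It assumes the ActiveDirectory RSAT module is installed and that the domain's PDC emulator runs Windows Server 2012 R2 or later (the group does not exist before that); the group names in $privilegedGroups are an assumption to adjust for the environment.

```powershell
# Added example: enrol privileged domain users in the AD "Protected Users" group.
# Assumes RSAT ActiveDirectory module and a 2012 R2 or later PDC emulator.
Import-Module ActiveDirectory

# Groups whose members are treated as privileged (assumed list; adjust as needed).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Current Protected Users membership, keyed by SID so renamed accounts still match.
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    ForEach-Object { $protected[$_.SID.Value] = $true }

# Collect user accounts (never computers) from each privileged group, nested members included.
$candidates = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}

foreach ($acct in ($candidates | Sort-Object -Property { $_.SID.Value } -Unique)) {
    if ($protected.ContainsKey($acct.SID.Value)) { continue }   # already protected

    $u = Get-ADUser -Identity $acct.DistinguishedName -Properties ServicePrincipalName

    # Protected Users disables NTLM, RC4/DES Kerberos and delegation for its members and
    # caps TGT lifetime at 4 hours. Service accounts (those carrying SPNs) would break,
    # so they are reported for review rather than added.
    if ($u.ServicePrincipalName.Count -gt 0) {
        Write-Warning "Skipping $($u.SamAccountName): account has SPNs, review before protecting"
        continue
    }

    # -WhatIf previews the change; remove it to apply for real.
    Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf
}
```

Keep at least one break-glass administrator account outside the group so that an authentication problem caused by the stricter Kerberos settings cannot lock every admin out of the domain.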