New research from Positive Technologies has shed light on how easy it is for hackers to breach organizations’ local networks by exploiting known software vulnerabilities.
To compile its new Penetration Testing of Corporate Information Systems report, the firm’s experts performed external pentests on organizations in the finance, IT, fuel and energy, government, hospitality, entertainment and telecommunications industries.
In its tests, Positive Technologies was able to access the local network at 93 percent of tested organizations with the maximum number of penetration vectors detected at a single company being 13. Furthermore, in one out of every six tested companies, it found traces of previous attacks such as web shells on the network perimeter, malicious links on official sites or valid credentials in public data dumps, indicating that the infrastructure may have already been infiltrated by hackers.
The firm’s experts also found that penetration of a local network usually takes between 30 minutes and 10 days. However, in most cases, attack complexity was low which means that the attack was well within the capabilities of even a hacker with just basic skills.
Positive Technologies’ research also found that brute force attacks were an effective way to crack credentials when launching attacks on web applications at 68 percent of the companies its team performed external pentests on.
If an attacker is able to successfully brute force the password for at least one domain account, they can discover identifiers for other users by downloading the offline address book which contains all of the email addresses for a company’s employees. In fact, at one of the tested organizations, the firm’s pentesters obtained over 9,000 email addresses using this method.
Head of research and analytics at Positive Technologies, Ekaterina Kilyusheva provided further insight on how organizations can perform their own penetration tests in a press release, saying:
“Web applications are the most vulnerable component on the network perimeter. In 77 percent of cases, penetration vectors involved insufficient protection of web applications. To ensure protection, businesses need to perform security assessments of web applications regularly. Penetration testing is performed as a “black box” analysis without access to source code, which means businesses can leave blind spots to some issues which might not be detected using this method. Therefore, companies should use a more thorough testing method as source code analysis (white box). For proactive security, we recommend using a web application firewall to prevent exploitation of vulnerabilities, even ones that have not been detected yet.”