Security company Positive Technologies has issued a new research report analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021. In 93% of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources, and it takes an average of two days to penetrate a company’s internal network.
The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.
During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.
An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to Positive Technologies researchers, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because simple passwords are used, including for system administration accounts.
An attacker who has credentials with domain administrator privileges can obtain many other credentials for lateral movement across the corporate network and access to key computers and servers.
Administration, virtualization, protection, or monitoring tools often help an intruder gain access to isolated network segments.
According to the study, most organizations do not segment the network by business processes, which allows attackers to develop several attack vectors simultaneously and trigger several of a company’s unacceptable events.
What’s more, in 100% of companies analyzed, an insider can gain full control over the infrastructure.
Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.