Penetration of an organization’s local network takes as little as 5 minutes, according to a new report from Positive Technologies, one of the largest cybersecurity research firms in Europe.
Positive Technologies experts analyzed the security of corporate information systems and prepared an overview of the most common security flaws and attack methods and made recommendations for improving security in its report Penetration Testing of Corporate Information Systems.
The analysis showed that for 93 percent of companies, the pentesters succeeded in breaching the network perimeter and accessing the local network. 77 percent of attack vectors were related to insufficient protection of web applications.
Companies tested in 2019 included finance (32%), IT (21%), fuel and energy (21%), government agencies (11%), hospitality and entertainment (7%), industry (4%), and telecoms (4%). In Positive Technologies’ external pentests, experts were able to access the local network at 93 percent of tested organizations. The maximum number of penetration vectors detected at a single company was 13.
In one out of every six tested companies, Positive Technologies found traces of previous attacks, such as web shells on the network perimeter, malicious links on official sites, or valid credentials in public data dumps. This indicates that the infrastructure may have already been infiltrated by hackers.
The experts also found that penetration of a local network takes between 30 minutes to 10 days. In most cases, attack complexity was low, meaning that the attack was within the capabilities of a hacker with basic skills. At 71 percent of companies, there was at least one easy penetration vector.
At 68 percent of companies, successful attacks on web applications involved brute forcing attacks to crack credentials. If attackers bruteforce the password for at least one domain account, they can discover identifiers for other users by downloading the offline address book, which lists all email addresses of company employees.
At one of the tested organizations, Positive Technologies pentesters obtained over 9,000 email addresses using this method.
“Web applications are the most vulnerable component on the network perimeter. In 77 percent of cases, penetration vectors involved insufficient protection of web applications. To ensure protection, businesses need to perform security assessments of web applications regularly, “says Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.
“Penetration testing is performed as a “black box” analysis without access to source code, which means businesses can leave blind spots to some issues which might not be detected using this method. Therefore, companies should use a more thorough testing method as source code analysis (white box).”