Pentesters breach 92 percent of companies, report claims

Failure to protect web apps with firewalls, failure to patch systems, and the use of insecure WiFi networks deemed primary causes.
Written by Catalin Cimpanu, Contributor

In a report published today summarizing its penetration testing activity for the year 2018, cyber-security firm Positive Technologies claimed that its researchers breached external perimeters and gained access to companies' internal networks in 92 percent of all penetration tests carried out last year.

Also: Online security 101: Tips for protecting your privacy

The company put most of these successful tests on vulnerabilities in the source code of externally-facing web applications, which were deemed the most vulnerable component in companies' IT infrastructure.

It said that the poor protection of these web resources accounted for 75 percent of all penetration vectors its experts found and used to gain access to the tested companies' internal networks.

Further, at half of the companies, they breached the network perimeter and escalated access to an internal network in just one step.

Once inside companies' networks, pentesters had no problem escalating access to other internal computers and servers, and in some cases even obtained access to critical resources such as ICS equipment, SWIFT money transfer systems, and ATM controls.

For escalating access while on a company's internal networks, Positive Technologies said its experts used basic techniques like brute-forcing account passwords, exploiting old vulnerabilities in unpatched systems, social engineering techniques such as phishing, and vulnerabilities in WiFi networks.

But vulnerabilities in WiFi networks also served as a vector for breaching companies from the outside, not just escalating access on the inside.

"At 87 percent of tested clients, Wi-Fi networks were accessible from outside of client premises, such as from a nearby cafe, parking lot, or public waiting area," which technically exposed a company's internal network to any nearby attacker.

"On 63 percent of systems, weak Wi-Fi security enabled accessing resources on the local network," the company said today in its report. By weak Wi-Fi security, researchers are referring to companies that failed to encrypt WiFi traffic or implemented WiFi authentication using weak protocols such as WPA2/PSK or WPA/EAP.

But no companies had perfect defenses. So even if they used firewalls to protect web applications, strong WiFi authentication, strong & unique passwords resistant to brute-force attacks, or if they trained employees to recognize phishing emails, there was always the issue with unpatched systems that left at least one door open to attackers.

Must read

For example, Positive Technologies says that the oldest vulnerability they found in a company's IT infrastructure was 19-years-old --CVE-1999-0024, a flaw affecting BIND, a widely used DNS server software.

More details are available in Positive Technologies' report, which was compiled following penetration tests carried out by security researchers from Positive Technologies at 33 companies active in the industrial, financial, and transport verticals.

Cybercrime and malware, 2019 predictions

More security coverage:

Editorial standards