In a report published today summarizing its penetration testing activity for the year 2018, cyber-security firm Positive Technologies claimed that its researchers breached external perimeters and gained access to companies' internal networks in 92 percent of all penetration tests carried out last year.
The company put most of these successful tests on vulnerabilities in the source code of externally-facing web applications, which were deemed the most vulnerable component in companies' IT infrastructure.
It said that the poor protection of these web resources accounted for 75 percent of all penetration vectors its experts found and used to gain access to the tested companies' internal networks.
Further, at half of the companies, they breached the network perimeter and escalated access to an internal network in just one step.
Once inside companies' networks, pentesters had no problem escalating access to other internal computers and servers, and in some cases even obtained access to critical resources such as ICS equipment, SWIFT money transfer systems, and ATM controls.
For escalating access while on a company's internal networks, Positive Technologies said its experts used basic techniques like brute-forcing account passwords, exploiting old vulnerabilities in unpatched systems, social engineering techniques such as phishing, and vulnerabilities in WiFi networks.
But vulnerabilities in WiFi networks also served as a vector for breaching companies from the outside, not just escalating access on the inside.
"At 87 percent of tested clients, Wi-Fi networks were accessible from outside of client premises, such as from a nearby cafe, parking lot, or public waiting area," which technically exposed a company's internal network to any nearby attacker.
"On 63 percent of systems, weak Wi-Fi security enabled accessing resources on the local network," the company said today in its report. By weak Wi-Fi security, researchers are referring to companies that failed to encrypt WiFi traffic or implemented WiFi authentication using weak protocols such as WPA2/PSK or WPA/EAP.
But no companies had perfect defenses. So even if they used firewalls to protect web applications, strong WiFi authentication, strong & unique passwords resistant to brute-force attacks, or if they trained employees to recognize phishing emails, there was always the issue with unpatched systems that left at least one door open to attackers.
- 5 ways to enforce company security (TechRepublic)
- Data breaches can sucker-punch you. Prepare to fight back (CNET)
For example, Positive Technologies says that the oldest vulnerability they found in a company's IT infrastructure was 19-years-old --CVE-1999-0024, a flaw affecting BIND, a widely used DNS server software.
More details are available in Positive Technologies' report, which was compiled following penetration tests carried out by security researchers from Positive Technologies at 33 companies active in the industrial, financial, and transport verticals.
More security coverage:
- Digital sign systems allowed hacker access through default passwords
- Details published about vulnerabilities in popular building access system
- Scammer groups are exploiting Gmail 'dot accounts' for online fraud
- Japanese government plans to hack into citizens' IoT devices
- EU orders recall of children's smartwatch over severe privacy concerns
- Ransomware warning: A global attack could cause $200bn in damage
- Cyber security is 'greatest concern' at Senate threats hearing CNET
- Phishing and spearphishing: A cheat sheet for business professionals TechRepublic