In a new report published today by Framingham-based Positive Technologies, researchers find that criminals can hack a company in as little as 30 minutes.
FOR IMMEDIATE RELEASE
Framingham, MA (August 12, 2020) -- Positive Technologies experts have analyzed the security of corporate information systems, prepared an overview of the most common security flaws and attack methods, and made recommendations for improving security in their report, Penetration Testing of Corporate Information Systems. The analysis showed that for 93 percent of companies, the pentesters succeeded in breaching the network perimeter and accessing the local network. 77 percent of attack vectors were related to insufficient protection of web applications.
Companies tested in 2019 included finance (32%), IT (21%), fuel and energy (21%), government agencies (11%), hospitality and entertainment (7%), industry (4%), and telecoms (4%). In Positive Technologies’ external pentests, experts were able to access the local network at 93 percent of tested organizations. The maximum number of penetration vectors detected at a single company was 13. In one out of every six tested companies, Positive Technologies found traces of previous attacks, such as web shells on the network perimeter, malicious links on official sites, or valid credentials in public data dumps. This indicates that the infrastructure may have already been infiltrated by hackers.
The experts also found that penetration of a local network takes between 30 minutes and 10 days. In most cases, attack complexity was low, meaning that the attack was within the capabilities of a hacker with basic skills. At 71 percent of companies, there was at least one easy penetration vector.
At 68 percent of companies, successful attacks on web applications involved brute-force attacks to crack credentials. If attackers brute-force the password for at least one domain account, they can discover identifiers for other users by downloading the offline address book, which lists all email addresses of company employees. At one of the tested organizations, Positive Technologies pentesters obtained over 9,000 email addresses using this method.
“Web applications are the most vulnerable component on the network perimeter,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies. “In 77 percent of cases, penetration vectors involved insufficient protection of web applications. To ensure protection, businesses need to perform security assessments of web applications regularly. Penetration testing is performed as a "black box" analysis without access to source code, which means businesses can leave blind spots to some issues which might not be detected using this method. Therefore, companies should use a more thorough testing method such as source code analysis (white box). For proactive security, we recommend using a web application firewall to prevent exploitation of vulnerabilities, even ones that have not been detected yet.”
The testing relied heavily on exploitation of known software vulnerabilities, for example in old versions of Laravel and Oracle WebLogic Server, which allowed access to the local network at 39 percent of companies. In addition, the pentesters discovered six zero-day Remote Code Execution (RCE) vulnerabilities, including CVE-2019-19781 in Citrix Application Delivery Controller (ADC) and Citrix Gateway.
Positive Technologies recommends installing OS security updates and the latest versions of software in a timely manner and ensuring that software containing known vulnerabilities does not appear on the network perimeter.
About Positive Technologies
For 18 years, Positive Technologies has created innovative solutions for information security. We develop products and services to detect, verify, and neutralize the real-world business risks associated with corporate IT infrastructure. Our technologies are backed by years of research experience and the expertise of world-class cybersecurity experts. Over 2,000 companies in 30 countries trust us to keep them safe. Follow us on social media (LinkedIn, Twitter) and the News section at ptsecurity.com.
CONTOS DUNNE COMMUNICATIONS