In external penetration testing undertaken for corporate clients in industrial, financial, and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors by which an attacker could reach the internal network.
As described in a new report, ‘Penetration Testing of Corporate Information Systems: Statistics and Findings’, companies were vulnerable to an average of two vectors, and in one case, as many as five. Reaching an internal network from the outside can typically be accomplished with well-known security vulnerabilities, without requiring exceptional skill or knowledge on the part of would-be attackers.
Testers found that vulnerabilities in web application code are the main problem on the network perimeter. Overall, 75 percent of successful penetration vectors leveraged poor protection of web resources. At half of companies, an attacker can breach the network perimeter in just one step, most often by exploiting a vulnerability in a web application.
Vulnerabilities on internal systems
Full control of infrastructure was obtained on all tested systems in internal pentesting. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers, and ATM management. The most common successful attack vectors against internal networks included:
- Brute force attacks against the internal network - using dictionary passwords to break into an account. Since credentials are shared between computers, the attacker can then move laterally from one host to another.
- Failure to install updates - especially those fixing critical vulnerabilities. On internal infrastructure, vulnerable OS versions were the most frequently encountered, found on 44 percent of tested systems.
- Vulnerability to social engineering - testers emulated a phishing attack on the company by sending employees specially crafted emails with attachments or web links. Results showed that one out of three employees risked running malware on a work computer, one out of seven engaged in dialog with an imposter and disclosed sensitive information, and one out of ten entered account credentials in a fake authentication form.
- Vulnerability in Wi-Fi networks - a key vector for threats against internal corporate infrastructure. At 87 percent of tested clients, Wi-Fi networks were accessible from outside of client premises, such as from a nearby cafe, parking lot, or public waiting area. On 63 percent of systems, weak Wi-Fi security enabled accessing resources on the local network.