Penetration testers report the same security failings across companies, leaving them vulnerable to attack.
Hackers can gain access to the internal networks of corporations by exploiting two security failings in as little as 30 minutes.
Ethical hackers and cybersecurity researchers at Positive Technologies perform penetration testing against organisations in a wide variety of sectors, but find common security vulnerabilities across all industries. The findings have been detailed in a new report, Penetration Testing of Corporate Information Systems.
The report, based on anonymised data from real organisations that have had their networks tested, said that for 71% of companies, there’s at least one obvious weakness that could provide malicious outsiders with entry into the network.
One of the most common security issues is weak passwords, allowing hackers to gain access to accounts by using brute-force attacks. Cracking the password of one account shouldn’t be enough to gain full access to an internal network, but in many cases, it just takes this and the ability to exploit known vulnerabilities to gain further access to systems.
“The problem lies in the low levels of protection even for large organizations. Attack vectors are based primarily on exploiting known security flaws. This means that companies do not follow basic information security rules,” Ekaterina Kilyusheva, head of information security analytics at Positive Technologies, told ZDNet.
In addition to weak passwords, over two-thirds of organisations are running vulnerable versions of software that have not received the required security updates, leaving them open to exploitation.
“An attacker can quickly gain access to an internal network if a web application contains a known vulnerability for which a public exploit exists,” Kilyusheva explains.
For example, in one instance, ethical hackers were able to use a brute-force attack to access a remote desktop application – something that has become more commonly used due to the increase in working from home in 2020.
The compromised user account had access to few applications, but by opening a mapping application the security testers were able to reach Windows Explorer processes and a command line, which allowed them to execute commands on the operating system and extend their access.
In a third of penetration exercises, researchers were able to gain access to the internal corporate network by combining brute-forcing with the exploitation of software vulnerabilities. In such cases the attacks could have been prevented by enforcing strong passwords and keeping the applications in use patched, so that they could not be exploited.
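The report describes brute-force attacks against remote desktop accounts but does not show how such activity looks to a defender. The following is an added example, not code from the report or from Positive Technologies: it runs simple detection logic over constructed log lines in a simplified one-line rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon), where LogonType 10 denotes an RDP session. The line format, the source addresses, the user names, and the threshold of five failures in ten minutes are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data) in a simplified one-line form of
# Windows Security events 4625 (failed logon) and 4624 (successful logon).
# LogonType=10 is RemoteInteractive, i.e. a Remote Desktop session.
# The first source sprays three accounts and finally gets into svc_backup;
# the second source shows two isolated failures that should not alert.
SAMPLE_LOG = """\
2020-11-18T09:00:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2020-11-18T09:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2020-11-18T09:00:05 EventID=4625 LogonType=10 User=j.smith Src=203.0.113.7
2020-11-18T09:00:07 EventID=4625 LogonType=10 User=j.smith Src=203.0.113.7
2020-11-18T09:00:09 EventID=4625 LogonType=10 User=svc_backup Src=203.0.113.7
2020-11-18T09:00:11 EventID=4625 LogonType=10 User=svc_backup Src=203.0.113.7
2020-11-18T09:00:13 EventID=4624 LogonType=10 User=svc_backup Src=203.0.113.7
2020-11-18T09:05:00 EventID=4625 LogonType=10 User=a.jones Src=198.51.100.4
2020-11-18T09:30:00 EventID=4625 LogonType=10 User=a.jones Src=198.51.100.4
2020-11-18T09:31:00 EventID=4624 LogonType=10 User=a.jones Src=198.51.100.4
2020-11-18T10:00:00 EventID=4624 LogonType=2 User=b.lee Src=10.0.0.5
"""

# Assumed line layout for the constructed log above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag source addresses with >= threshold failed RDP logons inside a
    sliding time window. Threshold and window are assumed tuning values.

    Each alert records the distinct accounts tried from that source and, if a
    successful RDP logon from the same source follows the burst, the account
    that was broken into, which is the case most worth escalating."""
    failures = defaultdict(list)  # src -> timestamps of recent failed logons
    tried = defaultdict(set)      # src -> distinct user names attempted
    alerts = {}                   # src -> alert dict, insertion-ordered

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # ignore unparsable lines and non-RDP logons
        src = ev["src"]
        if ev["event"] == 4625:
            # Keep only failures that fall inside the window ending now.
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            failures[src].append(ev["ts"])
            tried[src].add(ev["user"])
            if len(failures[src]) >= threshold:
                alert = alerts.setdefault(
                    src, {"src": src, "failed_logons": 0, "users": [], "success_after": None}
                )
                alert["failed_logons"] = len(failures[src])
                alert["users"] = sorted(tried[src])
        elif ev["event"] == 4624 and src in alerts:
            # A success right after a burst of failures: the guess worked.
            alerts[src]["success_after"] = ev["user"]

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log the detector raises a single alert for 203.0.113.7, listing the three accounts sprayed and naming svc_backup as the account whose password was eventually guessed; the two widely spaced failures from 198.51.100.4 stay below the threshold. In production the same logic would read real event records rather than this simplified format, and an account lockout or MFA on the remote desktop gateway would stop the attack before detection is needed.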
In these examples, the networks were being accessed by ethical hackers as part of security testing, but cyber criminals are looking to exploit the same weaknesses – and could use them to gain access to vast swathes of corporate networks.
The average time it took ethical hackers to get to the internal network was four days, but in one case it was possible in just thirty minutes.
“An attacker can develop an attack on critical business systems, for example, financial systems, gain access to computers of top managers, or conduct an attack on a company’s customers or partners. In addition, hackers can sell the obtained access on the darknet to other criminals to conduct attacks – for example, ransomware,” said Kilyusheva.
However, by following some basic security practices, such as banning weak passwords, applying multi-factor authentication and keeping software on the network patched, organisations can protect themselves against many of these attempted cyberattacks.