A recent study concluded that 93% of companies can be breached, on average, in 4 days. To make matters worse, the analysis revealed that even unskilled hackers are able to penetrate the internal networks of 3 out of 4 companies.
93% Of Companies Breached in 30 Minutes to 10 Days
Positive Technologies experts revealed how easy it is for hackers to breach an organization’s internal network. They presented the results of their study in a report that also describes the most common security issues and attack methods. Types of companies tested included finance (32%), IT (21%), fuel and energy (21%), government agencies (11%), hospitality and entertainment (7%), industry (4%), and telecoms (4%).
Their analysis showed that the local networks of 93% of companies can be accessed by unauthorized parties without much effort. Furthermore, they found that in most cases, the attack complexity was low. This means that even a hacker with only basic skills would be capable of executing such an attack. The average time for penetrating a local network was 4 days. In one case, the time needed was only 30 minutes.
77% of attack methods rely on web applications being insufficiently protected. At least one such flaw was present at 86% of companies. The other penetration methods consisted mainly of brute force attacks to crack credentials for services on the network perimeter. At 68% of companies, an attacker was able to access the internal network in just two steps.
How Positive Technologies Penetrated Internal Networks
Positive Technologies used penetration tests to assess the capabilities of companies to defend themselves against system attacks. In these tests, ethical hackers – called “pentesters” – imitate what real attackers would do. Pentesters are usually hired by companies who already have a more or less robust security system in place.
Usually these tests combine internal and external pentests. Testing that takes place from an external network, such as the internet, is called an external pentest. Conversely, in an internal pentest, attacks originate from inside the company. Typically, a pentester would test, for example, typical employee privileges, or access available to a random, unauthorized visitor.
Pentests can ascertain how effective a security system is and if a company is well prepared to fence off cyberthreats. They are not intended for the detection of specific vulnerabilities, but rather are used to reveal security flaws or, for example, to indicate whether hackers could gain access to specific business systems.
Traces of Previous Attacks in 1 Out of 6 Companies
In 1 out of every 6 companies tested, Positive Technologies found traces of previous attacks. Some had web shells on the network perimeter, others malicious links on their official sites, or valid credentials in public data dumps. This indicates that the infrastructure may already have been infiltrated by hackers in the past.
57% of vulnerabilities were related to web applications, 50% to password policy flaws, 29% had to do with vulnerable software and 25% with configuration flaws. In the case of software vulnerabilities, the flaws mostly concerned old versions of Laravel and Oracle WebLogic Server.
During their work, the pentesters also discovered six zero-day Remote Code Execution (RCE) vulnerabilities, including CVE-2019-19781 in Citrix Application Delivery Controller (ADC) and Citrix Gateway. They found additional zero-day vulnerabilities in other popular products, but details were withheld since patches are still pending.