Kaspersky Lab†is announcing the analysis of penetration tests on corporate networks which reveals that three-quarters (73%) of successful perimeter breaches in 2017 were achieved using vulnerable web applications. The tests are conducted by the company’s researchers and the latest findings are summarized in a new report, “Security assessment of corporate information systems in 2017.”†
Every year,†Kaspersky Lab’s Security Services†department carries out a practical demonstration of possible attack scenarios to help organizations worldwide identify vulnerabilities in their networks and avoid financial, operational, and reputational damage. The aim of the penetration test report is to educate IT security specialists and raise awareness of relevant vulnerabilities and attack vectors against modern corporate information systems, empowering specialists to protect their organizations. The results of the 2017 research show that the overall level of protection against external attackers was assessed as ‘low’ or ‘extremely low’ for 43 percent of analyzed companies.†
In addition to web applications, another common vector for penetrating the network perimeter was attacks on publicly available management interfaces with weak or default credentials. In 29 percent of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment, and employee workstations, on behalf of an ‘attacker’ that had no internal knowledge of the target organization.
The information security tests in corporate internal networks were even worse. The level of protection against internal attackers was identified as low or extremely low for 93 percent of all analyzed companies. The highest privileges in the internal network were obtained in 86 percent of the analyzed companies, and for 42 percent of them, it took only two attack steps to achieve this. On average, two-to-three attack vectors were identified with which the highest privileges could be gained in each project. Once the attackers get them, they can obtain complete control over the whole network including business critical systems.
The notorious vulnerability MS17-010 widely exploited both in individual targeted attacks and by ransomware, such as†WannaCry†and NotPetya/ExPetr, was detected in 75 percent of companies that underwent internal penetration testing after information on the vulnerability was published. Some of these organizations did not update their Windows systems until seven-to-eight months after the patch was released. In general, obsolete software was identified on the network perimeter of 86 percent of the analyzed companies and in the internal networks of 80 percent of companies. Poor implementation of basic IT security processes is putting many enterprises at risk.
According to the results of the security assessment projects, web applications of government bodies occurred to be the most insecure with high-risk vulnerabilities found in each application (100%). On the other hand, e-commerce applications were found to be better protected from possible external interference with over a quarter having high-risk vulnerabilities.
“Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance,” said Sergey Okhotin, senior security analyst of security services analysis at Kaspersky Lab. “For example, half of the attack vectors could have been prevented by restricting access to management interfaces.”
To improve corporate network security strategies, companies are advised to:
- Closely monitor firewall rules, web application use, and look for updates available for vulnerable software.
- Implement password policies to encourage users to create strong password that enhance network security.
- Run regular security assessments for IT-infrastructure (including applications).
- Implement a strategy for the detection of cyberattack activities at an early stage and have a plan for a prompt response.
- Organizations with well-established processes in place should also consider running Red Teaming-type tests to assess infrastructure protection and train the information security service to identify and react to attacks in real-world scenarios.
