From 2013 to 2014, there was an increase in the vulnerability of the information systems of large enterprises. In about 60% of system attacks, the network perimeters were penetrated via web application vulnerabilities. Additionally in 2014, there was decreased awareness among employees regarding security issues, as they were more likely to follow unverified links and open files attached to e-mails from unknown sources.
These findings are outlined in detail in Positive Technologies’ 2014 penetration testing results publication and contrast significantly from the 2013 findings. The penetration testing simulates a hacker attack and provides a more realistic assessment than traditional auditing techniques alone.
The penetration testing data used in this article is drawn from testing the information systems of 18 large public and private companies. The firms are comprised of Fortune Global 500 firms and include some of the largest Russian firms in terms of volume of products produced annually, as ranked by Expert RA. More than half of the enterprises had multiple international subsidiaries and most systems had hundreds of active hosts available at the network perimeter. The majority of the firms operate in the manufacturing, banking and IT sectors.
In 2014, 94% of systems in the penetration testing study contained vulnerabilities that allowed testers to gain full control over some critical resources — Active Directory, ERP, e-mail, or network equipment control systems. In 67% of cases, an external attacker could gain full control over the most critical resources and in 27% of cases gaining access to the intranet user segment was enough to facilitate full control over the critical resource.
In both 2013 and 2014, almost all the systems had high-severity vulnerabilities and most of these critical vulnerabilities related to configuration flaws. However in 2014, most systems, 78%, had critical vulnerabilities related to outdated software updates, worse than the 2013 results of about 50%. The average age of the most outdated patch was 73 months, compared to just 32 months in 2013. In three systems, MS08-067 (CVE-2008-4250), a 6-year-old critical vulnerability widely used by both hackers and the Conficker network worm, was still in use.
Additionally in 2014, almost every information system, 89%, had vulnerabilities related to web application code errors and more than half of the companies, 61%, had high-severity vulnerabilities.
Security Perimeter Flaws
In 73% of systems, an outside attacker accessing the network from the Internet could access intranet hosts without using social engineering. When combining the use of intranet hosts with social engineering outside access to the system was gained in 87% of cases. In 2014, a low-qualified attacker could successfully attack 61% of systems, compared to just 46% in 2013.
Penetrating the perimeter in 2014, as in 2013, required exploitation of, on average, only two vulnerabilities However, one vulnerability was enough to penetrate more than half of the systems (6 out of 11) in 2014. Additionally, in 60% of all cases the penetration vector is based on web application code vulnerabilities. For example, SQL Injection appears in 67% of systems, and unrestricted file upload in 40%.
The most common vulnerabilities at the network perimeter are:
- Network equipment and server control interfaces available from the Internet, rising from 82% to 93% from 2013 to 2014.
- Dictionary passwords, including default and empty passwords — 87%. Also note that 67% of all systems used dictionary IDs and passwords as administrator IDs and passwords at the perimeter. Both of these factors increase the likelihood that an attacked could access the intranet.
By contrast, Heartbleed and Shellshock vulnerabilities, both of which garnered media scrutiny in 2014, have not been widely used in hacks, as the coverage encouraged most large companies to install updates to protect against them. Nevertheless, one company in this study did have an unfixed Heartbleed vulnerability that allowed attackers to obtain many customers’ credentials.
Gaining access to the company intranet is often the first step for an external attacker to gain access to critical resources. The 2014 report demonstrates that after gaining full control over critical resources in 80% of systems, the hacker would have been able to penetrate the network perimeter.
Intranet Security Flaws
Positive Technologies also considered the attack vectors of an internal hacker. The results of a hack by an employee located in the user segment of the network resulted in unauthorized access privileges leading to full control over information infrastructure in 78% of cases and access to critical resources such as banking and ERP systems in all the cases.
In 56% of cases, a low skilled attacker is able to access critical resources. Complicated attacks, requiring a high skill level to coordinate, were not necessary to access critical resources in 2014. By contrast, in 2013 they were required to penetrate 17% of systems. On average, an internal attacker needed to exploit three different vulnerabilities to gain control over critical resources in 2014, worse than the 2013 results in which an attacker had to exploit an average of five vulnerabilities.
Weak passwords are still the most common intranet security vulnerability detected in all the systems studied. Every system had weak administrator passwords, more than half of them were only six characters long.
The second most common intranet vulnerability is insufficient security on privileged accounts, a problem found in 88% of systems in 2014. In the case of the privileged accounts attack, the hacker can use high privileges to access the domain on behalf of an unknown account due to architecture flaws in the Kerberos protocol, an attack that is hard to detect.
Lack of Staff Awareness
As part of the penetration testing IS awareness checks were carried out among the system users. The results were based on the most common hacker methods — emailing messages containing an attachment or with a link embedded. The penetration testing monitored the number of links opened and files downloaded, as well as the number of credentials entered, to simulate a phishing scam.
From 2013 to 2014, staff vigilance about these types of attacks decreased significantly. In 2014, staff at 67% of companies whose systems were tested showed low or extremely low awareness level, and the others were estimated as \”below average\”. In particular, the number of users who followed the link increased from 11% to 20% and those who entered credentials in the phishing simulation quadrupled to 15%.
The results of the penetration testing presented in this article argue for improved security measures. Key areas include password policy, web application security, regular security updates, and privileged account security and user awareness. Additionally regular security audits of information systems and penetration testing both internal and external are recommended.
To access the full report please see: www.ptsecurity.com/upload/ptcom/PT_Pentalytic_2015_ENG.PDF