An analysis of penetration tests conducted by Kaspersky Lab researchers on corporate networks during 2017 reveals that three-quarters (73%) of successful perimeter breaches were achieved using vulnerable web applications.

The findings are summarised in a new report, Security assessment of corporate information systems in 2017.

Each IT infrastructure is unique, and the most dangerous attacks are specially planned to take into account the vulnerabilities of a particular organisation. Every year, Kaspersky Lab’s Security Services department carries out a practical demonstration of possible attack scenarios to help organisations worldwide identify vulnerabilities in their networks and avoid financial, operational and reputational damage. The aim of the annual penetration test report is to make IT security specialists aware of relevant vulnerabilities and attack vectors against modern corporate information systems, and thereby strengthen their organisation’s protection.

The results of the 2017 research show that the overall level of protection against external attackers was assessed as low or extremely low for 43% of analysed companies. A massive 73% of successful external attacks on the network perimeters of organisations in 2017 were achieved using vulnerable web applications.

Another common vector for penetrating the network perimeter was an attack on publicly available management interfaces with weak or default credentials. In 29% of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment and employee workstations, while acting as an ‘attacker’ with no internal knowledge of the target organisation and located on the Internet.

The information security situation in companies’ internal networks was even worse. The level of protection against internal attackers was identified as low or extremely low for 93% of all analysed companies. The highest privileges in the internal network were obtained in 86% of the analysed companies, and for 42% of them it took only two attack steps to achieve this.

On average, two to three attack vectors were identified in each project through which the highest privileges could be gained. Once attackers obtain them, they can take complete control over the whole network, including business-critical systems.

The notorious vulnerability MS17-010, widely exploited both in individual targeted attacks and by ransomware such as WannaCry and NotPetya/ExPetr, was detected in 75% of companies that underwent internal penetration testing after information on the vulnerability was published. Some of these organisations had not updated their Windows systems even seven or eight months after the patch was released.

In general, obsolete software was identified on the network perimeter of 86% of the analysed companies and in the internal networks of 80% of companies. This demonstrates that, because of poor implementation of basic IT security processes such as patch management, many enterprises may become easy targets for attackers.

According to the results of the security assessment projects, web applications of government bodies turned out to be the most insecure, with high-risk vulnerabilities found in every application tested (100%).

By contrast, e-commerce applications are better protected from possible external interference. Only a little more than a quarter of them have high-risk vulnerabilities, which makes them the best-protected category.

“Qualitative implementation of simple security measures like network filtering and password policy would significantly increase the security stance. For example, half of the attack vectors could have been prevented by restricting access to management interfaces,” says Sergey Okhotin, senior security analyst, security services analysis at Kaspersky Lab.