All corporate networks are highly vulnerable to attacks that would give hackers full control of their infrastructure, according to a Tuesday report from Positive Technologies.
The report studied 2017 audits of 22 corporate systems belonging to companies across different industries, including IT, finance, retail, and transportation. Positive Technologies researchers were able to gain full control of infrastructure on every corporate network they attempted to compromise. Only 7% of the systems studied were moderately difficult to access, the report found.
These results indicate that penetrating a network perimeter has become easier than in the past: Researchers rated the difficulty of accessing the internal network as “trivial” in 56% of the 2017 tests, compared to 27% in 2016.
Each company had an average of two attack vectors that allowed their network to be infiltrated, according to the report. For one corporation, researchers found 10 different vectors. The oldest vulnerability found, CVE-1999-0532, dates back 18 years, the report found.
One of the most common attack vectors was corporate Wi-Fi networks. Among those tested, 40% used easy-to-guess dictionary passwords, while 75% were accessible from outside of company offices. Another 75% of Wi-Fi networks failed to enforce per-user isolation, meaning that hackers could attack personal and corporate laptops connected to the Wi-Fi network without accessing the target’s building, the report noted.
Employees also remain a security weak point for most companies studied: During the testing, 26% of employees clicked a link for a phishing website, and nearly half of those entered their credentials in a fake authentication form. One in six employees opened a fake malicious file in an email attachment, while another 12% communicated with hackers.
To gain full control over a corporate network, an attacker typically penetrates the network perimeter, and takes advantage of vulnerabilities in out-of-date OS versions, Positive Technologies analyst Leigh-Anne Galloway said in a press release. Then, they can run a special utility to collect the passwords of all OS users who are logged into those computers.
“Gradually, system by system, the attacker continues until obtaining the password of the domain administrator,” Galloway said. “At that point, it’s game over–the attacker can burrow into the infrastructure and control critical systems while staying unnoticed.”
Companies can protect their networks by taking the following steps:
- Keep all operating systems and applications up to date
- Enforce use of strong passwords on all systems by all users, especially administrators
- Use two-factor authentication for administrators of key systems
- Don’t give administrator privileges to every employee on their computer
The big takeaways for tech leaders:
- 100% of corporate networks are highly vulnerable to insider attacks. — Positive Technologies, 2018
- Each company has an average of two attack vectors that would allow their network to be infiltrated. — Positive Technologies, 2018