Positive Technologies found in a recent study that criminals with few skills can hack a company in less than 30 minutes.
Despite cybersecurity efforts, bad actors continue to find ways to hack businesses. Consequently, security efforts are focused on how to prevent these destructive breaches. Penetration testers (pentesters) were successful in breaching the network perimeter and accessing the local networks of 93% of companies, according to a recent report from the security information company Positive Technologies.
Pentesters are ethical hackers, hired by a company, who mimic the actions of criminal hackers, and look for and find the areas of vulnerability within the company's security. Given the assignment, it's best served when the client has a security system already in place.
Testing an external network, such as the internet, is called an external pentest. Pentesters try to find as many ways as they can to penetrate the local network, and the combination of external-and-internal network breaches represent 58% of hacks, and external alone, 19%.
Comparatively, in an internal pentest, attacks (23%) originate from inside the company, by testing, for example, typical employee privileges or with the physical access available to a random visitor. An internal pentest can determine the highest level of privileges an attacker can obtain.
SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)
Pentesters offer an expert's opinion and analysis of the effectiveness of their clients' security system, as well as cyber threat preparedness.
One-sixth of pentestered companies revealed traces of previous attacks. While the average time to penetrate a local network was four days, pentesters found it could be done in as little as 30 minutes. But in the majority of cases, the successful attacks lacked much complexity, and pentesters said the attack was within the purview of a hacker with "middling" skills.
Only 7% of systems tested were adequate enough to withstand any breaches, but 25% were hacked in a single step, 43% in two steps, and 25% in three to six steps.
The testing revealed some alarming vulnerabilities, including the fact that at 71% of companies, even an unskilled hacker was able to penetrate the internal network.
Another revelation was that 77% of breaches were related to insufficient protection of web applications, and pentesters discovered at least one vector at 86% of companies. A penetration vector, the report explained, refers to a method that explores the weaknesses which allowed the breach in a network perimeter.
Pentesters were able to breach 77% of businesses through web application protection vulnerabilities, 15% through brute forcing credentials used for accessing DBMS, 6% brute forcing credentials for remote access services, and 1% each through brute forcing domain-user credentials with software vulnerabilities exploitation, as well as with software vulnerabilities exploitation as well as bruteforcing credentials for the FTP server.
Risk-level of detection is 57% for web application vulnerabilities, 50% for password policy flaws, 29% vulnerable software, 25% configuration flaw.
Perform security assessments of web applications regularly.
Penetration testing is performed as a "black box" without access to source code, so some issues may not be detected.
Use tests for source-code analysis (white box); it detects the most issues.
Repairs can take significant time.
Issues may also appear in third-party software (app's vulnerable until that third party releases a patch.
Protect the network perimeter with a web application firewall (WAF) to prevent exploitation of vulnerabilities.
Ensure interfaces open for connection actually need to be available to all internet users.
Regularly inventory internet-accessible resources.
Install OS security updates ASAP.
Install latest versions of apps ASAP.
Be sure software with known vulnerabilities is not on the corporate network perimeter.
Regularly conduct penetration testing.
Unsurprisingly, pentesters are most popular in the finance field, with 32% of companies who want to protect their money matters. There's a tie for second place, 21% for both IT as well as fuel and energy.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)