Most firms have software security vulnerability

Only 16% of companies investigated are clear of software vulnerabilities that external cyber attackers could use to gain access to their IT systems, a study by security firm Rapid 7 has found.

This figure drops to just 4% for internal penetration tests, according to the firm’s latest Under the hoodie report, based on 268 penetration tests over nine months to June 2018.

The study was aimed at discovering the most common weaknesses in modern enterprises to identify the most prevalent cyber threats to inform cyber defence strategies.

The study noted that while most people would expect to see a preponderance of cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection (SQLi) vulnerabilities, since these are most commonly associated with external-facing web applications, this was not the case.

“Penetration testers reported encountering ‘some other vulnerability’ more than 32% of the time, usually (56%) in combination with at least one of the other more specific vulnerability categories,” the report said.

Another key finding of the study was that in 80% of the cases, pen testers were able to abuse at least one network misconfiguration, which rose to 96% of cases in internal tests.

Although penetration testers, like cyber attackers, rely on the homogenous character of corporate networks, using tried-and-true commodity exploits that are effective nearly everywhere, the report said there was often an additional, custom component to penetrating a client’s network.

The pen testers found that in 53% of their investigations, they were able to discover at least one set of credentials which would enable them to access IT systems undetected.  

While passwords are widely recognised as being an ineffective security control without the use of two-factor authentication (2FA), the study revealed that 2FA was present and effective in only 15% of all engagements.

Where pen testers were able to take advantage of a network or wireless network connection, they were even able to capture log-in data from users in 86% of cases. 

In 28% of cases, pen testers were able to gain full administrative control over the network of the target organisation, with the figure rising to 67% for internal pen tests.

The report underlined the importance of “solid” network segmentation, noting that if attackers were unable to traverse logical boundaries between environments, it would be extremely difficult to make use of any stolen workstation credentials to escalate to domain-wide administrative privileges.

“Even if a powerful service account has been compromised, if there’s no route between targets, the pen tester [attacker] must effectively start over again with another foothold in the network,” the report said.

With reference to “powerful” service accounts, the report also noted that a principle of least privilege could help contain the damage suffered by losing control of that service account.

“IT administrators should review the actual permission requirements for service accounts and devise a non-root, non-administrator account permission scheme that allows the service just enough privilege to perform its intended function,” the report said.

The report also highlighted the importance of a “robust” vulnerability and patch management capability. “Many user systems today are configured by default to check for and apply software patches automatically, but some organisations are reluctant to employ the same strategy to business-critical servers.

“While a patching routine may not necessarily be technically automatic for these systems, it’s imperative that IT and security organisations work together to ensure that patches are rolled out as quickly and seamlessly as practicable,” the report said.

The report also recommended engendering a security culture so that every user on the network shares responsibility for keeping company systems and data safe.

“Training users to spot phishing campaigns, social engineering operations and other relatively low-tech attack techniques goes a long way to extending the security team’s vision and reach,” the report said.