
Security audits reveal poor state of corporate cyber defences

Critical vulnerabilities detected in 47% of corporate systems investigated in security audits by Positive Technologies

Most corporate networks can be compromised by relatively simple hacking techniques, a review of 2016 security audits has shown.

Some of these techniques require very little skill and can be completed in just two steps on average, according to a whitepaper on corporate vulnerabilities by Positive Technologies.

The findings are consistent with views expressed by former hackers Cal Leeming and Darren Martyn, who told Computer Weekly in April 2017 that even large and well-resourced enterprises leave themselves open to attack by failing in several key basic areas of cyber defence.

The security audits by Positive Technologies, which simulate how actual attackers would try to penetrate corporate systems, identified a large number of protection flaws.

Critical vulnerabilities were detected in 47% of investigated corporate systems. These high-risk vulnerabilities are frequently related to configuration errors (40%), errors in web application code (27%), and failure to install security updates (20%).

Poor software security updating or patching processes were highlighted in the wake of the WannaCry global ransomware attacks that exploited Microsoft software vulnerabilities for which the software supplier had already issued patches.

Among out-of-date systems identified in the security audits, the average age of the oldest uninstalled updates is nine years, according to the whitepaper.

The oldest vulnerability found (CVE-1999-0024) was published more than 17 years ago and relates to DNS server support for recursive queries. A malicious user could exploit this vulnerability to conduct denial of service (DoS) attacks, the whitepaper said.

The security audit review found that common perimeter vulnerabilities include dictionary passwords, unencrypted data transfer protocols (100%), vulnerable software versions (91%) as well as publicly available interfaces for remote access, equipment control, and connection to database management systems (91%).


Although web application vulnerabilities are not the largest threat, they are still dangerous, the review showed, with web application vulnerabilities making it possible to bypass the network perimeter on 77% of corporate systems tested. 

When acting as an external intruder, testers were able to gain full control over corporate infrastructure on 55% of systems, and while acting as an internal intruder, testers were successful on all systems – up from 28% and 82%, respectively, in 2015.

The most common internal network vulnerabilities found on all systems tested are flaws in network layer and data link layer protocols, leading to traffic redirection and interception of information about network configuration.

Staff awareness of information security was extremely low in half of systems in 2016, compared with 25% of systems in 2015, the whitepaper said. Wireless network security was also extremely poor in most cases (75%), with every second system allowing access to the local area network (LAN) from Wi-Fi.

“The vast majority of attacks on corporate infrastructures involve exploitation of common vulnerabilities and flaws,” said Evgeny Gnedin, head of information security analytics at Positive Technologies.

“Companies can dramatically improve their security stance and avoid falling victim to attacks by applying basic information security rules.”

The rules that Gnedin recommends all organisations to follow are:

  • Develop and enforce a strict password policy.
  • Minimise privileges of users and services.
  • Do not store sensitive information in cleartext.
  • Minimise the number of open network service interfaces on the network perimeter.
  • Regularly update software, and install operating system security updates.
  • Protect or disable unneeded protocols.
  • Segment networks.
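An added example, not from the whitepaper or from Computer Weekly, of how a defender might turn the perimeter findings and the fourth and sixth rules above into a repeatable check: it parses a constructed inventory of exposed services and groups the open ones into the three exposure categories the audit names (cleartext protocols, remote access, database management interfaces). The port-to-service tables and the allowed-port set are assumed defaults, not values from the report.

```python
import re
from collections import defaultdict

# Assumed port-to-service tables for the audit's three perimeter exposure categories.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
REMOTE_ACCESS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
DBMS = {1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgresql"}
# Services deliberately published on the perimeter; assumed, so not flagged.
ALLOWED = {443}

# One inventory line: "<host> <port>/<proto> <state>", as a scanner summary might list it.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(\w+)$")

# Constructed sample inventory (TEST-NET addresses); not real scan output.
INVENTORY = """\
203.0.113.10 22/tcp open
203.0.113.10 443/tcp open
203.0.113.11 23/tcp open
203.0.113.11 80/tcp open
203.0.113.12 3306/tcp open
203.0.113.13 3389/tcp open
203.0.113.13 161/udp open
203.0.113.14 8443/tcp closed
"""


def classify(port):
    """Return (category, service) for a port that needs review, or None otherwise."""
    if port in ALLOWED:
        return None
    for category, table in (("cleartext", CLEARTEXT),
                            ("remote_access", REMOTE_ACCESS), ("dbms", DBMS)):
        if port in table:
            return category, table[port]
    return None


def triage(inventory):
    """Group open perimeter services by category: {category: [(host, port, service)]}."""
    findings = defaultdict(list)
    for line in inventory.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "open":
            continue  # skip blank, unparsable or non-open entries
        hit = classify(int(m.group(2)))
        if hit:
            findings[hit[0]].append((m.group(1), int(m.group(2)), hit[1]))
    return dict(findings)


if __name__ == "__main__":
    for category, items in sorted(triage(INVENTORY).items()):
        print(category, items)
```

Each flagged entry is a candidate either to close, to move behind a VPN or segmented network, or to replace with an encrypted equivalent; the allowed set documents the exceptions that were reviewed on purpose.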

Gnedin also noted that antivirus protection alone is not enough to maintain high security. “To protect web applications, it is necessary to use web application firewalls [WAFs], and security event monitoring [SIEM] systems help to detect attacks promptly,” he said.

Gnedin also urged organisations to train employees regularly to improve information security awareness, and to perform penetration testing to identify new attack vectors and test protection methods in a timely manner.

“By consistently applying all these measures, companies can ensure effective protection and justify the cost of expensive specialised security systems,” he said.
