• An analysis of penetration tests conducted by Kaspersky Lab researchers on corporate networks during 2017 reveals that three-quarters (73%) of successful perimeter breaches were achieved using vulnerable web applications. The findings are summarized in a new report, ‘Security assessment of corporate information systems in 2017’.
Each IT infrastructure is unique, and the most dangerous attacks are specially planned to take into account the vulnerabilities of a particular organization. Every year, Kaspersky Lab’s Security Services department carries out a practical demonstration of possible attack scenarios to help organizations worldwide identify vulnerabilities in their networks and avoid financial, operational and reputational damage. The aim of the annual penetration test report is to make IT security specialists aware of relevant vulnerabilities and attack vectors against modern corporate information systems, and thereby strengthen their organization’s protection.
The results of the 2017 research show that the overall level of protection against external attackers was assessed as low or extremely low for 43% of analyzed companies. 73% of successful external attacks on the network perimeters of organizations in 2017 were achieved using vulnerable web applications. Another common vector for penetrating the network perimeter was an attack on publicly available management interfaces with weak or default credentials. In 29% of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment, and employee workstations, on behalf of an ‘attacker’ that had no internal knowledge of the target organization and located in the Internet.
The information security situation in companies’ internal networks was even worse. The level of protection against internal attackers was identified as low or extremely low for 93% of all analyzed companies. The highest privileges in the internal network were obtained in 86% of the analyzed companies; and for 42% of them it took only two attack steps to achieve this. On average, two to three attack vectors were identified with which the highest privileges could be gained in each project. Once the attackers get them, they can obtain complete control over the whole network including business critical systems.
The notorious vulnerability MS17-010 widely exploited both in individual targeted attacks and by ransomware such as WannaCry and NotPetya/ExPetr was detected in 75% of companies that underwent internal penetration testing after information on the vulnerability was published. Some of these organizations did not update their Windows systems even after 7-8 months after patch release. In general, obsolete software was identified on the network perimeter of 86% of the analyzed companies and in the internal networks of 80% of companies, demonstrating that unfortunately due to poor implementation of basic IT security processes many enterprises may become easy targets for attackers.
According to the results of the security assessment projects, web applications of government bodies occurred to be the most insecure, with high-risk vulnerabilities found in each application (100%). By contrast, e-commerce applications are better protected from possible external interference. Only a bit over a quarter has high-risk vulnerabilities, which makes them the most protected ones.
“Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance. For example, half of the attack vectors could have been prevented by restricting access to management interfaces.” – said Sergey Okhotin, Senior Security Analyst of Security Services Analysis, Kaspersky Lab.
To improve the security stances, companies are advised to :
- Pay special attention to web application security, timely updates of vulnerable software, password protection and firewall rules.
- Run regular security assessments for IT-infrastructure (including applications).
- Ensure that information security incidents are detected as early as possible. Timely detection of threat actor activities at the early stages of an attack and a prompt response may help prevent or substantially mitigate the damage caused. Mature organizations where well-established processes are in place for security assessment, vulnerability management and detection of information security incidents, may want to consider running Red Teaming-type tests. Such tests help check how well infrastructures are protected against highly skilled attackers operating with maximum stealth, as well as help train the information security service to identify attacks and react to them in real-world conditions.