Tiny loopholes that can wreak havoc
Pentesters only need a tiny loophole to gain access to the victim's network and then discover and exploit further vulnerabilities. Companies that commission pentests understandably do not publish any information about the results. This makes anonymized studies by pentest service providers all the more interesting, as they give an impression of the most common methods and loopholes.
Such a study has just been published by the pentest provider Rapid7. The company analyzed data from 268 projects carried out between September 2017 and June 2018 and summarized the most interesting findings. The detailed report is packed with statistics and also includes real-world incidents. Even for many seasoned security professionals these may come as a rude awakening; the report is well worth reading. Incidentally, the success rate of the attackers was 84% for external tests and 96% for tests from inside the network. In 7% of external and 67% of internal attacks, system-wide admin access was achieved and the network was completely compromised.
This is not surprising, of course. An attacker always has the advantage, and the kind of dedicated attack a pentester launches, with plenty of time for preparation and a complete team that targets every possible attack vector, can hardly be stopped. At the very least, companies should notice the suspicious activity inside their network, but unfortunately the detection rate is miserable. The study reports that attacks remain undetected if companies do not react to suspicious activity within the first 24 hours, and only 30% of companies were able to do so. Large and small companies differed only marginally: extensive budgets and large teams do not necessarily mean more security. One finding was particularly shocking: account lockout mechanisms, which block access to an account after too many failed login attempts, either had no effect, did not exist in the first place, or delayed the attack only insignificantly. In fact, account lockout led to discovery of the attack in only 3.8% of the cases.
Intriguingly, differences were found across sectors, for example in whether a sector commissioned more internal or more external tests. The technology sector was almost exclusively external, while the education sector focused exclusively on internal testing. The high-tech companies therefore seem to believe in the integrity of their employees, while universities and schools do not seem to trust their pupils and students. Sensitive internal data and personal data have the highest priority among the data that need to be protected and are consequently the most desirable targets for attack. Interestingly, pentesters have already succeeded in compromising the first cryptocurrencies.
External access to networks is mostly gained through software vulnerabilities. In 84% of the cases there were vulnerabilities in installed software that the testers could exploit; internal attacks found an exploitable vulnerability in 96% of all cases. No single vulnerability was preferred above another; the study found a wide choice of attack vectors, depending on the environment. Aside from exploiting vulnerabilities, the attackers usually made use of incorrectly configured services (80% external, 96% internal), for example a server that falls back to a less secure communication mode if the client requests it. Almost all of the tested organizations use a username/password combination for authentication. The researchers observed that the rate of successful penetration was significantly lower in cases where two-factor authentication (2FA) was used.
The researchers also reported interesting findings on passwords. Unlike the password dumps found in hacker forums, the credentials pentesters harvest are real, live ones: there are no obsolete, duplicate, or otherwise irrelevant entries. It turns out that eight-character passwords are the most common, often with a number at the end. If the number has four digits, 2018 and 1234 top the list. This unfortunately confirms the statistics from the password dumps.