Penetration tests find most firms vulnerable via multiple vectors, including well-known security bugs and perimeter Wi-Fi weaknesses
Penetration testers at a computer security firm were able to breach 92 percent of their corporate clients, with companies on average vulnerable via two vectors, the firm said.
London-based Positive Technologies said most companies were vulnerable to well-known security flaws that required no special skill to exploit, and that it was able to gain full control of every system that underwent internal penetration testing.
The UK’s National Cyber Security Centre (NCSC) has repeatedly warned of the dangers posed by the hacking of the country’s critical infrastructure, including industrial control systems.
Positive’s clients included companies in the industrial, financial, and transport sectors, the firm said in its new Penetration Testing of Corporate Information Systems: Statistics and Findings report.
The failure to apply patches left many systems open to attack using well-known flaws, with Positive finding a 19-year-old flaw in one system – CVE-1999-0024, which affects the DNS server software BIND.
On the network perimeter, the most common issues were vulnerabilities in web application code, with 75 percent of successful penetration vectors leveraging poor protection of web resources.
At half of the companies tested, an attacker was able to breach the network perimeter in just one step, usually by exploiting a web application vulnerability, Positive said.
The company said the issue was a result of the growing complexity of web applications, which makes coding errors more likely.
“These errors are frequently found during penetration testing, but by far the best way to find them is white-box testing with analysis of source code,” said Positive cyber security resilience lead Leigh-Anne Galloway in a statement. “Fixing vulnerabilities after the fact usually involves changing the code, which requires a lot of time.”
At 87 percent of tested clients, the client’s Wi-Fi networks were accessible from outside the premises, such as from a nearby cafe, parking lot or public waiting area, exposing the internal network.
On 63 percent of systems, weak Wi-Fi security, including failure to encrypt Wi-Fi traffic or the use of weak Wi-Fi authentication protocols, allowed resources on the local network to be accessed.
Other attacks included brute force attacks against the internal network and vulnerability to social engineering, Positive said.
The “vast majority” of tested companies were vulnerable via multiple vectors – two on average, and up to five.
Controlling the perimeter
Positive said many of the successful test attacks made use of the presence of interfaces at the perimeter that should not be accessible from the outside, such as an internet-accessible video surveillance system that provided an attacker with the ability not only to view videos, but also to run malicious code on the server.
“This shows how important it is to correctly delineate the network perimeter and monitor the security of every component,” Galloway said.
She recommended that companies minimise the number of services at the network perimeter and ensure that sensitive information such as access credentials and address books are not available publicly.