Learning from penetration testing

by Mark Rowe

Tod Beardsley, research director at the cyber security and pen testing company Rapid7, offers lessons from more than 250 penetration tests.

One of the things Rapid7 is known for in the cybersecurity world is the amount of penetration testing we do for our clients. We do a lot — and it’s a great way to expose weaknesses in an organisation’s cyber defences in a safe and controlled way. Last year, we collected the results of over 250 penetration tests performed by Rapid7 consultants, which were mainly focused on carrying out external tests, where we posed as malicious hackers armed with just the internet to gain entry to our clients’ networks and systems. The result? We were able to exploit at least one in-production vulnerability in 84pc of engagements. And for those clients where we did have the chance to conduct internal pen testing (through using their Wi-Fi or gaining access to their building), that figure rose to 94pc.

It’s difficult to conduct all these tests without noticing a few trends. When it comes to cybersecurity, most organisations are generally doing the same things, and so in the spirit of sharing to help organisations improve, here’s what we learned.

Businesses are finally taking the insider threat more seriously.

In 2017, only 21pc of our pen testing engagements were purely focused on the internal side of things, whereas in 2018, that figure rose to 32pc. Clearly, organisations face a greater number of external threats than internal ones. But we’ve always argued that internal defences should get the attention they need because the consequences of employee actions — whether malicious or otherwise — can often go unnoticed for months because very few technologies flag what a legitimate employee is doing on a network when they log in.

But given the number of high-profile attacks in the media recently that originated from an internal flaw, organisations are now paying attention.

Software vulnerabilities are at the core of penetration testing. Our work in 2018 saw a significant increase in the rate of vulnerabilities that we exploited to gain control over a critical networked resource. Our last report in 2017 saw about a 68pc rate of vulnerability exploitation, but this year, we achieved an 84pc success rate.

This didn’t surprise us. Unfortunately, as code and systems get more complex and more interconnected, the likelihood of introducing vulnerabilities in a networked environment increases, more or less to the point of inevitability.

What did surprise us, though, was the types of vulnerabilities our testers uncovered. Since we know that most engagements are externally based, we would expect to see a preponderance of web application-based vulnerabilities: cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection (SQLi) issues. However, this wasn’t the case — penetration testers reported encountering “some other vulnerability” more than 32pc of the time, usually (56pc) in combination with at least one of the other more specific vulnerability categories:

Network misconfigurations

Distinct from software vulnerabilities are network misconfigurations. These are issues that, while not baked into the software itself, tend to arise from implementation errors on the part of the targeted organisation’s IT staff. While our penetration testers were able to exploit software vulnerabilities about 84pc of the time, there was a slightly lower rate of leveraging misconfigurations (about 80pc of the time).

After “none” and “other,” the most prevalent named misconfiguration is a “service misconfiguration.” These tend to be network services that are either left in default configurations inappropriate for the network, or configured in such a way that some security feature shipped with the service is disabled. For example, if a cryptography service allows a fallback to a weak, easily cracked encryption algorithm, that would be a misconfiguration: the fallback is probably intended functionality, but it is not appropriate by modern security standards.

Login credentials

Across all engagements where the target organisation’s networked assets were part of the scope, penetration testers were able to successfully compromise credentials 53pc of the time, making it slightly more likely than not that an attacker could impersonate at least one authorised user on the network.

How did we do it? Most of the credentials we managed to compromise came from cached credentials and enumeration of group memberships, but some of the time we were even able to simply guess passwords because they were so weak.

These findings should worry organisations somewhat — not least because penetration testing can actually be quite a limited method for exposing vulnerabilities. Pen tests usually have a start and end date (which rarely applies to criminals), and organisations tend to know they’re about to be hacked, so at least someone in the organisation is going to be on high alert during that time. Hackers are not as constrained by these restrictions and so may find it even easier than we did to compromise systems. The key point to take away from our research is that every organisation will have vulnerabilities somewhere. Improving cybersecurity begins with first accepting that fact and then taking the necessary steps to plug as many gaps as possible.

It’s a constant battle.

© 2024 Professional Security Magazine. All rights reserved.