This article is more than 1 year old

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all

Pen test bods probe about two dozen orgs – all fail

Companies are still leaving basic security flaws and points of entry wide open for hackers to exploit.

This according to research from security house Positive Technologies, which says that its penetration testers found that enterprises were rife with things like months-old unpatched vulnerabilities and unsecured access points.

The 22 infiltration attempts, performed between April and December 2017, were for corporate customers and various industries who had hired Positive to test out their security systems. What the researchers found, unfortunately, was that getting in to every single one of these companies was all too easy.

Despite being the most-publicized malware infection in years, a vulnerability to the WannaCry nasty was found in nearly a third (31 per cent) of the companies. Additionally, 60 per cent of the machines tested were found to have not patched MS17-010, a remote code execution bug that had been addressed in March 2017, months before the tests were performed. That single bug caused the vulnerability rate from the tests to double from the previous year.

In one case, pentesters found a public-facing system that was vulnerable to CVE-1999-0532, a bug that is now more than 18 years old.

Networks are dodgy too

Network security was not much better. Pentesters were able to get into the internal LAN of targets 68 per cent of the time, and that 75 per cent of companies allowed wi-fi networks to access the company intranet. 40 per cent of companies had a dictionary password (vulnerable to brute-forcing) on their wireless network.

None of the companies tested were able to stop an insider attack: every single one of them allowed an internal account to take full control over the infrastructure. On top of that, 26 per cent of employees sent phishing emails in the tests followed the dodgy links and half of those people were convinced to submit data into a fake authentication page.


So long and thanks for all the phish: Red teams need to be smarter now


If Positive Technologies' numbers weren't enough to keep you awake at night, there's also a mid-year report from ZDI based on its own bug-hunting numbers.

That report found a 33 per cent increase in bug reports (though that is in part due to ZDI logging 500 more researchers in its program) while SCADA bugs (30 per cent of all advisories), Microsoft browser flaws, and virtual machine bugs all surging in popularity.

If there is some good news to be had, it's that vendors are getting better at patching. ZDI said that instances where a vendor was unable to patch a flaw before its researchers went public were down 42 per cent from the first half of last year. ®

More about


Send us news

Other stories you might like