You weren't hacked because you lacked space-age network defenses. Nor because cyber-gurus picked on you. It's far simpler than that
Three little words: Patches, passwords, policies
The continued inability of organizations to patch security vulnerabilities in a timely manner, combined with guessable passwords and the spread of automated hacking tools, is making it pretty easy for miscreants, professionals, and thrill-seekers to break into corporate networks.
This is according to the penetration-testing crew at Positive Technologies, which pored over the results of its 2019 client audits [PDF] and found that 71 per cent of the time – 20 out of 28 pentest contracts – its red team was able to get into their target using tools and tricks available to script kiddies and newbies.
"It is not that unskilled hackers are using methods that more skilled criminals would not need," Ekaterina Kilyusheva, head of Positive Tech's Information Security Analytics Research Group, told The Register last night. "But in most cases, attack complexity was low, meaning that the attack was within the capabilities of a middling hacker with basic skills."
The crews found that bugs in web apps for which patches exist yet were not applied were a particularly easy way to break into networks. In 77 per cent of the cases, web app vulnerabilities and configuration flaws allowed the red teamers to crack a company's defenses; in one case, it took as little as 30 minutes to pwn the target.
These were not exactly obscure, easily overlooked flaws, either. About 60 per cent of the web application holes used were deemed critical – think remote code execution – and should have been patched as soon as possible, while mindful of the need for testing and deployment planning. Another 11 per cent were deemed high-risk vulnerabilities, again bugs that would ideally be addressed ASAP.
The second most common method of break-in was weak login credentials. In those cases, brute-forcing passwords for database management and remote access software worked pretty well. Brute forcing is easy to block yet time and time again it's forgotten about by admins.
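Blocking brute forcing starts with noticing it. Below is an added example, not code from the Positive Technologies report or The Register, of the detection logic a defender would run over authentication logs: a sliding window of failed logins per source address, with a second alert when a success follows a burst of failures (the sign that a guess landed). The log lines are constructed OpenSSH-style syslog entries; the five-failures-in-60-seconds threshold, the year supplied for the year-less syslog timestamp, and the "three failures before a success" heuristic are assumptions for illustration, not values from the report.

```python
"""Brute-force login detection over constructed auth log lines.

Added example; not from the Positive Technologies report. The sample
lines, thresholds and window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (syslog omits the year).
# One host hammers root/admin/postgres, then gets in as postgres;
# a second host has two isolated failures 15 minutes apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 db01 sshd[2210]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:00:02 db01 sshd[2211]: Failed password for root from 203.0.113.7 port 51011 ssh2
Mar  3 10:00:02 db01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:00:03 db01 sshd[2213]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 10:00:04 db01 sshd[2214]: Failed password for postgres from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:05 db01 sshd[2215]: Accepted password for postgres from 203.0.113.7 port 51015 ssh2
Mar  3 10:00:05 db01 sshd[2215]: pam_unix(sshd:session): session opened for user postgres
Mar  3 10:00:09 db01 sshd[2216]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:15:00 db01 sshd[2217]: Failed password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2020):
    """Return (timestamp, result, user, ip) for a password-auth line, else None.

    `year` is assumed because syslog timestamps carry none.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None  # session-open, disconnect and other noise are skipped
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                      success_min_failures=3, year=2020):
    """Sliding-window brute-force detector keyed on source IP.

    Emits one 'bruteforce' alert per IP when `threshold` failures land
    inside `window`, and a 'success_after_failures' alert whenever a
    successful login follows at least `success_min_failures` recent
    failures from the same IP (assumed heuristic for a guessed password).
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures in window
    already_alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        # Drop failures that have aged out of the window before counting.
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "Failed":
            q.append((ts, user))
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({
                    "type": "bruteforce",
                    "ip": ip,
                    "count": len(q),
                    "users": sorted({u for _, u in q}),
                })
        elif len(q) >= success_min_failures:
            alerts.append({
                "type": "success_after_failures",
                "ip": ip,
                "user": user,
                "failures": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The per-IP window is the same state a rate limiter or lockout rule (fail2ban, an SSH `MaxAuthTries` plus a firewall ban, or the equivalent on a database listener) would keep; the difference is only that this version raises an alert instead of inserting a block rule. The second alert type is the one worth paging on: a brute-force burst that ends in an "Accepted" line means the credential was weak enough to fall, which is exactly the failure mode the report describes.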
What's more, in most of the cases, an attacker did not need to do much, beyond gaining an initial foothold, to command full internal network access: in 68 per cent of the trials, the infiltrators only needed to take one or two steps to have the entire organization at their fingertips. Network compartmentalization, and access controls limiting who can see what, may have helped minimize intruders' reach.
While point-and-pray automated hacking tools – scanners, frameworks, toolkits of exploits, and the like – are easy enough to find and use against targets, you don't always need something that fancy. Positive noted that in seven of its 28 tests, the red team was able to break into web applications using a simple timing attack with the Autodiscover service in Microsoft Exchange Client Access Server.
There were a few success stories to be found. Positive said that in two of its 28 tests last year, the red teamers failed completely to break into the target company's network. The average test time, both for the successful and unsuccessful tests, was around four days (including the aforementioned 30-minute speed run).
The report shows that performing what some assume is the minimum of effort – timely patching, login monitoring, and network segmentation with access limit policies, for instance – can be rather effective at keeping at least opportunistic crooks out.
"To secure the network perimeter, the first step is to follow basic information security rules," said Kilyusheva. "Web applications are the most vulnerable component on the network perimeter. Companies should perform security analyses regularly." ®