Positive Technologies recently conducted a study on the security of corporate information systems.
The study makes several recommendations to help the organizations tested improve their security. The report is titled "Penetration Testing of Corporate Information Systems."
The tests showed that 93% of businesses are vulnerable to intrusion into the local network. It was observed that 77% of attack vectors were primarily related to poor protection of web applications. Of the companies tested in 2019:
– 32% were in the finance sector
– 21% in the IT sector
– 21% in the fuel and energy industry
– 11% were government agencies
– 7% in the hospitality and entertainment sector
– 4% in industry
– 4% in telecommunications.
In 93% of the organizations tested, Positive Technologies experts were able to break into the information system. On average, nearly 13 attack vectors were detected per company. For one in six companies, traces of previous cyberattacks were identified, including "web shells on the perimeter of the network, malicious links on official websites, or valid references in public data dumps." These signs clearly show that the system had already been infiltrated by cyber criminals.
The study also found a significant fact: it takes a cyber criminal between 30 minutes and 10 days to infiltrate a local network. In the majority of cases, the attacks used were not complex. This means that the cyber criminals who had already attacked the networks studied either were not highly skilled or did not need to use all their skills.
It should be remembered that 68% of companies suffered successful attacks because of web applications that were not adequately protected. Attackers simply needed to force access to these applications by brute-forcing certain credentials. Once cyber criminals have cracked even a few passwords by brute force, a single compromised terminal is enough for them, without much effort, to exfiltrate credentials by downloading users' offline address books, which gives them the email addresses of many employees of the targeted company.
According to Positive Technologies, at one tested company they were able to collect more than 9,000 email addresses using a simple, basic technique. "Web applications are the most vulnerable component of the network perimeter," said Ekaterina Kilyusheva, head of research and analysis at Positive Technologies. "In 77% of cases, penetration vectors involve insufficient protection of web applications. To ensure this protection, companies must conduct regular security assessments of web applications. The penetration tests are performed as a 'black box' scan without access to the source code, which means that companies can leave blind spots on certain problems that might not be detected using this method. This is why companies need to use a more in-depth testing method such as source code analysis (white box). For proactive security, we recommend using a web application firewall to prevent the exploitation of vulnerabilities, even those that have not yet been detected," she continued.
There is also an essential point to note. Positive Technologies' tests relied on software vulnerabilities that were already known: vulnerabilities affecting older versions of Oracle WebLogic and Laravel, software used by 39% of businesses, which allowed the testers to access the local network. In addition, zero-day vulnerabilities were discovered in software during the tests: zero-day remote code execution vulnerabilities, including CVE-2019-19781 in Citrix Application Delivery Controller and Citrix Gateway.
The major recommendation from Positive Technologies is to install the security patches already available for the older software versions still used by the companies tested. The experts also asked these companies to do everything possible to ensure that vulnerabilities do not remain on their systems.