Majority of Websites Are Vulnerable to Hacking for Hire

Two-thirds of websites are vulnerable to hacking-for-hire.

That’s the word from security firm Rapid7, which has unveiled its latest research paper, highlighting the real-life experiences of dozens of penetration testers throughout Q4 2016. It found that only 33% of client sites had no vulnerabilities found, showing how much enterprise security still needs to improve.

Interestingly, size doesn’t seem to matter when it comes to security flaws—all organizations exhibited roughly the same issues in the same proportions.

“This is almost certainly due to the fact that IT infrastructure pretty much everywhere is built using the same software and hardware components,” said Rapid7, in the report. “Thus, all networks tend to be vulnerable to the same common misconfigurations that have the same vulnerability profiles when patch management isn't firing at 100%. There are certainly differences in the details—especially when it comes to custom-designed web applications—but even those tend to have the same sorts of frameworks and components that power them.”

Also, shockingly, most organizations that conduct penetration testing exercises have a severe lack of usable, reliable intrusion detection capabilities. More than two-thirds of the firm's pentesters (68.4%) completely avoided detection during the engagement.

“This is especially concerning given that most assessments don't put a premium on stealth; due to constraints in time and scope, pentesters generate an enormous amount of malicious traffic,” the report noted. “In an ideal network, these would be setting off alarm bells everywhere. Most engagements end with recommendations to implement some kind of incident detection and response, regardless of which specific techniques for compromise were used.”

Credential compromise remains the easiest attack for adversaries to execute, and 46% of engagements resulted in compromised credentials. The most successful ways passwords were discovered include simple manual guessing, capturing network challenge-response traffic, reading credentials from privileged storage, and guessable default accounts.

Of the 86% of engagements where credential theft was in scope, two-factor authentication was simply not a factor. Considering the millions of large-scale breaches in 2016, and the endemic problem of password reuse, this finding was particularly disheartening, the team noted.

The testers also found that, despite the recent uptick in online industrial espionage, the surveyed organizations seemed the least interested in protecting copyrighted material, digital certificates, source code or trade secrets.