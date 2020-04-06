Infosecurity Group Websites
Common Flaws Discovered in Penetration Tests Persist

Brute forcing accounts with weak and guessable passwords, and exploitation using the EternalBlue vulnerability remain among the top 10 findings in penetration tests.

According to research by Lares, the most frequently encountered vulnerabilities and attack vectors during engagements in the past six months have remained exactly the same as in its previous report, which came out in July last year.

Its latest report analyzed the similarities between hundreds of engagements throughout 2019, and the following list represents the penetration test findings observed most frequently:

  • Brute forcing accounts with weak and guessable passwords
  • Kerberoasting
  • Excessive file system permissions
  • WannaCry/EternalBlue
  • WMI lateral movement
  • Inadequate network segmentation
  • Inappropriate access control
  • Post-exercise defensive control tuning
  • Malicious multi-factor enrolment or MFA bypass
  • Phish-in-the-Middle (PiTM)

In an email to Infosecurity, Lares COO Andrew Hay said that a mix of the top findings are seen in “nearly every engagement.” He said: “Our analysis concludes that regardless of industry or vertical, these findings are evident in most environments we assess.”

Hay also confirmed that the top five findings are still prevalent, whilst implementations of the bottom five were described as “inadequate, inappropriate and ineffective.” Hay added that “those controls were either partially implemented but not tuned correctly, improperly implemented and not correctly hardened during initial deployment, or insufficiently monitored when the control capability exists.”

The fourth finding was unpatched instances of MS17-010, which enabled the WannaCry and NotPetya attacks of 2017. Lares said that despite this vulnerability being resolved, many organizations have yet to deploy this patch or disable SMBv1. “We observed slightly less EternalBlue during the second half of 2019, but we still encounter it quite frequently,” Hay said.

Commenting, Travis Biehn, principal security consultant at Synopsys, said that these sorts of issues come down to a server (or, maybe tens or even hundreds of ‘those servers’) that nobody maintains. He argued: “Perhaps it has been online for a decade, the individual or team that used to manage it is no longer with the company, or somehow it runs software that nobody on the team fully understands: this server may also be home to software that is mysteriously responsible for maintaining a large percentage of revenue.”

Biehn said often fixing these sorts of flaws ends up near the bottom of the pile year after year, and as a result attackers love such servers. “After establishing a foothold on the internal network, say a Linux server, they may hunt for that one Windows XP machine that’s still online. In doing so, there’s no need to worry about next generation anti-virus, EDR, logging, or a nosy sys-admin.”
