Most businesses suffer from cyber security vulnerabilities, with security firm Rapid 7 finding in tests that it was able to exploit at least one in-production vulnerability in 84 per cent of all engagements.
In its ‘Under the Hoodie 2018: Lessons from a Season of Penetration Testing’ report, the firm also found that the figure is even higher for internal tests – when the tester has or gains local network access – where just four per cent of companies are free of flaws that hackers could target.
The researchers said the report shows that while penetration testers don’t always win – that is, gain administrative control of a network – their success rate rises significantly once they are able to touch the internal LAN or WLAN.
Some 59 per cent of all penetration tests performed for the study were based externally, where the targets tend to be internet-facing vectors, such as web applications, email phishing, cloud-hosted assets, and/or VPN exposure.
Rapid 7 said that just over half the time (53 per cent) on a given engagement, at least one useful username and password was collected from the target organisation, with that figure rising to 86 per cent when the attacker is already on the local, internal network.
According to Tod Beardsley, Rapid 7 director of research: “Penetration testers will be the first to tell you that it’s usually easier to simply guess (or ask for) passwords than to exploit vulnerabilities and leverage network misconfigurations, and attacks involving capturing credentials tend to afford longer-lasting access.”
His firm said external penetration tests are logical for most companies, given the prevalence of internet-based attackers. However, it added that it always advocates for a test that includes an internal component, as this allows organisations to understand the impact of a compromise and to quantify the gaps in their defence strategy.