Survey: Hackers for Hire Find Most Networks Easy Prey

A survey of penetration testers by Rapid7 finds most organizations are failing to detect malicious activity on their networks. (Image courtesy of Rapid7)

In-brief: A survey of penetration testers by Rapid7 finds most organizations are failing to detect malicious activity on their networks. 

Fewer than one in three corporate networks are free of exploitable vulnerabilities or capable of promptly spotting malicious activity on them, according to a survey of security professionals who test the security of corporate networks.

The report by the firm Rapid7 analyzed the findings of 128 distinct penetration tests of corporate networks. It concludes that most organizations have “a severe lack of usable, reliable intrusion detection capabilities,” leaving them blind to the actions of hackers or other malicious actors on their networks.

“Over two-thirds of our pentesters completely avoided detection during the engagement,” Rapid7 observed. “This is especially concerning given that most assessments don’t put a premium on stealth.”

When pen testers were instructed to try to avoid detection, a majority succeeded. The report found that more than three-quarters of pen testers (76%) were able to probe client networks for a week or more without being detected by security products or other monitoring tools at the client site. Sixty-six percent of testers said they were not detected at any point during their engagement, Rapid7 said.

Credential theft was a common path to successful penetration of a company’s network, Rapid7 found. (Image source: Rapid7)

Penetration tests are a way for companies to assess the security of their IT environment by hiring internal or external security experts to try to hack into a network or a specific resource (such as a public-facing application).

The company’s analysis of penetration tests shows that such tests almost always succeed in finding security holes. The penetration tests studied by Rapid7 concluded with successful exploitation of the target network about two-thirds of the time. Of those, most (80%) were accomplished using exploitable software vulnerabilities or network misconfiguration. In fact, fewer than one in three tested networks were free of exploitable software vulnerabilities.

The problems with network security stretched across industry segments and were independent of the size of the company being tested, Rapid7 found.

The problem stems, in part, from the homogeneity of most enterprise network environments, which use network infrastructure built from “commonly available software and hardware,” and from an information technology market dominated by large and popular software distributors that “tend to favor deployability and usability over security. As a result, the problems that are common in one company’s network tend to be problems in all company networks,” Rapid7 said.

And corporations and other organizations appear to be missing the message of recent, high-profile attacks such as the compromise of the Democratic National Committee and the Clinton presidential campaign. Those attacks relied on spear phishing and credential theft to obtain sensitive information from targets. The penetration testers Rapid7 surveyed found that stealing credentials from network users is low-hanging fruit in most engagements. Nearly half of the engagements (46%) resulted in compromised credentials. Around a third of external penetration tests (31%) resulted in the theft of user credentials. In internal (versus external) assessments of network security, testers were successful in compromising credentials 81% of the time.

As dangerous as these compromises are, companies do little to thwart them. More than half of the engagements (56%) reported that the target either had no account lockout enabled to prevent password guessing, or that the limit it set was ineffective at stopping an account takeover. And just 13% of the domains tested used two-factor authentication, a technology that significantly raises the bar on account takeovers.
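One reason a per-account lockout limit can be “ineffective” is password spraying: the attacker tries one or two common passwords against many accounts, so no single account ever reaches the lockout threshold, and nothing fires. The script below is an added illustration written for this article, not code from Rapid7 or the report; the authentication log format, the lockout threshold of five failures in 30 minutes, the account and address names, and the spray threshold of five distinct accounts per source are all constructed assumptions. It shows a classic single-account brute force tripping the lockout while a spray from a second source slips under it, and how counting distinct failed accounts per source address catches the spray.

```python
"""Detect a password spray that stays below a per-account lockout threshold.

Added example (not from the Rapid7 report). Log format, thresholds, names and
addresses are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO timestamp> <user> <source_ip> <SUCCESS|FAILURE>"
# 10.0.0.9 brute-forces one account; 203.0.113.7 sprays one guess per account.
SAMPLE_LOG = """\
2017-03-01T09:00:01 alice 10.0.0.5 FAILURE
2017-03-01T09:00:02 alice 10.0.0.5 SUCCESS
2017-03-01T09:05:00 bob 203.0.113.7 FAILURE
2017-03-01T09:05:01 carol 203.0.113.7 FAILURE
2017-03-01T09:05:02 dave 203.0.113.7 FAILURE
2017-03-01T09:05:03 erin 203.0.113.7 FAILURE
2017-03-01T09:05:04 frank 203.0.113.7 FAILURE
2017-03-01T09:05:05 grace 203.0.113.7 FAILURE
2017-03-01T09:05:06 heidi 203.0.113.7 FAILURE
2017-03-01T09:05:07 ivan 203.0.113.7 FAILURE
2017-03-01T09:05:08 ivan 203.0.113.7 SUCCESS
2017-03-01T09:30:00 bob 10.0.0.9 FAILURE
2017-03-01T09:30:10 bob 10.0.0.9 FAILURE
2017-03-01T09:30:20 bob 10.0.0.9 FAILURE
2017-03-01T09:30:30 bob 10.0.0.9 FAILURE
2017-03-01T09:30:40 bob 10.0.0.9 FAILURE
2017-03-01T09:30:50 bob 10.0.0.9 FAILURE
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def accounts_hitting_lockout(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts a per-account lockout policy would lock: `threshold` failures
    for the same user inside a sliding `window` (an assumed typical setting)."""
    locked = set()
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, _ip, result in events:
        if result != "FAILURE":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            locked.add(user)
    return locked


def spray_sources(events, min_accounts=5, window=timedelta(minutes=30)):
    """Source addresses whose failures span >= `min_accounts` distinct users
    inside `window`. Returns {ip: peak distinct-account count}. This is the
    signature of a spray that never trips a per-account lockout."""
    flagged = {}
    recent = defaultdict(list)  # ip -> [(timestamp, user)] of recent failures
    for ts, user, ip, result in events:
        if result != "FAILURE":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.pop(0)
        distinct = {u for _, u in q}
        if len(distinct) >= min_accounts:
            flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


def compromised_after_spray(events, sprayers):
    """Accounts that logged in successfully from a flagged source address:
    the spray found a working password and the account should be treated as
    compromised, even though the lockout never fired for it."""
    return sorted({user for _ts, user, ip, result in events
                   if result == "SUCCESS" and ip in sprayers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by per-account policy:", accounts_hitting_lockout(evs))
    sprayers = spray_sources(evs)
    print("spray sources (distinct accounts):", sprayers)
    print("accounts compromised via spray:", compromised_after_spray(evs, sprayers))
```

Run as written, the per-account policy locks only bob, whose account was brute-forced from 10.0.0.9; the spraying address 203.0.113.7 touched eight accounts once each, never reaching the threshold, and walked in as ivan. The per-source distinct-account count is the check that a lockout policy alone does not give you, and it is the kind of signal the report says most organizations are not watching for.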
