In-brief: A survey of penetration testers by Rapid7 finds most organizations are failing to detect malicious activity on their networks.
Fewer than one in three corporate networks are free of exploitable vulnerabilities or capable of promptly spotting malicious activity on their network, according to a survey of security pros who test the security of corporate networks.
The report by the firm Rapid7 analyzed the findings of 128 distinct penetration tests of corporate networks. It concludes that most organizations have “a severe lack of usable, reliable intrusion detection capabilities,” leaving them blind to the actions of hackers or other malicious actors on their networks.
“Over two-thirds of our pentesters (sp) completely avoided detection during the engagement,” Rapid7 observed. “This is especially concerning given that most assessments don’t put a premium on stealth.”
When pen testers were instructed to try to avoid detection, a majority were successful in doing so. The report (PDF) found that more than three-quarters of pen testers (76%) were able to probe client networks for a week or more without being detected by security products or other monitoring tools at the client site. Sixty-six percent of testers said they were not detected at any point during their engagement, Rapid7 said.
Penetration tests are a way for companies to assess the security of their IT environment by hiring internal or external security experts to try to hack into a network or a specific resource (such as a public-facing application).
The company’s analysis of penetration tests shows that they almost always succeed in finding security holes. The penetration tests studied by Rapid7 concluded with successful exploitation of the target network about two-thirds of the time. Of those, most (80%) were accomplished using exploitable software vulnerabilities or network misconfiguration. In fact, fewer than one in three tested networks were free of exploitable software vulnerabilities.
The problems with network security stretched across industry segments and were independent of the size of the company being tested, Rapid7 found.
The problem stems, in part, from the homogeneity of most enterprise network environments, which use network infrastructure built from “commonly available software and hardware” and an information technology market dominated by large and popular software distributors that “tend to favor deployability (sp) and usability over security. As a result, the problems that are common in one company’s network tend to be problems in all company networks,” Rapid7 said.
And corporations and other organizations appear to be missing the message of recent, high-profile attacks such as the compromise of the Democratic National Committee and the Clinton presidential campaign. Those attacks relied on spear phishing and credential theft to obtain sensitive information from targets. But the penetration testers Rapid7 surveyed found that stealing credentials from network users is low-hanging fruit in most engagements. Nearly half of the engagements (46.0%) resulted in compromised credentials. Around a third of external penetration tests (31%) resulted in the theft of user credentials. In internal (versus external) assessments of network security, testers were successful in compromising credentials 81% of the time.
As dangerous as these compromises are, companies do little to thwart them. More than half of the engagements (56%) reported that the target either had no account lockout enabled to prevent password guessing, or that the limit they set was ineffective at stopping an account takeover. And just 13% of the domains tested used two-factor authentication, a technology that raises the bar on account takeovers significantly.
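As an added illustration of the difference between a disabled or ineffective lockout limit and an effective one, the following Python replays a constructed authentication log through three lockout policies and reports which accounts get locked, how many attempts are rejected while locked, and whose logins are admitted. This is example code, not from the article or the Rapid7 report; the usernames, timestamps, thresholds and windows are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_events():
    """Constructed auth log (not real data): (timestamp, user, outcome).

    'bob' mistypes once and then logs in normally. 'alice' is subjected to a
    run of 12 wrong-password attempts 10 s apart, followed by a correct one.
    """
    base = datetime(2016, 10, 1, 9, 0, 0)
    events = [(base, "bob", "FAIL"), (base + timedelta(seconds=7), "bob", "SUCCESS")]
    run_start = base + timedelta(minutes=10)
    for i in range(12):
        events.append((run_start + timedelta(seconds=10 * i), "alice", "FAIL"))
    events.append((run_start + timedelta(seconds=120), "alice", "SUCCESS"))
    return sorted(events)


def apply_lockout_policy(events, threshold, window, lockout_duration):
    """Simulate an account-lockout policy over a stream of logon events.

    threshold        -- failures inside `window` that trigger a lock (None = lockout disabled)
    window           -- observation window for counting failures
    lockout_duration -- how long the account stays locked once triggered

    Returns a summary: users locked (with the time of locking), the number of
    attempts rejected while locked, and the users whose SUCCESS was admitted.
    """
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    locked_until = {}                     # user -> datetime when the lock expires
    summary = {"locked": [], "blocked": 0, "logins": []}

    for ts, user, outcome in events:
        # While locked, every attempt is rejected, whether the password is right or not.
        if user in locked_until and ts < locked_until[user]:
            summary["blocked"] += 1
            continue

        if outcome == "SUCCESS":
            summary["logins"].append(user)
            recent_failures[user].clear()
            continue

        if threshold is None:  # lockout disabled: failures are simply not counted
            continue

        failures = recent_failures[user]
        failures.append(ts)
        # Drop failures that have aged out of the observation window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            locked_until[user] = ts + lockout_duration
            summary["locked"].append((user, ts))
            failures.clear()

    return summary


# Three assumed policies: no lockout, a limit whose window is too short to ever
# accumulate five failures at a 10 s cadence, and a limit that actually triggers.
POLICIES = {
    "disabled": dict(threshold=None, window=timedelta(0), lockout_duration=timedelta(0)),
    "weak_window": dict(threshold=5, window=timedelta(seconds=30), lockout_duration=timedelta(minutes=30)),
    "effective": dict(threshold=5, window=timedelta(minutes=15), lockout_duration=timedelta(minutes=30)),
}


def evaluate_policies(events=None):
    """Run every policy over the same events and return {policy_name: summary}."""
    events = make_sample_events() if events is None else events
    return {name: apply_lockout_policy(events, **params) for name, params in POLICIES.items()}


if __name__ == "__main__":
    for name, result in evaluate_policies().items():
        locked = [user for user, _ in result["locked"]]
        print(f"{name:12s} locked={locked} blocked={result['blocked']} logins={result['logins']}")
```

With the disabled policy and the too-short window, the guessing run against alice ends with an admitted login; only the effective policy locks the account after the fifth failure and rejects the later correct guess. The check is the same one a defender can apply to a domain's real lockout settings: count failures with the policy's own threshold and window against the observed cadence of failed logons, and see whether the lock ever triggers.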