Researchers found that 100% of corporate networks tested in 2017 were vulnerable to insider attacks, with Wi-Fi networks and employees among the top areas of weakness.
During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of infrastructure on all corporate networks they attempted to compromise.
The difficulty of accessing critical resources could be considered “moderate” on only 7% of networks tested, according to the research report.
Penetrating the network perimeter has become easier over time, the report reveals, with the difficulty of accessing the internal network assessed as “trivial” in 56% of tests in 2017, compared with just 27% in 2016.
On average, Positive Technologies testers found two attack vectors (vulnerabilities) per client that would allow their internal network to be penetrated.
For one client, 10 different penetration vectors were detected, with the oldest vulnerability (CVE-1999-0532) dating back 20 years.
The report shows that corporate Wi-Fi networks are a convenient launch point for attackers, with 40% of companies tested using easy-to-guess dictionary passwords for access to their Wi-Fi networks. In addition, 75% of Wi-Fi networks were accessible from outside of company offices, and the same proportion failed to enforce per-user isolation. As a result, intruders can attack personal and corporate laptops connected to Wi-Fi without ever having to set foot in the target’s building.
Another weak point at most companies was found to be their employees, who are vulnerable to social engineering attacks. In testing, 26% of employees clicked a link for a phishing website and almost half of them proceeded to enter their credentials in a fake authentication form. One in six employees opened a simulated malicious file attached to an email and 12% were willing to communicate with intruders.
Leigh-Anne Galloway, analyst at Positive Technologies said that to gain full control over the corporate infrastructure, an attacker usually penetrates the network perimeter and takes advantage of vulnerabilities in out-of-date operating system (OS) versions.
“From this point, the sequence of events is predictable – the attacker runs a special utility to collect the passwords of all logged-in OS users on these computers. Some of these passwords might be valid on other computers, so the attacker repeats this process.
“Gradually, system by system, the attacker continues until obtaining the password of the domain administrator. At that point, it’s game over—the attacker can burrow into the infrastructure and control critical systems while staying unnoticed.”
Stopping insider attackers requires a comprehensive, in-depth defensive approach, the research report said, adding that basic security measures include keeping operating systems and applications up to date, as well as enforcing use of strong passwords on all systems by all users, especially administrators.
Positive Technologies recommends using two-factor authentication for administrators of key systems and refraining from giving administrator privileges to ordinary employees on their computers. Even if some systems have been compromised already, the report said rapid detection can still minimize the damage.
Organizations should also consider implementing security information and event management (SIEM) and other systems to enable them to respond to security breaches effectively and in a timely manner.
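The "system by system" credential reuse Galloway describes leaves a footprint that the rapid-detection and SIEM advice above is meant to catch: one account authenticating to an unusually large number of distinct hosts in a short window. The following script is an added example written for this article, not code from Positive Technologies or from the report; the log line format, the 15-minute window and the four-host threshold are assumptions chosen for illustration, and the sample log lines are constructed. It parses successful-logon records, slides a time window over each account's events and flags accounts whose distinct-host count exceeds the threshold, which is the kind of correlation rule a SIEM would run over domain authentication logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report). Each line records one
# successful logon as "<ISO timestamp> user=<account> host=<machine> src=<ip>".
# The first account hops across six hosts in about six minutes; the second is
# normal interactive use on two hosts hours apart.
SAMPLE_LOG = """
2017-06-01T09:00:05 user=jsmith host=WS-014 src=10.0.1.14
2017-06-01T09:01:10 user=jsmith host=WS-015 src=10.0.1.14
2017-06-01T09:02:40 user=jsmith host=WS-022 src=10.0.1.14
2017-06-01T09:03:55 user=jsmith host=FS-01 src=10.0.1.14
2017-06-01T09:05:12 user=jsmith host=SQL-02 src=10.0.1.14
2017-06-01T09:06:30 user=jsmith host=DC-01 src=10.0.1.14
2017-06-01T09:10:00 user=amartin host=WS-031 src=10.0.2.31
2017-06-01T11:45:00 user=amartin host=FS-01 src=10.0.2.31
this line is malformed and must be skipped
"""

# Hypothetical log format; a real deployment would parse the SIEM's own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk rather than abort the whole batch
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "host": m["host"],
            "src": m["src"],
        })
    return events


def find_lateral_movement(events, window=timedelta(minutes=15), threshold=4):
    """Return {user: sorted hosts} for accounts that logged on to at least
    `threshold` distinct hosts inside any sliding window of length `window`.
    Window and threshold are assumed tuning values, not figures from the report."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        best = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, hosts in find_lateral_movement(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Running the script prints one alert for the constructed `jsmith` account and nothing for `amartin`. In practice the threshold should be set per environment (help-desk and backup accounts legitimately touch many hosts), and the rule is most useful when paired with the report's other advice: if ordinary users lack local administrator rights and administrators use two-factor authentication, a harvested password yields far fewer of the hops this rule looks for.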