Rapid7 Pen Tests Reveal Alarming Password Fails, Frequent Vulnerabilities
Penetration tests arguably are the most fun that a legitimate hacker can have on the dark side. A marathon of 180 internal and external pen tests, however, might be a bit too much fun.
At least that isn’t the case for the Rapid7 penetration testing team. They added a data scientist and a research director to the mix to mine the results for useful insights.
Rapid7’s annual “Under the Hoodie” report outlines common strengths and weaknesses that security providers can help clients improve upon either through more user training or additional layers of technological protections.
Ye gads, users are still flunking Password 101. Most security providers won’t be surprised that the pen testers found 60% of passwords could be easily guessed. Worse still, most of those passwords were variations of “Password” or “SeasonYear” (e.g. “Summer2019”), or included the company’s name.
That’s been the case for ages! Back in 2012, a CIO magazine report lamented that passwords had been the weak link for three decades. Here we are seven years later and little has changed.
The Rapid7 pen testers also found a dismal adoption rate for two-factor authentication (2FA): only 22% of users have it enabled. That’s up 15% from last year, but it’s still very low. Small wonder, then, that between weak passwords and the scant use of 2FA, the pen testers were able to compromise passwords in 72% of engagements.
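As an added illustration (not code from the Rapid7 report or from this article), the following Python does two things with exactly the patterns the pen testers found: it generates the short guess list a tester would spray at a login portal (Season+Year, company+year, “Password” variants), and it flags a candidate password that matches any of those patterns so a help desk or password-policy hook can reject it before it ever reaches a pen tester. The company name “Acme Corp” and the sample passwords are constructed for the example.

```python
import re
from datetime import date

# Common leetspeak substitutions, undone so "P@ssw0rd" compares as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "4": "a", "7": "t"})
SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")


def _norm(s: str) -> str:
    """Lower-case, undo leetspeak, drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))


def weak_password_reasons(password: str, company_names, year=None) -> list:
    """Return the report's weak-password patterns that `password` matches (empty list = none)."""
    year = year or date.today().year
    lower = password.lower()
    norm = _norm(password)
    reasons = []
    if "password" in norm or "passwd" in norm:
        reasons.append("password-variant")
    # Season followed by a two- or four-digit year: Summer2019, Winter19, Fall2020!
    if re.search(r"(spring|summer|autumn|fall|winter)(\d{4}|\d{2})", lower):
        reasons.append("season-year")
    # Company name, compared after the same normalisation (so "Rapid7" and "Rapid7!" both match).
    if any(len(_norm(n)) >= 4 and _norm(n) in norm for n in company_names):
        reasons.append("company-name")
    # The classic "Word + digits (+ symbol)" shape that satisfies complexity rules but not attackers.
    if re.fullmatch(r"[a-z]+\d{1,4}[^a-z0-9]{0,2}", lower):
        reasons.append("word-digits")
    return reasons


def guess_list(company: str, year: int) -> list:
    """The handful of guesses the report says succeed most often, for one password-spray round."""
    yy = str(year)[-2:]
    guesses = []
    for season in SEASONS:
        for y in (str(year), str(year - 1), yy):
            guesses.extend([f"{season}{y}", f"{season}{y}!"])
    name = company.replace(" ", "")
    for y in (str(year), yy):
        guesses.extend([f"{name}{y}", f"{name}{y}!", f"{name.capitalize()}{y}"])
    guesses.extend(["Password1", "Password1!", "P@ssw0rd", "Password123", "Welcome1"])
    return guesses


if __name__ == "__main__":
    # Constructed sample inputs; "Acme Corp" is a hypothetical company.
    company = ["Acme Corp"]
    for pw in ["Summer2019", "P@ssw0rd", "AcmeCorp2020!", "Winter19", "correct horse battery staple"]:
        print(f"{pw!r:35} -> {weak_password_reasons(pw, company, 2019) or 'ok'}")
    print(len(guess_list("Acme Corp", 2019)), "spray candidates, all flagged:",
          all(weak_password_reasons(g, company, 2019) for g in guess_list("Acme Corp", 2019)))
```

The checker only knows the patterns in the report; a passphrase slips through with an empty list, as it should, and an unrelated weak password does too, so this is a complement to breached-password lists and rate limiting, not a replacement for them.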
“As for the future of security training, companies will continue anti-phishing training as well as enacting tougher password policies to ensure that their employees select complex passwords and change them regularly,” said Alex Ryals, vice president of Security Solutions at Tech Data.
“In addition, companies will be training their employees on the importance of using multifactor authentication any chance they can and on employing good security hygiene when accessing cloud applications that house corporate data, such as using VPNs instead of unsecured networks.”
Known vulnerabilities still plague IT organizations. The pen testers found that 30% of organizations are still vulnerable to old, well-known flaws like EternalBlue (MS17-010). Part of the problem stems from legacy hardware and software, part springs from budget constraints, and part is due to a loss of control over inventory. One bright spot: the report notes that “PowerShell is falling out of favor. Restrictions are becoming increasingly common in the enterprise Windows network.”
In any case, patches and updates are still slow in coming and older vulnerabilities remain in place for years. Some think it’s time to strengthen user training to add another layer to offset these vulnerabilities.
“In lieu of basic hygiene like patch and vulnerability management, user training will evolve beyond phishing to include all the methods a user and their corresponding assets can be compromised including shared passwords, reused credentials, dictionary credentials, EOL BYOD devices, SMS texting attacks, and even MITM attacks using public Wi-Fi,” said Morey Haber, CTO & CISO at BeyondTrust.
Most apps and networks have at least one vulnerability. Despite the growing use of DevOps and DevSecOps policies and processes, the pen testers found at least one vulnerability open to attackers in apps and/or networks in 96% of engagements. That’s a staggering finding.
There are tools available to help find such vulnerabilities, from vulnerability scanners and application security testing to a cornucopia of network monitoring and management tools, but still vulnerabilities persist. Attention is turning to machine learning-based tools and automation to quickly identify known vulnerabilities and either patch them automatically or flag them for security teams to address.
Risk levels are very high at the admin level. A staggering 80.6% of pen tests resulted in either domain admin access or a sensitive data breach. Given that new and stringent laws like GDPR are now in force and carry huge penalties, such a high risk level is untenable and potentially devastating to most organizations.
That fact has led to the rise of another risk: ransomware attacks that resemble …