Pen testing and analytics don't lie. These are the evils the white hats found this round.

Pam Baker

July 29, 2019


Penetration tests arguably are the most fun that a legitimate hacker can have on the dark side. A marathon of 180 internal and external pen tests, however, might be a bit too much fun.

At least that isn’t the case for the Rapid7 penetration testing team. They added a data scientist and a research director to the mix to mine the results for useful insights.

Rapid7’s annual “Under the Hoodie” report outlines common strengths and weaknesses that security providers can help clients improve upon either through more user training or additional layers of technological protections.

Ye gads, users are still flunking Password 101. Most security providers aren’t surprised at the news that pen testers found 60% of passwords can be easily guessed. Worse still, most of those passwords were variations of “Password” or “SeasonYear” (e.g., “Summer2019”), or included the company’s name.
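As an added example (not code from Rapid7’s report or this article), here is a Python check that rejects exactly the three patterns the pen testers said they guessed most often: “Password” variants (including leetspeak), a season name with or without a year, and the company’s own name. The leetspeak map, the season list and the 12-character minimum are assumptions chosen for illustration; the sample passwords in the demo are constructed.

```python
"""Flag the password patterns Rapid7's pen testers reported guessing most often."""
import re
from typing import Iterable, List

# Season names behind the "SeasonYear" pattern (e.g. "Summer2019"). "autumn" is
# an assumption added next to "fall"; the report only gives "Summer2019".
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Common leetspeak substitutions, undone before comparing. Assumed mapping.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "|": "l", "0": "o", "$": "s", "5": "s", "7": "t"})

# Splits a candidate into a "word" part and an optional trailing number,
# ignoring punctuation around the number:
#   "Summer2019!" -> ("summer", "2019"),   "P@ssw0rd" -> ("p@ssw0rd", "")
# Because the number may be empty, fullmatch() always succeeds.
_WORD_THEN_NUMBER = re.compile(r"(.*?)[^a-z0-9]*(\d{0,4})[^a-z0-9]*")

REASON_PASSWORD = "variant of 'password'"
REASON_SEASON = "season name (the 'SeasonYear' pattern)"
REASON_COMPANY = "contains the company name"
REASON_SHORT = "shorter than the minimum length"


def normalize(text: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssW0rd' and 'password' compare equal."""
    return text.lower().translate(LEET)


def guessable_reasons(password: str, company_names: Iterable[str] = (),
                      min_length: int = 12) -> List[str]:
    """Return every reason a pen tester would guess this password; empty means OK.

    Pattern reasons come first, the length reason last, so the list is stable.
    """
    lowered = password.lower()
    match = _WORD_THEN_NUMBER.fullmatch(lowered)
    word = match.group(1)
    word_letters = re.sub(r"[^a-z]", "", normalize(word))

    reasons: List[str] = []
    # "password", "P@ssw0rd", "Password2019!" and friends.
    if "password" in normalize(lowered):
        reasons.append(REASON_PASSWORD)
    # "Summer2019", "Winter19", "$umm3r2019" - the word part is exactly a season.
    if word_letters in SEASONS:
        reasons.append(REASON_SEASON)
    # Company name anywhere in the password, leetspeak or not. Names that
    # contain digits (e.g. "3M") are matched on the raw lower-cased form.
    for name in company_names:
        compact = re.sub(r"\s+", "", name.lower())
        if compact and (compact in lowered or normalize(compact) in normalize(lowered)):
            reasons.append(REASON_COMPANY)
            break
    if len(password) < min_length:
        reasons.append(REASON_SHORT)
    return reasons


def is_acceptable(password: str, company_names: Iterable[str] = (),
                  min_length: int = 12) -> bool:
    """Convenience wrapper for a registration or reset handler."""
    return not guessable_reasons(password, company_names, min_length)


if __name__ == "__main__":
    # Constructed samples for a hypothetical company "Acme Corp".
    company = ["Acme Corp"]
    for candidate in ["Summer2019", "P@ssw0rd!2019", "AcmeCorp2019!",
                      "$umm3r2019", "correct horse battery staple"]:
        verdict = guessable_reasons(candidate, company)
        print(f"{candidate!r:32} -> {verdict or 'OK'}")
```

Plug `is_acceptable()` into the password-change path in front of the hashing step; the `guessable_reasons()` list gives the user the specific pattern to avoid rather than a generic “weak password” message. Note that this is a blocklist for the patterns the report names, not a substitute for length requirements or a breached-password check.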

That’s been the case for ages! Back in 2012, a CIO magazine report lamented that passwords had been the weak link for three decades. Here we are seven years later and little has changed.

The Rapid7 pen testers also found a dismal adoption rate for two-factor authentication (2FA) — only 22% of users use it. That’s up 15% from last year, but it’s still very low. It’s no surprise then that between easy passwords and the low use of 2FA, the pen testers were able to compromise passwords in 72% of the engagements.


Tech Data’s Alex Ryals

“As for the future of security training, companies will continue anti-phishing training as well as enacting tougher password policies to ensure that their employees select complex passwords and change them regularly,” said Alex Ryals, vice president of Security Solutions at Tech Data.

“In addition, companies will be training their employees on the importance of using multifactor authentication any chance they can and on employing good security hygiene when accessing cloud applications that house corporate data, such as using VPNs instead of unsecure networks.”

Known vulnerabilities still plague IT organizations. The pen testers found that 30% of organizations were still vulnerable to old, well-worn exploits like EternalBlue, which targets SMBv1 and was patched back in 2017. Part of the problem stems from legacy hardware and software, part springs from budget constraints, and part is due to a loss of control over inventory. On the brighter side, the report notes that “PowerShell is falling out of favor. Restrictions are becoming increasingly common in the enterprise Windows network.”

In any case, patches and updates are still slow in coming and older vulnerabilities remain in place for years. Some think it’s time to strengthen user training to add another layer to offset these vulnerabilities.


BeyondTrust’s Morey Haber

“In lieu of basic hygiene like patch and vulnerability management, user training will evolve beyond phishing to include all the methods a user and their corresponding assets can be compromised including shared passwords, reused credentials, dictionary credentials, EOL BYOD devices, SMS texting attacks, and even MTM attacks using public Wi-Fi,” said Morey Haber, CTO & CISO at BeyondTrust.

Most apps and networks have at least one vulnerability. Despite the growing use of DevOps and DevSecOps policies and processes, the pen testers found at least one vulnerability open to attackers in apps and/or networks in 96% of engagements. That’s a staggering finding.

There is no shortage of tooling that can surface such weaknesses, from vulnerability scanners and application monitoring to a cornucopia of network monitoring and management tools, but still vulnerabilities persist. Attention is turning to machine learning-based tools and automation to quickly identify known vulnerabilities and either patch them automatically or flag them for security teams to address.

Risk levels are very high at admin levels. A staggering 80.6% of pen tests resulted in either domain admin access or a sensitive data breach. Given that new and rigid laws like GDPR are now in force and carry huge penalties, such a high risk level is untenable and potentially devastating to most organizations.

That fact has led to the rise of another risk: ransomware attacks that resemble blackmail, with the ransom priced below the legal penalties so that victims will pay in an attempt to avoid legal woes.

Now for the Good News

Network segmentation at its most basic level, between internal and external networks, appears to be working. Specifically, the pen testers found:

  • Externally based engagements only gained internal LAN access 21% of the time.

  • Under 3% of web application-specific engagements led to a total site-wide compromise.

  • Over 70% of web applications were hosted somewhere other than the client’s data center, which makes it harder to pivot from a compromised web application into the corporate network.

But as MSSP Insider reported earlier, some VPNs aren’t so private anymore, and police-friendly laws around the globe are increasing security risks.

Moral of the Pen Testers’ Story

Old security issues remain far from conquered. Security providers dare not divert their attention away from them. But the attack surface also is growing, spreading like a cancer into niches and corners where it is least expected. And attackers constantly are changing their methods to fool even the most advanced security controls.

Pen testing remains an excellent way to discover vulnerabilities and other problems; however, even human pen testing will give way to machine learning and automation soon. It’s necessary to manage the sheer scale of old and new risks.

But what of the white hats? What then will they hack in the name of security? Probably AI. Man versus machine will be the ultimate pen-testing battle.


About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
