Vulnerabilities in transport layer security, and those caused by a 10-year-old botnet, are the most common findings from penetration test engagements.
According to data gathered between June 2019 and June 2020 from 206 engagements by Rapid7, internal network configuration and patch management continue to provide “easy” soft targets for penetration testers, who can generally use off-the-shelf commodity attacks to escalate privileges and move laterally across the network without being detected. It also found that issues with EternalBlue and Conficker are still not being excised from internal networks.
According to Tod Beardsley, research director at Rapid7, over the 12 months of work it also found that password management and secondary controls such as two-factor authentication are severely lacking at the enterprise level, leading to “easy” compromises involving both password spraying and decrypting hashed passwords acquired during simulated breaches.
Also, as there is more reliance on VPNs and web-based applications, rather than traditional internal network controls, penetration testers were finding significant flaws in those VPN terminators and custom web apps.
“While none of this is particularly surprising to even the most Pollyanna security researcher (we are a cynical bunch), this is reliable data that can help enterprises around the world understand what to expect from their next penetration test and be used as a checklist of what to look into and remediate before then,” he said.
The report also identified two vulnerabilities “as quite standard go-tos for any internally scoped network assessment.” These were MS08-067, which was weaponized in the Conficker exploit back in 2008, and MS17-010, which was the central vulnerability in the EternalBlue exploit kit of 2017.
“These two issues are among the most famous vulnerabilities of the past 10 years, so you would think that IT and IT security teams would have long ago excised these vulnerabilities from their internal networks,” Beardsley said.
Mark Kedgley, CTO at New Net Technologies (NNT), told Infosecurity he felt the cause of EternalBlue and Conficker still being so prominent was the number of Windows-based systems that cannot easily be upgraded or even patched, such as EPoS and ATM devices.
“Even within the UK NHS, one of the highest profile victims of WannaCry, there are reports of still widespread use of Windows 7 due to budget and the practical difficulties of large-scale IT,” Kedgley said. “It’s clear then that upgrading and patching systems is a significant challenge, and while this remains the case, exploitable, known vulnerabilities will still be present and a threat. Other security controls, such as change control and breach detection, can play a role in compensating for environments where patching is an issue.”
Also, the top vulnerabilities encountered by external penetration testers were: weak transport layer security (10.48%), weak password policy (7.08%), missing Strict-Transport-Security (STS) response headers (6.23%) and user enumeration (5.67%).
Kedgley said: “Public web sites are always vulnerable to attack. Therefore, this has been a key security risk ever since older TLS implementations were found to be weak and prone to compromise. The PCI DSS outlawed SSL and early TLS versions five years ago, as it was recognized then that this was a significant issue for almost every web site.
“TLS 1.3 will plug the holes found in earlier versions, but the same issues apply in that just having a patch or update available doesn’t make us safe – it’s only when it is fully implemented and tested that the attack surface is fixed.”
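Two of the external findings listed above, weak transport layer security and missing Strict-Transport-Security headers, are the kind of thing a defender can check for before the next engagement. The following Python is an added example, not code from Rapid7, NNT or Infosecurity: it classifies the protocol versions a scanner reports a server as offering, parses and grades an HSTS header, and builds a client TLS context with the same floor (TLS 1.2) that a server audit should enforce. The version name strings, the one-year `max-age` threshold (taken from the browser preload list requirement) and the sample headers are assumptions made for this example.

```python
"""Two checks for findings named above: weak TLS protocol versions and a
missing or weak Strict-Transport-Security (HSTS) header.
Added example code; not Rapid7's, NNT's or Infosecurity's own tooling."""
import re
import ssl

# PCI DSS v3.1 (2015) required migration off SSL and "early TLS" (TLS 1.0),
# with a final deadline of 30 June 2018. TLS 1.1 is flagged as deprecated only.
# The version name strings are an assumption about how a scanner labels them.
FORBIDDEN_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}
DEPRECATED_VERSIONS = {"TLSv1.1"}

# The browser HSTS preload list requires a max-age of at least one year.
ONE_YEAR = 365 * 24 * 3600


def audit_protocol_versions(offered):
    """Classify protocol versions a server was observed to offer.

    `offered` is a list of version names as a scanner would report them
    (the inputs used below are constructed for this example)."""
    findings = []
    for version in offered:
        if version in FORBIDDEN_VERSIONS:
            findings.append(("high", f"{version} offered: disallowed by PCI DSS since June 2018"))
        elif version in DEPRECATED_VERSIONS:
            findings.append(("medium", f"{version} offered: deprecated, disable once clients allow"))
    return findings


def parse_hsts(value):
    """Parse an HSTS header value into its directives (RFC 6797).

    Directive names are case-insensitive; max-age carries an integer number
    of seconds, the others are flags."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', raw.strip())
            if match:
                directives["max-age"] = int(match.group(1))
        else:
            directives[name] = True
    return directives


def audit_hsts(headers):
    """Evaluate the HSTS policy in a dict of HTTP response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return [("medium", "Strict-Transport-Security header missing: "
                           "browsers will still follow plain-HTTP links to this host")]
    policy = parse_hsts(value)
    findings = []
    if "max-age" not in policy:
        # Without a valid max-age the whole header is ignored by browsers.
        findings.append(("medium", "STS header has no valid max-age directive and is ignored"))
    elif policy["max-age"] == 0:
        findings.append(("medium", "max-age=0 disables HSTS for this host"))
    elif policy["max-age"] < ONE_YEAR:
        findings.append(("low", f"max-age={policy['max-age']} is below the one-year "
                                "minimum required for preloading"))
    if not policy.get("includesubdomains"):
        findings.append(("low", "includeSubDomains not set: subdomains stay reachable over plain HTTP"))
    return findings


def hardened_client_context():
    """Build a client-side TLS context that refuses anything below TLS 1.2,
    the same floor a server audit should enforce."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_version_name():
    """Name of the protocol floor in the hardened context (e.g. 'TLSv1_2')."""
    return hardened_client_context().minimum_version.name


if __name__ == "__main__":
    # Constructed sample observations, not real scan output.
    for finding in audit_protocol_versions(["TLSv1.0", "TLSv1.2", "TLSv1.3"]):
        print(*finding)
    for finding in audit_hsts({"Content-Type": "text/html",
                               "Strict-Transport-Security": "max-age=300"}):
        print(*finding)
    print("client floor:", hardened_minimum_version_name())
```

The HSTS parser treats a header with no parseable `max-age` as ignored rather than merely weak, because that is how browsers handle it under RFC 6797; a short `max-age` or a missing `includeSubDomains` is graded lower since the policy still protects the bare host.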