Three quarters of successful corporate network penetration tests in 2017 broke in through vulnerable web apps
A staggering three-quarters (73%) of successful perimeter breaches were achieved using vulnerable web applications.
This is the conclusion of an analysis of penetration tests conducted by Kaspersky Lab researchers on corporate networks during 2017, summarised in a new report, ‘Security assessment of corporate information systems in 2017’.
Each IT infrastructure is unique, and the most dangerous attacks are specially planned to take into account the vulnerabilities of a particular organisation.
Every year, Kaspersky Lab’s Security Services department carries out a practical demonstration of possible attack scenarios to help organisations worldwide identify vulnerabilities in their networks and avoid financial, operational and reputational damage. The aim of the annual penetration test report is to make IT security specialists aware of relevant vulnerabilities and attack vectors against modern corporate information systems, and thereby strengthen their organisation’s protection.
The results of the 2017 research show that the overall level of protection against external attackers was assessed as low or extremely low for 43% of analysed companies. 73% of successful external attacks on the network perimeters of organisations in 2017 were achieved using vulnerable web applications. Another common vector for penetrating the network perimeter was an attack on publicly available management interfaces with weak or default credentials. In 29% of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment and employee workstations, acting as an ‘attacker’ with no internal knowledge of the target organisation and located on the Internet.
The information security situation in companies’ internal networks was even worse. The level of protection against internal attackers was identified as low or extremely low for 93% of all analysed companies. The highest privileges in the internal network were obtained in 86% of the analysed companies, and for 42% of them it took only two attack steps to achieve this. On average, two to three attack vectors were identified in each project through which the highest privileges could be gained. Once attackers hold these privileges, they can obtain complete control over the whole network, including business-critical systems.
According to the results of the security assessment projects, the web applications of government bodies turned out to be the most insecure, with high-risk vulnerabilities found in every application tested (100%). By contrast, e-commerce applications are better protected against possible external interference: only a little over a quarter of them have high-risk vulnerabilities, which makes them the best protected of the categories assessed.