100 percent of corporate networks vulnerable to insider attacks
Penetration testing company Positive Technologies has released some alarming figures surrounding the vulnerability of corporate networks to insider attacks.
During testing performed as an internal attacker, the company's researchers were able to obtain full control of infrastructure on all the corporate networks they attempted to compromise. Only seven percent of systems were assessed as presenting 'moderate' difficulty in accessing critical resources.
Penetrating the network perimeter has become easier over time too. The difficulty of accessing the internal network was assessed as 'trivial' in 56 percent of tests in 2017, compared to 27 percent in 2016.
On average, Positive Technologies testers found two attack vectors per client that would allow their internal network to be penetrated. For one client, 10 different penetration vectors were detected. The oldest vulnerability found dated back 18 years.
Wi-Fi networks prove a handy entry point for attackers. Among tested companies, 40 percent were using easy-to-guess dictionary passwords for access to their Wi-Fi networks. In addition, 75 percent of Wi-Fi networks were accessible from outside company offices, and the same proportion failed to enforce per-user isolation. As a result, intruders can attack personal and corporate laptops connected to Wi-Fi without ever having to set foot in the target's building.
As ever, employees are a weak link. In testing, 26 percent of employees clicked a link to a phishing website, and almost half of them proceeded to enter their credentials in a fake authentication form. One in six employees opened a simulated malicious file attached to an email, and 12 percent were willing to communicate with intruders.
"To gain full control over the entire corporate infrastructure, an attacker usually penetrates the network perimeter and takes advantage of vulnerabilities in out-of-date OS versions," says Positive Technologies analyst Leigh-Anne Galloway. "From this point the sequence of events is predictable - the attacker runs a special utility to collect the passwords of all logged-in OS users on these computers. Some of these passwords might be valid on other computers, so the attacker repeats this process. Gradually, system by system, the attacker continues until obtaining the password of the domain administrator. At that point, it's game over—the attacker can burrow into the infrastructure and control critical systems while staying unnoticed."
You can find out more about the results and how to protect your business on the Positive Technologies site.