Three-quarters of corporate network breaches are via web applications
According to a new report from Kaspersky Lab, 73 percent of successful perimeter breaches on corporate networks in 2017 were achieved using vulnerable web applications.
In addition to web applications, another common vector for penetrating the network perimeter was attacks on publicly available management interfaces with weak or default credentials.
In 29 percent of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment, and employee workstations, on behalf of an 'attacker' that had no internal knowledge of the target organization.
Kaspersky produces an annual penetration test report is to educate IT security specialists and raise awareness of relevant vulnerabilities and attack vectors against modern corporate information systems.
The report identifies the level of protection against internal attackers as low or extremely low for 93 percent of all analyzed companies. Researchers could obtain the highest privileges in the internal network in 86 percent of the analyzed companies, and for 42 percent of them, it took only two attack steps to achieve this. On average, two to three attack vectors were identified with which the highest privileges could be gained in each project. Once the attackers get them, they can obtain complete control over the whole network including business critical systems.
"Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance," says Sergey Okhotin, senior security analyst of security services analysis at Kaspersky Lab. "For example, half of the attack vectors could have been prevented by restricting access to management interfaces."
Obsolete software was identified on the network perimeter of 86 percent of the analyzed companies and in the internal networks of 80 percent. Poor implementation of basic IT security processes is therefore putting many enterprises at risk. Government organizations were least secure, with 100 percent of web apps identified as having high risk vulnerabilities.
You can find out more and access the full report on the SecureList blog and there’s an overview of key findings in the infographic below.