Attackers can get into a network in 30 minutes
Penetration of a local network takes between 30 minutes and 10 days, and in most cases attack complexity is low, meaning that an attack is within the capabilities of a hacker with basic skills.
Moreover, there is at least one easy penetration vector in 71 percent of companies, according to research from Positive Technologies, which analyzed the security of corporate information systems and prepared an overview of the most common security flaws and attack methods.
At 93 percent of companies, pentesters succeeded in breaching the network perimeter and accessing the local network. And at 68 percent of companies, successful attacks on web applications involved brute-force attacks to crack credentials.
In 77 percent of cases, penetration vectors were related to insufficient protection of web applications. Testers discovered at least one such vector at 86 percent of companies.
"Web applications are the most vulnerable component on the network perimeter," says Ekaterina Kilyusheva, head of research and analytics at Positive Technologies. "In 77 percent of cases, penetration vectors involved insufficient protection of web applications. To ensure protection, businesses need to perform security assessments of web applications regularly. Penetration testing is performed as a 'black box' analysis without access to source code, which means businesses can leave blind spots to some issues which might not be detected using this method. Therefore, companies should use a more thorough testing method such as source code analysis (white box). For proactive security, we recommend using a web application firewall to prevent exploitation of vulnerabilities, even ones that have not been detected yet."
Positive Technologies recommends that companies protect themselves by installing OS security updates and the latest versions of software in a timely manner, and by ensuring that software containing known vulnerabilities does not appear on the network perimeter.
The full Penetration Testing of Corporate Information Systems report is available from the Positive Technologies site.