Corporate information systems became more vulnerable in 2016, and staff awareness of information security declined markedly over the same period.
That’s the word from Positive Technologies, which found in an overview of security audit findings that critical vulnerabilities were detected in 47% of investigated corporate systems last year.
During audits, experts simulate how actual attackers (external and internal) would try to penetrate corporate systems. In an alarming development, when acting as an external intruder, PT testers could gain full control over corporate infrastructure on 55% of systems. As an internal intruder, they were successful on all systems. In 2015, these figures were 28% and 82%, respectively.
At the same time, staff awareness of information security was extremely low in half of systems in 2016 (compared to 25% of systems in 2015). In addition, wireless network security was also extremely poor in most cases (75%), with every second system allowing access to LAN from Wi-Fi.
The audits identified a large number of common protection flaws. High-risk vulnerabilities were most often related to configuration errors (40% of systems), errors in web application code (27% of systems) and failure to install security updates (20% of systems). Among systems with missing updates, the oldest uninstalled update was on average nine years old.
The analysis also found that bypassing the network perimeter is possible on 55% of systems for an intruder with minimum knowledge and skills. In most cases, an external intruder needs only two steps to penetrate the perimeter. Common perimeter vulnerabilities include dictionary passwords, unencrypted data transfer protocols (detected on all systems), vulnerable software versions (91% of systems), as well as publicly available interfaces for remote access, equipment control and connection to database management systems (also 91% of systems).
“The vast majority of attacks on corporate infrastructures involve exploitation of common vulnerabilities and flaws,” said Evgeny Gnedin, head of information security analytics at Positive Technologies. “Companies can dramatically improve their security stance and avoid falling victim to attacks by applying basic information security rules: Develop and enforce a strict password policy, minimize privileges of users and services, do not store sensitive information in cleartext, minimize the number of open network service interfaces on the network perimeter, regularly update software and install operating system security updates.”
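The perimeter flaws listed above (dictionary passwords, cleartext protocols, out-of-date software and exposed remote-access or DBMS interfaces) and the hygiene rules in the quote map onto a small audit check. The script below is an added example and is not Positive Technologies' code: the service inventory, vendor version data, recovered credentials and the wordlist are constructed, and the mapping of service names to the "management" and "cleartext" classes is an assumption a real deployment would replace with its own inventory and policy.

```python
"""Added example (not Positive Technologies' code): a minimal perimeter
hygiene check for the flaw classes the audit summary lists: dictionary
passwords, cleartext protocols, out-of-date software and management or
DBMS interfaces exposed to the Internet.  The inventory, version data,
credentials and wordlist below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Assumed classification: services that count as remote access, equipment
# control or DBMS access when reachable from outside.
MANAGEMENT_SERVICES = {"ssh", "rdp", "vnc", "telnet", "snmp", "ipmi",
                       "mysql", "mssql", "postgresql", "oracle", "redis"}
# Protocols that carry credentials or data without encryption.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp", "pop3", "imap", "smtp"}
# Tiny constructed wordlist; a real check uses a public list plus the
# organisation's own name-, product- and season-based passwords.
DICTIONARY = {"password", "admin", "123456", "qwerty", "welcome", "p@ssw0rd"}


@dataclass
class Service:
    host: str
    port: int
    name: str
    version: str          # version observed in the banner
    latest: str           # newest vendor version (assumed known)
    encrypted: bool
    credentials: list = field(default_factory=list)   # (user, password) pairs recovered


def violates_policy(password, min_len=12):
    """True if the password is a dictionary word (optionally padded with a
    trailing year or symbol), is too short, or uses fewer than three
    character classes."""
    lowered = password.lower()
    base = re.sub(r"[0-9!@#$%^&*]+$", "", lowered)
    if lowered in DICTIONARY or base in DICTIONARY:
        return True
    if len(password) < min_len:
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 3


def version_tuple(v):
    """'2.4.6' -> (2, 4, 6); '7.4p1' -> (7, 4, 1).  Adequate for dotted
    versions; use the vendor's comparison rules for anything fancier."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def audit(services):
    """Return (host, port, finding) triples for every flaw detected."""
    findings = []
    for s in services:
        if s.name in MANAGEMENT_SERVICES:
            findings.append((s.host, s.port, "exposed-management-interface"))
        if s.name in CLEARTEXT_SERVICES and not s.encrypted:
            findings.append((s.host, s.port, "cleartext-protocol"))
        if version_tuple(s.version) < version_tuple(s.latest):
            findings.append((s.host, s.port, "outdated-software"))
        for user, password in s.credentials:
            if violates_policy(password):
                findings.append((s.host, s.port, f"weak-password:{user}"))
    return findings


def summarize(findings, total_hosts):
    """Percentage of hosts affected per finding class, the way the audit
    statistics above are expressed."""
    hosts = {}
    for host, _, kind in findings:
        hosts.setdefault(kind.split(":")[0], set()).add(host)
    return {k: round(100 * len(v) / total_hosts) for k, v in hosts.items()}


# Constructed perimeter inventory for four hosts.
SAMPLE = [
    Service("gw.example.com", 23, "telnet", "1.0", "1.0", False, [("admin", "admin")]),
    Service("web.example.com", 80, "http", "2.4.6", "2.4.25", False),
    Service("web.example.com", 443, "https", "2.4.6", "2.4.25", True),
    Service("db.example.com", 3306, "mysql", "5.7.12", "5.7.17", True, [("root", "Welcome2016!")]),
    Service("vpn.example.com", 22, "ssh", "7.4", "7.4", True, [("ops", "Tr0ub4dor&3xample")]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
    print(summarize(audit(SAMPLE), total_hosts=4))
```

The password check deliberately strips a trailing year or symbol before the dictionary lookup, because "Welcome2016!" passes a naive complexity rule while still being a dictionary password of the kind the audit counts as weak. The summary function reports per-host percentages so the output can be compared directly with the figures quoted in the article.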
The research also found that although web application code errors are not the most common source of high-risk vulnerabilities, they are still dangerous: web application vulnerabilities made it possible to bypass the network perimeter on 77% of systems.
The most common internal network vulnerabilities were flaws in network layer and data link layer protocols that allow traffic redirection and interception of information about the network configuration; these were found on every system tested (100%).
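One concrete form of the data link layer traffic redirection described above is ARP cache poisoning, where a host on the segment answers ARP for addresses it does not own and so receives traffic meant for them. The detector below is an added example and is not part of the Positive Technologies report (which does not name the protocols involved, so ARP is taken here as the illustrative case). The capture lines are constructed in the style of `tcpdump -n arp` output, and the known gateway binding is an assumed baseline.

```python
"""Added example, not part of the Positive Technologies report: detecting
ARP cache poisoning, taken here as the illustrative case of the data link
layer traffic redirection the audit describes (an assumption; the report
does not name the protocols).  The capture below is constructed in the
style of `tcpdump -n arp` output."""
import re
from collections import defaultdict
from dataclasses import dataclass

ARP_REPLY = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) ARP, Reply (\S+) is-at ([0-9a-f:]{17})")


@dataclass(frozen=True)
class ArpReply:
    ts: float    # seconds since midnight
    ip: str      # protocol address being advertised
    mac: str     # hardware address claiming it


def parse_tcpdump_arp(lines):
    """Keep only ARP replies; requests carry no binding to check."""
    replies = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            h, mi, s, ip, mac = m.groups()
            replies.append(ArpReply(int(h) * 3600 + int(mi) * 60 + float(s), ip, mac))
    return replies


# Expected gateway binding from DHCP or a baseline scan (assumed).
KNOWN_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_poisoning(replies, known=KNOWN_BINDINGS, min_ips_per_mac=3):
    """Return alert tuples:
      ("conflict", ip, [mac, ...])    an IP advertised by more than one MAC
      ("known-binding", ip, mac)      a known IP claimed by the wrong MAC
      ("fan-out", mac, [ip, ...])     one MAC claiming many IPs, the pattern of
                                      a host poisoning a whole segment
    """
    alerts = []
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    flagged = set()
    for r in sorted(replies, key=lambda r: r.ts):
        ips_for_mac[r.mac].add(r.ip)
        seen = macs_for_ip[r.ip]
        if r.mac not in seen:
            seen.add(r.mac)
            if len(seen) == 2:          # alert once, at the first conflict
                alerts.append(("conflict", r.ip, sorted(seen)))
        if known.get(r.ip, r.mac) != r.mac and (r.ip, r.mac) not in flagged:
            flagged.add((r.ip, r.mac))
            alerts.append(("known-binding", r.ip, r.mac))
    for mac, ips in ips_for_mac.items():
        if len(ips) >= min_ips_per_mac:
            alerts.append(("fan-out", mac, sorted(ips)))
    return alerts


# Constructed capture: a legitimate gateway and host, then a third station
# (de:ad:be:ef:00:01) claiming the gateway and two hosts at once.
CAPTURE = """\
12:00:00.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.200000 ARP, Request who-has 10.0.0.25 tell 10.0.0.1, length 28
12:00:01.250000 ARP, Reply 10.0.0.25 is-at 00:11:22:33:44:25, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.100000 ARP, Reply 10.0.0.25 is-at de:ad:be:ef:00:01, length 28
12:00:05.200000 ARP, Reply 10.0.0.26 is-at de:ad:be:ef:00:01, length 28
12:00:06.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in detect_poisoning(parse_tcpdump_arp(CAPTURE)):
        print(*alert)
```

The conflict rule alone produces false positives when a host legitimately changes NIC or a failover pair shares an address, which is why the baseline binding and the fan-out pattern are checked separately: a single station answering for the gateway and several hosts within seconds is the signature of an interception attempt rather than a hardware swap. The same detection is what switch-side Dynamic ARP Inspection performs against the DHCP snooping table, which is the preventive control for this class of flaw.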