Over a period of nearly 10 months, penetration testers conducted external tests where the testers were able to exploit at least one in-production vulnerability in a large majority of the simulated attacks, according to a new report, Under the Hoodie, from Rapid7.
The majority, 59%, of the 268 penetration tests performed in the survey period – September 2017 to June 2018 – were externally based, where the targets tend to be internet-facing vectors, such as web applications, email phishing, cloud-hosted assets and VPN exposure.
Rapid7’s pen testers were able to abuse at least one network misconfiguration in 80% of engagements and one in-production vulnerability in 84% of all engagements. In 53% of all engagements, the testers were able to capture at least one credential, and that number jumped to 86% when looking solely at internal engagements.
The report also revealed the top five security priorities of the participating organizations. When it comes to protecting sensitive information, 21% prioritize sensitive internal data and 20% focus on personally identifiable information (PII). Only 14% of organizations ranked protecting authentication credentials as a top-five priority, 7.8% prioritize payment card data and only 6.5% ranked bank account data.
Organizations are more interested in securing their own sensitive data – such as internal communications and financial metrics – than that of their customers and employees.
According to the report, humans are predictable when it comes to creating passwords. Given that pen testers captured credentials most of the time, it is more likely than not that an adversary could impersonate at least one authorized user on the network. Malicious actors often find manual guessing of usernames and passwords to be the most effective method.
Some of the most common passwords (5% of total set) captured by pen testers included passwords with the company’s name (e.g., PAN123!), while variations of “password” (e.g., Password1) came in second at 3% of the total set. Seasonal passwords, such as Winter2018, placed third at 1.4% of the total set.
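As an added defensive example (not code from the Rapid7 report or its authors), the following Python audit classifies a password set into the three predictable patterns named above, so a security team can measure the same thing in its own directory; the company name "PAN" is assumed from the report's example, and the season list and substitution table are assumptions.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed company name for the check; the report's example "PAN123!" suggests "PAN".
COMPANY_NAME = "pan"
SEASONS = {"winter", "spring", "summer", "fall", "autumn"}

# Substitutions people use to satisfy complexity rules without adding strength.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password: str) -> str:
    """Reduce a password to the word it was built from.

    Lower-cases, strips leading/trailing digits and symbols that carry the
    year or the mandatory "!" (Winter2018, PAN123!), then undoes common
    substitutions (P@ssw0rd -> password).
    """
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    core = re.sub(r"^[^a-z]+", "", core)
    return core.translate(_LEET)

def classify(password: str, company: str = COMPANY_NAME) -> Optional[str]:
    """Name the report's pattern a password falls into, or None if it fits none."""
    core = normalize(password)
    if company and company.lower() in core:   # substring match is deliberately loose
        return "company-name"
    if "password" in core or "passwd" in core:
        return "password-variant"
    if core in SEASONS:
        return "seasonal"
    return None

def audit(passwords: Iterable[str], company: str = COMPANY_NAME) -> Counter:
    """Count how many passwords match each pattern (key None = no pattern matched)."""
    return Counter(classify(p, company) for p in passwords)

if __name__ == "__main__":
    # Constructed sample set, not data from the report.
    sample = ["PAN123!", "Password1", "P@ssw0rd!", "Winter2018", "Summer18!",
              "correct-horse-battery", "Tr0ub4dor&3"]
    for key, n in audit(sample).items():
        print(f"{key or 'no pattern'}: {n}")
```

Run it against a list of cracked or policy-rejected passwords to see what share of your own set falls into each category the report describes.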
Additionally, Rapid7’s pen testers remained undetected on 61% of all engagements and just 8% were detected within an hour. “Even mature security teams in established enterprises still struggle with their attack detection capabilities,” said Tod Beardsley, director of research, Rapid7.
“Generally, even the best pentesters aren't particularly stealthy, since they are dealing with pretty strict time boxes and don't have the luxury of taking a low-and-slow approach to network breaches. The fact that so few organizations detect pentesters tells me that the security industry still has work to do to make incident detection and response a normal and robust component of any security program.”