Passwords continue to be a top security challenge for organizations, with penetration testers revealing that they can easily guess passwords in the majority of their engagements, according to the 2019 Under the Hoodie report published by Rapid7.
The new report, which documents the results of 180 pen tests carried out from September 2018 through May 2019, highlights the most common external and internal weaknesses present in companies. Sample findings showed that password management continues to be a problem: in 72% of engagements the testers were able to compromise one password, and of those, 60% were easily guessed passwords.
In its fifth year, the report shows year-over-year progress. The data suggests that basic network segmentation controls between internal and external networks are generally effective, particularly when looking at migration to the cloud for externally accessible resources.
In only 21% of externally based engagements were the testers able to gain internal LAN access. The numbers dropped further for web-application-specific engagements, where the testers were rarely, if ever, successful (under 3%) at achieving a total site-wide compromise. Over 70% of web applications were hosted somewhere other than the client's data center, making an attacker's path far more complex.
“The traditional 'external compromise' test, where the client wants to ferret out their weaknesses and exposures that are exposed to the general internet, is the most popular scoping choice, accounting for just about 40% of the engagements surveyed,” according to the report.
“This makes sense, since most clients are concerned about external bad actors – the criminal hackers that don't already have some reach into the internal network and are seeking some kind of leverage over the target to execute whatever criminal enterprise they're involved in.”
Once attackers gain a foothold, the next task is to leverage that access to reach more and better systems across the internal network. Increasingly, attackers are veering away from PowerShell for this because restrictions on it are "becoming increasingly common in enterprise Windows networks, and while attackers got a lot of mileage in years past with PowerShell, those techniques seem to be falling by the wayside in 2019," the report said.
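The PowerShell restrictions the report credits are policy settings an administrator can audit. The following script is an added example (not from the report or from Rapid7) that checks a Windows host for the controls most commonly meant by that phrase: the session's language mode, and whether script block logging, module logging and transcription are enabled via Group Policy. The registry paths are the standard policy locations for these settings; the output is a simple hashtable, so it can be collected across hosts and flagged wherever a value is missing.

```powershell
# Added example: audit common PowerShell hardening controls on the local host.
# Assumes it runs in Windows PowerShell 5.1 or later with read access to HKLM.

function Get-PowerShellHardeningStatus {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Helper: read a DWORD policy value, returning $null when the key or value is absent.
    function Read-PolicyValue {
        param([string]$SubKey, [string]$Name)
        $path = Join-Path $policyRoot $SubKey
        if (-not (Test-Path $path)) { return $null }
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Name)) { return $null }
        return [int]$item.$Name
    }

    $status = [ordered]@{
        # ConstrainedLanguage blocks most .NET and COM access from scripts.
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode.ToString()
        # Event ID 4104 in Microsoft-Windows-PowerShell/Operational depends on this.
        ScriptBlockLogging   = (Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging        = (Read-PolicyValue 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        Transcription        = (Read-PolicyValue 'Transcription'      'EnableTranscripting')      -eq 1
        ExecutionPolicy      = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
    }

    # Summarise which controls are missing so the result is easy to triage in bulk.
    $missing = @()
    if ($status.LanguageMode -ne 'ConstrainedLanguage') { $missing += 'LanguageMode' }
    foreach ($k in 'ScriptBlockLogging', 'ModuleLogging', 'Transcription') {
        if (-not $status[$k]) { $missing += $k }
    }
    $status.MissingControls = $missing

    return [pscustomobject]$status
}

# Usage: run on each host and review any non-empty MissingControls list.
Get-PowerShellHardeningStatus | Format-List
```

Note that the execution policy is reported for completeness only; it is a safety feature rather than a security boundary, so the language mode and the three logging settings are the values worth alerting on.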