Vulnerabilities in transport layer security and exposure to a 10-year-old botnet are the most common findings from penetration testing engagements.
According to data from investigations between June 2019 to June 2020 from 206 engagements by Rapid7, internal network configuration and patch management continue to provide “easy” soft targets to penetration testers, who can often use off-the-shelf commodity attacks to escalate privileges and move laterally about the network without being detected. It also found that issues with EternalBlue and Conficker are still not being excised from internal networks.
According to Tod Beardsley, research director at Rapid7, over the 12 months work, it also found password management and secondary controls such as two-factor authentication are severely lacking on the enterprise level, leading to “easy” compromises involving both password spraying and decrypting hashed passwords acquired during simulated breaches.
Also as there is more dependence on VPNs and internet-based applications, rather than traditional internal network controls, penetration testers were finding significant flaws in those VPN terminators and custom web apps.
“While none of this is particularly shocking to even the most Pollyanna security researcher (we are a cynical bunch), this is solid data that can help enterprises around the world understand what to expect from their next penetration test and be used as a checklist of what to investigate and remediate before then,” he said.
The report also found two vulnerabilities “as pretty standard go-tos for any internally scoped network assessment.” These were MS08-067, which was weaponized in the Conficker exploit back in 2008, and MS17-10, which was the central vulnerability to the EternalBlue exploit kit of 2017.
“These two issues are among the famous vulnerabilities of the past decade, so you would think that IT and IT security teams would have long ago excised these vulnerabilities from their internal networks,” Beardsley said.
Mark Kedgley, CTO at New Net Technologies, told Infosecurity he felt the cause of EternalBlue and Conficker still being so prominent because of the numbers of Windows-based systems that cannot easily be upgraded or even patched, such as EPoS and ATM systems.
“Even within the UK NHS, one of the highest profile victims of WannaCry, there are reports of still widespread use of Windows 7 due to budget and the practical challenges of large-scale IT,” Kedgley said. “It’s clear then upgrading and patching systems is a big challenge and while this remains the case, exploitable, known vulnerabilities will still be present and a threat. Other security controls, such as change control and breach detection, can play a role in compensating for environments where patching is an issue.”
Also, the top vulnerabilities encountered by external penetration testers were: weak transport layer security (10.48%), weak password policy (7.08%), missing strict-transport-security (STS) response headers (6.23%), user enumeration (5.67%).
Kedgley said: “Public websites are naturally prone to attack. Therefore, this has been a critical security risk ever since older TLS implementations were found to be weak and prone to compromise. The PCI DSS outlawed SSL and early TLS versions five years ago as it was known then this was a major problem for virtually every website.
“TLS 1.3 will plug the holes known in earlier versions, but the same issues apply in that just having a patch or update available doesn’t make us secure – its only when it is fully implemented and tested that the attack surface is fixed.”