In as little as half an hour, hackers can exploit two security failings and gain access to your internal networks!
Positive Technologies, a leading vulnerability assessment, compliance management, and threat analysis company, recently conducted penetration testing against organisations from a wide variety of sectors. Their cybersecurity researchers and ethical hackers discovered common security risks across all types of industry, all detailed in a new report called Penetration Testing of Corporate Information Systems.
Most importantly, the report was put together from real company data: businesses that have had their networks tested, even though they remain anonymous in the report.
Firstly, it found that for 71% of businesses there is at least one weakness that stands out. In other words, an avenue for malicious cyber criminals to gain entry into their business network.
Weak passwords, for example, are one of the most common avenues of concern. When a password is weak, hackers gain access to the account simply by cracking it. Often it only takes one breached account for the hacker to reach an internal network. That is to say, by cracking the password and then exploiting known vulnerabilities, they easily get in.
Ekaterina Kilyusheva, the head of information security analytics at Positive Technologies, says “the problem lies in the low levels of protection even for large organizations. Attack vectors are based primarily on exploiting known security flaws.” In other words, “companies do not follow basic information security rules.”
Secondly, it found that over 65% of businesses are not implementing the required security updates. Instead they are still running old, vulnerable versions of software. As a result, they leave the business wide open to exploitation and easy access into their networks.
Kilyusheva explains that “an attacker can quickly gain access to an internal network if a web application contains a known vulnerability for which a public exploit exists.”
For instance, because of the increase in working from home in 2020, the ethical hackers tested access to a remote desktop application, a frequent tactic used by criminal hackers. The testers did not have access to many applications, but by opening a mapping application they were able to execute commands on the operating system through Windows Explorer and gain further access.
Above all, the penetration exercise showed that a third of the attempts were successful. And that is scary! By cracking weak passwords and taking advantage of software vulnerabilities, the testers were able to reach the internals of the corporate network. But this could have been easily avoided with strong passwords and with security patches applied to all of their applications.
Thankfully this was just a test conducted by ethical hackers. Had it been done by cybercriminals, it could have been used to gain access to a number of corporate networks. On average it took about 4 days for the testers to get in. But in one case, it took just thirty minutes.
Why do we want to keep corporate networks safe? Firstly, a hacker can attack a critical business system such as a financial system. They can gain access to the CEO or CFO account and read the emails about financial transactions and who authorises payments, then send a dodgy invoice for direct payment into their own account. Before you know it, the company has lost thousands of dollars. Secondly, hackers can of course sell the obtained access on the darknet to other criminals, who then attack using ransomware.
But corporations can help avoid this by ensuring staff have:
- Strong passwords
- Multifactor authentication
- A network that is patched with the latest software updates
We really don’t want to make it easy for cybercriminals to commit these crimes against corporations. We have to make sure we have locked up properly.