Regardless of the efforts put in place surrounding cybersecurity, malicious parties continue to find ways to hack organizations around the globe. As a result, security departments are forced to put a heavy focus in the effort to prevent data breaches. According to a recent report, from information security company Positive Technologies, penetration testers, colloquially known as ‘pentesters’ were successful in breaching the network perimeter, accessing the local networks, of 93% of organizations the tested.
Penetration testers, such as those here at Packetlabs, are essentially ethical hackers hired by an organization to simulate the actions of criminal hackers, looking for vulnerabilities within the company’s security posture. With this consideration in mind, a penetration test is best conducted once a client has a security system in place that they are confident is effective in its purpose. As well, given the nature of the internet and continued development of malicious party tactics, it’s important to recognize that penetration testing is not to be thought of as a one-time event. It is best conducted on an annual basis, and whenever significant changes are made to the environments. Just as hackers are continuously looking for new ways to breach organizations, it’s important to have an expert eye on security to stay ahead of the proverbial security curve.
External vs Internal Networks
The penetration testing of an external network, such as the internet, is what is known as an external penetration test (pentest). During an external penetration test, pentesters will attempt to ascertain as many ways as possible to penetrate the local network. According to the report, a combination of external and internal network breaches represents approximately 58% of breaches, whereas external alone sits at approximately 19% of breaches.
In contrast, during an internal penetration test, 23% of attacks originate from within the company. This is typically accomplished using standard employee privileges or with the use of physical access to a random visitor (or rogue cleaner). As expected, the greatest benefit of an internal penetration test is to determine the highest level of privileges an attacker is able to obtain. This offers valuable information to an organization seeking to minimize both the risk and resulting damage in the event the organization is successfully breached. As an aside, this is also why it’s critical for an organization to have a segmented network, rather than a flat network. It is much more difficult for an attacker to move laterally if a network is effectively segmented.
Penetration Testing Value
As is the case in any field or industry, an expert’s astute opinion and analysis offers great value for any client, often saving them time and money in the grand scheme of things, despite it’s initial expense. In the world of cybersecurity, penetration testers are those experts. Pentesters can offer an expert opinion and analysis regarding the efficacy of their clients’ security system, as well as their ability to respond to external and internal threats.
In the study, one sixth of pentested organizations indicated traces of previous attacks. The average time to penetrate to the local network was a mere four days. Penetration testers found, in most instances, network penetration could be accomplished in less than 30-minutes. In the majority of cases, the successful attacks lacked complexity and would be fairly trivial for a hacker of moderate skills.
Overall, the testing in the study revealed some startling facts. First, only 7% of tested systems were effective enough to withstand all attempts. Further, 25% of systems were hacked in a single step, 43% within two steps, and 25% within three steps, proving that even the most prepared of organizations cannot let their guard down when it comes to maintaining security practises.
Perhaps the most alarming statistic the study revealed is that 71% of companies were vulnerable to even the most unskilled hackers. Another eye-opener is the fact that 77% of breaches were related to inadequate web application security, with pentesters discovering at least one open attack vector in 86% of businesses.
In terms of successful breaches, across the study, penetration testers were able to compromise 77% of businesses through web application vulnerabilities, 15% through brute-forcing database management system credentials, 6% through brute-forcing credentials used for remote access services, 1% through brute-forcing domain-user credentials with software vulnerabilities, and finally 1% for brute-forcing credentials for the FTP server.
When it comes to the classification of discovered vulnerabilities, pentesters often will often assign a grade or severity level, based on their potential impact. From the order of low to high impact, the scale will look something to the effect of informational, low, medium, high and critical.
To put things in perspective, in terms of critical vulnerabilities, web applications top the list at 57%, password policy flaws at 50%, software vulnerabilities at 29% and lastly configuration flaws at 25% of identifiable vulnerabilities.
How We Can Help
From the results of the study at hand, the value of penetration testing cannot be overstated. At Packetlabs, our penetration testing services begin with the latest tools and technologies, and leverage them to bypass the security of corporate networks protected by even the most sophisticated security controls.
Packetlabs consultants think outside of the box to find weaknesses others overlook, and continuously learn new ways to evade controls in modern networks. We take the time to understand each of the in-scope components and their role in the overall system tested to custom tailor our approach to each environment we assess.
Another important take away from the report is the importance of web application security, which happens to be our specialty. Packetlabs’ unique approach to application security testing begins with developing a threat model and taking the time to understand the overall purpose, the components, and their interaction with sensitive information or functionality. This approach enables realistic simulation of how an attacker would target your application and in turn, provides you with more value. Only after thorough analysis do we begin attempting to manually compromise each layer of defence within the environment.
If you would like to learn how Packetlabs would approach and prioritize cybersecurity at your organization, please contact us for more information!
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications