Security penetration testers, or hired ethical hackers, were able to grab administrative control of a targeted organization’s network nearly 70 percent of the time, according to a new report examining 268 client engagements.
Rapid7, whose security analytics and automation cloud supports security operations (SecOps) teams, has issued an updated Under the Hoodie: Lessons From a Season of Penetration Testing report, in which it surveyed pen testers on what they typically see in the field -- “providing visibility into this often occult niche of information security,” as the developer put it.
Here’s some drill down:
- Software vulnerabilities, network misconfigurations, and network credentials are the weak points the penetration testers pursued. Of note, the new data saw a significant uptick in the rate of software vulnerabilities exploited to gain control over a network.
- Penetration testers were able to exploit at least one in-production vulnerability in 84% of all 268 engagements. That figure rises to 96% of all internally-based penetration tests.
- Penetration testers were able to abuse at least one network misconfiguration at an 80% rate. Among internal assessments a misconfiguration was leveraged in the investigator’s favor 96% of the time.
- At least one credential was captured in 53% of all engagements and 86% of the time when looking purely at internal engagements.
- User credentials are the next most exploitable point of entry, with at least one credential captured in more than half (53%) of all the tests. Simply guessing passwords yielded the best results to gain access credentials.
- Only 16% of the organizations the group tested did not have an exploitable vulnerability, down from 32% of organizations included in last year's report.
- 62% of all engagements included an external component, or web-based attacks such as email phishing and social engineering. Client organizations tend to be primarily concerned with external threats attacking their enterprise from the the internet. However, the number of internal engagements rose 11% this year, an indication that organizations are taking a more holistic approach to their network security, the report said.
- Penetration testers, nearly always limited by a relatively short engagement window of two weeks or less, remained undetected on 61% of engagements. If a penetration tester is not detected within a day, it’s unlikely the malicious activity will be detected at all, according to the report.
“Rarely are penetration tests structured in such a way that the pen testers are told to just go wild and see what they can see—organizations nearly always have some outcome in mind,” the study reads. Validating security that protects sensitive internal data, personal identifying information and authentication credentials together accounts for roughly 45 percent of what’s most important to the surveyed organizations, the data showed.
