By Samantha Woollard (Internet Security Specialist) 27 March 2017
What better way of finding the best countermeasures against hackers than asking the hackers themselves? Penetration testers spend their day-to-day life breaking into computer systems and attempting to get around obstacles put in place to stop the bad guys. But why ask penetration testers? The only difference between black hat hackers and penetration testers (white hat hackers) is that one of them has a statement of work to do it legally and the other does not. The methodology and tools of attack are the same.
A large group of white hat hackers took part in a survey about the results from their penetration tests to identify the main issues they came across and what measures you should implement to avoid falling victim to the same attacks. 72% stated that their first plan of attack is social engineering. Employees are often regarded as the weak link in the chain, which puts them at the top of the list for attack. Most hackers involved mentioned that more needed to be done about security awareness in the workplace, as tricking an employee was an easy way to exploit their target. Having security-educated staff can often be one of the key security defences in preventing company information from falling into the wrong hands.
88% of penetration tests done by the surveyed white hat hackers took less than 12 hours to compromise the target. After the initial breach, 81% of testers took under 12 hours to find and steal critical data from the target’s network. 33% stated that they were never detected during the entire assessment. From these results it is easy to see that a lot more still needs to be done to secure businesses and to monitor traffic so that real attackers in their systems are detected and stopped. Another comment made by several penetration testers was that the size of the organisation they were targeting did not matter: the chance of exploitation and compromise was the same.
66% of tests found exploitable software-related vulnerabilities, and network configuration issues that could be used to gain unauthorized access were found in 66% of businesses' systems. These exist because software suppliers care more about ease of deployment and usability, because network devices are misconfigured, and because of bad patching practices. From these two vulnerability types, over 80% of penetration tests are successful in compromising the target business. These can be easily protected against by implementing good patch management, network segmentation, regular scanning and assessments.
After a full penetration test, the work is not over. Remediation is a key stage after the results are acquired; however, from this survey only 10% of clients remediated all vulnerabilities and retested the environment. 5% of businesses only wanted to obtain the ‘check in the box’ to achieve compliance and did not act on the results of the assessment at all. 75% only focused on critical and high vulnerabilities. Although remediating major vulnerabilities is obviously a good start, a flaw being rated as low or medium does not mean that an attacker cannot use it to their advantage. Individually the chance of exploitation from these may be low, but by using several of these vulnerabilities together, an attacker can still sometimes craft a successful exploit.
The survey revealed that the most challenging layer to bypass in a company’s security model was intrusion detection and prevention systems. However, all controls designed to stop hackers can be bypassed with enough time and effort. It all boils down to defence in depth rather than depending on a single measure of security. If one layer fails, it is not game over. With the right combination of educated people and technology, the chance of compromise can be minimal.
Not all risk can be removed. However, most hackers target low-hanging fruit and try to find the path of least resistance. If a hacker’s attempt to get into your systems is making no progress, their patience may run thin and a lot of the time they will move on to another target. For example, if one computer is patched, running up-to-date security software and has a strong password, and another computer has not been patched for a while, has no security software in place and has a weak password, then an attacker will go for the second machine. It is all about being ahead of the game and not being an easy target.
Author: Intact Security