We continuously learn from our mistakes, and so do penetration testers, the protectors of the virtual world. By analysing series of hacking attempts, both failed and successful, cyber security experts have drawn several inferences, including a list of the most basic mistakes that leave companies vulnerable to attack.
As per the results published, attackers can potentially gain access to the internal network of an organisation by exploiting two basic flaws, and in as little as an hour. Cyber security experts at Positive Technologies, who perform vulnerability testing against organisations across a wide variety of sectors, have identified the most common security mistakes. The findings have been shared in a report titled “Penetration Testing of Corporate Information Systems”.
The report is based on anonymised data from real organisations that had their networks tested for vulnerabilities using real-life exploits. The report says “for around 71% of the companies, there is at least one obvious weakness that enables hackers entry into their network”.
One of the most common cyber security issues found was weak passwords, which allow attackers to gain access to accounts through brute force attacks. Cracking the password of a single account is usually not enough to gain full access to an internal network. However, a weak password is often the first step in an account compromise, and weak passwords coupled with other exploitable vulnerabilities can provide attackers with access to internal systems.
As per the report, even large organisations are committing the same basic mistakes as smaller ones. Large corporates, too, have failed to follow basic information security rules, and the attack vectors are primarily based on exploiting known security flaws.
Next to weak passwords, the most common mistake is running vulnerable versions of software that have not received the required security updates, leaving them open to attack. As per the report, over two-thirds of organisations are using such unpatched software. It is no surprise that attackers can easily gain unauthorised access to internal networks if web applications, servers or other software contain a known vulnerability for which a public exploit exists. Such exploits are often available on dark web forums and paste sites.
The attack surface has grown as more and more people work from home due to COVID-19 related restrictions.
In about one-third of the penetration tests, researchers were able to gain access to internal systems by combining brute force attacks with software vulnerabilities. Such attacks could have been prevented by using long, unique passwords and by applying software updates and patches promptly, before the flaws could be exploited. In these controlled tests the networks were accessed by ethical hackers as part of a security exercise, but cyber criminals exploiting the same set of vulnerabilities could cause catastrophic damage to an organisation.
Attackers can potentially target critical business systems, for example financial or health systems, and then hold them to ransom. In addition, attackers are known to sell the data and information gathered from a breach on the dark net to other criminals. The data sold can then be used to launch further attacks against these systems, for example ransomware attacks.
The solution lies in following basic cyber security practices, especially keeping passwords of sufficient length and complexity and rejecting passwords that appear in common or breached-password lists. On top of strong passwords, two-factor or multi-factor authentication must be required for critical internal systems. In a study published by Google, 2FA was found to be almost 100% effective in preventing brute force attacks on accounts. Similarly, organisations as well as individuals must patch their software with the latest updates to protect themselves from the myriad known public exploits.
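The two controls discussed above, rejecting weak passwords and noticing a brute force attack in progress, are both straightforward to automate. The following is an added example written for this article; it is not code from Positive Technologies or from the report. The blocklist, the log lines and the threshold are constructed for illustration, and the log format follows the common OpenSSH “Failed password for … from …” message.

```python
"""Added example: a minimal password policy check and a brute-force
detector for SSH authentication logs. All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a real breached-password list (e.g. a HIBP download).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "welcome1", "p@ssw0rd"}
MIN_LENGTH = 12  # assumed policy value, not taken from the report


def password_is_weak(password: str) -> bool:
    """True if the password is too short or matches the blocklist.

    The blocklist comparison is case-insensitive and also undoes the usual
    leet substitutions so that 'P@ssw0rd' is caught as 'password'.
    """
    if len(password) < MIN_LENGTH:
        return True
    lowered = password.lower()
    normalised = lowered.translate(str.maketrans("@0$1!", "aosli"))
    return lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS


# Matches the OpenSSH failure message; the timestamp is assumed to be ISO 8601.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins_by_source(lines):
    """Group failed-login events as {source_ip: [(timestamp, username), ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    return events


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted usernames} for every source that produced at
    least `threshold` failures inside any sliding time window of length `window`."""
    flagged = {}
    for ip, evs in failed_logins_by_source(lines).items():
        evs.sort()
        times = [t for t, _ in evs]
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans no more than `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged


# Constructed sample log: one password-spraying source and one benign user
# who mistyped a password twice.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 sshd[1010]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "2024-03-01T10:00:03 sshd[1011]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "2024-03-01T10:00:05 sshd[1012]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2024-03-01T10:00:07 sshd[1013]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "2024-03-01T10:00:09 sshd[1014]: Failed password for invalid user test from 203.0.113.7 port 51126 ssh2",
    "2024-03-01T10:00:11 sshd[1015]: Failed password for invalid user test from 203.0.113.7 port 51127 ssh2",
    "2024-03-01T10:00:30 sshd[1020]: Failed password for alice from 198.51.100.23 port 40001 ssh2",
    "2024-03-01T10:05:30 sshd[1021]: Failed password for alice from 198.51.100.23 port 40002 ssh2",
    "2024-03-01T10:05:40 sshd[1021]: Accepted password for alice from 198.51.100.23 port 40002 ssh2",
]


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "welcome1", "correct horse battery staple"):
        print(f"{pw!r}: {'weak' if password_is_weak(pw) else 'ok'}")
    for ip, users in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute force from {ip}, usernames tried: {', '.join(users)}")
```

The detector keys on the source address rather than the target account because password spraying, as in the sample, spreads a few guesses across many usernames and would not trip a per-account lockout. In practice the policy check should be backed by a full breached-password list and the detector fed from the host's real authentication log; the threshold and window are tuning values to set against the organisation's own traffic.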