Simulated Cyberattacks Reveal Corporate Passwords Are Weak, Internal Threats Are Strong

Cybersecurity investments are soaring. Unfortunately, for many corporates, vulnerabilities in their systems won’t be discovered, even with the latest technology, until attackers take advantage of them. That is why attack simulations have emerged as a critical component of a holistic enterprise security strategy.

Cybersecurity software firm Rapid7 recently published a report on its efforts to find these vulnerabilities before hackers do. For nearly a year, the firm conducted 268 simulated cyberattacks on corporates across a range of industries. Most of them, the company explained, were “live,” meaning Rapid7 was attempting to infiltrate corporate systems holding actual, sensitive data.

The firm compiled the results of its tests in its “Under the Hoodie 2018” report, published last week, and the findings are discouraging. Below, PYMNTS eyes the top data points in Rapid7’s report, which concluded that, at a glance, corporate security measures fell short.

Eighty-four percent of simulated tests found at least one kind of vulnerability and yielded a compromise as a result. Researchers noted that software vulnerabilities spiked over this period: during the testing period there was “a significant increase in the rate that software vulnerabilities were exploited in order to gain control over a critical networked resource,” compared to testing done in 2016.

Fifty-three percent of tests successfully captured credentials. In nearly all cases, Rapid7 explained, that means a username and password. Passwords are notoriously weak, and password requirements are often the same across systems: upper- and lower-case letters, a special character, and numbers. Researchers noted that these requirements make passwords like “Summer2018!” too common and too easily exploited, because such a password satisfies every rule while remaining an obvious guess. The most common way credentials were captured was simply manual guessing, used successfully in more than 10 percent of cases.
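The point above is that a complexity rule (upper, lower, digit, special) is necessary but not sufficient: “Summer2018!” passes it and is still among the first guesses tried. The following added example, which is not code from Rapid7 or the report, shows a policy check that applies the usual complexity rule and then rejects the season/month/common-word-plus-year shape. The minimum length, the word lists and the `company_words` parameter are assumptions for illustration.

```python
"""Password-policy check that rejects predictable patterns even when they
satisfy a typical corporate complexity rule.

Added example, not code from Rapid7 or the report. MIN_LENGTH, the word
lists and the company_words parameter are assumptions for illustration."""
import re

MIN_LENGTH = 8  # assumed minimum; the article does not state one

# The complexity rule the article describes: upper and lower case,
# a digit and a special character.
COMPLEXITY = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Constructed denylist of base words that recur in guessing lists.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "changeme"}

# A dictionary word followed only by up to four digits (a year, "1", "123")
# and up to two punctuation characters: the "Summer2018!" shape.
WORD_PLUS_SUFFIX = re.compile(r"^(?P<base>[A-Za-z]+)[0-9]{0,4}[^A-Za-z0-9]{0,2}$")


def complexity_failures(password: str) -> list[str]:
    """Return the complexity requirements the password does NOT meet."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    failures.extend(name for name, rx in COMPLEXITY.items()
                    if not rx.search(password))
    return failures


def is_predictable(password: str, company_words=()) -> bool:
    """True if the password is a season, month, common base or company word
    carrying only a numeric/punctuation suffix, the shape guessing tries first."""
    m = WORD_PLUS_SUFFIX.match(password)
    if not m:
        return False
    base = m.group("base").lower()
    known = SEASONS | MONTHS | COMMON_BASES | {w.lower() for w in company_words}
    return base in known


def assess(password: str, company_words=()) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Complexity is checked first, then shape."""
    reasons = [f"missing {f}" for f in complexity_failures(password)]
    if is_predictable(password, company_words):
        reasons.append("predictable word+suffix pattern")
    return (not reasons, reasons)


if __name__ == "__main__":
    # "Acme" is a constructed company name used to show the company-word check.
    for pw in ("Summer2018!", "Acme2019#", "Password1!", "tr4in-Stapler-99"):
        print(pw, assess(pw, company_words=("Acme",)))
```

The shape check deliberately ignores the year value, so “Summer18!” and “Winter2016!!” are rejected the same way; a production filter would also normalise leetspeak substitutions and compare against a breached-password list, which this illustration leaves out.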

Thirty-two percent of engagements were internal, meaning nearly a third of penetration tests simulated an attack from inside the network. That is an increase from the 21 percent of engagements that were internal in 2016 and, according to Rapid7, suggests corporates are “taking the insider threat a little more seriously this year.” Still, clients mostly preferred to test against external threats. “After all,” the report noted, “we tend to think of that externally-based attacker who is likely sitting in a far-off, extradition-proof region of the world.”

Ninety-six percent of internal penetration tests found a vulnerability, suggesting enterprise resources lack preparedness for an internal attack.

Twenty-one percent of organizations were interested in assessing vulnerabilities to internal data, making it the most common category of data cited by companies engaging in the penetration tests. Personal data, authentication credentials, payment card data and bank account data were also top concerns, researchers noted.

Nearly sixty-one percent of engagements revealed that account lockouts had no effect on a hacker’s ability to penetrate a network. Account lockouts, which may occur when a person unsuccessfully submits a username and password combination too many times, can slow a cyberattacker down, and in 3.8 percent of cases a lockout resulted in detection of the penetration tester. But most of the time, account lockouts did not deter a hacker.
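A per-account lockout counter only sees repeated failures against one account, which is why it so rarely led to detection in the engagements above. The added example below, which is not code from Rapid7 or the report, runs a detection over constructed authentication log lines that keys on the source instead: it raises an alert when one source fails against several distinct accounts inside a time window, even though no single account ever reaches the lockout threshold, and it separately surfaces lockout events as their own alert. The log format, the window, the thresholds and the sample lines are all assumptions made for illustration.

```python
"""Detection over authentication logs that does not depend on account lockout:
flag a single source failing against several distinct accounts inside a time
window, even when no account reaches the lockout threshold.

Added example, not from the Rapid7 report. Log format, thresholds and sample
lines are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the article).
WINDOW = timedelta(minutes=30)
DISTINCT_ACCOUNTS_ALERT = 3   # one source failing against this many accounts

# Constructed log format: ISO timestamp, result, user, source address.
LINE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS|LOCKED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 10.0.0.50 fails twice against each of four accounts
# (never tripping a lockout), 10.0.0.7 hammers one account until it locks,
# and 192.168.1.20 is an ordinary typo followed by success.
SAMPLE_LOG = """\
2018-06-01T09:00:01 auth: FAILED user=alice src=10.0.0.50
2018-06-01T09:02:10 auth: FAILED user=bob src=10.0.0.50
2018-06-01T09:04:33 auth: FAILED user=carol src=10.0.0.50
2018-06-01T09:06:47 auth: FAILED user=dave src=10.0.0.50
2018-06-01T09:11:02 auth: FAILED user=alice src=10.0.0.50
2018-06-01T09:13:19 auth: FAILED user=bob src=10.0.0.50
2018-06-01T09:15:40 auth: FAILED user=carol src=10.0.0.50
2018-06-01T09:18:05 auth: SUCCESS user=dave src=10.0.0.50
2018-06-01T09:20:00 auth: FAILED user=eve src=10.0.0.7
2018-06-01T09:20:03 auth: FAILED user=eve src=10.0.0.7
2018-06-01T09:20:06 auth: FAILED user=eve src=10.0.0.7
2018-06-01T09:20:09 auth: FAILED user=eve src=10.0.0.7
2018-06-01T09:20:12 auth: FAILED user=eve src=10.0.0.7
2018-06-01T09:20:15 auth: LOCKED user=eve src=10.0.0.7
2018-06-01T09:25:00 auth: FAILED user=frank src=192.168.1.20
2018-06-01T09:25:20 auth: SUCCESS user=frank src=192.168.1.20
this line is malformed and must be skipped
"""


def parse(text: str):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def failures_per_account(events) -> Counter:
    """What a per-account lockout counter sees: failures keyed by (src, user)."""
    return Counter((ev["src"], ev["user"]) for ev in events if ev["result"] == "FAILED")


def detect(events) -> list[tuple]:
    """Return alerts as (kind, src, detail) tuples.

    account_locked: the lockout itself, emitted as it appears in the log.
    multi_account_failures: one source failed against at least
    DISTINCT_ACCOUNTS_ALERT distinct accounts within WINDOW, regardless of
    whether any account was locked."""
    alerts = []
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    for ev in events:
        if ev["result"] == "LOCKED":
            alerts.append(("account_locked", ev["src"], ev["user"]))
        elif ev["result"] == "FAILED":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    for src, fails in failures.items():
        fails.sort()
        most = 0
        # Slide a WINDOW-long window over this source's failures and keep the
        # largest number of distinct accounts seen in any one window.
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= WINDOW}
            most = max(most, len(users))
        if most >= DISTINCT_ACCOUNTS_ALERT:
            alerts.append(("multi_account_failures", src, most))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, the per-account counter never exceeds 2 for any account touched by 10.0.0.50, so a lockout policy of three or more attempts would stay silent about it, while the source-keyed rule flags it after four distinct accounts. The window scan is quadratic in the number of failures per source, which is fine for a batch over a day of logs but would be replaced by a streaming sliding window in a SIEM rule.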

Twenty-eight percent of tests resulted in successful capture of administrative control, which requires a domain administrator or enterprise administrator credential. However, that figure rises to 67 percent when the data zeroes in on internal engagement penetration tests.

One day is how long a company has to detect a breach. According to Rapid7, the data suggests that “if the penetration tester is not detected within a day, it’s unlikely the malicious activity will be detected at all.” Eight percent of engagements that included detection evasion were detected within an hour, while more than one-fifth were detected within a day. Unfortunately, more than 61 percent were not detected at all. When broken down by company size, 63 percent of small firms were unable to detect evasion, and more than half of large enterprises were likewise unable to detect the breach.