Penetration testing - a milestone in corporate security

Penetration tests still have a niche existence in the field of information security. Even the most busy testers rarely carry out more than 20 orders per year, the results of which are almost always secret and protected by strict confidentiality agreements. Accordingly, it is difficult to obtain penetration test evaluations. Rapid7 collected data from 180 penetration tests over a period of nine months from mid-September 2018 to the end of May 2019. The results cover not only internal and external network analysis, but also physical intrusion, personal and electronic social engineering techniques, and source code analysis.

Penetration testing - a milestone in corporate security

Network vulnerabilities are almost standard

The penetration testers reported at least one vulnerability in 96% of all internal and external network and code review jobs reported.But not every weakness is the same. Taking the CIA triad model into account, we found that the vulnerabilities detected by penetration testers in external networks tend to be confidentiality vulnerabilities such as weak encryption standards or user enumeration problems. The majority of integrity vulnerabilities, on the other hand, are only found and exploited in internal network analyses.

The most frequently reported vulnerability was "Weak Transport Layer Security (TLS)" - a vulnerability in the encryption of data connections and a prime example of a confidentiality vulnerability. These vulnerabilities indicate outdated or non-existent encryption standards used in outward-facing systems. For example, a Web site may not be encrypted at all (pure HTTP resources or authentication mechanisms that display credentials in plain text) or may use encryption that is weaker than the current standard recommendation (for example, 40-bit instead of 128-bit key length). These vulnerabilities can expose data such as passwords or other confidential information during transmission to anyone who has the ability to intercept the network connection. Such attacks are common nowadays, especially since the release of Firesheep3 by Eric Butler in 2010.

Also among the list leaders is the "Weak Password Policy", which allows users to select relatively weak passwords to access their accounts. These are usually revealed by a procedure called "Password Spraying". Combined with other threats such as the OWA timing attack and SMTP mail address enumeration, such detected vulnerabilities, although only information leaks, can quickly lead to user accounts being taken over.

Also noteworthy are the vulnerabilities "obsolete software" and "missing patches". When such vulnerabilities are externally identified, they indicate vulnerability management and asset management failures.

Nevertheless, only 20% of all orders started externally penetrated the internal network. Customer organizations are increasingly using external hosting solutions such as Amazon AWS, Microsoft Azure, Google Cloud Platform, and other cloud computing providers. As a result, there is often no clear path to a customer's internal network following the external compromise of a networked software component.

The CIA Triad

The CIA triad comprises three elements: integrity, confidentiality and availability. Penetration testers are mainly interested in vulnerabilities where integrity is affected. Their successful exploitation means that the attacker gains some degree of control over the vulnerable application or component. This opens up numerous options for the attacker: He can use the compromised system for permanent access, impersonate one of the legitimate users with the appropriate access rights or steal confidential data stored, received or transmitted by the system concerned. When penetration testers use the term "remote root," they refer to an attack that completely compromises the integrity of the underlying operating system of a targeted service.

On the other hand, vulnerabilities specific to confidentiality give the attacker access to otherwise private data, but not full, direct control over the system itself. Such vulnerabilities are definitely very valuable to an attacker because confidential data can contain things like passwords, password hashes, or session tokens that can be used to gain direct access to systems or applications. Confidentiality vulnerabilities can also bring more subtle problems, such as the ability to intercept or modify data during transmission.

The third element of the CIA triad, availability, for penetration testers usually moves quite explicitly outside its scope. Only the very few organizations want to specifically cause productivity outages, even in a test scenario. Denial of service (DoS) attacks, whether distributed or otherwise, are certainly part of the arsenal of criminal attackers, but most ransomware attacks today exploit integrity problems to cause DoS. They first exploit integrity vulnerabilities to gain access to the system. They then use this to encrypt the system's memory and leave a ransom demand. A notable exception here are so-called "Booter and Stressor" activities. In this criminal strategy, the target's network is regularly flooded with unwanted traffic and the company is offered to refrain from doing so for a price.


The use of passwords is often critical

Password management is a challenge even for the most sophisticated IT security organizations. Almost three-quarters (72%) of the contracts involving the capture of access data revealed at least one password. And this one can usually be the one too many. 60% were easy to guess passwords, for which the penetration tester performed password spraying with generic passwords, known standard passwords and easily guessable company-specific passwords.

Whenever an attempt is made to gain access data, the hacker will first try to find out which user names are valid in the target area (e.g. website). Usernames are rarely secret and tend to follow familiar patterns such as Firstname_Lastname@domain.com, FLastname@domain.com or FLast@domain.com. The attempt to fill in these patterns is usually associated with Open Source Intelligence (OSINT).

Once a list of matching usernames has been created, the corresponding passwords are the next step. Passwords should be secret and unique. Unfortunately, human users are still pretty bad at making up passwords, whereas penetration testers are pretty good at guessing bad passwords. In fact, password spraying (testing universally used passwords and password patterns), guessable organization-specific passwords, and lists of commonly used standard passwords are still the best ways to find valid passwords. Therefore, organizations should assign random passwords to their users or specify that password managers must be used to create and store passwords. Assigning random passwords through a password management application is far more secure than simply enforcing complexity and rotation rules for password creation. But today, it's common for many companies to have passwords that contain uppercase and lowercase letters, a number, and a special character, and need to be changed every 90 days. Unfortunately, however, such password restrictions tend to reduce password complexity. Because people trick the system and independently develop patterns like "Summer2019!", "Fall2019!" and so on.

Password cracking - the art of finding out which passwords these hashes generate from a list of password hashes - is surprisingly well represented in this year's study. The capture of a hash file was the most common source of password material this year. More specific origins for hashes such as challenge-response traffic and /etc/shadow were also reported. Again, many of the cracked passwords could have been easily guessed with a little time and luck, they were that simple. Most of them came unsurprisingly from sources in Microsoft Windows. The captured LM-hashes should be particularly noted. These are extremely insecure, run counter to some basic recommended methods of cryptography, and have long been rejected by Microsoft in favor of stronger hashing mechanisms. However, while they are basically irrelevant in Microsoft environments updated over the past decade, they still persist and wait to be exploited by attackers. Domain administrators are urged to eradicate these LM hashes once and for all, and Microsoft's advice on how to disable LM hashes can help.

There is also reason for optimism

Basic network segmentation between "internal" and "external" networks seems to be having a general impact, especially in view of the ongoing migration of externally accessible resources to the cloud. Penetration testers who carried out an external attack were only able to penetrate the internal LAN in 21% of all cases. Attacks directed specifically against web applications almost never (less than 3% of all cases) ended up endangering the entire site. Most web applications (over 70%) were not hosted in the customer's data center. This makes it considerably more difficult for the attacker to use a compromised web application.

How companies can defend themselves against these dark arts

Penetration testers usually "win", in other words: they achieve the goal set in the context of the contract, be it penetration into the network from outside, the theft of confidential data or a domain admin access. Expressed in concrete figures, 80.6% of all external penetration tests lead to internal access and this usually results in either compromise of domain admin access (75.9% of all cases) or the theft of confidential data (87% of all cases). In view of these figures, some may give up hope of defending themselves against an ingenious and determined attacker: "What is the point of securing anything at all then?"

To counteract such desperation, this may help: First, in about 15 to 20% of all cases, the penetration tester is held up quite effectively by the existing security measures. This shows that the tested customer is doing a pretty good job of backing up the data that is important to him. Second, the penetration tester's job is to meticulously locate those dark, forgotten corners of the infrastructure where there is a hidden (or less hidden) gap in the existing security concept. If an organization has serious problems with patch management and securing its web applications, it probably is not yet ready for penetration testing. What such organizations need is a thorough vulnerability analysis that identifies "easy" goals. Then they can hire a consultant to tell them where something went wrong.

The recipe for success for defenders, with which one can "win" the next penetration test, is therefore to devote oneself to the areas that attackers often and often successfully target:

  • First and foremost, patch management is the absolute foundation of network security. Make sure you are not among the 30% of organizations that are still vulnerable to old, well-known vulnerabilities such as MS17- 010 (EternalBlue). If you lack a solid, comprehensive vulnerability management strategy, almost every penetration test will tell you that you need to focus on it first.
  • If you really want to impress (and drive insane) your penetration testing consultant, establish strong password management in your organization. There are several solutions for this, but if you manage to equip all user and service accounts with randomly generated, long passwords, any password spraying attempt will ultimately fail.
  • To succeed with these two "initial strategies", it is imperative that you constantly monitor your network for new assets and services. The best vulnerability and password management is useless if any forgotten device with the default access data "admin/admin" offers a wide open gateway into your network - especially if this device also has write permission for otherwise secure systems. "Scan yourself" is the first commandment of network security. Do not be afraid to continuously scan for the weakest link in your security chain during the remaining 50 weeks of the year when the penetration tester is not inhouse.
  • On a Friday afternoon, training courses against social engineering can offer varied entertainment and serve not only to build trust and promote team spirit, but also at the same time convey how to remain polite but determined in the face of a social engineering attempt. Even if technical security measures of all kinds have already been put in place, the weak point of an organisation may be sitting at a keyboard or standing in front of a locked elevator. As everyday IT services are increasingly moved to the cloud, criminal attackers and penetration testers are increasingly using email-based phishing campaigns and both personal and telephone persuasion methods.


About the author

Tod Beardsley is Research Director at Rapid7. He has more than 20 years of practical safety knowledge and experience. He has held IT operations and IT security positions in large organizations such as 3Com, Dell and Westinghouse. Today, Beardsley often speaks at security and developer conferences.

Image rights: Rapid7

Date: 4 November 2019, 7:11 am   |   Author: ED
Keep Reading: