Tomcat
Professional
Positive Technologies experts analyzed the security level of corporate information systems and presented an overview of the most common security flaws, attack methods, and recommendations for raising the level of protection. The study is based on 28 external penetration tests of corporate infrastructure performed in 2019 for companies that allowed their anonymized data to be used. Only the most informative projects were included in the sample, so that the results would be objective.
The company's research revealed that access to resources on the local network is possible for 93% of companies. Moreover, 77% of attack vectors are associated with insufficient protection of web applications, and it can take only 30 minutes to penetrate a local network.
Among the companies tested in 2019 are financial sector organizations (32%), IT (21%), the fuel and energy complex (21%), government (11%), services (7%), industry (4%) and telecommunications (4%).
As mentioned above, in the course of external penetration tests, specialists managed to get access to the local network of 93% of organizations. The maximum number of penetration vectors identified in one project was 13.
The experts found that penetrating a local network takes from 30 minutes to 10 days. In most cases the complexity of the attack was rated low, meaning it could be carried out even by a low-skilled attacker with only basic abilities. 71% of companies had at least one easy penetration method.
Most attacks involved brute-forcing credentials and exploiting vulnerabilities in web applications. In 68% of companies, credential brute-force attacks against web applications were successful.
“The most vulnerable component on the network perimeter is web applications,” notes Ekaterina Kilyusheva, head of the research group of the information security analytics department at Positive Technologies. “According to the analysis, in 77% of cases the penetration vectors were associated with weaknesses in the protection of web applications; at least one such vector was identified in 86% of companies.
It is necessary to regularly analyze the security of web applications. The most effective verification method is to analyze the source code to find the largest number of errors. It is recommended to use a web application firewall (WAF) for proactive protection of web applications to prevent exploitation of existing vulnerabilities, even if they have not yet been discovered.”
In addition, password policy flaws of critical and high risk levels were identified in 86% of companies. Simple and dictionary user passwords were among the main security flaws on the network perimeter.
One of the most popular schemes was a Russian month name plus year typed in the Latin keyboard layout (for example, Jrnz,hm2019 or Fduecn2019). Such passwords were found in every third company, and in one organization they were guessed for more than 600 users.
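The month-plus-year scheme described above is easy to catch in a password-policy check or an audit of cracked hashes once the Latin-layout trick is undone. The following is an added example, not code from the Positive Technologies report: it maps each character back to the Russian key it sits on in the ЙЦУКЕН layout and flags passwords that decode to a month name followed by a year (it also covers plain English and Russian month names, going slightly beyond the report's finding). The sample password list is constructed.

```python
import re

# Russian ЙЦУКЕН key row and the characters the same physical keys produce in US QWERTY.
RU_KEYS = "йцукенгшщзхъфывапролджэячсмитьбю"
EN_KEYS = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
LATIN_TO_RU = {en: ru for ru, en in zip(RU_KEYS, EN_KEYS)}

MONTHS_RU = ["январь", "февраль", "март", "апрель", "май", "июнь", "июль",
             "август", "сентябрь", "октябрь", "ноябрь", "декабрь"]
MONTHS_EN = ["january", "february", "march", "april", "may", "june", "july",
             "august", "september", "october", "november", "december"]

# Word part, optional separator, then a 4- or 2-digit year.
MONTH_YEAR_RE = re.compile(r"([^\d]+?)[-_. ]?(\d{4}|\d{2})")


def latin_layout_to_russian(text):
    """Translate text typed with a Russian layout active but Latin keys in mind (e.g. 'Fduecn') back to the Russian letters on those keys ('август')."""
    return "".join(LATIN_TO_RU.get(ch, ch) for ch in text.lower())


def month_year_pattern(password):
    """Return (month, year) if the password is a month name followed by a year in either layout, else None."""
    candidates = {password.lower(), latin_layout_to_russian(password)}
    for cand in candidates:
        m = MONTH_YEAR_RE.fullmatch(cand)
        if not m:
            continue
        word, year = m.groups()
        if word in MONTHS_RU or word in MONTHS_EN:
            return word, year
    return None


def audit_passwords(passwords):
    """Return [(password, decoded_month, year)] for every password that follows the month+year scheme."""
    flagged = []
    for pw in passwords:
        hit = month_year_pattern(pw)
        if hit:
            flagged.append((pw,) + hit)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the two report examples plus two unrelated passwords.
    sample = ["Jrnz,hm2019", "Fduecn2019", "March_2019", "Tr0ub4dor&3"]
    for entry in audit_passwords(sample):
        print("weak month+year password: %s -> %s %s" % entry)
```

In a policy filter, a non-None result from month_year_pattern is a reject; in an audit of cracked hashes, the decoded month shows at a glance which users follow the scheme.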
During testing, well-known software vulnerabilities were widely exploited, which allowed penetration of the local network in 39% of companies; examples include vulnerabilities in outdated versions of Laravel and Oracle WebLogic Server. In addition, six zero-day vulnerabilities allowing remote execution of arbitrary code were found, including CVE-2019-19781 in Citrix Application Delivery Controller (ADC) and Citrix Gateway.
(Figure: Software in which vulnerabilities have been identified)
Positive Technologies experts remind that it is important to install operating system security updates and the latest software versions promptly, and to regularly monitor the corporate network perimeter for software with known vulnerabilities.