Penetration testers found exploitable weaknesses in businesses' networks in a shocking 84 percent of engagements, analysis by Boston-based cybersecurity firm Rapid7 revealed this week.
Among the most egregious were network misconfigurations (exploitable 80 percent of the time) and a startling absence of two-factor authentication (2FA), which was in use at just 15 percent of businesses.
Two-factor authentication (2FA) is an extra security layer for accounts normally secured only with a username and password. It can work through one-time codes sent by text message (the weakest of the options, since SMS can be intercepted or redirected through SIM swapping), browser extensions, hardware USB security keys or a number of other approaches, and is widely considered a core component of better enterprise security.
2FA: Unused by 85 Percent
“It is pretty safe to say that one of the most common reasons we are able to access systems and networks to reach sensitive information is because of weak credentials resulting from weak password policies,” Rapid7 investigator Steven Laura wrote in the report.
The company added: “While 2FA continues to grow in popularity, it is still rare to find it in the field. 2FA was present and effective on only 15% of all engagements, with the remaining 85% of engagements unperturbed by this defensive strategy.”
As a result, at least one credential was captured in over half (53 percent) of all engagements, and 86 percent of the time when looking purely at internal engagements.
Rapid7’s analysis was based on 268 real-world penetration tests carried out by its security staff since 2017 and was published this week.
Pushing at an Unlocked Door
From exploiting OpenSSL installations that had not been updated for years and were still vulnerable to the 2014 “Heartbleed” bug, to scraping memory for cached credentials, the company’s teams achieved a high exploitation rate that often reflected a basic lack of security hygiene.
After obtaining access to an ordinary user account, the most common mechanism for elevating it to a privileged account remains the open source tool Mimikatz, they noted.
On Windows networks, once a domain account (including a service account) has logged in to a workstation, its credential material (the NTLM password hash and, on older configurations where the WDigest provider is still enabled, the plaintext password) is cached in the memory of the LSASS process, where anyone holding at least local administrator privileges on that machine can read it.
“This includes domain accounts with domain passwords; therefore, in cases where local users have local administrator access (either intentionally or accidentally), it is often trivial to escalate privileges to domain administrator,” Rapid7 noted.
(As Computer Business Review reported recently, a host of Microsoft security updates released as part of the latest Windows 10 update in May significantly reduces this exposure, with five new attack surface reduction rules making it much harder for attacks like Petya and other lateral movement techniques to succeed on a network, including Mimikatz-based credential theft.)
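The escalation path described above, a local administrator reading cached credential material out of LSASS, leaves a distinctive trace on the endpoint: a process opening a handle to lsass.exe with memory-read access. The following Python script is added here as an illustration and is not taken from the Rapid7 report or the article; it shows the detection logic a SOC would run over Sysmon Event ID 10 (ProcessAccess) records. The records are constructed and flattened into key=value form, and the allowlist of legitimate source images is an assumption that has to be tuned per environment.

```python
import re

# Process access rights from winnt.h. Dumping credentials from LSASS (what
# Mimikatz's sekurlsa module does) requires PROCESS_VM_READ on the handle,
# so the rule keys on that bit rather than on one exact access mask.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open LSASS with read access.
# It must be tuned per environment; EDR and AV agents usually belong here.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Fields are flattened to key=value pairs with no spaces inside values; real
# Sysmon XML/EVTX output would be read with a proper event parser instead.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one flattened record into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_lsass_access(event: dict) -> bool:
    """Flag Event ID 10 records where a non-allowlisted process obtained a
    handle to lsass.exe that carries PROCESS_VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)  # hex mask, e.g. 0x1010
    return bool(granted & PROCESS_VM_READ)


def scan(lines) -> list:
    """Return the SourceImage of every flagged record, in log order."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            flagged.append(event["SourceImage"])
    return flagged


# Constructed sample records (not real Sysmon output).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\bob\Downloads\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\Temp\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"EventID=1 Image=C:\Users\bob\Downloads\mimikatz.exe CommandLine=mimikatz.exe",
]

if __name__ == "__main__":
    for image in scan(SAMPLE_EVENTS):
        print("suspicious LSASS access from", image)
```

The rule keys on the PROCESS_VM_READ bit because the exact masks Mimikatz and memory-dumping tools request (0x1010, 0x1410 and the full 0x1FFFFF are common) vary between versions; a rule that matches one literal mask is easy to evade. The Task Manager record is left alone because its handle carries only query rights. Detection of this kind is the fallback; the preventive controls are LSA Protection (the RunAsPPL setting), Credential Guard, and the attack surface reduction rule that blocks credential stealing from lsass.exe, which is one of the rules referred to above.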
Penetration Testing Password Pwning
The company noted that in its data set of 130,000 passwords gathered during recent engagements, three patterns stood out. Perhaps unsurprisingly, the first was the word “password”, which occurred in 4,001 entries (about 3 percent of the set).
The second was the season of the year: the most common corporate password policy requires a change every 90 days, and passwords such as Winter2018, Summer2017! and Spring16! accounted for 1,788 entries, or 1.4 percent of the total.
“The third password pattern isn’t a specific word, but it is the most common approach in the list: the organization’s name. When guessing passwords, one of the first patterns penetration testers will try are variations of the company’s name,” Rapid7 said.
“We found a total of 6,332 instances of passwords that included the target company’s name, which works out to just under 5% of the total set. The base of these passwords includes the company name, but then the variations on it are similar to what we saw with “password.” Examples include Company123!, Company1, C0mp@ny1, and Company2018. So, while “password” is the most common password pattern base across our data set, decorating the organization’s name as a password is the most common strategy employed.”
Rapid7 concluded: “These percentages may not seem large, but keep in mind that a malicious actor might only need a single set of working credentials to gain access to a network. If you have 100 users, then there’s a good chance that five will contain the company’s name, three will be based on the word “password,” and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting.”
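The three patterns above (organization name, the word “password”, season plus year), together with the leetspeak and suffix decoration the report describes, are easy to turn into a screening check that either audits a recovered password list the way Rapid7 did or rejects such passwords at the moment they are set. The Python below is an added example, not the report’s own tooling; “Acme” is an assumed organization name and the password list is constructed.

```python
import re
from collections import Counter

# Common substitutions seen in "C0mp@ny1"-style passwords; mapping the digits and
# symbols back to letters lets a plain substring test catch the decorated variants.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

# Season name, optional non-letter padding, a two- or four-digit year, optional
# trailing decoration such as "!"; matched against the lower-cased original.
SEASON_RE = re.compile(r"(winter|spring|summer|fall|autumn)[^a-z]*(20\d{2}|\d{2})[^a-z]*")


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak: 'C0mp@ny1' -> 'companyi'."""
    return password.lower().translate(LEET)


def classify(password: str, org_name: str):
    """Return the pattern label a password falls under, or None.

    Precedence follows the report's ranking by frequency: organization name
    first, then the word 'password', then season plus year.
    """
    norm = normalize(password)
    if org_name.lower() in norm:
        return "org-name"
    if "password" in norm:
        return "password"
    if SEASON_RE.fullmatch(password.lower()):
        return "season-year"
    return None


def audit(passwords, org_name: str) -> Counter:
    """Count how many passwords fall under each pattern (unmatched ones are dropped)."""
    counts = Counter(classify(p, org_name) for p in passwords)
    counts.pop(None, None)
    return counts


def is_acceptable(password: str, org_name: str) -> bool:
    """Deny-list check for a password policy: reject any of the three patterns."""
    return classify(password, org_name) is None


# Constructed sample set; "Acme" is an assumed organization name.
SAMPLE_PASSWORDS = [
    "Acme123!", "@cme2018", "ACME1", "acme!acme",
    "Password1", "P@ssw0rd!", "password", "Pa$$word2019",
    "Winter2018", "Summer2017!", "Spring16!", "Fall2019",
    "Tr0ub4dor&3", "correct-horse-battery-staple", "xK9#mQ2vL",
    "Qwerty123", "Welcome1", "letmein",
]

if __name__ == "__main__":
    counts = audit(SAMPLE_PASSWORDS, "Acme")
    total = len(SAMPLE_PASSWORDS)
    for label, n in counts.most_common():
        print(f"{label:12s} {n:4d}  {100 * n / total:5.1f}%")
```

Used as a set-time check, `is_acceptable` implements the kind of deny list NIST SP 800-63B recommends (reject passwords that are commonly used or context-specific, such as the organization’s name) instead of relying on 90-day rotation, which is what produces the season-plus-year pattern in the first place. The substring test on the organization name is deliberately loose; for very short names it will need a word-boundary check to avoid rejecting unrelated passwords.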