View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 26, 2018updated 08 Jul 2022 11:37am

Company123! Lessons from a Year of Penetration Testing (2FA, Anyone?)

Only 15% of organisations using 2FA; easy passwords proliferate

By CBR Staff Writer

Penetration testing professionals were able to find exploitable weaknesses in businesses networks in a shocking 84 percent of engagements, analysis by Boston-based cybersecurity firm Rapid 7 revealed this week.

Among the most egregious were network misconfiguration (exploitable 80 percent of the time) and a startling absence of two-factor authentification (2FA); used by just 15 percent of businesses.

2FA Two Factor Authentication (2FA) is an extra security layer for accounts normally only secured with a username and password. It can work through texted second passwords, special browser plugins, USB keys or a number of other approaches and is widely considered a core component of better enterprise security.

2FA: Unused by 85 Percent 

“It is pretty safe to say that one of the most common reasons we are able to access systems and networks to reach sensitive information is because of weak credentials resulting from weak password policies”, Rapid 7 investigator Steven Laura wrote in the report.

The company added: “While 2FA continues to grow in popularity, it is still rare to find it in the field. 2FA was present and effective on only 15% of all engagements, with the remaining 85% of engagements unperturbed by this defensive strategy.”

See also: Microsoft Just Made Hackers’ Lives a Lot Harder – but Has Anybody Noticed?

As a result, at least one credential was captured in over half (53 percent) of all engagements, and 86 percent of the time when looking purely at internal engagements.

Rapid 7’s analysis was based on 268 real-world penetration tests carried out by its security staff since 2017 and was published this week.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

penetration testing

Pushing at an Unlocked Door

From exploiting OpenSSL installations that had not been updated for years and were vulnerable to the “Heartbleed” bug of 2014, to scraping memory for cached credentials, the company’s teams had an impressive exploitation rate that often demonstrated a basic lack of security hygiene.

After securing user account privileges, the most common mechanism of elevating them to a privileged account remains the use of open source tool Mimikatz, they noted.

On Windows networks, if a domain account (including service accounts) has logged in to a workstation, that password hash will be stored in memory, available to users who have at least local administrator privileges.

“This includes domain accounts with domain passwords; therefore, in cases where local users have local administrator access (either intentionally or accidentally), it is often trivial to escalate privileges to domain administrator,” Rapid 7 noted.

(As Computer Business Review reported recently, A host of Microsoft security updates released as part of the latest Windows 10 in May significantly reduces vulnerabilities, with five new attack surface reduction rules making it much harder for attacks like Petya and other lateral movement offensives to take place on a network, including such Mimikatz-based pwning.)

Penetration Testing Password Pwning

penetration testing, rapid 7

The company noted that in its data set of 130,000 passwords culled from recent exercises, it had been able to identify three most common password patterns – perhaps unsurprisingly, with the word “password” occurring in 4,001 entries.

the second included seasons – as most companies require password changes every 90 days; the most common company password policy requires that people change their password every 90 days; examples like Winter2018, Summer2017! and Spring16! accounted for 1,788 passwords, or 1.4% of the total.

“The third password pattern isn’t a specific word, but it is the most common approach in the list: the organization’s name. When guessing passwords, one of the first patterns penetration testers will try are variations of the company’s name,” Rapid 7 said.

“We found a total of 6,332 instances of passwords that included the target company’s name, which works out to just under 5% of the total set. The base of these passwords includes the company name, but then the variations on it are similar to what we saw with “password.” Examples include Company123!, Company1, C0mp@ny1, and Company2018. So, while “password” is the most common password pattern base across our data set, decorating the organization’s name as a password is the most common strategy employed.”

Rapid 7 concluded: “These percentages may not seem large, but keep in mind that a malicious actor might only need a single set of working credentials to gain access a network. If you have 100 users, then there’s a good chance that five will contain the company’s name, three will be based on the word “password,” and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.