Report looks at penetration testing of corporate information systems: identifies many weaknesses

Published: Thursday, 07 February 2019 09:40

In external penetration testing undertaken for corporate clients in industrial, financial, and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors by which an attacker could reach the internal network.

As described in a new report, ‘Penetration Testing of Corporate Information Systems: Statistics and Findings’, companies were vulnerable to an average of two vectors, and in one case, as many as five. Reaching an internal network from the outside can typically be accomplished with well-known security vulnerabilities, without requiring exceptional skill or knowledge on the part of would-be attackers.

Testers found that vulnerabilities in web application code are the main problem on the network perimeter. Overall, 75 percent of successful penetration vectors leveraged poor protection of web resources. At half of companies, an attacker can breach the network perimeter in just one step, most often by exploiting a vulnerability in a web application.

Vulnerabilities on internal systems

Full control of infrastructure was obtained on all tested systems in internal pentesting. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers, and ATM management. The most common successful attack vectors against internal networks included:
