Many organizations are failing to manage high-risk vulnerabilities
- Published: Friday, 30 October 2020 10:08
Positive Technologies (PT) performed instrumental scanning of the network perimeter of selected corporate information systems. A total of 3,514 hosts were scanned, including network devices, servers, and workstations. The results show the presence of high-risk vulnerabilities at most companies. However, half of these vulnerabilities can be eliminated by installing the latest software updates.
The research shows high-risk vulnerabilities at 84 percent of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability having a publicly available exploit are present at 58 percent of companies. Publicly available exploits exist for 10 percent of the vulnerabilities found, which means attackers can exploit them even if they don't have professional programming skills or experience in reverse engineering. However, half of the vulnerabilities can be eliminated by installing the latest software updates.
The detected vulnerabilities are caused by the absence of recent software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak and default passwords.
As part of Positive Technologies’ automated security assessment of the network perimeter, almost half of detected vulnerabilities (47 percent) can be fixed by installing the latest software versions. All companies had problems with keeping software up to date. At 42 percent of them, PT found software for which the developer had announced the end of life and stopped releasing security updates. The oldest vulnerability found in automated analysis was 16 years old.
Analysis revealed remote access and administration interfaces, such as Secure Shell (SSH), Remote Desktop Protocol (RDP), and Network Virtual Terminal Protocol (Internet) TELNET. These interfaces allow any external attacker to conduct bruteforce attacks. Attackers can bruteforce weak passwords in a matter of minutes and then obtain access to network equipment with the privileges of the corresponding user before proceeding to develop the attack further.
Ekaterina Kilyusheva, Head of Information Security Analytics Research Group of Positive Technologies said:
“Network perimeters of most tested corporate information systems remain extremely vulnerable to external attacks. Our automated security assessment proved that all companies have network services available for connection on their network perimeter, allowing hackers to exploit software vulnerabilities and bruteforce credentials to these services. Even in 2020, there are still companies vulnerable to Heartbleed and WannaCry. Our research found systems at 26 percent of companies are still vulnerable to the WannaCry encryption malware.
“At most of the companies, Positive Technologies experts found accessible web services, remote administration interfaces, and email and file services on the network perimeter. Most companies also had external-facing resources with arbitrary code execution or privilege escalation vulnerabilities. With maximum privileges, attackers can edit and delete any information on the host, which creates a risk of denial of service (DoS) attacks. On web servers, these vulnerabilities may also lead to defacement, unauthorized database access, and attacks on clients. In addition, attackers can pivot to target other hosts on the network.
“We recommend minimizing the number of services on the network perimeter and making sure that accessible interfaces truly need to be available from the Internet. If this is the case, it is recommended to ensure that they are configured securely, and businesses install updates to patch any known vulnerabilities.
“Vulnerability management is a complex task that requires proper instrumental solutions,” Kilyusheva added. “With modern security analysis tools, companies can automate resource inventories and vulnerability searches, and also assess security policy compliance across the entire infrastructure. Positive Technologies experts emphasize that automated scanning is only the first step toward achieving an acceptable level of security. To get a complete picture, it is vital to combine automated scanning with penetration testing. Subsequent steps should include verification, triage, and remediation of risks and their causes.”