What happens when you hack 60 companies that think their security is up to par?
We ran penetration tests on the networks of 60 leading companies in banking, investment, legal, insurance, and retail. Working alongside some of the industry's sharpest CISOs, our ethical hacking with PenTera™ uncovered that few companies are sufficiently prepared for a cyber attack.
While most enterprise organizations believe that they have every vulnerability covered, the truth is often more complex. Below are the six crucial lessons your company needs to learn if you want to improve your cyber resilience.
Lesson 1: Remember the Human Factor
Your employees are your most valuable asset, but also the primary gateway for cyber threats. No matter how much training you provide or how many safeguards you build into your company, human error remains a vulnerability. In particular, two very common patterns should concern you.
- Inappropriate network behavior: Even if you are careful to grant administrative privileges only to senior staff, that does not mean you are protected. A domain admin might use the privileged account for everyday work, for example logging on with it just to read a private mailbox when a regular user account would do. Every such session leaves domain-admin credentials on a machine that was never hardened to hold them, and opens the door to unnecessary risk.
- Misconfiguration: Another issue is misconfiguration of the network, or configuration changes that go untracked and unmonitored. Mistakes such as these leave you vulnerable. For example, you might grant an employee temporarily extended permissions for a project and then forget to revoke them.
Whatever the case, automated penetration testing across these 60 companies revealed that the human factor is, without a doubt, the largest vulnerability for most companies. Continuous oversight of privileged accounts and configuration changes is required.
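Both patterns above are easy to check for once you have the right data. The following is an added example (not from the original article or from the PenTera product) that runs two such checks over constructed sample records: a privileged account logging on interactively to a host outside the admin tier, and a temporary privilege grant that was never revoked. The record formats, the host tiers, the group names and the dates are assumptions made for the example; in practice the logon data would come from Windows Security event 4624 and the grants from whatever IAM or ticketing system approved them.

```python
"""Added example (not from the original article): two privilege-hygiene checks
over constructed sample data. Host tiers, groups and dates are assumptions."""
from dataclasses import dataclass
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Assumption for the example: only the domain controllers and the privileged access
# workstation are "tier 0". A privileged account has no business logging on
# interactively anywhere else.
TIER0_HOSTS = {"DC01", "DC02", "PAW-ADMIN01"}

# Windows logon types meaning a human used the account at a console or over RDP.
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = Interactive, 10 = RemoteInteractive


@dataclass(frozen=True)
class LogonEvent:
    user: str
    groups: frozenset
    host: str
    logon_type: int


@dataclass(frozen=True)
class PrivilegeGrant:
    user: str
    group: str
    granted_on: date
    expires_on: date
    revoked: bool


def find_admin_misuse(events):
    """Events where a privileged account logged on interactively to a host outside
    tier 0: the 'domain admin reading private mail on their own PC' pattern."""
    return [
        ev for ev in events
        if ev.groups & PRIVILEGED_GROUPS
        and ev.logon_type in INTERACTIVE_LOGON_TYPES
        and ev.host not in TIER0_HOSTS
    ]


def find_stale_grants(grants, today):
    """Grants whose expiry date has passed but that are still active."""
    return [g for g in grants if not g.revoked and g.expires_on < today]


# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    LogonEvent("alice", frozenset({"Domain Admins"}), "DC01", 10),        # fine: admin on a DC
    LogonEvent("alice", frozenset({"Domain Admins"}), "WS-ALICE", 2),     # misuse: admin on her own PC
    LogonEvent("bob", frozenset({"Domain Users"}), "WS-BOB", 2),          # fine: regular user
    LogonEvent("svc-backup", frozenset({"Domain Admins"}), "FS01", 3),    # type 3 = network, not interactive
]

SAMPLE_GRANTS = [
    PrivilegeGrant("carol", "Domain Admins", date(2019, 1, 7), date(2019, 1, 21), revoked=True),
    PrivilegeGrant("dave", "Domain Admins", date(2019, 2, 4), date(2019, 2, 18), revoked=False),   # forgotten
    PrivilegeGrant("erin", "Schema Admins", date(2019, 5, 1), date(2019, 6, 30), revoked=False),   # still valid
]


def audit(events=SAMPLE_EVENTS, grants=SAMPLE_GRANTS, today=date(2019, 5, 15)):
    """Run both checks; returns ([(user, host), ...], [user, ...])."""
    misuse = [(ev.user, ev.host) for ev in find_admin_misuse(events)]
    stale = [g.user for g in find_stale_grants(grants, today)]
    return misuse, stale


if __name__ == "__main__":
    misuse, stale = audit()
    for user, host in misuse:
        print(f"privileged account {user!r} logged on interactively to non-tier-0 host {host!r}")
    for user in stale:
        print(f"temporary grant for {user!r} has expired but was never revoked")
```

On the sample data the audit flags exactly one interactive logon (alice on her workstation) and one forgotten grant (dave). Wiring `find_admin_misuse` to a SIEM query over event 4624 and `find_stale_grants` to the access-request system turns the two lessons above into a scheduled check rather than an annual surprise.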
Lesson 2: Don’t Guard the Perimeter and Neglect the Core
Often, companies have a narrow view of their vulnerabilities. Many organisations believe that if their perimeter is covered, the interior (on-premise) network is safe. This leaves many companies with an interior network that, to an experienced hacker, looks like Swiss cheese.
The truth is that as much as 70% of all security breaches are the result of insider or employee activity, so protecting the interior of your network is essential. Unfortunately, for most of the companies we ethically hacked, it quickly became evident that a reasonably knowledgeable attacker could carry out a full attack from inside the network with little difficulty.
Companies need to start looking at their core network defense differently.
We need to assume that the perimeter WILL be breached; it is just a question of when. With that in mind, penetration testing from the "outside in" is important but should not replace an "inside out" approach that starts from the "crown jewels" and expands outward. By thinking about security in this way, you continually sanitise your inner network, so that even if a malicious hacker gets inside, they will find it much more difficult to carry out a meaningful attack.
Lesson 3: Security Operations Centers (SOCs) Are Vital
While a competent IT department can handle most network security issues, IT departments on their own were found lacking when it came to "surviving" our penetration testing. Companies with a security operations center (SOC), a centralised unit that deals with security issues on an organisational and technical level, performed far better.
The reality is that organisations with a SOC team have a much more developed understanding of cyber security and a higher level of awareness of what is happening in their network. Through constant monitoring and analysis, a SOC team offers timely detection of security incidents, keeps a pulse on the network, and helps companies stay on top of threats to their environment.
Lesson 4: Implement a Least-Privilege Policy
It is far better to field a high number of support calls from users asking for additional privileges than to deal with the vulnerabilities created by over-privileged employees. There is no doubt that it is annoying for your IT department to handle constant minor requests for privileges, but it is better than opening your network to attackers looking to exploit them.
It does not take much for an attacker to gain a foothold in your organisation's IT or developer network segments, where privileged users abound. Once inside, every such account is a credential worth stealing, and escalation to full control of the environment follows as a matter of course.
Running penetration tests on dozens of companies, we discovered that the best vulnerability management plan is to have fewer privileged users, which increases your resilience to attacks. For example, we found that law firms, accounting firms and other companies where most users have low-tech profiles were far better protected than high-tech firms with many superusers. It is that simple.
Lesson 5: Yesterday’s Vulnerabilities Are Still Here
MS17-010 is the Microsoft security bulletin from March 2017 that patched the SMBv1 flaw exploited by EternalBlue (CVE-2017-0144). It is well documented and critical, yet to our surprise we discovered that many companies are still exposed to it. The same applies to other well-known vulnerabilities that we had not expected to encounter in our penetration testing campaigns.
Why are organisations still exposed to such well-known vulnerabilities?
- Lack of time: Security teams are busy. In 2018 a record of roughly 16,500 vulnerabilities (CVEs) were catalogued across the globe. That is too many for any team to handle all of them. The key is to prioritise the vulnerabilities that could have the largest impact on your organisation. Without the right tools, this prioritisation is easier said than done.
- Device importance: Conversely, prioritisation itself becomes a problem when organisations decide that some devices deserve more security attention than others and neglect the rest. Attackers often use those neglected devices as a proxy and gateway to more critical assets.
The organisations that were best protected from these vulnerabilities used tools such as PenTera™ to provide full-vector visibility. This helped them see the real impact of each vulnerability so they could prioritise remediation based on potential impact rather than on a device's nominal importance.
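The two causes above pull in opposite directions: there are too many findings to fix them all, but ranking them by the nominal importance of the device ignores the neglected box that sits one hop from the crown jewels. The following is an added example, not from the original article or the PenTera product, of a small prioritisation that scores each finding by what an attacker could reach through the affected host rather than by CVSS alone. The hosts, business values, segment adjacency, score weights and the "EXAMPLE-..." finding IDs are all constructed for the example; CVE-2017-0144 is the real SMBv1 vulnerability patched by MS17-010.

```python
"""Added example (not from the original article): impact-aware ranking of
findings over a constructed network model. Weights and hosts are assumptions."""
from collections import deque

# Assumed network model: each host has a business value (1-10) and the set of
# hosts it can reach directly (segment adjacency / firewall rules).
HOSTS = {
    "web01":   {"value": 5,  "reaches": {"app01"}},
    "app01":   {"value": 6,  "reaches": {"db01"}},
    "db01":    {"value": 10, "reaches": set()},              # the crown jewel
    "print01": {"value": 1,  "reaches": {"app01", "db01"}},  # neglected box on the server VLAN
    "ws-bob":  {"value": 2,  "reaches": {"web01", "print01"}},
}

# Constructed findings. The "EXAMPLE-..." IDs are placeholders, not real CVEs.
FINDINGS = [
    {"host": "print01", "id": "CVE-2017-0144 (MS17-010)", "cvss": 8.1, "exploit_available": True},
    {"host": "ws-bob",  "id": "EXAMPLE-CRITICAL-1",       "cvss": 9.8, "exploit_available": False},
    {"host": "web01",   "id": "EXAMPLE-MEDIUM-1",         "cvss": 6.5, "exploit_available": False},
    {"host": "db01",    "id": "EXAMPLE-MEDIUM-2",         "cvss": 5.3, "exploit_available": False},
]


def reachable_value(start, hosts=HOSTS):
    """Highest business value reachable from `start` (including `start` itself),
    found by BFS over the adjacency model: what a foothold on `start` is worth."""
    best, seen, queue = hosts[start]["value"], {start}, deque([start])
    while queue:
        for nxt in hosts[queue.popleft()]["reaches"]:
            if nxt not in seen:
                seen.add(nxt)
                best = max(best, hosts[nxt]["value"])
                queue.append(nxt)
    return best


def priority(finding, hosts=HOSTS):
    """Illustrative score: CVSS x value reachable through the host, x1.5 if a
    public exploit exists. The weights are assumptions, not a standard."""
    factor = 1.5 if finding["exploit_available"] else 1.0
    return round(finding["cvss"] * reachable_value(finding["host"], hosts) * factor, 1)


def ranked(findings=FINDINGS, hosts=HOSTS):
    """Findings as (host, id, score, cvss), highest priority first."""
    rows = [(f["host"], f["id"], priority(f, hosts), f["cvss"]) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def cvss_only_order(findings=FINDINGS):
    """Hosts ordered by raw CVSS, for comparison with ranked()."""
    return [f["host"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("by CVSS alone:", cvss_only_order())
    for host, fid, score, cvss in ranked():
        print(f"{score:6.1f}  {host:8}  {fid}  (CVSS {cvss})")
```

By CVSS alone the workstation's critical finding comes first and the print server is second-tier. With reachability taken into account, the print server (business value 1, but one hop from the database and carrying a vulnerability with a public exploit) moves to the top of the list, and the database's own medium-severity finding, with nothing further to reach, drops to the bottom. Real attack-path tooling replaces the hand-written adjacency and weights with observed network reachability, credentials and exploitability, but the ordering principle is the same.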
Lesson 6: Think like a Hacker
It is an unfortunate truth, but even highly professional defence teams do not think like attackers. It takes time, training, and hands-on practice to put yourself into the mindset of a hacker or malicious actor. Putting yourself in the attacker's shoes, however, is essential.
Cyber defenders tend to think linearly: "If I block this port, I will stop any attack through that port." Attackers think differently. They do not look at a single port; they look for any way in, and if one does not exist they will lure a victim into creating it. This kind of creative, out-of-the-box thinking is rarely taken into account by the defence team building and protecting your system.
From a functional perspective, there are many ways to build your organisation's network, all of them valid. An attacker needs only one vulnerability to bring the entire system down. Just as your IT department puts effort into making the system work, the attacker puts the same effort into breaking it.
Pen-testing, manual and automated, puts your security into the hands of ethical hackers and the tools that apply an attacker mindset to challenge your defenses. At the end of the day, these defenses are only as good as the tests they’ve been put through.
Protecting your organisation's network is a complex task that depends heavily on your own choices: whom you trust, to what degree, and how much freedom you grant can either leave you open to attack or protected inside and out. In our ethical hacking of 60 leading companies, we found that without automated penetration testing that mimics the mindset of a hacker at the touch of a button, companies leave the door open to malicious hackers. With consistent and regular pen-testing runs, however, it is possible to discover vulnerabilities and perform ethical exploits while keeping your network operational. With the right data and insight, security officers can prioritise their defence efforts and stay one step ahead of the next malicious hacker.