What a year of penetration testing data can reveal about the state of cybersecurity
By Brandon Vigliarolo
From web app flaws to a lack of 2FA, Rapid7 found lots of common soft targets in the networks it breached on behalf of clients. SecOps firm Rapid7 has released its annual look at the state of the penetration testing industry, with findings including a significant spike in the number of vulnerable VPN connections, widespread lack of multifactor authentication, and a high volume of poorly configured internal networks making it easier for attackers to move laterally once inside.
Rapid7’s findings are compiled from penetration tests that it and its subcontractors performed between June 2019 and June 2020, with 206 total engagements. That may not seem like a large data pool, but it is significant: “The busiest individual pen tester in the world tends to be involved in fewer than 25 penetration tests a year,” the report said.
Rapid7 made particular mention of three common problems (mentioned above), and said that none of them are particularly shocking. That alone is a troubling sign for businesses looking to protect themselves in 2020, especially with the COVID-19 pandemic placing so many workers on potentially vulnerable VPN connections without multifactor authentication enabled. When considered alongside the rest of the report those three highlighted problems are even more alarming.
It’s too easy to guess a password
Passwords are supposed to be kept secret, the report states, but “humans and their woefully unoriginal meat brains” make guessing those passwords far easier than can be considered safe. Password spraying, in which an attacker uses a few known usernames and a short list of common, relevant, unoriginal passwords, ranks as by far the most common way to successfully gain a working username plus password combination.
Organizational password rules often require resets every 90 days, and the average person is more concerned with something easy to type, easy to remember, and easy to change on a 90-day schedule, the report said. That means doing the minimum to meet organizational requirements, leading to easily guessed passwords like “Summer2020!” and other basic, seasonably rotatable combinations.
Guessable cracked passwords, Rapid7 found, most commonly fell into three categories: A season and year combination, some part of the company’s name, and variations of the word “password.” On top of that, 65% of organizations that were tested during the period the report considered failed to use multifactor authentication. “In order to be effective, 2FA needs to cover every egress point, which means that all secondary authentication systems either need 2FA, or they need to employ a different, unique password,” the report states.
VPNs: A rising problem
Compared to 2019, VPN security flaws rose significantly in terms of the frequency they were discovered. 2020 found a common VPN issue as the 18th most commonly encountered security flaw, and that same flaw was the 50th most common in 2019. The particular flaw in question are VPNs with support for internet key exchange (IKE) aggressive mode, which results in faster connections that are less secure. IKE aggressive mode sends pre shared keys (PSK) in an unencrypted message that can be intercepted by commonly available software tools.
The rise in VPNs with IKE aggressive mode enabled “almost certainly reflect[s] the new, mid-pandemic reality of VPN reliance to get a suddenly huge population of stay-at-home workers online and productive,” Rapid7 said. Despite its importance to enabling businesses to stay afloat, however, the tradeoff is that their organizations are now less secure and remote employees are more open to attack.
How to protect your network against penetration
Network security professionals should give the entire report a read: There’s far too much information to cover in a single article. If you don’t have the time to read through all 32 pages there are three recommendations that Rapid7 makes which shouldn’t be ignored: Rethink password management: It’s far too common, Rapid7 said, for a penetration test to return “lists and lists of poorly chosen, human-generated passwords.” Good credential management should be a full-time function of security teams, it recommends, and users should be made to use machine-controlled passwords and multifactor authentication.
Review patch management strategies: Everyone has “dark, cobwebby corners of their IT infrastructure [that] aren’t getting routine review,” the report said. Find those corners, update them now, and review your entire architecture for adherence to patch installation. “If an enterprise is relying on the users to do the right thing and click through those nag screens for updates, your penetration testers will almost certainly be overwhelmed with so many exploitable vulnerabilities that you’ll only hear about the most egregious examples,” Rapid7 said. Segment your network: As mentioned above, poor network architecture was a commonly found flaw in Rapid7’s pentests. “The name of the game here is to bottle up attackers, both criminals and penetration testers, and make it difficult to move from asset to asset in search of systems that are both compromisable and useful launching points for the next compromise,” the report said. Small, manageable segments can be the difference between trapping someone in a cluster of a few machines and giving them the keys to your entire architecture.
Companies that lack in even one of those three fundamentals, the report concludes, are easily compromised by an experienced attacker. Given the choice between paying for an expensive pentest and being clued in to vulnerabilities while recovering from an attack, the choice is obvious. “To be honest, paying for a penetration test when one or more of these practices aren’t being followed is probably a waste of everyone’s time,” Rapid7 said.