
An analysis of penetration tests conducted by Kaspersky Lab researchers on corporate networks during 2017 reveals that three-quarters (73%) of successful perimeter breaches were achieved using vulnerable web applications. The findings are summarised in a new report, ‘Security assessment of corporate information systems in 2017’.

Each IT infrastructure is unique, and the most dangerous attacks are specially planned to take into account the vulnerabilities of a particular organisation. Every year, Kaspersky Lab’s Security Services department carries out a practical demonstration of possible attack scenarios to help organisations worldwide identify vulnerabilities in their networks and avoid financial, operational and reputational damage. The aim of the annual penetration test report is to make IT security specialists aware of relevant vulnerabilities and attack vectors against modern corporate information systems, and thereby strengthen their organisation’s protection.

The results of the 2017 research show that the overall level of protection against external attackers was assessed as low or extremely low for 43% of analysed companies. 73% of successful external attacks on the network perimeters of organisations in 2017 were achieved using vulnerable web applications. Another common vector for penetrating the network perimeter was an attack on publicly available management interfaces with weak or default credentials. In 29% of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment, and employee workstations, while acting as an ‘attacker’ located on the Internet with no internal knowledge of the target organisation.

The information security situation in companies’ internal networks was even worse. The level of protection against internal attackers was identified as low or extremely low for 93% of all analysed companies. The highest privileges in the internal network were obtained in 86% of the analysed companies, and for 42% of them it took only two attack steps to achieve this. On average, two to three attack vectors were identified with which the highest privileges could be gained in each project. Once attackers obtain these privileges, they can take complete control of the whole network, including business-critical systems.

The notorious vulnerability MS17-010, widely exploited both in individual targeted attacks and by ransomware such as WannaCry and NotPetya/ExPetr, was detected in 75% of companies that underwent internal penetration testing after information on the vulnerability was published. Some of these organisations had not updated their Windows systems even 7-8 months after the patch was released. In general, obsolete software was identified on the network perimeter of 86% of the analysed companies and in the internal networks of 80% of companies, demonstrating that, unfortunately, poor implementation of basic IT security processes may make many enterprises easy targets for attackers.

According to the results of the security assessment projects, web applications of government bodies were the most insecure, with high-risk vulnerabilities found in each application (100%). By contrast, e-commerce applications are better protected from possible external interference: only a little over a quarter have high-risk vulnerabilities, which makes them the best protected.

“Our research has shown that vulnerable web applications can provide gateways into corporate networks. There are many security measures that can be implemented to guard against this nature of attack – half of these breaches could have been prevented by restricting access to management interfaces. We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them,” said David Emm, principal security researcher at Kaspersky Lab.

To improve their security posture, companies are advised to:

  • Pay special attention to web application security, timely updates of vulnerable software, password protection and firewall rules.
  • Run regular security assessments of the IT infrastructure (including applications).
  • Ensure that information security incidents are detected as early as possible. Timely detection of threat actor activities at the early stages of an attack and a prompt response may help prevent or substantially mitigate the damage caused. Mature organisations with well-established processes for security assessment, vulnerability management and detection of information security incidents may want to consider running Red Teaming-type tests. Such tests help check how well infrastructures are protected against highly skilled attackers operating with maximum stealth, and help train the information security service to identify attacks and react to them in real-world conditions.

To learn more about the results of the security assessments carried out throughout 2017, read the Securelist blog post.

73% of successful corporate network penetration tests in 2017 broke in through vulnerable web apps
