Rapid7 penetration tests reveal multitude of software flaws, network misconfigurations

In 268 pen tests, Rapid7’s testers exploited software flaws 84% of the time, abused network misconfigurations 80% of the time, and captured credentials 53% of the time.

If you are looking for a good read, look no further than Rapid7’s Under the Hoodie report (pdf), which details the results of 268 pen tests across all sorts of industries and organization sizes — 251 of which involved live, production network tests. The findings highlight the external and internal weaknesses organizations should shore up against real attackers, and the report also includes entertaining tales from penetration testers.

Overall, Rapid7’s pen testers managed to fly under the radar and remain undetected on 61 percent of all engagements. If a pen tester, or “ghost ninja,” was not detected within the first day, it was unlikely he or she would be detected at all. Eight percent, however, were detected within an hour. Large enterprises had only 6 percent more success at detecting a pen tester than small enterprises with fewer than 1,000 employees.

When it comes to software vulnerabilities, flaws that pen testers can happily exploit to gain control over a critical networked resource, Rapid7 noted, “The environments where software vulnerabilities were encountered grew significantly.” In 84 percent of the 268 pen tests, the pen testers managed to exploit at least one in-production vulnerability. They managed to abuse at least one network misconfiguration in 80 percent of engagements.

Captured user credentials

When it comes to capturing credentials, Rapid7’s pen testers collected at least one useful username and password from the target company 53 percent of the time, meaning an attacker could most likely impersonate at least one authorized user on the network. The capture rate jumped to 86 percent when the attacker was on the local, internal network, meaning he or she had LAN or WLAN connectivity. But the real bread and butter for obtaining passwords came down to guessing them, or even to social engineering: simply asking for them.

People are simply too predictable when it comes to creating passwords, and that’s even if an organization enforces password length and complexity standards. For example, “Summer2018!” meets the objectives of a password that is required to have at least one uppercase letter, one lowercase letter, one number, and one special character. But Rapid7 noted that it is one of the worst passwords a person can choose. Seasonal passwords came in as the third most common type of password.

The most common type of password, or 5 percent of the total set, included a company’s name such as Company123!, Company1, C0mp@ny1, and Company2018. The second most common, or 3 percent of the total set, were variations of “password” such as Password1.

Rapid7 noted that while the percentages may not seem overly high, an attacker needs only one set of working credentials to gain access to a network.

“If you have 100 users, then there’s a good chance that five will contain the company’s name, three will be based on the word 'password,' and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting,” they said.

Just in case you are curious, Rapid7 found that the most common password length was 8 characters (46 percent), followed by 10 (18 percent) and 9 (17 percent).
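The point of the last few paragraphs is that a length-and-character-class policy does not stop the passwords the report found most often. The following is an added example, not code from the article or from Rapid7: a small acceptance check that enforces the usual complexity rule and then rejects the three predictable patterns the report names (company name, “password” variants, season plus year), so that “Summer2018!” or “C0mp@ny1” is refused even though it satisfies the policy. The company name, the leetspeak substitution table and the sample passwords are constructed placeholders; the `audit` helper goes slightly beyond the text by tallying pattern shares over a whole password set, the way the report presents its percentages.

```python
"""
Added example (not from the article or Rapid7): a password-acceptance check that
enforces a length/complexity rule AND rejects the predictable patterns the
report calls out. Company names and sample passwords are constructed placeholders.
"""
import re
from collections import Counter
from typing import Optional, Sequence

SEASONS = r"(spring|summer|autumn|fall|winter)"

# Undo common substitutions so "C0mp@ny1" and "P@ssw0rd" still match their base
# words. Constructed table; extend it with whatever your cracked sets show.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lowercase the text and reverse the substitutions in LEET."""
    return text.lower().translate(LEET)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """The policy the article describes: minimum length plus at least one
    uppercase letter, one lowercase letter, one digit and one special character.
    'Summer2018!' passes this check, which is exactly the problem."""
    return (len(password) >= min_length
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def predictable_pattern(password: str, company_names: Sequence[str] = ()) -> Optional[str]:
    """Return the name of the predictable pattern the password matches, or None."""
    norm = normalize(password)
    for name in company_names:          # Company123!, C0mp@ny1, Company2018 ...
        if normalize(name) in norm:
            return "company name"
    if "password" in norm:              # Password1, P@ssw0rd ...
        return "password variant"
    # Season word followed (optionally after punctuation) by a 2- or 4-digit year.
    # Matched on the raw lowercase string because LEET rewrites digits.
    if re.search(SEASONS + r"[^a-z0-9]*\d{2}", password.lower()):
        return "season and year"
    return None


def evaluate(password: str, company_names: Sequence[str] = ()) -> str:
    """Decision a registration or password-reset endpoint could return."""
    if not meets_complexity(password):
        return "rejected: fails complexity policy"
    pattern = predictable_pattern(password, company_names)
    if pattern is not None:
        return f"rejected: predictable ({pattern})"
    return "accepted"


def audit(passwords: Sequence[str], company_names: Sequence[str] = ()) -> Counter:
    """Tally predictable patterns over a set of passwords (e.g. a cracked or leaked
    set from your own domain) so the shares can be compared with the report's."""
    tally: Counter = Counter()
    for pw in passwords:
        tally[predictable_pattern(pw, company_names) or "no pattern"] += 1
    return tally


if __name__ == "__main__":
    COMPANY = ("ExampleCorp",)  # constructed placeholder for the organization's name
    samples = ["Summer2018!", "ExampleCorp123!", "Ex4mpleC0rp1",
               "P@ssw0rd1!", "Password1", "rT7#vk9Lq2pm"]   # constructed samples
    for pw in samples:
        print(f"{pw:20} complexity={meets_complexity(pw)!s:5} -> {evaluate(pw, COMPANY)}")
    print(audit(samples, COMPANY))
```

Two design choices worth noting: the company-name and “password” checks run on a normalized string so that leetspeak variants collapse onto the base word, while the season-and-year check runs on the raw lowercase string because the normalization rewrites digits. A check like this belongs next to, not instead of, the username-agnostic rate limiting the report mentions.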

Although two-factor authentication (2FA) is regarded as being a wise security defense measure, Rapid7 found that 51 percent of organizations do not enable it. 2FA was present and effective on just 15 percent of all pen tests.

Company information more protected than customer data

What do organizations most care about protecting? Despite the almost-daily data breach announcements, Rapid7 found that organizations are more concerned with protecting their own sensitive data such as internal communications and financial metrics than protecting the sensitive data of their customers or employees.

As for organizations’ top five biggest priorities for protecting information, sensitive internal data is at the top with 21 percent, PII was second at 20 percent, authentication credentials were third at 14 percent, protecting payment card data came in at 7.8 percent, and bank account data was fifth at 6.5 percent.

I highly encourage you to read the full Under the Hoodie report; I don’t think you will be disappointed.
