If you are looking for a good read, look no further than Rapid7’s Under the Hoodie report (pdf), which details the results of 268 pen tests across all sorts of industries and organization sizes — 251 of which involved live, production network tests. The findings highlight external and internal weaknesses so organizations can better shore up their defenses against real attackers, and the report includes entertaining tales from penetration testers.

Overall, most of Rapid7’s pen testers managed to fly under the radar and remained undetected on 61 percent of all engagements. If a pen tester, or “ghost ninja,” was not detected within the first day, it was unlikely he or she would be detected at all. Eight percent, however, were detected within an hour. Large enterprises had only 6 percent more success at detecting a pen tester than small enterprises with fewer than 1,000 employees.

When it comes to software vulnerabilities, the flaws that pen testers can happily exploit to gain control over a critical networked resource, Rapid7 noted, “The environments where software vulnerabilities were encountered grew significantly.” In 84 percent of the 268 pen tests, the pen testers managed to exploit at least one in-production vulnerability. They managed to abuse at least one network misconfiguration in 80 percent of engagements.

Captured user credentials

When it comes to capturing credentials, Rapid7’s pen testers collected at least one useful username and password from the target company 53 percent of the time, meaning an attacker could most likely impersonate at least one authorized user on the network. Captured credentials jumped to 86 percent when the attacker was on the local, internal network, meaning he or she had LAN or WLAN connectivity.
But the real bread and butter for obtaining passwords came down to guessing, or even social engineering and simply asking for them.

People are simply too predictable when it comes to creating passwords, even when an organization enforces password length and complexity standards. For example, “Summer2018!” meets the requirements of a policy that demands at least one uppercase letter, one lowercase letter, one number, and one special character. But Rapid7 noted that it is one of the worst passwords a person can choose. Seasonal passwords came in as the third most common type of password.

The most common type of password, 5 percent of the total set, included the company’s name, such as Company123!, Company1, C0mp@ny1, and Company2018. The second most common, 3 percent of the total set, were variations of “password” such as Password1.

Rapid7 noted that while the percentages may not seem overly high, an attacker needs only one set of working credentials to gain access to a network.

“If you have 100 users, then there’s a good chance that five will contain the company’s name, three will be based on the word 'password,' and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting,” they said.

Just in case you are curious, Rapid7 found that the most common password length was 8 characters (46 percent), followed by 10 (18 percent) and 9 (17 percent).

Although two-factor authentication (2FA) is regarded as a wise security defense measure, Rapid7 found that 51 percent of organizations do not enable it. 2FA was present and effective on just 15 percent of all pen tests.

Company information more protected than customer data

What do organizations most care about protecting?
Despite the almost-daily data breach announcements, Rapid7 found that organizations are more concerned with protecting their own sensitive data, such as internal communications and financial metrics, than with protecting the sensitive data of their customers or employees.

As for organizations’ top five priorities for protecting information, sensitive internal data is at the top with 21 percent, PII was second at 20 percent, authentication credentials were third at 14 percent, payment card data came in at 7.8 percent, and bank account data was fifth at 6.5 percent.

I highly encourage you to read the full Under the Hoodie report; I don’t think you will be disappointed.
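Returning to the password findings earlier in the post: a complexity rule alone accepts “Summer2018!”, “Company123!” and “C0mp@ny1”. The following is an added illustration, not code from the original post or from Rapid7, of how a password policy check can apply the usual complexity rule and then reject the predictable patterns the report describes: the organization’s name (including leetspeak variants), variations of “password”, and a season followed by a year. It goes slightly beyond the report by flagging any season-plus-year combination rather than only the current season. The organization name “Company”, the leetspeak substitution table, and the sample passwords other than the report’s own examples are constructed for this illustration.

```python
"""Added example (not from Rapid7 or the original post): a password policy
check that rejects the predictable patterns the report describes even when a
password satisfies the usual complexity rule."""
import re
from typing import Iterable, List, Optional

# Undo common character substitutions before pattern matching, so that
# "C0mp@ny1" and "P@ssw0rd" are compared as "companyi" and "passwordi".
# This substitution table is an assumption, not something from the report.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# A season word (not preceded by a letter) followed by a two- or four-digit year.
_SEASON_YEAR = re.compile(
    r"(?<![a-z])(spring|summer|autumn|fall|winter)[^a-z0-9]*(?:19|20)?\d{2}")


def meets_complexity(pw: str) -> bool:
    """The classic rule: at least 8 characters containing an uppercase letter,
    a lowercase letter, a digit and a special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _letters(text: str) -> str:
    """Lowercase, undo leetspeak substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def predictable_pattern(pw: str, org_names: Iterable[str] = ()) -> Optional[str]:
    """Name the predictable pattern found in pw, or return None."""
    letters = _letters(pw)
    for org in org_names:
        key = _letters(org)          # org name normalized the same way
        if key and key in letters:
            return "organization name"
    if "password" in letters:
        return "variation of 'password'"
    if _SEASON_YEAR.search(pw.lower()):
        return "season and year"
    return None


def check_password(pw: str, org_names: Iterable[str] = ()) -> List[str]:
    """Return the reasons to reject pw; an empty list means it is accepted.
    The complexity rule is checked first, then the predictable-pattern checks
    catch passwords that pass complexity but are easy to guess."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails complexity rule")
    pattern = predictable_pattern(pw, org_names)
    if pattern:
        reasons.append(f"predictable pattern: {pattern}")
    return reasons


if __name__ == "__main__":
    # Constructed organization name and samples; the first four are the
    # report's own examples of bad passwords.
    org = ("Company",)
    for sample in ("Summer2018!", "Company123!", "C0mp@ny1", "Password1",
                   "P@ssw0rd!", "Tangerine-owl-41Q"):
        verdict = check_password(sample, org) or ["accepted"]
        print(f"{sample!r:20} complexity={meets_complexity(sample)!s:5} -> {', '.join(verdict)}")
```

The point of the layering is visible in the output: the first three of the report’s examples pass the complexity rule and are rejected only by the pattern checks, while a longer passphrase with no company name, no “password” and no season is accepted by both. The leetspeak normalization is deliberately aggressive (it maps “!” to “i”), which is acceptable for a reject list but would be a poor basis for anything else.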