In 268 pen tests, Rapid7's testers exploited software flaws 84% of the time, abused network misconfigurations 80% of the time, and captured credentials 53% of the time.

If you are looking for a good read, look no further than Rapid7's Under the Hoodie report (pdf), which details the results of 268 pen tests across all sorts of industries and organization sizes, 251 of which involved live, production network tests. The findings highlight the external and internal weaknesses defenders need to shore up against real attackers, and the report also includes entertaining tales from penetration testers.

Overall, Rapid7's pen testers managed to fly under the radar and remain undetected on 61 percent of all engagements. If a pen tester, or "ghost ninja," was not detected within the first day, it was unlikely he or she would be detected at all. Eight percent, however, were detected within an hour. Large enterprises were only 6 percent more likely to detect a pen tester than small enterprises with fewer than 1,000 employees.

When it comes to software vulnerabilities, the flaws that pen testers can happily exploit to gain control over a critical networked resource, Rapid7 noted, "The environments where software vulnerabilities were encountered grew significantly." In 84 percent of the 268 pen tests, the testers exploited at least one in-production vulnerability. They abused at least one network misconfiguration in 80 percent of engagements.

Captured user credentials

When it comes to capturing credentials, Rapid7's pen testers collected at least one useful username and password from the target company 53 percent of the time, meaning an attacker could most likely impersonate at least one authorized user on the network. That figure jumped to 86 percent when the tester was on the local, internal network, meaning he or she had LAN or WLAN connectivity.
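The password findings in the next section, that predictable passwords sail through complexity rules and that only site-wide, username-agnostic rate limiting blunts a guess-per-user spray, are easier to see in code. The following is an added example, not code from the report or from Rapid7. The company name "Acme", the 100-user list with its handful of weak passwords, the spray list and the lockout thresholds are all constructed for illustration.

```python
"""Added example (not from the Rapid7 report).

Part 1: a typical complexity policy versus a pattern check for the weak
password families the report calls out (company name, "password" variants,
season + year), after undoing common leet substitutions.
Part 2: a simulated password spray against a constructed user base, comparing
a per-user lockout with a site-wide, username-agnostic failure limit.
"""
import re
import string
from collections import Counter
from typing import Optional

# Assumption: common leet substitutions seen in real password sets.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)(19|20)\d{2}")


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """The policy 'Summer2018!' satisfies: length plus four character classes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalise(pw: str) -> str:
    """Lower-case and undo leet so C0mp@ny1 compares as 'companyi'."""
    return pw.lower().translate(LEET)


def predictable_pattern(pw: str, company: str) -> Optional[str]:
    """Name the weak family the password belongs to, or None if no match."""
    norm = normalise(pw)
    if company.lower() in norm:
        return "company-name"
    if "password" in norm:
        return "password-variant"
    if SEASON_YEAR.search(pw.lower()):   # raw digits needed for the year
        return "season-year"
    return None


def audit(passwords, company: str) -> Counter:
    """Tally weak families across a password set, as the report does."""
    return Counter(predictable_pattern(p, company) or "no-known-pattern"
                   for p in passwords)


# Constructed user base (assumption): 90 strong placeholders plus roughly the
# report's proportions of weak ones: 5 company-name, 3 "password", 2 seasonal.
USERS = {f"user{i:02d}": "Kq9#vL2mZp" for i in range(100)}
USERS.update({"user03": "Acme123!", "user17": "Acme1", "user42": "Acme2018",
              "user60": "Acm3!", "user77": "ACME2018!",
              "user08": "Password1", "user55": "P@ssw0rd", "user23": "password123",
              "user91": "Summer2018!", "user34": "Winter2017"})

# An attacker's spray list built from the three most common families.
SPRAY_LIST = ["Summer2018!", "Acme123!", "Password1"]


def spray(users, candidates, per_user_limit=None, site_limit=None):
    """Low-and-slow spray: each candidate is tried once per user per round.

    per_user_limit locks an account after that many failures; site_limit halts
    all guessing once the site-wide failure count is reached, whoever the
    target user is. Returns (compromised_accounts, attempts_made).
    """
    failures = Counter()
    total_failures = attempts = 0
    compromised = set()
    for candidate in candidates:
        for user, real in users.items():
            if user in compromised:
                continue
            if per_user_limit is not None and failures[user] >= per_user_limit:
                continue
            if site_limit is not None and total_failures >= site_limit:
                return compromised, attempts
            attempts += 1
            if candidate == real:
                compromised.add(user)
            else:
                failures[user] += 1
                total_failures += 1
    return compromised, attempts


if __name__ == "__main__":
    print("Summer2018! passes complexity:", meets_complexity("Summer2018!"))
    print("Summer2018! weak family:", predictable_pattern("Summer2018!", "Acme"))
    print("audit:", audit(USERS.values(), "Acme"))
    print("per-user lockout of 3:", spray(USERS, SPRAY_LIST, per_user_limit=3))
    print("site-wide limit of 50:", spray(USERS, SPRAY_LIST, site_limit=50))
```

With three rounds of one guess per user, a per-user lockout of three never fires and the spray still yields three accounts in 297 attempts; a site-wide limit of 50 failures stops the same spray at the 50th attempt with nothing compromised. The pattern check is a blocklist, not a strength meter: it catches the families the report names and nothing else, so pair it with a breached-password list rather than relying on it alone.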
But the real bread and butter for obtaining passwords came down to guessing, or even social engineering and simply asking for it. People are predictable when creating passwords, even when an organization enforces length and complexity standards. For example, "Summer2018!" satisfies a policy that requires at least one uppercase letter, one lowercase letter, one number, and one special character, yet Rapid7 noted that it is one of the worst passwords a person can choose. Seasonal passwords came in as the third most common type of password.

The most common type, 5 percent of the total set, included the company's name, such as Company123!, Company1, C0mp@ny1, and Company2018. The second most common, 3 percent of the total set, were variations of "password" such as Password1. Rapid7 noted that while the percentages may not seem high, an attacker needs only one set of working credentials to gain access to a network.

"If you have 100 users, then there's a good chance that five will contain the company's name, three will be based on the word 'password,' and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting," they said.

Just in case you are curious, Rapid7 found that the most common password length was 8 characters (46 percent), followed by 10 (18 percent) and 9 (17 percent).

Although two-factor authentication (2FA) is regarded as a wise defensive measure, Rapid7 found that 51 percent of organizations do not enable it. 2FA was present and effective on just 15 percent of all pen tests.

Company information more protected than customer data

What do organizations most care about protecting?
Despite the almost-daily data breach announcements, Rapid7 found that organizations are more concerned with protecting their own sensitive data, such as internal communications and financial metrics, than with protecting the sensitive data of their customers or employees.

As for organizations' top five priorities for protecting information, sensitive internal data was at the top with 21 percent, PII second at 20 percent, authentication credentials third at 14 percent, payment card data fourth at 7.8 percent, and bank account data fifth at 6.5 percent.

I highly encourage you to read the full Under the Hoodie report; I don't think you will be disappointed.