At Rapid7, our pentest team is hired to ethically hack our clients to uncover weaknesses within their organisations. It’s an important practice, with penetration testing simulating a criminal breach of a sensitive area to uncover and fix defensive failures.
This year, we uncovered many common weaknesses between organisations, from weak internal network configuration and patch management to poor password management and fragile VPN terminators.
It’s clear that organisations are still struggling in their IT security programmes through human error and misconfigurations. For example, the password pattern of SeasonYear still accounted for 36% of passwords in our latest Under The Hoodie report. However, the ever-growing attack surface means organisations need to remain vigilant and confident in their security posture.
Whilst pen testing is a bit of an occult subject, the findings from our report alone reveal the ongoing vulnerabilities that continue to plague many businesses.
Collecting creds
At Rapid7, we use a variety of practices, like social engineering tactics and internal/external network assessments. As you can imagine, the types of vulnerabilities found vary and largely depend on the type of penetration test being performed.
Collecting and exploiting user credentials is mainly done through social engineering engagements and red team attack simulations. To jargon bust, red team attack simulations tend to combine elements of social engineering and internal/external network assessments. It’s more like a crash test that resembles a real-life attack.
Typically collecting credentials requires acquiring a list of valid usernames and using tools like lyncsmash to validate the username formats. This is a method we actually conducted on one of case studies for Under The Hoodie, which resulted in 230 valid accounts. We combined this with password spraying, the method of trying unoriginal passwords such as any variation of “password” (i.e. Password1), which led to us accessing 11 accounts.
This is just one of the examples we discovered where human error allowed for easy access. However, it’s not all doom and gloom — with the proper practices in place, organisations can ensure that they no longer remain vulnerable to malicious users.
Pick a proper password
Passwords should not only be secret; they should be secure. As described above, there are many ways passwords can be collected, from password spraying to cracking password hashes.
Many employees are trusted to generate their own passwords and, while this should be fine in principle, all too often it results in easy to guess passwords such as Companyname123!. In turn, many penetration lists comprise of poorly chosen, human generated passwords.
The solution is to enforce strong credential management in your IT security programme. Adding machine-controlled password management is a simple and easy implementation that can prevent malicious users from accessing employee details.
Lockout policies and two-factor authentication (2FA) are also important security controls to both protect passwords and limit their utility once discovered by attackers. Unfortunately, their deployment is scattered or otherwise ineffective in preventing attacks. In fact, our recent Under The Hoodie report found that 64% of engagements did not encounter 2FA when compiling credentials.
Organisations should ensure strong user passwords to help enforce lockout policies and make sure 2FA is employed by all secondary authentication systems — or at the least employ a different, unique password to add another layer of protection.
Patch up your patch management
Poor internal network configuration and patch management continue to provide “easy” soft targets to penetration testers, who often use commodity attacks to move about the network without being detected.
Patch management is a critical function of IT operations, so an awareness of vulnerabilities is essential. IT operations must know where their patch management programme has blind spots, and patch these up.
Internal network assessments help organisations figure out where their patch management strategy is failing, i.e. in what areas of their IT infrastructure isn't getting routine reviews for patches and updates.
Don't place too much reliance on the users themselves to click on the update button (instead of hitting "later" again and again). There will almost certainly be many exploitable vulnerabilities as a result of individuals who have failed to keep up on updates.
Employ network segmentation wherever possible
Small, manageable network segments can do worlds of good when it comes to containing an internal breach. Pen testers will spend a large amount of time moving about a network, and big flat networks allow for easy, lateral movement.
Network segmentation is an approach that divides a network into multiple subnets, each acting as its own small network. By making it as difficult as possible for attackers to move from asset to asset through small network segments, organisations can prevent attackers from finding sensitive systems to compromise. It also makes it easier to restrict user access to more sensitive information and systems, reducing the damage from successful attacks.
Organisations that are lacking in secure password protection, have poor patch management and employ large, open networks can easily be compromised by an experienced attacker. A company that has a segmented network with reasonable patch management and machine-generated passwords for all user accounts is a secure position for most organisations to be in.