Web applications were by far the top cause of successful breaches of corporate networks last year, according to researchers at Kaspersky Lab.
According to the cybersecurity vendor's report, Security Assessment of Corporate Information Systems 2017, issued this month, 73% of successful perimeter breaches in 2017 were done through vulnerable web applications. In addition, while companies seem to understand the need to protect their networks against external threats, they are much more lax when the threat comes from within, according to Sergey Okhotin, senior security analyst of security services analysis at Kaspersky and one of the study's authors.
The report was based on an analysis of penetration tests conducted on corporate networks.
The overall level of protection against external attackers was deemed low or extremely low for 43% of all companies, the researchers wrote in a blog post. Protection against internal threats, however, was rated low or extremely low at 93% of companies.
"The overall security level against external intruders is higher than against internal intruders," Okhotin told Security Now in an email. "Companies pay insufficient attention to the security of the internal network. It means that once the attacker is able to get inside the corporate network via breaching the network perimeter, social engineering attack or other possible vector, there is a high probability that the attacker would be able to obtain total control over the entire network and get access to the business's critical resources."
Insider security threats continue to haunt corporations. A report conducted earlier this year by the Ponemon Institute for startup ObserveIT found that enterprises spend an average of $8.76 million every 12 months to address the damage done from an inside threat, work that usually takes about two months. (See Insider Threats Cost Enterprises More Than $8M Every Year – Report.)
The rate of network breaches caused by vulnerable web applications and the low level of defenses against internal threats were part of a larger pattern of security shortfalls that some organizations should be able to shore up fairly easily.
"Though security of web applications is still quite often underestimated, the most common examples include rolling out untested web applications to fit in the tight schedule driven by business needs and blind trust to third-party developers providing applications to be hosted on the organization's perimeter," Okhotin said. "Both of these mentioned cases highlight the urging need to implement and enforce proper SDLC processes both for in-house and third-party application development."
Another example was related to a vulnerability that was widely exploited in the high-profile WannaCry and NotPetya/ExPetr ransomware attacks, as well as in individual targeted attacks, according to the researchers. The vulnerability, MS17-010, was detected in 75% of companies that conducted internal pen testing after information about the vulnerability was published. Some organizations didn't update their Windows systems for seven to eight months after Microsoft released the patch for the vulnerability. (See WannaCry: How the Notorious Worm Changed Ransomware.)
"Additionally, 78% of these companies were tested more than three months after the update had been released," Okhotin said. "This was unexpected because information about this vulnerability was widely covered by mass media. The cited numbers emphasize the fact that a timely and robust patch management process is still to be achieved in a significant portion of large enterprises."
That, combined with the fact that obsolete software was detected on the network perimeter of 86% of analyzed companies and in the internal networks of 80% of organizations, is an indication of poor implementation of basic IT security processes, which is putting many enterprises at risk of security breaches, the researchers said.
Along with web applications, publicly available management interfaces with weak or default credentials were another common avenue for penetrating the network perimeter, according to the report. Kaspersky experts were able to gain the highest privileges in the entire IT infrastructure in 29% of external pen test projects.
Not every company was lacking in its security processes, according to Okhotin. The companies tested had a range of cybersecurity maturity levels, including some with well-established security processes such as monitoring and regular security assessment. At these companies, even when an attack succeeded, the security teams were quick to detect it and prevent it from progressing further.
"The report describes the most common vulnerabilities found in both types of organizations," he said. "Some organizations have implemented the majority of the security measures mentioned in the report. Although we were still able to get access to the business-critical resources, it took much more effort and time. The result significantly depends on how well the security measures are implemented. The security is determined by the weakest element. It can be a user with a weak, common password, default built-in credentials on one system, or a recently set up web application that hadn't been tested yet."
The recommendations listed by the Kaspersky researchers include closely monitoring firewall rules and web application use, finding and using updates for vulnerable software, implementing password policies to encourage users to create strong passwords, running regular security assessments for IT infrastructures -- including applications -- and putting a strategy in place to detect cyberattacks at an early stage, along with a response plan.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.