Cyber attacks have become an issue of growing concern for institutions across a variety of industries. With so much of everyday life conducted online, it’s no wonder a new breed of hackers is intent on stealing information. How can you be sure your business is protected?
In 2018, a number of high-profile companies have already experienced data breaches. Now they are left to deal with the repercussions of a dip in consumer trust, along with penalties, fines and perhaps even lawsuits.
The Meltdown, Spectre, Heartbleed, and ShellShock cyber breaches in recent years have proven that there is no one-size-fits-all solution to this growing problem. The time for businesses to act is now. Man-in-the-middle attacks, distributed denial of service attacks, and session cookie tampering all played a role in these data breaches, leading to the conclusion that businesses must do more to prepare themselves against a range of attacks.
According to CSO, cybercrime damage is expected to cost over $6 trillion annually by the year 2021. Software firm Rapid7, intent on cracking down on cyber attacks, conducted hundreds of penetration tests over the past 10 months to determine how well networks can withstand cyber threats. The study, named “Under the Hoodie 2018”, is filled with interesting data that sheds light on some of the most common cyber targets and what businesses can do to arm themselves.
What Is A Penetration Test?
A penetration test, or pentest, is a simulated cyber attack conducted to find exploitable vulnerabilities in a given computer system. Pen tests can involve the attempted breach of a variety of application systems, including APIs, front-end and back-end servers, and others. These tests are designed to uncover network vulnerabilities that may make a company susceptible to breaches.
Studies of this nature are vital for pinpointing which network misconfigurations give attackers access, and how user credentials are being used. The insights provided by pen tests can help businesses create a plan of action against attacks, allowing them to fine-tune their security policies and fix vulnerabilities before they are exploited.
What Are The Stages Of Pen Testing?
Pen testing is typically divided into five stages. The first involves planning and reconnaissance, which means defining the goals of a test and clearly outlining the systems in scope and the testing methods to be used. Gathering data is another important part of this stage, as it allows the testers to more clearly understand a target and the potential vulnerabilities they may encounter.
The second stage involves scanning and static analysis, which means inspecting an application’s code to determine its behaviors. Dynamic analysis, also part of the second stage, involves inspecting this code in a running state, offering a real-time view into its performance.
A pen test’s third phase most often includes gaining access to a network by way of web application attacks to uncover a specific target’s vulnerabilities. It is then the duty of the tester to attempt to exploit these by escalating privileges, intercepting traffic, stealing data, or doing other damage.
Maintaining access, the fourth stage of a pen test, involves determining how a specific vulnerability can be used to present a persistent threat. Often, persistent threats are used to steal sensitive data from an organization over a period of months.
Finally comes the analysis of the collected data. The tester compiles a report that details which specific vulnerabilities were exploited, what type of data was accessed, and how long the tester was able to maintain access to the system while remaining undetected. Taken together, this information paints a clear picture of what a business can do to protect itself against similar attacks in the future.
What Were The Results?
Rapid7 conducted more than 268 pen tests across a wide range of industries, 251 of which involved live production networks likely to hold real and confidential data. In 59% of these 268 tests, the simulated attackers worked from outside the target network, which is the most likely scenario for the majority of today’s businesses.
The study gathered a world of insight into the everyday user’s online security habits, or lack thereof. One interesting finding concerned password patterns. The findings suggest that the majority of users choose passwords of the minimum required length, and tend to put numbers at the end of the password.
The most common password used? “Password1.” According to a popular password hacking website, it would take hackers 0.29 milliseconds to crack this password.
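The two habits the report calls out, passwords padded to exactly the minimum length and a word followed by trailing digits, are easy to measure and easy to reject at the point a password is set. The following script is an added example, not code from the Rapid7 report or from Kraft Technology Group: it audits a constructed list of passwords for those patterns and provides a policy check a defender could run before accepting a new password. The sample passwords, the 8-character minimum and the small banned list are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample, standing in for a set of recovered passwords seen during
# an internal audit. These are hypothetical values, not data from the report.
SAMPLE_PASSWORDS = [
    "Password1", "Summer2018", "Welcome1", "Nashville1",
    "Tr0ub4dor&3", "correcthorsebatterystaple", "Winter18",
    "Password1", "Company123", "Qwerty12", "P@ssw0rd", "abcd1234",
]

MIN_LENGTH = 8  # assumed policy minimum

# Assumed banned list; a real deployment would load a large breached-password set.
BANNED = frozenset({"password1", "welcome1", "qwerty12", "p@ssw0rd"})

# A capitalised dictionary word followed by one to four digits, the
# "Password1" / "Summer2018" shape the report describes.
WORD_PLUS_DIGITS = re.compile(r"[A-Z][a-z]+\d{1,4}")


def ends_with_digits(pw: str) -> bool:
    """True when the password's last character is a digit."""
    return bool(pw) and pw[-1].isdigit()


def is_minimum_length(pw: str, minimum: int = MIN_LENGTH) -> bool:
    """True when the user chose exactly the minimum the policy allows."""
    return len(pw) == minimum


def word_plus_digits(pw: str) -> bool:
    """True for the 'Capitalised word + trailing digits' pattern."""
    return WORD_PLUS_DIGITS.fullmatch(pw) is not None


def audit(passwords, minimum: int = MIN_LENGTH) -> dict:
    """Summarise how many passwords in the set show each weak habit."""
    return {
        "count": len(passwords),
        "min_length_count": sum(is_minimum_length(p, minimum) for p in passwords),
        "trailing_digit_count": sum(ends_with_digits(p) for p in passwords),
        "word_plus_digits_count": sum(word_plus_digits(p) for p in passwords),
        "most_common": Counter(passwords).most_common(1),
    }


def policy_check(pw: str, minimum: int = MIN_LENGTH, banned=BANNED) -> list:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    reasons = []
    if len(pw) < minimum:
        reasons.append("shorter than minimum length")
    if pw.lower() in banned:
        reasons.append("appears on the banned-password list")
    if word_plus_digits(pw):
        reasons.append("dictionary word followed by digits")
    return reasons


if __name__ == "__main__":
    summary = audit(SAMPLE_PASSWORDS)
    n = summary["count"]
    print(f"{n} passwords audited")
    print(f"exactly minimum length: {summary['min_length_count']}/{n}")
    print(f"ending in digits:       {summary['trailing_digit_count']}/{n}")
    print(f"word + digits pattern:  {summary['word_plus_digits_count']}/{n}")
    print(f"most common:            {summary['most_common']}")
    for candidate in ("Password1", "Winter18", "Tr0ub4dor&3"):
        print(candidate, "->", policy_check(candidate) or "accepted")
```

The audit half is what a defender would run over the results of an engagement to see whether the organisation shares the habits the report describes; the policy half is the control that stops those passwords being chosen in the first place. Rejecting on pattern rather than only on a banned list matters because a banned list never contains next season's "Summer2019".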
Overall, the study concluded that Rapid7 testers exploited at least one in-production vulnerability in nearly 85% of all engagements. For internal penetration tests in which the pen tester had local network access, that number rose to 96%. This means that success rates are significantly higher for penetration testers when they have access to internal LANs or WLANs.
This type of information is imperative in giving businesses a leg up in preparing their defense against cyber attacks.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.