Pen Testing Firm Claims 92% Successful Breach Rate of Their Clients

On the 6 February, cyber-security firm Positive Technologies published its penetration testing activity report for 2018. The firm claimed that its researchers breached the external perimeter and gained access to the internal networks of 92 percent of the companies they tested.

Test Report

Positive Technologies placed most of these successes on vulnerabilities in the source code external-facing web applications. The company’s findings found that 75 percent of exploitation were because of web resources.

Pentesters found that they were able to gain access to internal computers and servers. This included critical resources such as SWIFT money transfer and ATM controls.

Accessing The Internal Network

To access the systems of these companies, Positive Technologies said its experts used basic techniques such as brute-force of account passwords and exploiting old vulnerabilities. They also used social engineering techniques like phishing and vulnerabilities in the WiFi networks.

Of the companies tested, 87 percent had WiFi networks that were accessible from outside the clients building. In some cases, they could access the WiFi network from nearby coffee shops and parking areas.

Around 63 percent of systems featured weak WiFi security allowing access to the computer network. By weak WiFi security, the company means companies that failed to encrypt WiFi traffic or used weak protocols.

No Company Was Perfect

Positive Technologies discovered that even those companies that offered strong security, there was always at least one way open to hackers. Some of these companies were using strong WiFi authentication, had well-trained employees, and were resistant to brute-force attacks.

One company had the oldest vulnerability they had found which was 19-years old. The CVE-1999-0024 was a flaw affecting BIND, a widely used DNS server software.

Overall, Positive Technologies tested 33 companies which were the basis of their report. These companies were active in the industrial, financial and transport industries.

 

 

 

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients