Pen Testers Abuse Configuration, Capture Creds

Over a period of nearly 10 months, penetration testers conducting external tests were able to exploit at least one in-production vulnerability in a large majority of the simulated attacks, according to a new report from Rapid7, Under the Hoodie. The majority, 59%, of the 268 penetration tests performed in the survey period (September 2017 to June 2018) were external engagements, where the targets tend to be internet-facing vectors such as web applications, email phishing, cloud-hosted assets and VPN exposure.

Rapid7's pen testers were able to abuse at least one network misconfiguration in 80% of engagements and at least one in-production vulnerability in 84% of all engagements. In 53% of all engagements the testers were able to capture at least one credential, and that figure jumped to 86% when looking solely at internal engagements.

The report also revealed the top five security priorities of the participating organizations. When it comes to protecting sensitive information, 21% prioritize sensitive internal data and 20% focus on personally identifiable information (PII). Only 14% of organizations ranked protecting authentication credentials as a top-five priority, 7.8% prioritize payment card data, and only 6.5% ranked bank account data among their top five.
