What happens when you perform ethical hacking on 60 enterprise companies that believe their security is up to par?
Pentera conducted penetration testing on the networks of 60 leading companies in banking, investment, legal, insurance, and retail. Working alongside some of the industry’s sharpest CISOs, our ethical hacking lessons revealed that few companies are sufficiently prepared for a cybersecurity attack.
While most enterprise organizations believe that they have every vulnerability covered, the truth is often more complex. Below are the six crucial lessons your company needs to learn if you want to improve your cyber resilience.
Lesson 1: Ethical Hacking Lessons on the Human Factor
Your employees are your most valuable asset but also the primary entry point for cyber threats. Despite training and redundancies, human error remains a significant vulnerability. These ethical hacking lessons highlight two common patterns of concern:
- Inappropriate Network Behavior: Even with limited administrative privileges, misuse can occur. For instance, a domain admin might improperly use their superuser account to access personal email, exposing the organization to unnecessary threats.
- Misconfiguration: Another issue is misconfiguration of your network, or configuration changes that go untracked and unmonitored. Mistakes such as these leave you vulnerable. For example, you might grant an employee temporary extended permissions for a project and then forget to revoke them.
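The "forgot to revoke" and "untracked change" cases above are both catchable by comparing the approved grants you recorded against what the directory actually contains. The following is an added example, not code from the original article or from Pentera: it assumes a constructed approval ledger and a constructed group-membership snapshot (both embedded inline), and flags temporary grants that outlived their expiry as well as privileged-group members nobody approved.

```python
from datetime import date

# Constructed sample data (assumption, not from the article): approved privilege
# grants, each with the date by which it should have been revoked (None = standing).
APPROVED_GRANTS = [
    {"user": "alice", "group": "Domain Admins", "reason": "IT lead", "expires": None},
    {"user": "bob", "group": "Domain Admins", "reason": "migration project",
     "expires": date(2024, 3, 31)},
    {"user": "carol", "group": "Backup Operators", "reason": "DR test",
     "expires": date(2024, 6, 1)},
]

# Constructed snapshot of current membership, as exported from the directory.
CURRENT_MEMBERS = {
    "Domain Admins": {"alice", "bob", "dave"},
    "Backup Operators": set(),
}


def audit_privileged_access(grants, members, today):
    """Return (finding_type, group, user) tuples for two misconfiguration patterns:
    temporary grants past expiry that are still in place, and privileged-group
    members with no approval on record (an untracked change)."""
    approved = {(g["group"], g["user"]): g for g in grants}
    findings = []
    # Pattern 1: the grant expired but the user is still in the group.
    for (group, user), g in approved.items():
        if g["expires"] and g["expires"] < today and user in members.get(group, set()):
            findings.append(("expired-not-revoked", group, user))
    # Pattern 2: the user is in a privileged group without any recorded approval.
    for group, users in members.items():
        for user in sorted(users):
            if (group, user) not in approved:
                findings.append(("untracked-member", group, user))
    return findings


if __name__ == "__main__":
    for finding in audit_privileged_access(APPROVED_GRANTS, CURRENT_MEMBERS, date(2024, 5, 1)):
        print("%-20s %-18s %s" % finding)
```

Run it on each directory export; a clean run returns an empty list, and anything else is a change that either was never approved or should already have been rolled back.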
Lesson 2: Ethical Hacking Lessons: Guard More Than the Perimeter
Companies often adopt a narrow view of vulnerabilities. Many organizations assume that securing the perimeter ensures the safety of their on-premises network. Our ethical hacking lessons prove otherwise. The truth is that 70% of security breaches result from insider activities, highlighting the importance of safeguarding your network’s core. Unfortunately, for most of the companies we ethically hacked, it was quickly evident that a relatively knowledgeable hacker could easily carry out a full attack on-premises with no problem. Companies need to start looking at their core network defense differently. We need to assume that the perimeter WILL be breached; it’s just a question of when. With that in mind, penetration testing from the “outside in” is crucial but should complement an “inside out” approach that begins with the “crown jewels” and expands outward. By thinking about security in this way, you continually sanitize your inner network, so that even if a malicious hacker gets inside, they’ll find it much more difficult to carry out a meaningful attack.
Lesson 3: Ethical Hacking Lessons from SOC Implementation
While a competent IT department can handle most network security issues, they were found lacking when it came to “surviving” our penetration testing. However, companies with a security operations center (SOC), a centralized unit that deals with security issues on an organizational and technical level, performed far better. The reality is that organizations with a SOC team have a much more developed understanding of cybersecurity and a higher level of awareness of what is happening in their network. Through constant monitoring and analysis, a SOC team offers timely detection of security incidents, keeps a pulse on the network, and helps companies stay on top of threats to their environment.
Lesson 4: Implement a Least Privilege Policy
It’s far better to contend with a high number of support calls from users asking for permission privileges than to deal with vulnerabilities created by over-privileged employees. Yes, there’s no doubt that it can be annoying for your IT department to field constant minor requests for privileges, but it’s better than opening your network to attackers looking to exploit your vulnerabilities. It doesn’t take much for a hacker to gain a foothold in your organization’s IT or developer network segments, where privileged users abound. Once they gain this access, lethal exploits become a matter of course. Running penetration testing on dozens of companies, we discovered that the best vulnerability management plan is to have fewer privileged users, which increases your resiliency to attacks. For example, we found that law firms, accounting firms, and other companies where most users have low-tech profiles were far better protected than high-tech firms with many super users. It’s that simple.
Lesson 5: Yesterday’s Vulnerabilities Are Still Here
MS17-010 (EternalBlue) is a well-documented, critical vulnerability that’s been around since March 2017. To our surprise, we discovered that many companies are still exposed to it. The same applies to other known vulnerabilities that we hadn’t expected to encounter in our penetration testing campaigns. Why are organizations still exposed to well-known security vulnerabilities?
- Lack of Time: Security teams are busy. In 2018, there were a record 16,500 known security vulnerabilities cataloged by CEOs and security teams across the globe. That’s too many vulnerabilities to handle all of them. The key is to prioritize the vulnerabilities that could have the largest impact on your organization. Without the right tools, this prioritization is easier said than done.
- Device Importance: Prioritization issues arise when organizations secure high-priority devices but neglect others. Hackers exploit these overlooked devices as gateways to critical assets.