The level of security of Wi-Fi networks and user awareness regarding information security has fallen significantly in 2016 compared to the previous year according to the findings of a Positive Technologies security audit which highlighted the main culprit as common vulnerabilities not needing much skill to implement.
During audits, Positive Technologies reports that its experts simulated how actual attackers (external and internal) would try to penetrate corporate systems and thereby identified a large number of protection flaws.
Findings include critical vulnerabilities detected in 47 percent of investigated corporate systems, frequently related to configuration errors (40 percent of systems), errors in web application code (27 percent of systems), and failure to install security updates (20 percent of systems). Among out-of-date systems, the average age of the oldest uninstalled updates is a surprising (to this writer) nine years.
An intruder with minimum knowledge and skills would be able to bypass the network perimeter on 55 percent of systems as, in most cases, an external intruder needs only two steps to penetrate the perimeter.
It was very much a case of rounding up the usual suspects, with common perimeter vulnerabilities including dictionary passwords, unencrypted data transfer protocols (detected on all systems), vulnerable software versions (91 percent of systems), as well as publicly available interfaces for remote access, equipment control, and connection to database management systems (also 91 percent of systems). Although web application vulnerabilities are not the largest threat, they are still dangerous: web application vulnerabilities made it possible to bypass the network perimeter on 77 percent of systems.
Full control over corporate infrastructure was achievable on 55 percent of systems tested acting as an external intruder, while as an internal intruder, the testers were successful on all systems. In 2015, these figures were 28 and 82 percent, respectively.
Among the most common internal network vulnerabilities are flaws in network layer and data link layer protocols leading to traffic redirection and interception of information about network configuration (100 percent of systems tested).
Despite the seemingly endless barrage of media reports of data breaches and hacking, staff awareness of information security was extremely low in half of systems in 2016 (compared to 25 percent of systems in 2015). In addition, wireless network security was also extremely poor in most cases (75 percent) with every second system allowing access to LAN from Wi-Fi.
In an email to SC Media UK, Evgeny Gnedin, head of Information security analytics at Positive Technologies, commented: "The vast majority of attacks on corporate infrastructures involve exploitation of common vulnerabilities and flaws. Companies can dramatically improve their security stance and avoid falling victim to attacks by applying basic information security rules: develop and enforce a strict password policy, minimise privileges of users and services, do not store sensitive information in cleartext, minimise the number of open network service interfaces on the network perimeter, regularly update software, and install operating system security updates."