According to a recent report by an enterprise security solution provider, corporate networks are highly vulnerable to attacks that would give hackers full control of their infrastructure. The report outlines a study of 22 security assessments of corporate information systems at companies across many industries, including information technology, finance, retail and transportation. Researchers at the reporting agency, Positive Technologies, were able to gain full control of infrastructure on every corporate network they attempted to compromise.
Each company had an average of two attack vectors that allowed their network to be infiltrated, according to the report. For one corporation, researchers found 10 vectors. The oldest vulnerability found by the report dates back 18 years.
These results also indicated that penetrating a network perimeter has become easier than in the past. Researchers rated the difficulty of accessing the internal network as trivial in 56 percent of the 2017 tests, compared to 27 percent in 2016. Only 7 percent of the systems studied were moderately difficult to access.
Common attack vectors include:
- Corporate Wi-Fi networks
- Phishing
- Unpatched vulnerabilities
Companies can reduce the likelihood of compromise and protect their networks by taking the following steps:
- Develop and enforce strict password policies to prevent the use of easily cracked passwords.
- Implement multifactor authentication, particularly for privileged accounts such as those of domain administrators.
- Restrict the number of services on the network perimeter.
- Verify that any interfaces available for connection should really be accessible to all Internet users.
- Install operating system and application security updates promptly.
- Ensure the security of wireless networks using robust authentication methods and isolation of access point users.
- Implement regular information security awareness training and verify employee knowledge on an ongoing basis.
- Use logging and monitoring systems for timely detection of attacks.
- Protect web applications using a web application firewall (WAF).
- Perform regular penetration testing for enumerating vulnerabilities and assessing the effectiveness of applied security controls.
The full Positive Technologies report on corporate cybersecurity vulnerabilities can be found here.