During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of infrastructure on all corporate networks they attempted to compromise. Penetrating the network perimeter has become easier over time, the report reveals, with the difficulty of accessing the internal network assessed as “trivial” in 56% of tests in 2017, compared with just 27% in 2016. On average, Positive Technologies testers found two attack vectors (vulnerabilities) per client that would allow their internal network to be penetrated. Christopher Day, Chief Cybersecurity Officer at Cyxtera commented below.
Christopher Day, Chief Cybersecurity Officer at Cyxtera:
“Organizations must reduce the attack surface to effectively combat today’s cyber threats. Insiders shouldn’t have access to systems they don’t need to do their job. External threat actors shouldn’t be able to exploit a weak password and gain the keys to the digital kingdom. We recommend that organizations adopt a Zero Trust mindset and build their security controls accordingly. Also, take a fresh look at your tool set and determine whether it’s adequate to secure today’s hybrid, decentralized infrastructure. For example, the network perimeter is not only easy to penetrate, it has extended well beyond traditional premise-based boundaries. Software-defined perimeter (SDP) solutions can address the entirety of the IT environment, wherever it is, and employ fine-grained access controls to reduce the attack surface dramatically. Wi-Fi networks continue to be an area of weakness so we need to do more than merely scan them to identify possible vulnerabilities. Newer technologies can determine whether assets behind the vulnerable access point can be compromised and whether or not a mitigating control is in place.”