In advance of RSAC, Rapid7 unveiled its latest research paper, highlighting the real-life experiences of dozens of penetration testers to help demystify the occult art of hacking for hire.
Taking the results of 128 penetration tests conducted by Rapid7 throughout Q4 2016, key findings included:
– Only 33% of client sites had no found vulnerabilities, showing the significant needed improvement on enterprise security.
– Of the 86% of engagement where credential theft was in scope, two-factor authentication was simply not a factor. Considering the millions of large-scale breaches in 2016, and the endemic problem of password reuse, this finding was particularly disheartening.
– Despite the recent uptick in online industrial espionage, the surveyed organisations seemed the least interested in protecting copyrighted material, digital certificates, source code or trade secrets.
More details about the report can also be found here: https://community.rapid7.com/community/infosec/blog/2017/02/08/under-the-hoodie-actionable-research-from-penetration-testing-engagements
Tod Beardsley, Research Director at Rapid7:
“Rapid7’s latest research paper, “Under the Hoodie: Actionable Research from Penetration Testing Engagements,” draws on the real-life experiences of Rapid7’s dozens of penetration testers to help demystify the occult art of hacking for hire. Using rigorous census and polling methodology, we’re able now to track and publish trends in pen testing, ranging from what’s the most effective means for gaining access and elevating privilege in a company’s network, the practical effects and deployment rates of intrusion detection and two-factor authentication technologies, and the kinds of information that attackers can exfiltrate from a compromised network. We hope that general ITOps and dedicated security professionals alike are able to use our research to better understand how and why organisations get breached, and ultimately make the most of their next penetration test.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.