Many enterprises are constantly attempting to address emerging threats, but an analysis of more than 2,000 penetration tests found that older, longstanding problems are often the path of least resistance for attackers.
The security community continues to focus on new attack vectors, while older threats are often overlooked, ineffectual security controls are implemented, and problems that have existed for years persist.
Ineffective password management, poor security controls and misconfigured legacy devices plague many enterprise networks, according to the analysis conducted by Trustwave SpiderLabs. In addition to penetration tests, the vendor reviewed more than 300 breach investigations conducted by its team.
“The security community continues to focus on new attack vectors, while older threats are often overlooked, ineffectual security controls are implemented, and problems that have existed for years persist,” the company said in its 2012 Global Security Report issued today.
Network authentication topped the list of issues encountered by Trustwave’s penetration testers. The company said the problem stems from poor password policies and security controls enabling an attacker to gain access to Microsoft Active Directory and network and printer file shares. Some organizations fail to revoke temporary administrative accounts. An attacker can access moderately privileged accounts and work their way into the network using valid account credentials, Trustwave said.
“An abundance of networks and systems were still found vulnerable to legacy attack vectors; many of these vectors date back 10 years or more,” Trustwave said. “Organizations are implementing new technology without decommissioning older, flawed infrastructure.”
Another common way pen testers gain access to the corporate network is to target routers, network switches, firewalls and other devices set up with weak or default passwords. Trustwave said 28% of Apache Tomcat installations were discovered with an accessible administrative interface with default credentials. Databases, sometimes unused and forgotten about also can be a stepping stone to systems containing sensitive data, Trustwave said.
Other network security weaknesses include unencrypted file transfers or poorly configured encrypted transfers, which enable attackers to view sensitive data. More than a quarter of all HTTP services scanned by TrustKeeper, the company’s remote scanning tool had login pages that transmitted credentials unencrypted, according to the report.
Remote file sharing software as point of entry
Symantec has been under fire to correct vulnerabilities in its pcAnywhere software after a 2006 security breach exposed the source code of the remote access software. But according to Trustwave, all remote access software could potentially be weak points for an attacker. The software, used by IT teams to remotely address problems with laptops and other workstations, is often poorly configured enabling an attacker to exploit flaws, steal cached domain credentials and hop to more sensitive systems. According to the company’s analysis, 22% of organizations continue to use insecure remote access applications.
"Remote access solutions are still the most widely used method of infiltration into target networks," Trustwave said. Companies without extensive IT teams hire third-party providers to maintain systems. In many cases, remote access applications or a virtual private network (VPN) is used to gain access the customer systems, Trustwave said. "When these services are left enabled, an attacker can access them as easily as an approved administrator." Trustwave said remote access weaknesses were used in 61.7% of the tests it conducted.
Top 10 network risks
- Weak or blank password for administrative account.
- Sensitive data transmitted unencrypted
- Microsoft SQL Server with weak or no credentials for administrative account
- Address resolution protocol cache poisoning
- Wireless clients probed for ESSIDs from stored passwords
- Continued use of Wired Equivalent Privacy (WEP) encryption
- Client sends LAN manager response for NTLM authentication
- Misconfigured firewall rules permit access to internal resources
- Storage of sensitive information outside designated secure zone
- Sensitive information transmitted over Bluetooth
“Many issues found in network penetration tests and vulnerability scans are well known, some more than 10 years old, and others date back to the very beginning of shared and networked computing,” Trustwave said. “These vulnerabilities are actively exploited by attackers and often represent the path of least resistance.”