Wednesday, September 2, 2015

Key Vulnerabilities in Corporate Information Systems in 2014: Web Applications, Passwords and Employees

From 2013 to 2014, there was an increase in the vulnerability of the information systems of large enterprises. In about 60% of system attacks, the network perimeters were penetrated via web application vulnerabilities. Additionally in 2014, there was decreased awareness among employees regarding security issues, as they were more likely to follow unverified links and open files attached to e-mails from unknown sources.

These findings are outlined in detail in Positive Technologies’ 2014 penetration testing results publication and contrast significantly from the 2013 findings. The penetration testing simulates a hacker attack and provides a more realistic assessment than traditional auditing techniques alone.

General Results

The penetration testing data used in this article is drawn from testing the information systems of 18 large public and private companies. The firms are comprised of Fortune Global 500 firms and include some of the largest Russian firms in terms of volume of products produced annually, as ranked by Expert RA. More than half of the enterprises had multiple international subsidiaries and most systems had hundreds of active hosts available at the network perimeter. The majority of the firms operate in the manufacturing, banking and IT sectors.

In 2014, 94% of systems in the penetration testing study contained vulnerabilities that allowed testers to gain full control over some critical resources — Active Directory, ERP, e-mail, or network equipment control systems. In 67% of cases, an external attacker could gain full control over the most critical resources and in 27% of cases gaining access to the intranet user segment was enough to facilitate full control over the critical resource.

In both 2013 and 2014, almost all the systems had high-severity vulnerabilities and most of these critical vulnerabilities related to configuration flaws. However in 2014, most systems, 78%, had critical vulnerabilities related to outdated software updates, worse than the 2013 results of about 50%. The average age of the most outdated patch was 73 months, compared to just 32 months in 2013. In three systems, MS08-067 (CVE-2008-4250), a 6-year-old critical vulnerability widely used by both hackers and the Conficker network worm, was still in use.

System compared by maximum severity of vulnerabilities caused by the lack of updates

Additionally in 2014, almost every information system, 89%, had vulnerabilities related to web application code errors and more than half of the companies, 61%, had high-severity vulnerabilities.

Security Perimeter Flaws

In 73% of systems, an outside attacker accessing the network from the Internet could access intranet hosts without using social engineering. When combining the use of intranet hosts with social engineering outside access to the system was gained in 87% of cases. In 2014, a low-qualified attacker could successfully attack 61% of systems, compared to just 46% in 2013.

Difficulty of penetrating the perimeter

Penetrating the perimeter in 2014, as in 2013, required exploitation of, on average, only two vulnerabilities However, one vulnerability was enough to penetrate more than half of the systems (6 out of 11) in 2014. Additionally, in 60% of all cases the penetration vector is based on web application code vulnerabilities. For example, SQL Injection appears in 67% of systems, and unrestricted file upload in 40%.

The most common vulnerabilities at the network perimeter are:

  • Network equipment and server control interfaces available from the Internet, rising from 82% to 93% from 2013 to 2014. 
  • Dictionary passwords, including default and empty passwords — 87%. Also note that 67% of all systems used dictionary IDs and passwords as administrator IDs and passwords at the perimeter. Both of these factors increase the likelihood that an attacked could access the intranet.

By contrast, Heartbleed and Shellshock vulnerabilities, both of which garnered media scrutiny in 2014, have not been widely used in hacks, as the coverage encouraged most large companies to install updates to protect against them. Nevertheless, one company in this study did have an unfixed Heartbleed vulnerability that allowed attackers to obtain many customers’ credentials.

The most common vulnerabilities at the network perimeter

Gaining access to the company intranet is often the first step for an external attacker to gain access to critical resources. The 2014 report demonstrates that after gaining full control over critical resources in 80% of systems, the hacker would have been able to penetrate the network perimeter.

Privilege level gained by external attacker

Intranet Security Flaws

Positive Technologies also considered the attack vectors of an internal hacker. The results of a hack by an employee located in the user segment of the network resulted in unauthorized access privileges leading to full control over information infrastructure in 78% of cases and access to critical resources such as banking and ERP systems in all the cases.

In 56% of cases, a low skilled attacker is able to access critical resources. Complicated attacks, requiring a high skill level to coordinate, were not necessary to access critical resources in 2014. By contrast, in 2013 they were required to penetrate 17% of systems. On average, an internal attacker needed to exploit three different vulnerabilities to gain control over critical resources in 2014, worse than the 2013 results in which an attacker had to exploit an average of five vulnerabilities.

Difficulty of gaining access to critical recourses by internal attackers

Weak passwords are still the most common intranet security vulnerability detected in all the systems studied. Every system had weak administrator passwords, more than half of them were only six characters long.

Systems compared by dictionary passwords. Administrator passwords are red, user passwords are blue

The second most common intranet vulnerability is insufficient security on privileged accounts, a problem found in 88% of systems in 2014. In the case of the privileged accounts attack, the hacker can use high privileges to access the domain on behalf of an unknown account due to architecture flaws in the Kerberos protocol, an attack that is hard to detect.

The most common intranet vulnerabilities

Lack of Staff Awareness

As part of the penetration testing IS awareness checks were carried out among the system users. The results were based on the most common hacker methods — emailing messages containing an attachment or with a link embedded. The penetration testing monitored the number of links opened and files downloaded, as well as the number of credentials entered, to simulate a phishing scam.
From 2013 to 2014, staff vigilance about these types of attacks decreased significantly. In 2014, staff at 67% of companies whose systems were tested showed low or extremely low awareness level, and the others were estimated as "below average". In particular, the number of users who followed the link increased from 11% to 20% and those who entered credentials in the phishing simulation quadrupled to 15%.

The threat events, total number of messages

The results of the penetration testing presented in this article argue for improved security measures. Key areas include password policy, web application security, regular security updates, and privileged account security and user awareness. Additionally regular security audits of information systems and penetration testing both internal and external are recommended.

To access the full report please see:


  1. Very interesting blog. Alot of blogs I see these days don't really provide anything that I'm interested in, but I'm most definately interested in this one. Just thought that I would post and let you know.
    geometry dash| sniper games |happy wheels | happy wheels 2 |agario| my little pony games mickey mouse games mahjong |pacman

  2. You managed to hit the nail upon the top and outlined out the whole thing without having side effect , other folks can take
    a signal. Will likely be back to get more. Thanks Robtop games
    piano tiles 3
    zoo games

  3. We are reading best article here. Large set of writing papers and valuable information is possible. The readers can getting perfect method of information here. The quality thesis service is writing company for creating documents as high level of secured papers.

  4. 100% Free SEO tools. Let’s use and feeling. Unique content checker, unique content rewriter, keyword position, online ping website tool.

  5. Operations Management Case Studies Solution and Analysis, Operations Management Case Studies Solutions, Custom solved according to your need.
    Operations Management Case Solutions

  6. How I Was Rescued By A God Fearing And Trusted Lender {}..

    Hello, I am Andrew Thompson currently living in CT USA, God has bless me with two kids and a lovely Wife, I promise to share this Testimony because of God favor in my life, 2days ago I was in desperate need of money so I thought of having a loan then I ran into wrong hands who claimed to be loan lender not knowing he was a scam. he collected 1,500.00 USD from me and refuse to email me since then I was confuse, but God came to my rescue, one faithful day I went to church after the service I share idea with a friend and she introduce me to LEXIE LOAN COMPANY, she said she was given 98,000.00 USD by MR LEXIE , THE MANAGING DIRECTOR OF LEXIE LOAN COMPANY. So I collected his email Address , he told me the rules and regulation and I followed, then after processing of the Documents, he gave me my loan of 55,000.00 USD... well if you are interested in a loan you can as well contact him on this Email: or call/sms on: +18168926958 thanks, I am sure he will also help you. Website:

  7. This blog is so nice to me. I will continue to come here again and again. Visit my link as well. Good luck
    obat aborsi
    cara menggugurkan kandungan
    obat telat datang bulan
    obat penggugur kandungan

  8. I truly esteem your carry out the occupation and tips determined by you is useful to me. I will impart this subtle elements to my relatives and companions. Review

  9. I was searching for any article for my school homework lastly got it from you. Much obliged.
    Exercises in Lease Accounting Case Solution

  10. All the best blogs that is very useful for keeping me share the ideas
    of the future as well this is really what I was looking for, and I am
    very happy to come here. Thank you very much
    earn to die
    earn to die 2
    earn to die 3
    Hi! I’ve been reading your blog for a while now and finally got the
    earn to die 4
    courage to go ahead and give youu a shout out from
    earn to die 6
    Austin Texas! Just wanted to tell
    earn to die 5
    Hi! I’ve been reading your blog for a while now and finally got the
    happy wheels
    strike force heroes
    you keep up the fantastic work!my weblog
    age of war
    earn to die 5

  11. It is a good comparison of the key vulnerabilities in cooperative information systems in 2014 to the same in 2013. From 2013 to 2014, The graph shows an increase in web application vulnerabilities. The diagrammatic explanation helps to quickly catch the ideas. Dissertation writing service UK

  12. I cherished the way you talk about the point awesome work much obliged for the share Your useful post.
    Online Programming Assignment Help