It takes hackers just 30 minutes to penetrate a local network.

New research from Positive Technologies has shown how easy it is for hackers to breach an organisation’s local network by exploiting known software vulnerabilities. Experts from Positive Technologies performed external pentests on organisations in the IT, finance, fuel and energy, hospitality, government, entertainment and telecommunications industries, and the results were compiled in the Penetration Testing of Corporate Information Systems report. In a penetration test, ethical hackers imitate what real attackers do. The term is often shortened to “pentest,” while the hackers in question are called “pentesters”.
During a pentest, experts search for vulnerabilities in the systems of a specific company and attempt to bypass security as part of an attack. TechRadar reports that, according to its tests, Positive Technologies was able to access the local network at 93% of the tested organisations. The maximum number of penetration vectors detected at a single company was 13. Additionally, in one out of every six companies tested, Positive Technologies found traces of previous attacks, such as malicious links on official sites, web shells on the network perimeter and valid credentials in public data dumps. This indicates that the networks have already been infiltrated by hackers in the past.
Security experts also found that it takes anywhere from 30 minutes at a minimum to 10 days at a maximum to penetrate a local network. In most cases, though, the attack complexity was low, which indicates that a hacker with basic skills can break in. The research also found that brute force attacks were the most effective way to crack credentials when attacking web applications, at 68% of the companies that were tested. If a hacker is able to successfully brute force the password for at least one domain account, they can discover identifiers for other users by simply downloading the offline address books that contain email addresses for all other company employees. At one of the organisations tested, Positive Technologies’ pentesters obtained over 9,000 email addresses through this method.
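
For defenders, the sequence described above (a burst of failed logins, a success, then an offline address book download) can be correlated in authentication logs. The following Python detection logic is an added example, not taken from the report or the original article; the log format, the event names `LOGIN_FAIL`, `LOGIN_OK` and `OAB_DOWNLOAD`, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, source IP, account, event.
SAMPLE_LOG = """\
2020-08-01T10:00:00 203.0.113.7 jsmith LOGIN_FAIL
2020-08-01T10:00:02 203.0.113.7 jsmith LOGIN_FAIL
2020-08-01T10:00:04 203.0.113.7 jsmith LOGIN_FAIL
2020-08-01T10:00:06 203.0.113.7 jsmith LOGIN_FAIL
2020-08-01T10:00:08 203.0.113.7 jsmith LOGIN_FAIL
2020-08-01T10:00:10 203.0.113.7 jsmith LOGIN_OK
2020-08-01T10:01:30 203.0.113.7 jsmith OAB_DOWNLOAD
2020-08-01T10:05:00 198.51.100.4 adoe LOGIN_FAIL
2020-08-01T10:05:20 198.51.100.4 adoe LOGIN_OK
2020-08-01T10:06:00 198.51.100.4 adoe OAB_DOWNLOAD
"""

def find_bruteforce_followups(log_text, fail_threshold=5,
                              window=timedelta(minutes=10)):
    """Return alerts for logins that succeed after a burst of failures,
    noting whether the same source then fetched the address book."""
    failures = defaultdict(list)   # (ip, account) -> failure timestamps
    alerts = {}                    # (ip, account) -> alert dict
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, ip, account, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        key = (ip, account)
        if event == "LOGIN_FAIL":
            failures[key].append(ts)
        elif event == "LOGIN_OK":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts[key] = {"ip": ip, "account": account,
                               "failures": len(recent),
                               "success_at": ts, "oab_download": False}
            failures[key].clear()  # a success resets the failure streak
        elif event == "OAB_DOWNLOAD" and key in alerts:
            # Address-book fetch soon after a suspicious login: escalate.
            if ts - alerts[key]["success_at"] <= window:
                alerts[key]["oab_download"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bruteforce_followups(SAMPLE_LOG):
        print(alert)
```

Because failures are counted per source address and account, guessing spread across many source addresses needs a second rule keyed on the account alone.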