Penetration Testing Identifies Serious Flaws in 95.83% of Companies Tested in 2012
High Bit Security's Year-End Report Shows Majority of Companies Vulnerable to Hackers.
by High Bit Security on January 29, 2013 www.HighBitSecurity.com
Rochester, MI-based High Bit Security, known nationwide for its comprehensive and thorough IT security testing, has posted the results of its 2012 testing, and the numbers aren't good for US businesses.
"In 2012 High Bit Security performed testing across multiple sectors," said High Bit COO Adam Goslin. "It did not seem to matter what business the clients were in. Medical, Banking, Mortgage, E-Commerce, Software, Industrial Design, Staffing, Business Intelligence, Insurance, Accounting, Legal, Hospitality, and even Internet Payment processors - almost all failed their tests. This past year, 95.83% of the businesses we tested had vulnerabilities that would allow their systems to be compromised, even those who were running regular vulnerability scans or had penetration testing performed by other companies the previous year."
The most common - 58.5% of the vulnerabilities - were found in the application layer (web applications, web services, and APIs) during external testing. Performed from the outside, external testing simulates a hacking attack originating anywhere from across the parking lot to across the globe.

"We were contacted by a customer after they discovered one of their web pages was being re-routed to a site selling fake merchandise," said Goslin. "That was just the tip of the iceberg. Sensitive client data was being extracted from their systems without their knowledge. Ultimately, when we gave the findings report to their web developer, it was an easy fix. We showed them the code changes needed and the issues were easily resolved."

The next largest segment of vulnerabilities - 41.5% - were found in the network layer: the firewall, server, and infrastructure configurations.

"I feel bad for IT service providers who assure customers they are secure," said High Bit Security Chief Business Development Officer Barbara Goushaw. "IT security is a specialty, and expecting your IT provider to know all of the ways a company can be compromised is like expecting your family doctor to do open heart surgery."
Internal penetration testing engagements (testing performed from within the network of the target environment, similar to an attacker who has breached a system via malware or a Trojan) consistently show that network layer and host vulnerabilities are potentially the most devastating.

"Often, organizational focus is limited to the boundary defenses, with the erroneous belief that running external testing is sufficient," said Goslin. "All it takes is one employee clicking on the wrong site, downloading the wrong file, or a zero-day vulnerability, and the attacker is on the internal environment. If you identify and close the vulnerabilities on internal networks and applications, you make the attacker's job significantly more difficult. If they can't get to the valuable data, they will move on to an easier target. Our goal is to make sure our clients are not an easy target."

High Bit Security's full 2012 Security Testing Review report is available on their website (no credentials required) and provides details about the most prolific security vulnerabilities their customers experienced during the 2012 security testing cycle.
External Penetration Testing Findings - Executive Summary:
External penetration testing findings are vulnerabilities that can be exploited by anyone with access to the applications or networks in question. Vulnerabilities were spread across both the application and the network layers of the target systems, which speaks to the challenges both network administrators and application developers face in providing secure systems. Business owners and managers should not expect their internal or outsourced IT staff to provide secure systems, as they generally lack the experience and the bandwidth to ensure the security of the systems they support. IT security is a specialty. Test and know.
External Application Layer Penetration Testing Findings:
During external application layer penetration testing engagements, the most common vulnerability identified was cross-site scripting. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. These vulnerabilities may be leveraged to bypass authentication, or even to store scripts on the vulnerable server that are executed by subsequent users of the vulnerable system. Effectively, applications that are susceptible to cross-site scripting vulnerabilities may be exposing sensitive data, and may be the cause of a significant data breach.
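The cross-site scripting finding above comes down to one coding mistake: untrusted input is written into a page without being encoded for the context it lands in. The Python below is an added illustration, not code from High Bit Security's report or from any client application it describes; the greeting page, the `render_*` function names, the `security_headers` baseline and the sample input are all constructed for the example. It shows the vulnerable rendering beside the hardened one, a second context (a URL inside an attribute) that needs a different encoder, and the response headers that limit the damage if an encoding slip still happens.

```python
import html
from urllib.parse import quote

# Constructed sample of untrusted input: the kind of value a reflected XSS
# probe puts in a search box or profile field. Deliberately harmless.
UNTRUSTED_NAME = '<script>alert("xss")</script>'


def render_greeting_vulnerable(name: str) -> str:
    """Builds HTML by string concatenation with no output encoding.

    Whatever the user typed is emitted verbatim into the page body, so a
    browser-side script in the input runs in every viewer's browser.
    """
    return "<p>Welcome back, " + name + "</p>"


def render_greeting_hardened(name: str) -> str:
    """Same page, but the untrusted value is entity-encoded for the HTML body
    context before it is placed in the markup. quote=True also encodes
    quote characters, so the same call is safe inside attribute values.
    """
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


def render_profile_link_hardened(display_name: str, user_id: str) -> str:
    """Different context, different encoder: a value placed inside a URL is
    percent-encoded first, and the finished URL is then HTML-encoded as an
    attribute; the link text is HTML-encoded on its own.
    """
    href = "/profile?id=" + quote(user_id, safe="")
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(display_name, quote=True),
    )


def contains_active_markup(rendered: str) -> bool:
    """Crude check used to compare the two renderers: did a <script> tag
    survive as live markup?"""
    return "<script" in rendered.lower()


def security_headers() -> dict:
    """Defence-in-depth response headers (assumed baseline, not a policy
    from the report). The CSP forbids inline scripts, so an injected script
    does not execute even if an encoding step is missed; HttpOnly keeps the
    session cookie out of reach of page scripts.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": "session=<placeholder>; Secure; HttpOnly; SameSite=Lax",
    }


if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(UNTRUSTED_NAME))
    print("hardened:  ", render_greeting_hardened(UNTRUSTED_NAME))
    print("link:      ", render_profile_link_hardened("Bob", 'x" onmouseover="alert(1)'))
```

The point of the third renderer is that "escape the input" is not one operation: the encoder has to match the output context (HTML body, attribute, URL, JavaScript string), and a templating engine that auto-escapes for the body context does not by itself make a URL or an inline script safe.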
The next most common external application layer vulnerabilities centered on username and password handling. The mishandling of application authentication included insecure transmission of authentication details, weak passwords, and problems with the target websites that would enable hackers to brute-force application authentication.
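The three authentication problems named above (credentials sent in the clear, weak passwords, and logins that can be brute-forced without limit) are each addressed by a few lines of server-side logic. The following Python is an added example written for this page, not High Bit Security's code or any client's; the `LoginGuard` class, the thresholds, the single placeholder account and the tiny password denylist are all constructed. It refuses credentials that did not arrive over HTTPS, stores only a salted PBKDF2 hash, compares in constant time, and locks an account after repeated failures.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long a locked account stays locked
# Constructed, deliberately tiny denylist; a real one is a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "welcome1", "qwerty"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_is_weak(password: str) -> bool:
    """Minimal policy: a length floor plus a denylist. Tune to your own baseline."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


# Constructed user store with one placeholder account (hypothetical credentials).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
# Dummy salt so a lookup of an unknown username costs the same time as a real one.
_DUMMY_SALT = os.urandom(16)


class ManualClock:
    """Injectable clock so lockout expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    """Tracks failed logins per account and refuses credentials sent in the clear."""

    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[username]     # lockout expired; start fresh
            self.failures[username] = 0
            return False
        return True

    def attempt(self, username: str, password: str, scheme: str = "https") -> str:
        """Returns 'insecure_transport', 'locked', 'ok' or 'denied'."""
        if scheme != "https":
            # Reject before touching the password: never process credentials from plain HTTP.
            return "insecure_transport"
        if self.is_locked(username):
            return "locked"
        salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
        candidate = hash_password(password, salt)   # always computed, known user or not
        if stored and hmac.compare_digest(candidate, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
        return "denied"
```

A per-account lockout stops online guessing against one user but can be abused to lock legitimate users out, so production deployments usually pair it with per-source rate limiting and a CAPTCHA or step-up challenge rather than a hard lock alone; the transport check belongs at the edge (HSTS and a redirect) as well as in the handler.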
External Network Layer Penetration Testing Findings:
External network layer vulnerabilities centered on hosts with a wide variety of missing patches, or hosts configured in an insecure manner. These vulnerabilities ranged from unpatched device firmware to missing software and operating system patches, and covered a wide range of devices on the customer target networks. Insecure configurations were identified in all manner of externally facing devices, including firewalls and servers.
Many web servers were offering weak encryption ciphers, another significant network layer vulnerability. Applications depend on the configuration of the application server to allow communication only in a secure manner. This finding is disturbing because a misconfigured application server may allow communication that appears to the user to be transmitted securely (HTTPS appears in the URL) when in reality the communication may not even use basic encryption. The fact that this is even possible surprises virtually everyone exposed to this vulnerability for the first time.
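The situation described above is produced by the server's cipher suite list rather than by the certificate: if the server accepts a suite whose encryption algorithm is NULL, the TLS handshake completes, the browser shows https://, and the application data crosses the wire unencrypted; export-grade, DES, RC4 and MD5-based suites are the next rung down. The Python below is an added example, not High Bit Security's tooling or any scanner output from the report; the classification rules and the sample cipher list are constructed. It classifies suite names the way a hardening review would, and builds a server `ssl.SSLContext` whose offered suites all pass that check.

```python
import re
import ssl

# Suite-name fragments that disqualify a cipher outright: NULL gives no
# confidentiality at all, EXP/EXPORT are deliberately weakened, DES (including
# 3DES, named DES-CBC3 by OpenSSL), RC4 and MD5 are broken, ADH/AECDH have no
# authentication. Assumed rule set for this example.
WEAK_PATTERNS = re.compile(r"(^|-)(NULL|EXP|EXPORT|DES|RC4|MD5|ADH|AECDH)(-|$)")


def classify_cipher(name: str) -> str:
    """'weak' for suites that must never be offered, 'no_pfs' for suites that
    encrypt but use static RSA key exchange (no forward secrecy), else 'ok'.
    TLS 1.3 suites (TLS_...) always use an ephemeral exchange."""
    if WEAK_PATTERNS.search(name):
        return "weak"
    if not (name.startswith("ECDHE-") or name.startswith("DHE-") or name.startswith("TLS_")):
        return "no_pfs"
    return "ok"


def audit_cipher_list(names) -> dict:
    """Groups suite names by verdict, preserving the order they were offered in."""
    report = {"weak": [], "no_pfs": [], "ok": []}
    for name in names:
        report[classify_cipher(name)].append(name)
    return report


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that offers only AEAD suites with forward secrecy
    and refuses anything below TLS 1.2. The cipher string is an assumed
    baseline; check it against your own compatibility requirements."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


# Constructed list standing in for what a weakly configured server might offer.
SAMPLE_SERVER_OFFER = [
    "NULL-MD5",
    "EXP-RC4-MD5",
    "DES-CBC-SHA",
    "RC4-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    print("sample offer:", audit_cipher_list(SAMPLE_SERVER_OFFER))
    offered = [c["name"] for c in hardened_server_context().get_ciphers()]
    print("hardened context offers:", audit_cipher_list(offered))
```

The same classifier can be pointed at the output of an external scan of a server's supported suites; the check that matters for the finding in the text is that the "weak" bucket is empty, and the "no_pfs" bucket is the next thing to clear.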
Internal Penetration Testing Findings - Executive Summary:
Many security engagements focus exclusively on the external boundaries of the network. Thus it was not surprising that the volume of INTERNAL vulnerabilities was 40% higher than the findings on the external engagements. This underscores the importance of internal penetration testing. Leaving well-known vulnerabilities on internal systems means that when a hacker gains access to the internal network, their job is made that much easier.
Internal Network Layer Penetration Testing Findings:
Internal networks were most commonly afflicted by network administrators leaving default authentication mechanisms in place and administrative interfaces open; these could be leveraged to expose additional vulnerabilities and provide paths to sensitive data that could then be extracted from the internal systems. Many target environments allowed outbound connections on any port and to any system. Because the traffic originates on the internal network, it is considered "trusted". This effectively means that a hacker who gains access to an internal network can exploit vulnerabilities, gather sensitive information, load back doors to return to the environment more easily, and export sensitive information.
Similar to the results of the external penetration testing engagements, internal penetration testing findings also included weak cipher suites supported on internal servers and a wide variety of patching issues with software and with firmware on hardware.
About High Bit Security:
High Bit Security is a national security services provider, providing penetration testing solutions to clients who need to protect sensitive data in industries such as Healthcare, Credit Card and Financial, or to companies that otherwise store Intellectual Property or Personally Identifiable Information. High Bit Security also provides security consulting services to assist clients with their compliance objectives across PCI-DSS and SSAE-16, or to clients who simply wish to perform a security best practices audit of their organization.
Contact High Bit Security today for a free consultation to take steps toward protecting your sensitive information.