2FA? We've heard of it: White hats weirded out by lack of account security in enterprise
Plus: Appetite for internal pen-testing appears to be growing
Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid 7 has found.
These were only the most glaring weaknesses that emerged from 268 real-world penetration tests carried out by its security staff since 2017 for the report "Under The Hoodie" (PDF).
Of this, only 15 per cent of networks had enabled 2FA, leaving 34 per cent where it was impossible to detect and a remaining 50 per cent where it was not present.
The even more basic practice of setting an account lockout – restricting incorrect password attempts to deter or slow brute-force attacks – was missing on almost one in five networks tested by Rapid 7.
In a further 16 per cent of cases, lockout only added time to the tester's attempted compromise. They were only completely locked out and detected in 7 per cent of occasions.
Pen-testers are, of course, experts at avoiding being locked out, but so are a lot of cybercriminals. This is the whole point of pen-testing – to simulate a compromise from the attacker's point of view.
The strangest omission, however, was still the failure to implement 2FA. "While 2FA continues to grow in popularity, it is still rare to find it in the field," the authors noted.
One company that does use multi-factor authentication internally is Google, which this week told security blogger Brian Krebs that there had been "no reported or confirmed account takeovers since implementing security keys at Google".
Unless a weakness is found in the way the technology has been implemented, an attacker needs to have physical access to keys as well as password and username.
And network credentials are not well protected, it seems, as testers were able to get their hands on these more than half of the time. During internal network tests, this rose to 86 per cent.
The number of ways testers were able to do this was dizzying: ranging from guessing default passwords, scraping compromised ones from the internet and social engineering.
Other findings included that 84 per cent of networks were vulnerable to software and hardware vulnerabilities to some extent, with 96 per cent affected by at least one vulnerability on internal tests.
A small encouragement here was that attackers wouldn't have been able to make much of these without manual skills – automated tools and canned exploits only got the pen-testers so far. Nevertheless, in two-thirds of pen-tests, Rapid 7's mavens gained complete admin access to the target networks.
The growth in internal pen-testing is a noticeable theme. Most tests were still traditional external tests but 32 per cent were purely internal, a significant rise on the previous analysis in 2016.
"This uptick in internal assessments is an indicator that organizations are, in general, taking a more holistic approach to their network security and are more likely to assess both their internal and external attack surfaces."
This makes sense: once an attacker has breached the network's perimeter, they see the network in the same way someone on the inside would. ®