Every year we work with stacks of companies providing Penetration Testing and Security Services. We love working with our clients to help them improve their security stance and reap the benefits of increased security in an ever increasing insecure world.
With the year now rapping up, I thought it would be a good opportunity to share with you some common findings we have continued to see over our engagements this year, and where organisations should be placing an emphasis.
Passwords and MFA (Multi-Factor Authentication)
In 2015 we finally saw a shift away from the word ‘password’ or any variants, in our password audits. Passwords that continue to be prevalent include the company name and a year or date, for example, company2015, or company15 and any specific roles of the company for example a manufacturing company may have passwords of manufacturing15, welding1, etc. Don’t forget AFL teams, us Aussies love our football, and users continued to use teams and years in their passwords, like Bombers16!
Even today we still came across environments not running password Complexity Requirements for their AD domains… Although these requirements are limited it will at a minimum impose 8 character limits and some levels of complexity, so if you are not using this configuration, it’s time you adopt.
The majority of environments we assessed were not utilising multi-factor authentication (mfa). Mfa is a great solution to prevent attacks against weak passwords. We were able to leverage weak credentials in multiple environments to gain our initial entry point. All organisations should be implementing mfa for their perimeter services at a minimum, i’m talking your OWA, Xenapp, vpn’s etc. A great solution is Duo Security, but there are a ton of other products as well like google Authenticator, RSA, etc.
End-User Awareness and phishing attacks
We performed countless social engineering assessments via phishing campaigns and targetted phishing attacks this year. This continues to be one of our main entry points into organisations. In the majority of our campaigns we received a 30% or higher hit rate, and the majority of the responses were received anywhere from <1 min to 1 hour, so very fast responses indeed.
There is a direct correlation between social engineering/phishing attacks and awareness training. The majority of the organisations with large hit rates and fast responses did not have any sort of awareness training / program in place. Awareness training is an absolute must for all businesses, and this should be performed regularly and as part of on-boarding for new starters. Of the organisations we provided awareness training to, we saw a huge drop in hit rates for phishing attacks after a scheduled awareness training program had been employed.