Simulated Attacks Reveal How Easily Corporate Networks Fall Prey to Hackers
Cyber attacks have become an issue of growing concern for institutions across a variety of industries. With so much of everyday life conducted online, it’s no wonder a new breed of hackers is intent on stealing information. How can you be sure your business is protected?
In 2018, a number of high-profile companies have already experienced data breaches. Now they are left to deal with the repercussions of a dip in consumer trust, along with penalties, fines and perhaps even lawsuits.
The Meltdown, Spectre, Heartbleed, and ShellShock cyber breaches in recent years have proven that there is no one-size-fits-all solution to this growing problem. The time for businesses to act is now. Man-in-the-middle attacks, distributed denial of service attacks, and session cookie tampering all played a role in these data breaches, leading to the conclusion that businesses must do more to prepare themselves against a range of attacks.
According to CSO, cybercrime damage is expected to cost over $6 trillion annually by the year 2021. Software firm Rapid7, intent on cracking down on cyber attacks, conducted hundreds of penetration tests over the past 10 months to determine how well networks can combat cyber threats. The study, named “Under the Hoodie 2018,” is filled with interesting data that sheds light on some of the most common cyber targets and what businesses can do to arm themselves.
What Is A Penetration Test?
A penetration test, or pentest, is a simulated cyber attack conducted to determine exploitable vulnerabilities in any given computer system. Pen tests can involve the attempted breach of a variety of application systems, including APIs, front and backend servers, and others. These tests are designed to uncover network vulnerabilities that may make a company susceptible to breaches.
Studies of this nature are vital for pinpointing which types of network misconfiguration give hackers access, and how user credentials are being used. The insights provided by pen tests can help businesses create a plan of action against attacks, allowing them to fine-tune their security policies and fix vulnerabilities before they’re impacted.
What Are The Stages Of Pen Testing?
Pen testing is typically divided into five stages. The first involves planning and reconnaissance, which means defining the goals of a test and clearly outlining the systems and testing methods that will be addressed. Gathering data is another important part of this stage, as it allows the test conductors to more clearly understand a target and the potential vulnerabilities to be encountered.
The second stage involves scanning and static analysis, which means inspecting an application’s code to determine its behaviors. Dynamic analysis, also part of the second stage, involves inspecting this code in a running state, offering a real-time view into its performance.
A pen test’s third phase most often includes gaining access to a network by way of web application attacks to uncover a specific target’s vulnerabilities. It is then the duty of the tester to attempt to exploit these by escalating privileges, intercepting traffic, stealing data, or doing other damage.
Maintaining access, the fourth stage of a pen test, involves determining how a specific vulnerability can be used to present a persistent threat. Often, persistent threats are used to steal sensitive data from an organization over a period of months.
Finally comes the analysis of collected data. The tester will compile a report that details which specific vulnerabilities were exploited, what type of data was accessed, and the amount of time the tester was able to maintain access to the system while remaining undetected. All of this information combined paints a clear picture of what a business can do to protect itself against similar attacks in the future.
What Were The Results?
Rapid7 conducted more than 268 pen tests across a wide range of industries, 251 of which involved live production networks likely to hold real and confidential data. Of these 268 tests, 59% of the simulated hackers attacked from outside the target network, which would most likely be the case for the majority of today’s businesses.
The study helped gather a world of insight into the everyday user’s online security habits, or lack thereof. One interesting finding concerned password patterns: the majority of users choose passwords of the minimum required length and tend to put numbers at the end of the password.
The most common password used? “Password1.” According to a popular password hacking website, it would take hackers .29 milliseconds to crack this password.
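As an added example (not from the Rapid7 report or this article's author), the sketch below checks candidate passwords at set time for the patterns described above: minimum-length choices and digits appended to a word. The 8-character minimum, the small deny-list and the sample passwords are constructed assumptions.

```python
import re
from collections import Counter

MIN_LENGTH = 8  # assumed policy minimum; replace with your own
# Constructed deny-list; in practice load a breached-password list.
COMMON = {"password1", "welcome1", "summer2018", "qwerty123"}
# A non-digit prefix followed by one or more digits running to the end.
TRAILING_DIGITS = re.compile(r"^(?P<base>.*?[^\d])(?P<digits>\d+)$")


def weaknesses(password, min_length=MIN_LENGTH):
    """Return the predictable patterns found in one candidate password."""
    found = []
    if password.lower() in COMMON:
        found.append("common")
    if len(password) < min_length:
        found.append("too_short")
    elif len(password) == min_length:
        found.append("minimum_length")
    match = TRAILING_DIGITS.match(password)
    if match:
        found.append("trailing_digits")
        base = match.group("base")
        # A capitalised word plus digits passes "upper, lower, digit"
        # complexity rules while staying easy to guess.
        if base.isalpha() and base[0].isupper() and base[1:].islower():
            found.append("word_plus_digits")
    return found


def summarize(passwords, min_length=MIN_LENGTH):
    """Count how often each pattern appears across a batch of candidates."""
    counts = Counter()
    for pw in passwords:
        counts.update(weaknesses(pw, min_length))
    return dict(counts)


# Constructed sample input, not real credentials.
SAMPLE = ["Password1", "Summer2018", "correct horse battery staple",
          "tr0ub4dor&3x", "Welcome1"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {weaknesses(pw) or 'no pattern flagged'}")
    print(summarize(SAMPLE))
```

Run such a check when a password is chosen or changed, since only hashes should exist afterwards; an empty result means none of these patterns matched, not that the password is strong.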
Overall, the study concluded that Rapid7 testers exploited at least one in-production vulnerability in nearly 85% of all engagements. For internally-based penetration tests in which the pen tester had local network access, that number rose to 96%. This means that success rates are significantly higher for penetration testers when they have access to internal LANs or WLANs.
This type of information is imperative in giving businesses a leg up in preparing their defense against cyber attacks.