If you're wondering whether your organization's practices and procedures have left it open to a cyber-attack, there is a more than 98% chance the answer is yes.
RSM, a Top Five Firm, analyzed the results of over 500 penetration tests for its middle- and upper-market clients between 2021 and 2023, and found that only 1.6% of them had no vulnerabilities at all, and the average organization had around eight. Major vulnerabilities were found in one-third of tests, with only 16.54% not having at least one high or critical-level issue.
However, despite the wide variety of clients RSM professionals assessed, the firm said the majority of security issues came from four places: poor digital identity management; poor network configuration and network architecture; missing critical software patches; and human error.
In terms of digital identity management, the study found 19.5% of organizations had at least one vulnerability in this area. Of those, about half had at least one critical vulnerability. One of the more common issues in this area is excessive account privileges where, for example, domain users have local administrator rights on their workstations, an organization has a larger number of administrators than is necessary, or too many computers have administrative control over other systems. This greatly increases an organization's "attack surface," since there are many more places an attacker could compromise to gain access. Researchers also identified default passwords left in place on systems, the same password reused across multiple logins, and weak password policies overall.
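The local-administrator finding above is one an organization can check for itself. The script below is an added example, not code from RSM or from the report: it parses the text that `net localgroup Administrators` prints on a Windows host (the sample output, the `CORP` domain, the host names and the account names are all constructed for the example) and flags workstations where a domain principal outside an approved set of groups holds local admin rights, where `Domain Users` itself is a member (every domain user becomes a local administrator), or where the group is simply larger than the organization's agreed limit.

```python
import re
from typing import Dict, Iterable, List

# Hypothetical domain, constructed for this example.
DOMAIN = "CORP"

# Groups that are expected to hold local administrator rights on a workstation.
APPROVED_GROUPS = {f"{DOMAIN}\\Domain Admins", f"{DOMAIN}\\Workstation Admins"}


def net_localgroup_output(members: Iterable[str]) -> str:
    """Build text in the shape `net localgroup Administrators` prints (constructed sample)."""
    body = "\n".join(members)
    return (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
        "\n"
        "Members\n"
        "\n"
        "-------------------------------------------------------------------------------\n"
        f"{body}\n"
        "The command completed successfully.\n"
    )


# Constructed output as it might be collected from three workstations (hypothetical hosts/accounts).
SAMPLE_OUTPUT: Dict[str, str] = {
    "WS-FIN-01": net_localgroup_output(
        ["Administrator", f"{DOMAIN}\\Domain Admins", f"{DOMAIN}\\Workstation Admins"]),
    "WS-FIN-02": net_localgroup_output(
        ["Administrator", f"{DOMAIN}\\Domain Admins", f"{DOMAIN}\\jsmith", f"{DOMAIN}\\Helpdesk"]),
    "WS-HR-07": net_localgroup_output(
        ["Administrator", f"{DOMAIN}\\Domain Admins", f"{DOMAIN}\\Domain Users"]),
}


def parse_members(output: str) -> List[str]:
    """Return the member names listed after the dashed separator line."""
    members: List[str] = []
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def find_excessive_admins(outputs: Dict[str, str], approved: set, domain: str = DOMAIN,
                          max_members: int = 3) -> Dict[str, List[str]]:
    """Flag hosts where local admin rights exceed what the approved groups grant."""
    findings: Dict[str, List[str]] = {}
    prefix = domain.upper() + "\\"
    for host, text in outputs.items():
        members = parse_members(text)
        issues: List[str] = []
        for m in members:
            # Local accounts and approved domain groups are not findings here.
            if not m.upper().startswith(prefix) or m in approved:
                continue
            _, name = m.split("\\", 1)
            if name.lower() == "domain users":
                issues.append(f"{m}: makes every domain user a local administrator")
            else:
                issues.append(f"{m}: domain principal outside the approved groups")
        if len(members) > max_members:
            issues.append(f"{len(members)} members exceeds the limit of {max_members}")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in find_excessive_admins(SAMPLE_OUTPUT, APPROVED_GROUPS).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

In practice the per-host text would come from a remote collection job or an endpoint agent rather than the constructed dictionary, and the approved set would be taken from the organization's privilege-management policy; the parsing and the checks stay the same.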
"A strong digital identity program can also help mitigate and prevent many common access control vulnerabilities," said the report. "This program should include maintaining detailed policies and procedures, performing regular access reviews and implementing mechanisms for multifactor authentication and privilege management."
Regarding missing software patches, RSM said 51% of the internal penetration tests included in its analysis had at least one patch management vulnerability. Just over 40% had two or more distinct vulnerabilities in this category, with some having as many as seven or eight. Patch management deficiencies, in fact, continue to be one of the most consistent and exploited vectors for cyberattacks: systems with missing patches are low-hanging fruit for attackers, making them more likely to be attacked and potentially compromised. Because Microsoft is so common in the business environment, vulnerabilities related to its products are especially relevant, particularly patches that address remote code execution.
For example, in April 2023, an elevation-of-privilege vulnerability was discovered in Microsoft's MSMQ service. This vulnerability allows an uncredentialed user to bypass the authentication process entirely by sending a malicious MSMQ packet to the server running the MSMQ service. Once the bypass is complete, an attacker can execute arbitrary code or commands on the remote system, typically resulting in taking control of the system and launching further attacks.
Third-party patches are also important, since they can affect remote access software, IT management software, monitoring platforms and other important tools used throughout a network. Penetration testers were able to exploit missing third-party patches to gain access to sensitive systems, retrieve sensitive data or network information from those systems, or make unauthorized modifications to the systems.
"Robust, consistent and repeatable patch management processes are a fundamental component of an effective cybersecurity strategy. Applying critical missing patches is an essential way to harden systems. Applying patches in a timely manner helps protect systems against unauthorized access, thus helping secure the data that lives in those systems and the processes that rely on those systems," said the report.
On this point, the report also noted that many companies are using software that is no longer supported by the vendor and so has not received current security patches. Of the internal penetration tests included in RSM's analysis, 40.9% had at least one unsupported technology vulnerability. A little under one-fifth (18.1%) had two or more such vulnerabilities. Windows 2000 SP4, Windows XP, Windows 7, Windows 2008 R2 and unsupported web servers such as IIS and Apache were common unsupported platforms found in the research. Organizations, therefore, should develop a schedule for decommissioning unsupported systems based on the risk and criticality of the affected systems. Strong asset management procedures and an up-to-date asset inventory would help organizations identify and track systems nearing end of life.
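The decommissioning schedule the report recommends can be derived directly from an asset inventory. The following is an added example, not RSM's code: it joins a constructed inventory (hypothetical host names and owner-assigned criticality ratings) against a table of vendor end-of-support dates, marks each asset as unsupported or approaching end of support, and orders the result so the most critical out-of-support systems come first. The Windows entries use Microsoft's published end-of-extended-support dates; `Example LOB Server 4` and its date are invented to exercise the "approaching" case. The table is the piece to verify against the vendor lifecycle pages before using it for planning.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Asset:
    hostname: str
    product: str      # OS or server product as recorded in the inventory
    criticality: int  # 1 (low) .. 5 (business critical), set by the asset owner


@dataclass
class ScheduleEntry:
    hostname: str
    product: str
    criticality: int
    days_past_eos: int  # negative while support is still in effect
    status: str         # "unsupported" or "approaching"


# Vendor end-of-extended-support dates for the platforms named in the findings
# (Microsoft's published dates; confirm against the vendor lifecycle pages).
# "Example LOB Server 4" is a hypothetical product added to exercise the approaching case.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Example LOB Server 4": date(2024, 9, 30),
}

# Constructed inventory; host names and ratings are illustrative.
SAMPLE_ASSETS: List[Asset] = [
    Asset("DC-LEGACY", "Windows Server 2008 R2", 5),
    Asset("KIOSK-03", "Windows 7", 3),
    Asset("WS-RECEPTION", "Windows XP", 1),
    Asset("APP-CRM", "Windows Server 2019", 4),   # not in the table: stays off the schedule
    Asset("LOB-APP", "Example LOB Server 4", 4),
]
AS_OF = date(2024, 6, 1)  # the date the schedule is being drawn up (constructed)


def build_decommission_schedule(assets: List[Asset], eos_table: Dict[str, date],
                                as_of: date, warn_days: int = 180) -> List[ScheduleEntry]:
    """Order unsupported (and soon-unsupported) assets by criticality for decommissioning."""
    schedule: List[ScheduleEntry] = []
    for a in assets:
        eos = eos_table.get(a.product)
        if eos is None:
            continue  # product not in the end-of-support table: treated as supported here
        delta = (as_of - eos).days
        if delta >= 0:
            status = "unsupported"
        elif -delta <= warn_days:
            status = "approaching"
        else:
            continue
        schedule.append(ScheduleEntry(a.hostname, a.product, a.criticality, delta, status))
    # Already-unsupported systems first, then by criticality, then by time out of support.
    schedule.sort(key=lambda e: (e.status != "unsupported", -e.criticality, -e.days_past_eos))
    return schedule


def unsupported_share(assets: List[Asset], eos_table: Dict[str, date], as_of: date) -> float:
    """Fraction of inventoried assets running a product that is past its end of support."""
    unsupported = sum(1 for a in assets
                      if a.product in eos_table and (as_of - eos_table[a.product]).days >= 0)
    return unsupported / len(assets) if assets else 0.0


if __name__ == "__main__":
    for e in build_decommission_schedule(SAMPLE_ASSETS, END_OF_SUPPORT, AS_OF):
        print(f"{e.status:<12} {e.hostname:<14} {e.product:<24} crit={e.criticality} "
              f"days_past_eos={e.days_past_eos}")
    print(f"unsupported share: {unsupported_share(SAMPLE_ASSETS, END_OF_SUPPORT, AS_OF):.1%}")
```

The sort key puts a low-criticality Windows XP machine below a business-critical 2008 R2 server even though XP has been out of support longer, which is the risk-and-criticality ordering the report asks for; the share function gives the same kind of figure the report quotes (40.9% of tests) for an organization's own estate.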
Network misconfigurations, meanwhile, were among the leading root causes of vulnerabilities identified within an organization's network. Of the internal penetration tests included in RSM's analysis, 97.7% yielded at least one configuration management vulnerability. Of that number, 68.4% had five or more vulnerabilities. The report singled out excessive network permissions, insecure network communication protocols and a flat network architecture that "allows users comprehensive access across the network once they breach the internal perimeter, enabling them to move laterally between systems with ease." The report said organizations need to follow the principle of least privilege when creating user accounts or applying user permissions (under which users are provided with only the minimum degree of access necessary to perform their job duties and are granted no additional access to applications or data), establish minimum security baselines, and establish network segmentation and microsegmentation.
Finally, there is plain old human error, particularly when it comes to not even being aware there is a security vulnerability. RSM found 34.6% of penetration tests yielded at least one user awareness vulnerability. Out of that number, nearly a quarter of them (23.8%) had two or three vulnerabilities. In addition, 13.7% included at least one critical-rated vulnerability. Most commonly, this was linked to weak passwords, passwords being re-used among multiple accounts, and insecure storage of sensitive information.
"Our top recommendation for reducing user awareness vulnerabilities is a robust security awareness and training program. An effective security awareness program will leverage an organization's current governance model, internal tools and processes to drive employee security awareness to a more mature state," said the report.
Overall, the report noted that attackers tend to follow the path of least resistance. Cultivating a robust cybersecurity program, which includes strong security practices related to digital identity, configuration management, vulnerability and asset management, architecture and user awareness and training, can go a long way toward discouraging an attack or mitigating the worst impacts when one happens.