we analyzed the security of the infrastructure of financial organizations. For the public report, 18 projects were selected (8 external and 10 internal penetration tests), performed for organizations in the credit and financial sector, in which the customers did not impose significant restrictions on the list of networks and systems to be tested.
Positive Technologies experts rated the overall level of protection of the network perimeter and corporate infrastructure of the financial institutions studied as low (and in some cases extremely low). In particular, an attacker could penetrate the internal network from the Internet in 7 of the 8 organizations tested externally.
Key Findings of the Study
On average, an attacker needs five days to penetrate a bank's internal network from the Internet. The overall level of perimeter protection was rated as extremely low in six of the tested organizations. The largest share of successful attack vectors (44%) relied on exploiting vulnerabilities in web applications.
Outdated software on the network perimeter remains a serious problem: in every other bank, at least one attack using a well-known public exploit succeeded. In addition, six zero-day vulnerabilities were identified and successfully exploited during five of the pentests. One of them was CVE-2019-19781, discovered by Positive Technologies experts in Citrix Application Delivery Controller (ADC) and Citrix Gateway, which lets an unauthenticated attacker execute arbitrary commands on the device and, from there, penetrate the company's local network from the Internet.
If an attacker has already gained access to the internal network, it takes on average two days to gain full control over the infrastructure. Experts rated the overall level of protection of financial companies against this type of attack as extremely low. In particular, in 8 out of 10 banks the anti-virus software installed on workstations and servers did not prevent the launch of specialized utilities such as secretsdump (the Impacket tool that dumps credential material from the SAM, LSA secrets and NTDS). Known vulnerabilities that give full control over Windows hosts were also found; some of them were addressed years ago in security bulletins such as MS17-010 (the SMBv1 flaw used in the WannaCry attack) and even MS08-067, which dates from 2008.
In every organization where an internal pentest was conducted, the testers obtained maximum privileges in the corporate infrastructure. The largest number of attack vectors found in a single company was five. In a number of projects the goals included access to the ATM network, to card-processing servers (with a demonstration that funds could be stolen), to top-management workstations, and to the anti-virus management consoles. In every case, reaching these goals was demonstrated to the customer.
In one case, the pentest uncovered traces of an earlier compromise: the bank had not only been attacked by a real adversary but had also failed to detect the attack in time.
Given these facts and the overall low level of security, we recommend regular penetration testing and training of information security (IS) staff through red teaming exercises. This makes it possible to find and promptly eliminate potential attack vectors against critical resources, rehearse the IS team's response to a real cyberattack, and improve the effectiveness of the protection and monitoring tools in use.
Professional attackers have learned to carefully hide their presence in the infrastructure of compromised companies. Often their activity can be detected only through in-depth analysis of network traffic, with protocol analysis down to the application layer (L7). This is the problem that network traffic analysis (NTA) systems are built to solve.
In 2019, we analyzed network traffic in 36 large companies using the PT Network Attack Discovery NTA system. In almost all of them, suspicious traffic, cleartext passwords and malicious activity were observed.
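As an added illustration of the kind of application-layer inspection described above (example code written for this page, not code from PT Network Attack Discovery or from the report), the following Python script walks a handful of constructed client-to-server TCP payloads and flags credentials sent in the clear: HTTP Basic authentication, HTTP form logins and FTP USER/PASS pairs. Protocols are recognized by content rather than by port, which is exactly what L7 analysis adds over port-based filtering. The flow tuples, hosts, IP addresses and credentials are all made up for the example.

```python
"""Application-layer (L7) inspection of reassembled TCP payloads for
cleartext credentials.  Added example for this page; not code from the report
or from PT Network Attack Discovery.  All flows below are constructed."""
import base64
import re
import urllib.parse
from typing import Dict, List, Tuple

# (client_ip, server_ip, server_port, reassembled client->server payload)
Flow = Tuple[str, str, int, bytes]
Finding = Dict[str, str]

HTTP_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
USER_FIELDS = ("username", "user", "login", "email")

# Constructed sample flows (hypothetical hosts and credentials, not a real capture).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.5.17", "10.0.1.20", 80,
     b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic YWRtaW46UEBzc3cwcmQh\r\n\r\n"),
    ("10.0.5.23", "10.0.1.31", 21,
     b"USER backup\r\nPASS Winter2019\r\nPWD\r\n"),
    ("10.0.5.40", "10.0.1.20", 80,
     b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
     b"username=jdoe&password=Qwerty1"),
    # TLS ClientHello fragment: opaque to the parsers, so nothing is flagged.
    ("10.0.5.41", "10.0.1.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def _http_findings(payload: bytes) -> List[Finding]:
    """Extract Basic-auth and form-login credentials from one HTTP request."""
    text = payload.decode("latin-1")            # byte-preserving, never raises
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not HTTP_REQUEST_LINE.match(lines[0]):
        return []                               # not HTTP, whatever the port says
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings: List[Finding] = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:                                    # binascii.Error is a ValueError subclass
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            user, _, secret = decoded.partition(":")
            findings.append({"protocol": "http", "kind": "basic-auth",
                             "user": user, "secret": secret})
        except ValueError:
            pass                                # malformed token: not a credential
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = {k.lower(): v[0] for k, v in urllib.parse.parse_qs(body).items()}
        user = next((fields[u] for u in USER_FIELDS if u in fields), "")
        for key in PASSWORD_FIELDS:
            if key in fields:
                findings.append({"protocol": "http", "kind": "form-field",
                                 "user": user, "secret": fields[key]})
    return findings


def _ftp_findings(payload: bytes) -> List[Finding]:
    """Pair FTP USER and PASS commands seen on the control channel."""
    findings: List[Finding] = []
    user = ""
    for line in payload.decode("latin-1").split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS":
            findings.append({"protocol": "ftp", "kind": "login", "user": user, "secret": arg})
    return findings


def find_cleartext_credentials(flows: List[Flow]) -> List[Finding]:
    """Run every parser over every flow; the protocol is identified by content, not port."""
    results: List[Finding] = []
    for src, dst, port, payload in flows:
        for hit in _http_findings(payload) + _ftp_findings(payload):
            hit.update({"src": src, "dst": dst, "port": str(port)})
            results.append(hit)
    return results


def servers_accepting_cleartext(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Deduplicate findings into the (server, port, protocol) triples to remediate."""
    return sorted({(f["dst"], f["port"], f["protocol"]) for f in findings})


if __name__ == "__main__":
    hits = find_cleartext_credentials(SAMPLE_FLOWS)
    for h in hits:                              # report the account, never the secret itself
        print(f'{h["src"]} -> {h["dst"]}:{h["port"]} {h["protocol"]}/{h["kind"]} '
              f'user={h["user"]!r} secret=<{len(h["secret"])} chars>')
    print("servers to fix:", servers_accepting_cleartext(hits))
```

A real NTA system reassembles the streams from raw packets and covers many more protocols (SMB, LDAP, database and mail protocols, and so on); the point here is that the decision is taken on the decoded application data, so an HTTP login on port 8443 or an FTP server on a non-standard port is still caught, while the TLS flow on port 443 is correctly left alone. The script prints only the length of each recovered secret so that the detection log does not itself become a credential store.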
On Thursday, February 27 at 14:00, Positive Technologies analyst Yana Avezova will present the results of the study in a free webinar entitled “Top IS Threats in Corporate Networks in 2019”, covering the six most common IS threats in corporate networks and the five most frequently detected types of malware. You will learn which kinds of network activity are considered suspicious and why, and why poor network hygiene is dangerous.
Participation in the webinar is free, but registration is required.