If you’re wondering whether your organization’s practices and procedures leave it vulnerable to cyberattacks, there’s a 98%+ chance the answer is yes.
Top 5 firm RSM analyzed the results of over 500 penetration tests across mid-market and publicly listed clients from 2021 to 2023 and found that only 1.6% had zero vulnerabilities, while the average organization had around eight vulnerabilities. Critical vulnerabilities were found in one-third of tests, and only 16.54% had zero high- or critical-level issues.
But despite the wide variety of clients evaluated by RSM’s experts, the company said the majority of security issues stem from four things: poor digital identity management, poor network configuration and network architecture, missing critical software patches, and human error.
When it comes to digital identity management, the study found that 19.5% of organizations had at least one vulnerability in this area. Of those, roughly half had at least one critical vulnerability. One common issue in this area is excessive account privileges: for example, domain users having local administrator rights on their workstations, an organization having more administrators than necessary, or too many computers having administrative control over other systems. This significantly increases an organization’s “attack surface” by providing far more areas that an attacker can penetrate and gain access to. Researchers also identified people who kept default passwords on their systems, people who reused the same passwords across multiple logins, and overall weak password policies.
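The excessive-privilege patterns described above can be checked from an Active Directory domain with a short audit. The script below is an added example, not part of the RSM report; it assumes a workstation list (`$Workstations`), a policy threshold for the size of Domain Admins (`$MaxDomainAdmins`), WinRM access to the workstations, and the ActiveDirectory module on the machine running it.

```powershell
# Added example (not from the RSM report): flag local Administrators membership that grants
# broad domain groups or individual domain users admin rights on workstations, and report an
# oversized Domain Admins group. Names below are assumptions; replace them with your inventory.
$Workstations    = @('WS-01', 'WS-02')                              # assumption: your asset list
$BroadGroups     = @('Domain Users', 'Authenticated Users', 'Everyone')
$MaxDomainAdmins = 5                                                # assumption: policy threshold

$findings = foreach ($ws in $Workstations) {
    try {
        # Get-LocalGroupMember runs on the remote host; PrincipalSource tells local from AD principals.
        $members = Invoke-Command -ComputerName $ws -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "Could not query $ws : $_"
        continue
    }
    foreach ($m in $members) {
        $short = ($m.Name -split '\\')[-1]      # strip the DOMAIN\ prefix for comparison
        if ($BroadGroups -contains $short) {
            [pscustomobject]@{ Computer = $ws; Member = $m.Name; Issue = 'Broad domain group is local admin' }
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            [pscustomobject]@{ Computer = $ws; Member = $m.Name; Issue = 'Domain user account is local admin' }
        }
    }
}

# Count user accounts in Domain Admins, including nested group members.
$daCount = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             Where-Object { $_.objectClass -eq 'user' }).Count
if ($daCount -gt $MaxDomainAdmins) {
    $findings += [pscustomobject]@{ Computer = 'AD'; Member = "Domain Admins ($daCount users)"; Issue = 'More administrators than policy allows' }
}

$findings | Sort-Object Computer | Format-Table -AutoSize
```

Each finding maps to one of the report's excessive-privilege patterns, so the output doubles as a remediation worklist for an access review.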
“A strong digital identity program also helps mitigate and prevent many common access control vulnerabilities,” the report states. “The program should include maintaining detailed policies and procedures, performing regular access reviews, and implementing multi-factor authentication and privilege management mechanisms.”
Regarding missing software patches, RSM states that 51% of internal penetration tests included in the analysis had at least one patch management weakness. Just over 40% had two or more distinct weaknesses in this category, with some having seven or eight. In fact, patch management deficiencies are one of the most consistent and most exploited vectors for cyber attacks. Systems that are missing patches are easy targets for attackers, making them more likely to be attacked and compromised. Because Microsoft products are so common in business environments, vulnerabilities related to them are especially important, particularly patches that address remote code execution.
For example, in April 2023, a privilege escalation vulnerability was discovered in Microsoft’s MSMQ service. This vulnerability allowed unauthenticated users to completely bypass the authentication process by sending malicious MSMQ packets to a server running the MSMQ service. Once authentication was bypassed, an attacker could execute arbitrary code or commands on the remote system, typically allowing them to take control of the system and launch further attacks.
Third-party patches are important as well, because they affect remote access software, IT management software, monitoring platforms, and other critical tools used throughout your network. Penetration testers can exploit missing third-party patches to gain access to sensitive systems, obtain sensitive data or network information from those systems, or make unauthorized changes to them.
“A robust, consistent, and repeatable patch management process is a fundamental element of an effective cybersecurity strategy. Applying critical missing patches is an important way to harden systems. When applied in a timely manner, patches help protect systems from unauthorized access and help ensure the security of the data residing in those systems and the processes that rely on them,” the report states.
In this regard, the report also notes that many companies use software that is no longer supported by the vendor and does not receive the latest security patches. Of the internal penetration tests included in the RSM analysis, 40.9% had at least one unsupported technology vulnerability. Just under one in five (18.1%) had two or more vulnerabilities. Windows 2000 SP4, Windows XP, Windows 7, Windows 2008 R2, and unsupported web servers such as IIS and Apache were common unsupported platforms found in the study. Organizations should therefore develop a schedule for decommissioning unsupported systems based on the risk and criticality of the affected systems. Strong asset management procedures and an up-to-date asset inventory can help organizations identify and track systems that are nearing the end of their life.
Meanwhile, network misconfiguration was one of the main root causes of vulnerabilities identified within organizations’ networks. Of the internal penetration tests included in the RSM analysis, 97.7% found at least one configuration management vulnerability. Of those, 68.4% had five or more vulnerabilities. The report specifically cited excessive network privileges, insecure network communication protocols, and flat network architectures where “once a user breaches the internal perimeter, they have comprehensive access to the entire network and can easily move between systems.” The report states that organizations should follow the principle of least privilege when developing user accounts and applying user privileges (users are given only the minimum access necessary to perform their job duties and are not granted additional access to applications or data), establish minimum security baselines, and establish network segmentation and microsegmentation.
Finally, there’s good old human error: users not realizing that their habits create a security vulnerability. RSM found that 34.6% of penetration tests found at least one user-awareness vulnerability. Of those, nearly a quarter (23.8%) had two or three vulnerabilities. Additionally, 13.7% contained at least one critical-rated vulnerability. Most commonly, this was related to weak passwords, reusing passwords across multiple accounts, and insecure storage of sensitive information.
“Our top recommendation for reducing user security awareness vulnerabilities is a strong security awareness and training program. An effective security awareness program leverages an organization’s current governance model, internal tools, and processes to raise employee security awareness to a more mature state,” the report states.
Overall, attackers tend to follow the path of least resistance, the report noted. Cultivating a robust cybersecurity program that includes strong security practices related to digital identity, configuration management, vulnerability and asset management, architecture, and user awareness and training can go a long way in thwarting attacks or mitigating their worst impacts if they occur.