The situation becomes even worse if the attacker

Post by tanjimajuha20 »

Positive Technologies JSC has published a study on information security (IS), "Results of Pentests 2023". Experts analyzed the results of tests conducted throughout 2023 for internal and external penetration (pentests) into the local area networks (LAN) of 24 companies from the IT industry, finance, industry, telecommunications, services, construction, the space industry, pharmaceuticals, and energy, and came to disappointing conclusions.

96% of the LANs of the organizations that participated in the testing were not protected from external penetration into the internal network, and only in 4% of companies were the researchers limited to a demilitarized zone (DMZ), a special buffer space between the Internet and the internal network.

The situation becomes even worse if the attacker is already inside the LAN. Positive Technologies analysts reported that during the tests they managed to seize control over each tested domain.

Among the products most vulnerable to external attacks, the researchers named content management systems (24%), mail servers (23%), and project management systems (6%). The most common types of threats in web applications were SQL injection (22%), information leakage (14%), and arbitrary file upload (8%).

During testing of threats from the inside, Positive Technologies experts assumed a situation where the attacker already has access to the LAN and is trying to obtain maximum privileges within the system. On average, this required four to eight steps. In the vast majority of systems, the complexity of these actions varied from low (38%) to medium (50%). The fastest test for obtaining maximum privileges took 6.5 hours.

The authors of the study identify several reasons for the vulnerability of LANs, including obsolescence and untimely updates of information security software and the source code of web applications. In seven out of 10 infrastructures, it was possible to select credentials for unauthorized entry using attacks aimed at brute-forcing account passwords (Password guessing) and attacks aimed at brute-forcing a password using a pre-prepared list of popular dictionary passwords (Password spraying).

To ensure the security of web applications, Positive Technologies specialists recommend regularly conducting security analysis, implementing secure development and vulnerability management processes, and using application-level firewalls to protect against attacks. To minimize the risk that vendor solutions may pose, it is necessary to promptly update the software used, monitor notifications about newly discovered vulnerabilities and security patches.

"As in 2022, the share of companies vulnerable to external intruders remained the same - 96%. In those organizations where we gained access to the internal network, we were able to establish full control over domain resources in 100% of cases. Then, this figure was also maximum. It should be noted that organizations that regularly conduct pentests and take appropriate security measures based on their results ultimately reach a higher level of security. Systematically check the effectiveness of the implemented security measures, as well as the readiness of the information security service to detect and stop attacks at early stages - before unacceptable consequences occur," the authors of the study concluded.
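The post distinguishes password guessing (many attempts against one account) from password spraying (a few attempts each against many accounts). The following added example, not part of the study or the forum post, shows how a defender could tell the two apart in authentication logs; the four-field log format and the sample lines are constructed for this illustration, and the thresholds are assumptions to tune per environment.

```python
"""Classify failed-login patterns as password guessing or password spraying."""
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>".
# The format is an assumption for this example, not any real product's output.
SAMPLE_LOG = """\
2023-05-01T10:00:01 10.0.0.5 alice FAIL
2023-05-01T10:00:02 10.0.0.5 alice FAIL
2023-05-01T10:00:03 10.0.0.5 alice FAIL
2023-05-01T10:00:04 10.0.0.5 alice FAIL
2023-05-01T10:00:05 10.0.0.5 alice FAIL
2023-05-01T10:00:06 10.0.0.5 alice FAIL
2023-05-01T10:01:00 10.0.0.9 bob FAIL
2023-05-01T10:01:01 10.0.0.9 carol FAIL
2023-05-01T10:01:02 10.0.0.9 dave FAIL
2023-05-01T10:01:03 10.0.0.9 erin FAIL
2023-05-01T10:01:04 10.0.0.9 frank OK
2023-05-01T10:02:00 10.0.0.7 alice OK
"""


def parse(log):
    """Yield (source_ip, user, success) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, user, result = parts
        yield src, user, result == "OK"


def classify(log, guess_threshold=5, spray_threshold=4):
    """Return {source_ip: verdict} for suspicious sources.

    guessing: at least guess_threshold failures against a single account.
    spraying: failures against at least spray_threshold distinct accounts
              (each with fewer than guess_threshold attempts); a source that
              also logged in successfully is marked so it can be prioritized.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    successes = defaultdict(set)                    # src -> users logged in
    for src, user, ok in parse(log):
        if ok:
            successes[src].add(user)
        else:
            fails[src][user] += 1
    verdict = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= guess_threshold:
            verdict[src] = "guessing"
        elif len(per_user) >= spray_threshold:
            verdict[src] = "spraying-then-success" if successes[src] else "spraying"
    return verdict
```

A source with a single successful login and no failures (10.0.0.7 above) is not reported, which keeps ordinary users out of the alert stream.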