The Top 5 Vulnerabilities Uncovered During Penetration Testing

Staying ahead of cyberthreats tomorrow means ensuring that your networks, systems and applications are adequately prepared for cyberthreats right now. One of the best ways to do this is with a comprehensive penetration test.

During penetration testing, threat and vulnerability management experts will put your environment’s preventive controls to the test, “attacking” your people, processes and technology in an attempt to gain access to systems, networks or permissions that should be inaccessible without the proper authorizations.

While results of penetration tests can vary from environment to environment, we’ve seen a few common threads present throughout most organizations which security leaders should work to stay ahead of.

By now, we’re all very familiar with the need to maintain strong passwords. Cyberattackers can harvest credentials from third-party websites and attempt to use those credentials to gain access to company systems or networks. This has been the case for decades now, and the attack continues to work because, often, passwords may be weak, guessable or shared across services or websites.

Though encouraging users to choose a password with special characters and numbers can be a step in the right direction, oftentimes it’s not enough to keep attackers from guessing a password. On paper, a password such as “Companyname1” or “Winter2024” may check all the boxes of a typical strong password, but passwords like these are actually some of the most commonly used passwords we’ve found across organizations.

It’s essential to take a good, hard look at your password-related procedures and at password filtering. Using password managers and implementing effective password filtering — like prohibiting the use of your company name in passwords and setting high character counts — as well as training your users on best practices for setting strong, unique passwords (or, even better, passphrases), is more important than ever to staying ahead of this critical vulnerability. For example, is your company’s help desk setting a weak default password on all accounts, some of which sit unused and unchanged for months?

2. Gaps in Multifactor Authentication (MFA)

Though multifactor authentication (MFA), was once a nice-to-have feature, today it’s absolutely essential. It’s no secret that MFA is your second line of defense when it comes to cyberattackers stealing credentials. However, we often find that MFA has been misconfigured or does not cover all the applications an organization intended it to protect. Obviously, the biggest issue with MFA is when it’s not in use at all. However, we’ve also found subtler issues due to configuration or incomplete deployment.

Overly permissive initial enrollment is a key issue. For example, we’ve seen multiple instances where organizations have onboarded a third party using a default password, did not require the third party to change the password or set up MFA and those credentials are now unprotected. Be sure to understand process and procedure gaps that cyberattackers can exploit.

It’s also critical to train your users not only on setting up MFA on all of their accounts, but also to report any unsolicited MFA prompts to your IT team immediately. Any attempts to coax your users into giving up MFA codes or approving MFA requests likely mean that their password has been compromised, so IT needs to be aware as soon as possible.

3.  Unpatched Vulnerabilities

Though many organizations are better at patching than they were a decade ago, threats are relentless and evolving every day. Though timely patches are crucial, we’ve found through penetration testing that ensuring completeness of those patches across all systems and layers of software — including the operating system, middleware and applications — is often more important. In many cases, it’s more likely that an attacker will exploit an old vulnerability on a forgotten system rather than exploit the vulnerability that was just released yesterday.

Organizations often get themselves into a patching conundrum when they don’t keep systems and software on supported versions. Once software goes end-of-life it may no longer be possible to patch it, even when vulnerabilities are found. Lifecycle planning is an important piece of ensuring that your systems are patched.

4. Privileged Access Issues

Unfortunately, no matter how many security controls are in place, it remains difficult to keep administrative access under lock-and-key. By and large, our pen tests have uncovered that across many organizations, there are simply too many domain users who are granted widespread local admin rights — whether the organization realizes it or not. Granting users administrative rights to their own workstation is one thing, but granting users these rights to the all the workstations in the company is another. So be sure to check those group memberships.

Failure to implement adequate privilege separation means that if a malicious actor were to gain access to a user’s account via a phishing attack or a weak password, it’s more likely that the attacker would also be able to use that account as a stepping stone to gain administrative privileges. Organizations must implement extremely strict access control policies that implement need-to-know requirements and lock access down tightly.

5. Microsoft Active Directory Configuration Issues

For organizations using Microsoft Active Directory (AD), proper configuration and access rights issues can be a major blind spot. Something as simple as an unexpected account with server admin rights opens the door to unauthorized access, allowing attackers to manipulate user privileges or compromise sensitive data.

Or, if an overly permissive discretionary access control list (DACL), which governs access rights, grants unnecessary permissions, for example, this may also lead to unauthorized privilege escalation, data exfiltration and even the compromise of critical systems. Unfortunately, we find issues like this regularly, oftentimes because they are buried in the details and overlooked.

Configuration of Active Directory Certificate Services (ADCS) can be a major vulnerability as well. When properly configured and issued, these digital certificates can ensure secure data transmission and verify the integrity of communication channels while authenticating entities in the network. If a user is allowed to request and obtain an authentication certificate in an administrator’s name, however, this can often lead to unauthorized access and data breaches. As with DACLs, we often find misconfigurations in this area that organizations were not aware of.

Web Application Weaknesses. Cross-site scripting (XSS) has been a common issue for quite some time; however, broken object level authorization (BOLA), also known as insecure direct object reference (IDOR), when a web application fails to check whether the user requesting a particular resource is authorized to access it, seems to have had a resurgence. This has the potential to be a major problem for web applications of all kinds, as bad actors may be able to manipulate the application into displaying information they should not be able to access.

A lack of incident detection and response capabilities. Though it’s not necessarily a vulnerability, many organizations struggle with timely and robust detection of cyber incidents. Though penetration testing by definition is focused on testing preventive controls, the reality is that when an incident occurs, IT leaders must be confident it will be detected so they can act quickly and effectively to minimize damage.

In addition to pen testing, incident response tabletop exercises as well as red and purple team exercises are essential components of a holistic cyber resilience strategy. For example, a purple teaming exercise is collaborative evaluation and testing of your team’s detection capabilities and an incident response tabletop exercises your organizational response to a simulated cyberattack. To go a step further, a red teaming exercise will take place without most of your team’s knowledge to test your defenses in real time. All of these efforts work to ensure that your organization is prepared the next time it experiences a cyber incident.

It's important to note that these gaps and vulnerabilities are common across all major industries, including in large organizations practicing good foundational security hygiene. Even enterprises with deep security resources are often surprised at the vulnerabilities we uncover during penetration testing.

Regular testing and exercises are important parts of any robust cybersecurity program. When choosing a partner to execute your penetration test, be sure to trust an expert with unparalleled experience in the field.