Penetration Test Data Shows Risk to Domain Admin Credentials
Rapid7 has released a new report combining data from 180 real-world penetration tests carried out in enterprise environments. The research indicates that the data protection efforts of nearly all organizations (96%) are undermined by at least one serious flaw in their systems. Moreover, pentesters managed to obtain at least one password in 72% of pentests, commonly because default or common passwords were used.
The research also shows that most company networks lack adequate internal security measures: pentesters who managed to obtain an initial foothold on a network were able to escalate privileges to the administrator level in 3 out of 4 cases.
However, external attacks on Internet-facing services were far less likely to be successful, with only 20% of these probes allowing pentesters to gain access to the internal network of the targeted organization. This shows that companies still mostly focus on security at the perimeter but neglect security within their networks.