The Multi-State Information Sharing and Analysis Center (MS-ISAC) published its 2016 mid-year review on August 22, 2016, highlighting large incidents of malware infections, with particular emphasis on ransomware and click fraud malware. In contrast to the MS-ISAC report, however, an August 2016 report suggests most organizations would benefit from addressing issues of credential management and network segmentation. The report is based on data collected over the course of 100 internal penetration tests (i.e., tests assuming one user on the network has already had their account compromised) on third-party clients, and found that four of the top five methods their testers used for compromising networks focused on network segmentation and credential management:
- Abuse of weak domain user passwords (66% of successful attacks)
- Broadcast name resolution poisoning (a form of man-in-the-middle attack that can be used to capture credentials) (64% of successful attacks)
- Local admin password attacks (61% of successful attacks)
- Attacks on cleartext (i.e., unencrypted) passwords in memory (59% of successful attacks)
- Insufficient network segmentation (52% of successful attacks)
In other words, expert penetration testers compromised these 100 networks without exploiting unpatched software vulnerabilities. The report notes that their results were based on tests with a primary goal of “full compromise of the environment,” and an attacker motivated by a different goal may instead focus on other techniques like vulnerability exploitation. For most organizations, however, credential management and network segmentation remain a risk.
The report argues that addressing these security risks may not be prohibitively expensive, and suggests that upgrading password policies, particularly if based on the new National Institute of Standards and Technology (NIST) password guidelines, can provide high-value security increases at relatively low cost. The FTC’s recent interest in incorporating external standards, such as those published by NIST, also provides added value to such policy upgrades. A full list of the report’s recommended fixes for credential management and network segmentation issues is available here.
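As an added illustration of the low-cost policy upgrade the report points to (this is example code written for this summary, not code from the report, MS-ISAC or NIST), the following contrasts a legacy complexity-rule password check with a screening check built on the NIST guidance, assumed here to be the SP 800-63B rules: minimum length, a blocklist of common or breached values, rejection of context-specific values, and no character-class composition rules. The blocklist, the username and the sample passwords are constructed.

```python
"""Compare a legacy complexity-rule password policy with a screening policy
in the style of NIST SP 800-63B (length, blocklist, no composition rules).
The blocklist and sample passwords are constructed for this example."""
import re
import unicodedata

# Constructed stand-in for a breached/common-password list; a real deployment
# would load a large corpus of known-compromised passwords instead.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "welcome1", "summer2016",
    "letmein", "qwerty123", "changeme",
}

def legacy_policy_accepts(pw: str) -> bool:
    """Typical 'complexity' policy: 8+ chars and 3 of 4 character classes.
    It accepts weak but policy-compliant values such as 'Password1!'."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3

def nist_policy_accepts(pw: str, username: str = "",
                        blocklist=COMMON_PASSWORDS) -> bool:
    """SP 800-63B style screening: normalize, require 8..64 characters so long
    passphrases are allowed, and reject blocklisted or context-specific values
    instead of enforcing character-class composition rules."""
    pw = unicodedata.normalize("NFKC", pw)
    if not 8 <= len(pw) <= 64:
        return False
    lowered = pw.lower()
    if lowered in blocklist:          # commonly used / breached value
        return False
    if username and username.lower() in lowered:  # context-specific value
        return False
    return True

def evaluate(candidates, username=""):
    """Return {password: (legacy_result, nist_result)} for each candidate."""
    return {pw: (legacy_policy_accepts(pw), nist_policy_accepts(pw, username))
            for pw in candidates}

if __name__ == "__main__":
    samples = ["Password1!", "Summer2016", "jsmith2016!",
               "orange kettle lamp", "short1!"]
    for pw, (legacy, nist) in evaluate(samples, username="jsmith").items():
        print(f"{pw!r:22} legacy={str(legacy):5} nist={nist}")
```

Note that the legacy policy passes the blocklisted "Password1!" and the username-derived "jsmith2016!" while rejecting the long passphrase; the screening policy does the reverse.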