Penetration Tests are a key part of assuring strong security, so naturally, security professionals are very curious about how this best practice goes down from the pen tester perspective. Jack Daniel, Director of Services at Rapid7 with 13 years of penetration testing under his belt, recently shared which flaws pen testers are regularly using to access sensitive data on the job in the webcast, “Campfire Horror Stories: 5 Most Common Findings in Pen Tests”. Read on for the top takeaways from this webcast:

  1. Patching & Passwords – Patching trends have shown great progress over the last few years but are still a large area of concern. Organizations have adopted patching standards, and are certainly more mature compared to 5-8 years. The bulk of systems, especially critical patches, are being patched regularly. However, pen testers still find organizations are missing critical patches from years and years ago, even if they are up-to-date with recent patches. As for passwords, when pen testers are able to gain access and do a massive password dump or brute forcing, over 30% of passwords include variations of an employee's company name or their company's product names. Pen testers are able to quickly work around or crack weak passwords and password hashes. To avoid these pitfalls, make sure passwords are audited regularly, don't use weak roots, and do not store password hashes locally.
  2. Beware the Default – Misconfigurations and default configurations are consistently the number 1 most common finding for penetration testers as an issue at almost every organization. If configurations are not regularly reviewed, it can lead to accidental information leaks. A default account left enabled on a device that gets rolled out without a security review is a quick foothold into any network. A system that is different from most others on a network, and outliers within the network in general, are also weak points for attackers to focus on since they know securing an outlier device will require additional expertise from the security team. To prepare for misconfiguration and default configuration issues, know your network and what it will look like to an attacker, and segment wherever possible so that a blind spot cannot spiral into a devastating breach.
  3. Encryption Good, XSS Bad – Storing or transmitting sensitive data in clear text and cross site scripting are two other common missteps that pen testers come across. Data left unencrypted is completely reliant on network controls for protection and vulnerable to attackers. Put an emphasis on securing an app or device itself, and encrypt your data while storing or transmitting it, keeping in mind that databases tend to be less secure. Web flaws and cross site scripting are becoming more pervasive. To combat this, ensure your users and their browsers have client side scripts disabled wherever possible.

  To learn more about the most common findings in pen tests: view the on-demand webinar now.