Securealities: 2nd Annual Penetration Risk Report 2019

2 nd Annual Penetration Risk Report 2019

2019 edition

1

TABLE OF CONTENTS Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Research scope and approach . . . . . . . . . . . . . . . . . . . . . .

7

Report findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Overall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Company size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Social engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Vertical market analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Technology/Cloud services providers . . . . . . . . . . . . . . . . . . . . . . . . . 24 Retail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Healthcare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Financial services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Standardized pen testing approach and methodology . . . . . . . .

44

Social engineering methodology . . . . . . . . . . . . . . . . . . . . . 45 Risk rating scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 About Coalfire Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 About Coalfire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

2 | COALFIRE.COM

FOREWORD The sands are shifting in cybersecurity. With the

awareness functions. Offensive services mean nothing

continuing migration to the cloud, security programs

if the organization doesn’t support processes to act

and managers tasked with protecting their organizations

on the information to strengthen its defenses. Thus

from cybercrime must up their game and increase their

the “management” part of threat and vulnerability

vigilance – the stakes are getting higher. No company –

management is the key to the program’s success.

public or private – can afford to fall behind the curve.

It’s critical to integrate program feedback into other

With years of best-practice diligence in data capture and analysis, Coalfire holds a unique position in the cybersecurity industry. As a result, our penetration testing division, Coalfire Labs, is committed to sharing our knowledge and experience by making this comprehensive Penetration Risk Report an annual milestone to support organizations of all sizes and across all industries. A robust information security program should encompass many features, from the highest levels of governance structure and risk management framework down to the most technical details of system configuration and hardening standards. Each program may contain additional components as well – such as disaster recovery, incident response, and security operations and monitoring – all critical to day-to-day security assurance and customized in accordance with organization mission, market, and threat levels.

potentially external initiatives. For example, if exploited application vulnerabilities aren’t fed into a development team, or if the magnitude of risk isn’t demonstrated to stakeholders, an organization may fail to take the necessary action to secure its assets. This process of demonstrating risk and monitoring remediation is the “long tail” that goes along with the “sexy bits” of offensive security testing. As you may imagine, running a threat and vulnerability management program can be challenging for many organizations for many reasons. For one, there’s a cybersecurity skills shortage; it’s hard to find staff who are effective at securing enterprises, let alone proficient in offensive security techniques. Additionally, a team can find itself “blinded” by business operations. We’ve seen teams with the best intentions and highly skilled staff miss key risk factors and overlook attack vectors due to organizational pressures, policies, and priorities. As a

One of the most pivotal components of organizational

result, organizations often look to external sources to help

security is a threat and vulnerability management

them with this critical process. Coalfire Labs specializes in

program. Its function is to test the effectiveness of

this work, and we’ve been doing this for companies of all

security controls deployed to protect an organization’s

sizes and across all industries for more than a decade.

most critical assets. A defensive team may be able to go through the motions as a matter of practice, but if it’s never challenged by an offense, there’s no good way to determine if the defense is effective. The threat and vulnerability program component provides this simulated offense, and penetration test “scrimmages” make the defense much stronger. A threat and vulnerability program should address recognized threat vectors

We’ve done a tremendous amount of work augmenting organizations’ threat and vulnerability management capabilities with our offensives services. As a result, we’ve amassed powerful datasets, informed by wide-ranging, on-premise experience, representing what we believe are the state-of-the-art strategies and tactics unique to our industry.

across an organization – including emulating the actions

With this knowledge and the power of our data comes

of an attacker across the internet attempting to “break

responsibility. When compiled annually in benchmark

in,” simulating the impact of a workstation on the

discipline, our findings offer valuable insight to thousands

internal network being used to attack critical systems,

of programs and teams tasked with risk management and

and carrying out attacks against custom solutions and

the protection of organizational assets and resources.

applications that support key business functions.

In 2019, Coalfire Labs enhances our commitment to

A well-developed program doesn’t stop at attack emulation. The information gathered from the offensive services must, at a minimum, be fed into the patch

stay on top of the trends and ahead of the threats with more urgency and continuity with this second annual Penetration Risk Report.

management, security architecture, and training and 3

Executive summary Through hundreds of engagements and penetration tests, the datasets tracked and analyzed over the last year by Coalfire Labs yield unexpected insights and significant new trends. Cybersecurity threat levels have always been moving targets, but are now on the rise and accelerating as businesses and institutions in all categories continue the relentless march to the cloud. The “shroud of the cloud” generates new threats and vulnerabilities that must be identified and engaged, much as the “fog of war” shifts strategies and demands new tactics when confronting chaos and confusion on the battlefield.

We’re enhancing our commitment to lead the way through the fog as enterprises large and small, public and private, shift applications, operations, and processes to the cloud. In addition to accelerated migration to the cloud and the predicted “death of the data center,” some of our most important revelations include: Last year’s report revealed that midsized organizations occupy the “security sweet spot” because they were more secure overall than their larger and smaller counterparts. But, our shift in demographics toward cloud providers completely flipped the script. During 2019, large enterprises have overtaken the sweet spot for overall security. Large providers are doing it right, and small providers can learn from their example to proactively test solutions and the enterprise for security vulnerabilities before going to market. And all enterprises must pay closer attention to basic, routine

Figure 1: High-risk vulnerabilities by client size

• Large tech providers have a mere 15% of high-risk vulnerabilities when viewed alone!

50%

• These providers are displaying

45% 40%

their security maturity

35%

and differentiation.

30%

• Small cloud providers, likely taking

25%

their first steps into the market,

20%

are 20% more vulnerable than

15%

Large 2018

Large 2019

Medium Medium 2018 2019

Small 2018

Small 2019

Small = <$100M in revenue | Medium = $100M – $1B in revenue | Large = >$1B in revenue Source: Coalfire’s Penetration Risk Report, 2018 and 2019

4 | COALFIRE.COM

their small enterprise brethren.

l

security tasks that are still clearly being neglected. The move to the cloud is felt in applications across all enterprises. When looking at the top-five application vulnerabilities, our data calls out “what’s hot” in 2019: cross-site scripting, injection, security misconfiguration, password flaws, and sensitive data exposure. And, a few top vulnerabilities from last year have fallen off the chart, including broken authentication/session management, using known vulnerable components, and missing function-level access control. Organizations are struggling to get configurations right as they leverage multiple cloud infrastructure providers and hybrid environments. When building applications in the cloud, program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions. Coalfire Labs separated cloud providers from enterprises in this report to clearly see the distinct nature and challenges within each environment. The top vulnerabilities in the enterprise space were out-of-date software and insecure protocols – as expected given the prevalence of server message block (SMB) used in Microsoft® environments. For cloud providers, security misconfiguration is one of the top vulnerabilities, much as we would expect in a cloud-heavy environment. Additional summary highlights discussed in further depth in this report: 1. While external networks are still fairly secure, and internal networks are still fairly insecure in parallel with last year’s results,

app security has increased due to migration of in-housedeveloped applications to the cloud and by leveraging the appropriate skilled resources. 2. The report takes a look at how top app vulnerabilities last year overall were changed, with cloud-specific vulnerabilities replacing some on the list. The education vertical was particularly surprising, bucking conventional wisdom by coming in with the fewest highrisk issues and a demonstrable lack of risks stemming from coding issues such as cross-site scripting and broken authentication/session management. Education seems to have “learned its lessons” about secure coding. 3. Phishing continues to be a serious issue: 71% of those clients we tested experienced at least one full compromise of credentials; 20% of companies in our sample saw around half of their employees in the test give up their credentials. 4. Vertical markets’ security postures shifted dramatically. Last year, a wide variability in security posture existed among the verticals; this year, they’ve become similar in their vulnerability rates across the board, showing fewer high-risk findings. We believe this is due to a shift toward cloud solutions in every vertical, with fewer on-premise IT assets to secure and maintain. Enterprises must address all threats, including insider threats (people and internal systems), and harden Windows® networks by enabling SMB signing and disabling LinkLocal Multicast Name Resolution (LLMNR) 5

and NetBIOS Name Service (NBT-NS). For cloud service providers (CSPs) of any size, informed security testing with a team that fully understands the architecture of the solution reduces risk to the CSP and its customers. With the proliferation of the Internet of Things (IoT), many new security concerns are cropping up everywhere, from manufacturing to financial services, and especially in healthcare, where virtually every medical device is now a node on a network. While few results in this category are inferred in this report, we see this as an area of increasing risk and a growing focus for future testing and reporting.

6 | COALFIRE.COM

Overall, the move to the cloud is not new. Some trends are easier to predict, but unpredictability is on the rise and the pace of change is quickening. Application vulnerabilities are going down, but threats posed by out-of-date software and security misconfiguration are going up. The push toward SaaS platforms and “serverless computing” promises more efficiencies and cost savings, but the tradeoff will be even more unpredictability – anything can go wrong. The best defense remains a good offense in any organization’s threat and vulnerability management program.

RESEARCH SCOPE AND APPROACH Coalfire presents findings derived from our in-depth client penetration testing engagements since our 2018 report. The data represents 525 client engagements and a total of 623 individual penetration tests (as many clients request more than one penetration test type per engagement). The data spans public and private sector clients of all sizes within the technology/cloud, retail, healthcare, financial services, and education industries. We provide penetration testing services, including internal and external network, application, and social

engineering, to help clients understand their overall security posture, as well as meet compliance (PCI, FedRAMP, HIPAA, and others) readiness requirements. Our findings represent all of these testing subtypes. Our engagements average a two-week duration. Longer tests more accurately simulate reallife conditions, as hackers are not timebound; however, clients are often working to meet deadlines for specific testing objectives (such as compliance or a software production release) or are restricted by budget.

7

Report findings In this second annual Penetration Risk Report, we expected to validate our findings from last year and demonstrate trending across industries and companies of various sizes. We didn’t expect to be surprised by the findings, as there weren’t any extreme changes to the threat and vulnerability landscape that would have logically led to a measurable difference in the security posture of organizations across industries. However, in a fast-paced, innovative industry, surprises abound, keeping the experts on their toes. The changes in the data were significant enough in certain cases that it made us ask ourselves whether we were plowing through a bunch of random statistics, or if we were actually progressing toward our lofty goal of providing valuable insights. Yet, our analysis team soldiered on tirelessly, until finally, clear meaning

emerged! As you read this report, we will present data trending and analysis that clearly demonstrates how macro changes in IT infrastructures – namely, an aggressive shift toward cloud usage – have affected overall enterprise security, along with areas where some things remain the same across all industries, emphasizing the need to remain diligent in employing tried-and-true security best-practice techniques.

Figure 2: Vulnerabilities found by test type

Source: Coalfire’s Penetration Risk Report, 2018 and 2019

8 | COALFIRE.COM

High risk

Medium risk

Low risk

OVERALL When looking at the overall vulnerability posture of all organizations (all sizes and in all verticals), we found that results met expectations. For the most part, organizations have their external presence under control; their internal networks and applications appear to be less of a priority and are consequently less secure. This is consistent with our findings last year. As noted earlier, we analyzed the attack vectors independently, which roughly correlate to how many organizations prioritize their security spend to combat external threats, internal threats, or application threats. Where we see notable differences emerge from last year is the state of application risk. There’s been a significant decrease in the level of risk incurred by applications. Each industry we examined shows the

same significant reduction – with about half the rate of high-risk issues over 2018. Has the state of application development techniques changed enough to make this kind of material impact? Have developers become more diligent? Maybe the toolsets or development environments have shifted. While looking at this data and the industry trends across 2018, no simple correlations were found. But let’s compare this year’s top-six most frequent vulnerabilities (overall) with last year’s. These findings were identified across all types of tests – external, internal, and application-focused attacks. Hence, there is a collection of different types of vulnerabilities in the mix, ranging from application issues like injection to internal networking flaws such as insecure protocols.

Top-six enterprise vulnerabilities (overall)

2018

2019

Insecure protocols

Out-of-date software

Password flaws

Insecure protocols

Patch management

Password flaws

Out-of-date software

Patch management

Cross-site scripting

Injection

Injection

Security misconfiguration

9

As expected, the usual suspects are in the mix, with a bit of position shuffling over last year. The biggest mover, out-of-date software, seems to be quite noteworthy. Security misconfiguration has crawled into the stack of most common vulnerabilities, displacing one of the perennial front-runners, cross-site scripting (XSS). Seeing XSS fall out of the top six aligns with the reduction in application vulnerabilities. Yet, the question remains: Why? The move to the cloud is not a new trend; however, it has accelerated, and many research and analyst firms predicted in late 2017 that adoption would rapidly accelerate in 2018. Cloud technologies are a proven solution to many infrastructure and operational challenges, and they have quelled the operational fears of many organizations. Their predictions have been validated; according to RightScale’s 2019 State of the Cloud Report by Flexera, 94% of respondents use the cloud, and 84% have a multicloud strategy (an increase of 7% over the prior year).1 Trends forecasted for 2019 included the rise of Softwareas-a-Service (SaaS) solutions, coupled with “serverless computing,” the emerging software architecture that eliminates the need for infrastructure provisioning and management.2 With the predicted “death of the data center,” the push across industries to adopt SaaS platforms, and the advent/ growing popularity of serverless computing, it became pretty obvious that the cloud was poised to have an impact on our dataset. Is cloud computing a panacea for application security? Surely not. Many other things can go wrong, and it certainly doesn’t address some core application problems. But our data shows that it doesn’t hurt. The impact of the cloud RightScale. “State of the Cloud Report from Flexera.” 2019. http:// googliers.net/static/media/uploads/ download_files/2019_state_of_the_ cloud_report.pdf 1

Deloitte Insights. “Tech Trends 2019: Beyond the digital frontier.” https:// www2.deloitte.com/content/dam/ Deloitte/uk/Documents/technology/ deloitte-uk-tech-trends-2019.pdf 2

10 | COALFIRE.COM

We examined our dataset and found that, indeed, we had tested a significantly higher proportion of cloud service providers (CSPs), SaaS applications, Platform-as-a-Service (PaaS) solutions, and other cloud-enabled solutions across all industries than we had the year before. CSPs alone represented 30.5% of the engagements that comprised our dataset, an increase over last year’s comparatively paltry 18.7%.

To get an idea of how cloud providers have influenced our findings, we examined CSPs as a standalone group and compared them to all other organizations. When viewing the data in this manner, the security afforded by CSPs, as well as the potential pitfalls, become quite evident.

Figure 3: Top cloud vulnerabilities 35 30 25 20 15 10 5 0 Cross-site scripting

Injection

Security misconfiguration

Broken authentication and session management

Password flaws

Figure 4: Top enterprise vulnerabilities 250 200 150 100 50 0 Out-of-date software

Insecure protocol

It should be noted that the top enterprise findings contain vulnerabilities that are typically found in networks and infrastructure environments, whereas the top cloud vulnerabilities are dominated by applicationspecific vulnerabilities such as XSS and session management. Why are we proposing that the migration to the cloud makes enterprises more secure when the top cloud vulnerabilities contain more

Password flaws

Patch management

Injection

application flaws than those of enterprises? The answer lies in the volume. While those are indeed the top vulnerabilities in the cloud, the numbers of findings are rather low. For example, only 33 XSS vulnerabilities were found across all 192 cloud provider engagements (17%), versus 210 out-of-date software findings across the remaining 431 enterprise engagements (a whopping 48.7%).

11

The impact of security misconfiguration Security misconfiguration may seem to be a small, insignificant entry in cloud vulnerabilities. So how did it get so big that it crept into the top six? Simply put, the volume of those findings is enough to bounce the phisher’s favorite, XSS, off the extended listing. Security misconfiguration is a finding category that includes numerous security flaws. In particular, this category contains some of the most common cloud architecture mistakes we see. Unprotected storage, insufficient access controls, and overly broad permissions fall into this category, and they are all found quite often in cloud environments. This finding was not just restricted to cloud providers. Enterprises are migrating solutions to the cloud, and this finding category applies to these newly spun up environments and solutions. A note about out-of-date software In comparing this year’s data to last, the increase in out-of-date software findings jumps right off the page. This category can be confusing, as it’s different from

12 | COALFIRE.COM

both “patch management” and “using components with known vulnerabilities” in the following ways: 1. Patch management findings are only called out when there is a patch available for the issue. If there’s not a patch because the software is no longer supported, it’s “out-of-date software.” 2. Using components with known vulnerabilities is a “library” issue. This only applies to applications. It’s quite similar to patch management, but it applies to dependencies in software. Recommendations Through all the tests we executed, we saw a lot of issues that are unique to the business with which we worked. Each situation is unique, and each solution is unique. But the underlying vulnerabilities that are the root cause of the findings can be remediated consistently throughout the environments we assessed. Implementing these recommendations proactively can lead to significant improvements in any environment.

Top-five issues

Insecure protocols

Password flaws

Recommended fix Harden your Windows® environment. Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) and enabling server message block (SMB) signing across the enterprise are the most effective ways to combat this threat. Implement two-factor authentication. Weak passwords, poorly managed passwords, and insufficient password encryption are rendered moot when requiring a second factor for authentication.

Patching / patch management

Expand patch management beyond “Windows® update.” Organizations that rely on Windows® update or Windows® services to manage patches in their environments are missing many common application packages that address the typical first targets of an attack.

Out-of-date software

Maintain accurate asset inventory. Solutions designed leveraging third-party libraries, tools, and solutions that are no longer maintained can expose a network to an attack based on vulnerable components. Maintaining an accurate inventory of systems and their dependencies will help control the spread of this vulnerability.

Injection

Implement a threat and vulnerability management function within your organization and ensure any applications that are built by (or for) your organization undergo a thorough test prior to being put into production. Injection flaws can be hard to find – particularly those that are beyond the garden-variety SQL injection like XML, XPath, or OS command injection. On the development side, implementing a robust data validation routine within each application for all data provides great “bang for the buck” when implemented comprehensively, including server-side variables and other input that’s not expected to be provided by an application end user.

13

COMPANY SIZE In our 2018 study, we examined the data based on company demographics. Our single factor of differentiation was revenue, where companies under $100M were considered “small,” between $100M – $1B were “midsized,” and over $1B were large. Ultimately, we found that the midsized businesses were in the “sweet spot” of security. They have enough resources to secure their operations, yet haven’t grown so large that they’re challenged with getting

their arms around asset management at scale, let alone securing these unknown assets. Again this year, we stratified our data the same way, and found a strikingly different result. The script has been flipped: Our midsize clients are the least secure, statistically. Last year’s most secure is this year’s least secure, and by a large margin.

Figure 5: High-risk vulnerabilities by client size 50% 45% 40% 35% 30% 25% 20% 15% Large 2018

Large 2019

Medium 2018

Medium 2019

Small 2018

Small 2019

Small = <$100M in revenue | Medium = $100M – $1B in revenue | Large = >$1B in revenue Source: Coalfire’s Penetration Risk Report, 2018 and 2019

In our data analysis that identified the top vulnerabilities, we noted a “cloud provider effect:” In 2019, our data was skewed by the sheer number of CSPs we had tested.

14 | COALFIRE.COM

To examine what kind of effect our cloud provider data had on our overall dataset, we extracted those companies to compare:

Figure 6: High-risk vulnerabilities found by client size (Cloud service providers) 40% 35%

Figure 7: High-risk vulnerabilities found by client size (Enterprises) 35% 30%

30% 25% 25% 20% 15%

As you can see, large cloud providers vastly skewed the overall risk level for large companies. Our year’s worth of data demonstrated that the largest cloud providers had what amounted to a fabulous security posture across their offerings, reducing high risks by almost 20%. Yet, even after extracting cloud providers from the dataset, midsized companies still show up as “worst” overall. Comparing year-over-year data, we can see that nothing has actually happened to midsized companies – they are still afflicted with the same proportion of high risk as last year. But in 2019, large and small organizations got significantly better by comparison. Extending the cloud theory to these large and small companies led us to the following theories: • Large cloud providers are highly invested in maintaining a strong security posture. Cloud security has been the top concern and barrier to entry for cloud solutions consistently, year after year; in a recent

20% 15%

study, more than 70% of respondents cited security as a barrier to cloud solution or SaaS adoption.3 Being secure is a top differentiator, and more cloud customers are looking to inherit cloud platform security tools. Their efforts and investments can be seen in this year’s data. • Large enterprises that are not cloud providers have, as previously stated, been aggressively moving to the cloud. Less shy about leveraging cloud-native security controls and hyperscale cloud architectures, they are inheriting much of the security posture of their cloud providers. Their risk comes primarily in the form of maintaining their part of the shared responsibility model and securing their on-prem gear, which reflects why their risk is still not up to the “large cloud provider” par; however, they have more sophisticated staff to manage that risk than midsized enterprises.

Ping Identity. “Ping Identity 2018 Survey: The State of Enterprise IT Infrastructure & Security.”

3

15

• Small companies are also deploying cloud-native infrastructure, are developing solutions on these architectures, and have less investment into legacy or traditional solutions and infrastructure. Like last year, they are small enough to present less of a target or opportunity for malicious actors – and have better overall awareness with their organization and employees to be on top of phishing and unusual activity.

SOCIAL ENGINEERING Phishing is still one of the most prevalent attacks and is the first way by which an attacker gains a foothold within an enterprise. Verizon’s 2019 Data Breach Investigations Report highlighted that, while eclipsed by other causes (denial of service, data loss, etc.), phishing was still the leading cause of data breaches, followed by “stolen credentials” – which, as you’d imagine, come frequently from phishing attacks. Our success rate in phishing testing mirrored the same statistics.4 This year, we chose to only evaluate the number of individuals who would provide credentials in response to a phishing email. Ultimately, it only takes one person to fall for a phishing scam to result in total compromise, so we focused on this metric only.

As the data demonstrates, phishing continues to be a serious issue: 71% of the clients we tested experienced at least one compromise of credentials; 20% of companies in our sample saw around half of their employees in the test give up their credentials. Not all phishing campaigns are created equal. The more an attacker understands about their target, the more legitimate that phish will seem. Highly targeted phishing tactics are referred to as spearphishing. Spearphishing is phishing that targets a specific individual, organization, or small group, leveraging information known about the subject to maximize results. A smaller population of targets can be attacked to reduce the possibility of detection and increase the probability of return.

Verizon. “2019 Data Breach Investigations Report.” https://enterprise.verizon.com/resources/reports/dbir/

4

16 | COALFIRE.COM

Figure 8: Social compromise via phishing (top tests)

Targeted but did not give up credentials Gave up credentials

17

Best campaigns of 2019 (i.e., most effective attacks)

Worst campaigns of 2019

The best campaigns are supported by research into the company and some insight into how they communicate with partners. Our top campaign this year involved opensource intelligence (OSINT) research that uncovered a particular company was changing healthcare insurance companies. An email from a domain that sounded similar to the new company requesting login credentials yielded a 48% credential return rate. That won’t work on every company of course, as the timing of this engagement aligned with the timing of the change in benefits providers, and there was enough public information to lend legitimacy to the email. The second-most effective, and more general-purpose, spearphishing campaign was last year’s champ: compensation changes (earning a 42% compromise rate). In this test a Microsoft® Office document with embedded “malware” written by our team claimed to describe compensation package changes and was purportedly sent from the target’s payroll group.

Our worst performance mimicked what almost everybody with an email address sees at least a few times every month. This campaign consisted of an email sent purportedly from the IRS to individual targets at a company. The message was crafted to indicate the recipient owes the IRS $10,000 in taxes and directed them to a website that looked like the IRS but asked for name, address, and social security number. It was crafted well enough to evade filtering, but not one person in more than 1,000 targets clicked on it. Zero. Interestingly, this attack vector was specifically requested by our client to make the point that the bog standard phish is not something that the organization should fear, and that they should make investments into ongoing training and awareness programs that include targeted spearphishing and not simple bulk “trawling.” Are there more phish in a bigger ocean? Stratified by size, the data told a familiar story, echoing the same results as last year. Large companies come out looking best, with midsize companies trailing in last.

Figure 9: Social compromise by client size 45% 40% 35% 30% 25% 43%

20%

38%

15% 10%

19%

5% 0% Large

18 | COALFIRE.COM

Medium

Small

In a similar conclusion to last year, we believe the characteristics of small and large organizations lend themselves to be better at securing the person. Smaller organizations tend to be more intimate environments, where individuals are more in tune with the operation of the business. While they lack mature processes and perhaps have underdeveloped training and awareness programs, they make up for it by being small enough to promote awareness of what is going on throughout the business, which is key to identifying a potential scam. Large

businesses are more impersonal but benefit from having “seen it all� by nature of having such a large staff. Lessons learned from that experience tend to manifest in the form of strictly administered, recurring, and regularly audited security training and awareness programs. Midsized organizations are stuck being too big to provide staff with a natural awareness of company operations, yet too small to have assembled formal training, awareness, and draconian email controls. This leaves them susceptible to the broadest range of social attacks.

19

VERTICAL MARKET ANALYSIS Vertical markets’ security postures shifted dramatically: Last year, a wide variability in security postures existed among the verticals. This year, they’ve all become similar in their vulnerability rates across the board, showing fewer high-risk findings. We believe this is due to a shift toward leveraging cloud solutions in every vertical, with fewer on-prem IT assets to secure and maintain. New to the dataset this year is our “education” vertical. There were enough educational institutions included this year that it merits discussion. It also presents some interesting findings, which we’ll examine in a drill-down section on each industry. Overall, we examined each industry by susceptibility to different attack vectors. We stratified by external, internal, and application attacks. External attacks are those initiated

from outside the organization, emulating an attacker attempting to break into the organization over the internet. Internal attacks are those that attempt to gain unauthorized access to systems starting from a point connected to the organization’s network, emulating the impact of a compromised workstation or rogue system connected to the network. Application attacks are those that target key applications within the organization, typically addressing web interfaces, application programming interfaces (APIs), and mobile interfaces. Risk of compromise due to an external attack decreased across all industries this year with the exception of the financial services vertical, which saw a modest increase. Overall, the level of risk across industries demonstrates that they have not incurred significant issues impacting the security posture of their organizations.

Figure 10: Level of external risk found by vertical

High risk

20 | COALFIRE.COM

Medium risk

Low risk

Like last year, internal risk is still significant, and can lead to compromise once an attacker gains access to the internal network. Yet, like the risk of external attack, we still saw

a decrease across all verticals, ranging from a modest 1% difference in healthcare to a 17% difference in retail. Nonetheless, this represents a trend that is worth considering.

Figure 11: Level of internal risk found by vertical

High risk

Medium risk

Ultimately, there was nothing terribly notable across the internal and external vectors; the data merely reinforced the notion that companies invest in a “hard and crunchy exterior” and considerably less so in their internal network posture, leaving a “moist and chewy inside.”

Low risk

Applications were a different matter entirely. There was a significant improvement this year across all verticals: Application risk across all except financial services reduced by more than half.

21

Figure 12: Level of application risk found by vertical

Source: Coalfire’s Penetration Risk Report, 2018 and 2019

High risk

Medium risk

Low risk

Why? With the increasing number of companies that are realizing the benefits of cloud technologies, the significance of having people within the organization with the requisite skillsets increases accordingly. According to Indeed, more than half of tech pros say that cloud and hybrid IT is their

organization’s number-one, most important IT strategy.5 This is reflected by a 141% increase in search terms used on Indeed that include cloud computing and cloud engineer. Additionally, the number of job openings that include those terms has gone up 27% since 2015. That data strongly

Alison DeNisco Rayome. “How to get a job in cloud computing: 10 skills to master.” TechRepublic, May 3, 2018.

5

22 | COALFIRE.COM

suggests that organizations are opening and filling roles that are specific to this technology stack. Given the prevalence of SaaS providers in the market, it is our belief that this increase in application security is driven primarily through migration of in-house developed applications to the cloud – and leveraging skilled resources to do it. Financial services was the outlier, bucking that trend by displaying an increasing proportion of high risks by 50% over last year. In last year’s report, financial services was the most secure industry by a wide margin. Perhaps this year’s findings are “normalizing” from the prior year, as financial services engagements only accounted for 17% of our dataset. While the change gives them the dubious honor of being the most susceptible to application risk this year, they’re doing better than all other industries’ postures from last year.

23

Technology/CSPs As indicated in the introduction, we did more work with CSPs this year than any other vertical market. These organizations provide a level of security that other organizations would be remiss not to leverage. However, service providers aren’t perfect. Ultimately, we found more vulnerabilities within the applications used to manage their services

Figure 14: Top cloud vulnerabilities

24 | COALFIRE.COM

than their services themselves. Analyzing CSP risks in isolation demonstrates how significant applications are to their solution set. The top-five cloud vulnerabilities included three application-specific vulnerabilities along with two more broad vulnerabilities that comprise both infrastructure and servicelevel issues as well as application concerns.

Focusing on the industry as a whole and then considering the various attack vectors, again we see the technology/CSP sector struggling with many of the same vulnerabilities that other industries experience.

Figure 15: Technology external testing results

High risk Medium risk Low risk

Of note, there was a much higher proportion of encryption issues across the technology/ CSP sector. Encryption vulnerabilities are challenging to exploit as they require considerable time and resources to achieve meaningful access. This is a comparable finding across all industries: Each has a high number of findings classified as “medium” and “low,” due to the feasibility of meaningful exploitation. 25

In terms of internal network posture, the technology/CSP vertical seems to be typical of any other industry, demonstrating weak internal controls. However, it should be noted that while Figure 16 demonstrates the same “soft and chewy center� that is represented across industries, the technology/CSP vertical was statistically the most secure of all.

Figure 16: Technology internal testing results

High risk Medium risk Low risk

Application security in the technology/CSP sector improved significantly over last year. While XSS was still the number-one vulnerability found, security misconfiguration has become nearly as significant as injection flaws this year (last year’s third-most frequent finding). High risk

Figure 17: Technology application testing results

Medium risk Low risk

26 | COALFIRE.COM

Our analysis of the security misconfiguration finding indicates there is an increasing occurrence of cloud component vulnerabilities that have a direct impact

on applications. And, given that CSPs fall into the technology/CSP vertical, it’s no surprise that this category is elevated within this sector.

27

Retail The state of retail security is a conundrum. Our data demonstrates that retailers have made the most progress in reducing risk in their environments compared to last year. But ahead of 2019, there were no significant changes in the state of retail technologies that would justify this change. Or were there? Since 2016, the industry has seen a quick adoption of Europay, Mastercard, and Visa (EMV) terminals (often referred to as “chip readers”). These are intended to reduce the instances of fraud at the point of sale, but they weren’t designed to do much for securing environments otherwise. The most impactful solution for securing payment transactions are point-to-point encryption (P2PE) solutions. However, adoption of these technologies has been slow. The standard is challenging to meet, and there are not a lot of qualified assessors in the industry; and accordingly, there aren’t many solutions available. As of April 2017, there were 28 solutions available, and as of September 2019, there were 86. While momentum is building, there’s still a long 28 | COALFIRE.COM

way to go. While a threefold increase is impressive at its face, it is slightly more than 10% of the 841 non-P2PE payment application solutions available. Retailer options are currently limited and slowing the adoption rate. That’s not to say that retailers don’t have options. Many solutions are on the market but are yet to be certified. A retailer can opt for one of these – but at a cost. Until that solution is certified, the retailer won’t recognize any scope-reduction benefits that are inherent with it. For example, certification eliminates the need for an annual penetration test per the standard. Until certified, the environment still requires one. Our dataset includes a number of clients that have implemented such solutions to secure their environments, as well as a high proportion of clients that have implemented EMV payment solutions. This migration to technologies such as EMV has resulted in the overall increase in security across our clients’ environments, despite not reducing overall scope.

As depicted in Figure 18, retail organizations have a pretty good grasp of their external security postures. This year, the retail sector saw a decrease in high-risk findings, primarily due to a significant improvement in their patch management. (Patch management was last year’s most significant finding, yet it didn’t even make the chart this year.)

A majority of our clients have been offloading “things they don’t do well” by moving to the cloud. By relying on CSPs to handle many of their challenging IT issues, they’ve improved their security postures, as shown in the data.

High risk

Figure 18: Retail external testing results

Medium risk Low risk

29

Similar to every other industry, this year’s data shows retail still struggles with a higher number of high-risk findings in their internal networks. The vertical has improved year over year – although, like all industries, much is still to be done. The Payment Card Industry (PCI) standard allows organizations to limit their PCI compliance scope for implementing specific controls only to

specific in-scope systems. Yet, organizations must be cautious here. There’s a continued misconception that the confines of PCI mean that only the systems that are in scope need to be secured; this is not the case. In our engagements, we found that there are security issues in out-of-scope systems that can be leveraged to eventually reach in-scope systems.

High risk

Figure 19: Retail internal testing results

Medium risk Low risk

30 | COALFIRE.COM

This year, retail applications demonstrated significantly less overall risk. The categories of findings were congruent with last year, with the notable exception of a reduction in the Open Web Application Security Project (OWASP) favorite, “using components with known vulnerabilities.�

Again, with the migration to the cloud and the ubiquity of platforms being offered as SaaS, we can attribute the reduction in risk to the proportion of clients that have migrated to SaaS providers for their internet-facing solutions.

High risk

Figure 20: Retail application testing results

Medium risk Low risk

31

Healthcare Healthcare is unique; and it presents several unique security challenges. First, industry technology and security trends have a greater impact on healthcare due to the mission of hospitals and healthcare companies. The regulatory requirement to have high-availability health data puts cloud technologies in an attractive position to healthcare organizations as cloud solutions are architected with high availability in mind. Organizations migrating systems to the cloud (yet continuing to maintain internally accessible redundancies in the event of emergencies) are confronted with a classic data risk both from an integrity and a confidentiality perspective. Additionally, the rapid pace of emerging technologies is a threat itself. Virtually every

medical device is now part of the Internet of Things (IoT), and many new security considerations from the manufacturer’s level to the end-user’s complicate the deployment of potentially life-saving technologies. Finally, ransomware poses threats to continuity of patient care. As one can imagine, the effects of data unavailability for a healthcare organization can be more far-reaching on its customers than it would in, say, your average thrift store. Healthcare institutions account for over one quarter of all data breaches (by count, per Baker Hostetler and cited by Corporate Counsel).6 That makes them the numberone high-risk vertical sector. Compounding that already alarming statistic, the cost per breach is twice the industry average, per

Sue Reisinger. “Cyberbreach Trends in Health Care: The Hardest Hit Industry Ramps Up Security Efforts.” Law.com, April 10, 2019. https://www.law.com/corpcounsel/2019/04/10/cyberbreach-trends-in-health-care-the-hardest-hit-industry-ramps-up-securityefforts/?slreturn=20190923182812 6

32 | COALFIRE.COM

a 2018 IBM report.7 And it’s not slowing down. Due to the high profitability of medical fraud, healthcare identities sell for about $250 on the black market, versus credit cards, which sell for up to $75 if the full information of the cardholder comes with it. Given all these challenges, one would expect this vertical to show marked improvement year over year. According to our data, they have. Healthcare has improved across all attack vectors. Some

were modest improvements, like the risk to external attack, whereas others were very significant, such as the risk to application attacks. Externally, healthcare looked much the same as the other verticals examined, with a modest increase in security and with many of the same top vulnerabilities. One highlight is that the significance of password flaws has increased greatly this year over last.

Fred Donovan. “Healthcare Data Breach Costs Remain Highest Among Industries.” Health IT Security, July 12, 2018. https:// healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries

7

33

High risk

Figure 21: Healthcare external testing results

Medium risk Low risk

The information security community has increasingly focused on client care systems over recent years, and numerous systems flaws have been found and publicized by community researchers. To that end, vast compendiums of default credentials are available on the internet, and these can quickly lead to compromise if left active. Internally, the companies that comprised our healthcare vertical were found to suffer from much the same as previous years – out-of-date software, insecure protocols, patch management, and password flaws made the top four, with injection and sensitive data exposure as the runners-up.

34 | COALFIRE.COM

Notably, healthcare didn’t markedly improve its internal security posture over last year, only seeing a 2% decrease in high-risk issues. Healthcare applications saw a significant change, similar to the technology/CSP and retail verticals. Not only did we see less than half the proportion of high-risk findings as we discovered last year, the types of high-risk findings also decreased across the board. In addition, the top-four vulnerabilities in last year’s dataset also shuffled. These two factors combined indicate significant change in this industry year over year.

Figure 23: Healthcare application testing results

the Bro an ntica ken ma d s t na ess ion ge ion me nt

Figure 22: Healthcare internal testing results

au

Inf o dis rmat clo ion su re

ing v kn co ulne own mp ra on ble en ts

Us

S nfi ecu gu rity rat ion

sco

mi

fu M ac nctio issin ce ss n-le g co vel ntr ol

Cr os scr s-sit ipt e ing

tio n

ec

Inj

ryp tio n

En c

High risk

Medium risk Low risk

Medium risk

High risk

50 Low risk

40

30

20

10

0

Vulnerability types

35

Financial services The financial services vertical has been faced with significant pressure on the regulatory side. With this change comes challenges that are quite mundane – but still taxing. More privacy management, increasing third-party vendor assessments, and a move to address organizational risk to drive security controls all contribute to the stagnation we see in the financial vertical. We believe this vertical is

exhibiting signs of being negatively affected by compliance-related struggles. This is demonstrated by an overall decrease in the security posture of the companies we worked with. Financial services clients demonstrated an increase of high-risk findings across all three attack vectors examined.

Figure 24: Financial services external testing results

High risk Medium risk Low risk

36 | COALFIRE.COM

Risk from internal attacks rose by a mere 7%. Financial services has its share of what we typically see across enterprises. Last year, the top issues were dominated by insecure protocols (which is ultimately a euphemism

for “unhardened WindowsŽ network�), followed by password flaws and patch management. This year, out-of-date software tops the list, followed by those three familiar faces from last year.

Figure 25: Financial services internal testing results

High risk Medium risk Low risk

37

38 | COALFIRE.COM

d

vu

an

ln

Vulnerability types le Us c in om g po kn ne ow nt n s

ue Cr st os fo s-s rg it er e y

f ac un ce cti ss on co - le nt ve ro l l

ng

it ex ive po da su ta re

ns

fig Se ur cur at i t y io n

Se

co n

re q

si

is

is

er ab

M

m

je

ct io ro n se ke ss n io au n m the an nt ag ica em tio en n t C ro ss -s ite sc rip tin g B

In

Relative frequency

Figure 26: Financial services application testing results High risk

Medium risk Low risk

On the application front, financial services significantly trailed the pack as the lone vertical that posted an increase in risk. Compared to last year, financial services had a 41% increase in the proportion of high risks found across their applications. Of the highest risks, XSS unseated last year’s broken authentication and session management for the top of the chart, followed by injection and password flaws.

reinforces the need to maintain an environment of continuous monitoring and ongoing improvement of security practices. Cybersecurity is a constantly evolving challenge; attacker techniques, tactics, and procedures are ever-changing. To properly defend the environment, the people, processes, and technologies in financial services need to change and evolve accordingly.

The across-the-board decline in security posture of the financial services vertical

39

Education The education vertical is what surprised us the most. There’s a commonly held notion that educational institutions take a rather glib view of security, merely giving it lip service while standing up systems as needed, willy-nilly, in pursuit of whatever academic purpose is most pressing. That statement is way over the top, of course, but the perception that educational institutions

are less diligent about hardening systems prior to use is prevalent. Our data disproved this. Or at least it did for one of the three attack vectors we examined. Externally, education was tied with healthcare – which was within 2% of security posture either way from technology/CSP and financial services. Only retail fared better.

Figure 27: Education external testing results

High risk Medium risk Low risk

40 | COALFIRE.COM

For the susceptibility of internal attacks, the education vertical landed squarely in the middle of our industries: better than financial services and healthcare, yet worse off than retail and technology. But the difference can be considered meaningless, as each industry demonstrates generally relaxed

internal security postures. The highest risk issues across the education vertical are virtually identical to the highest risks in all other verticals, which all generally match last year’s findings as well. Education, like other industries, also saw a spike in out-of-date software as a new high-ranking vulnerability.

Figure 28: Education internal testing results

High risk Medium risk Low risk

41

Figure 29: Education application testing results

High risk Medium risk Low risk

42 | COALFIRE.COM

As far as application risk goes, this is where the education industry truly shined. While our representative sample of applications was the smallest of our datasets, representing only 7% of the tests we analyzed, applications represented 35% of all educational tests performed. We were shocked to find education to have the fewest high-risk issues, edging out their nearest competitor by a 3:1 margin. The top vulnerabilities were information

disclosure, security misconfiguration, and using components with known vulnerabilities. There was a demonstrable lack of high risks that stem from coding issues such as XSS and broken authentication/session management. This data conveys that the education vertical seems to have “learned its lessons� about secure coding, yet still needs to take a remedial internal network engineering course or two.

43

Methodology STANDARDIZED PEN TESTING APPROACH AND METHODOLOGY Coalfire leverages a cyclical approach to penetration testing, so new information is incorporated into subsequent attacks on the environment. This process is applied to both network penetration testing as well as web application penetration testing. Figure 30 is a visual representation of our overall penetration testing process.

Figure 30: Coalfire’s penetration testing process

Information gathering

Enumeration

Scope and understand client’s business

Discover open ports, services, and web application pages

Vulnerability identification Use automated scans and manual techniques to discover vulnerabilities

Attack surface analysis Determine attack vectors and possibilities, and develop attack plan

Penetration and exploitation Exploit low-hanging fruit first, then other targets of opportunity

Pivot

Privilege escalation

Identify new targets based on new information

Elevate permissions and further enumeration

44 | COALFIRE.COM

We utilize a series of automated tools along with manual exploitation methods to identify security vulnerabilities and perform tests to actively exploit them in a non-harmful manner. In addition to the process described above, every penetration test is approached with varying amounts of prior knowledge about the environment to meet goals and replicate numerous different scenarios; these approaches can be black-box, grey-box, or white-box. Black-box testing: Simulates a malicious attacker with limited information about the network or application being tested. In black-box testing, more time is spent on reconnaissance and discovery through publicly accessible information. In addition, Coalfire’s source IP addresses will not be whitelisted. Grey-box testing: Involves limited information about the environment obtained through interviews with the client. This approach allows Coalfire to target specific systems in scope to produce better results rather than spending resources on discovery and reconnaissance and helps simulate an attacker with knowledge of the systems. Grey-box testing can include whitelisting but it is not required. White-box testing: Simulates an internal attack from an authenticated user such as a disgruntled employee or customer. Hence, the client can provide Coalfire with user credentials to gain access and perform indepth testing activities to identify issues an authenticated user could identify and exploit.

SOCIAL ENGINEERING METHODOLOGY As technical approaches to security become more sophisticated and effective, social engineering is often the easiest way to gain access to a company’s information assets. Social engineering relies on human interaction and involves “tricking” other people to break normal security procedures. A person using social engineering frequently tries to gain the confidence of someone with access to a network, and then get him or her to reveal information that compromises the security measures put in place. Given enough time, effort, and resources, most people can be tricked into revealing confidential information. Coalfire keeps social engineering tests cost-effective and relevant by focusing on awareness issues. We do not encourage targeting a specific person or department with social engineering attacks. Although our tests may trick certain individuals, it is more a statement of general company awareness and training than an individual’s failing. Our social engineering tests assess whether the organization as a whole: • Understands and adheres to policies on giving out information • Understands that individual employees have access to valuable information • Understands that social engineers exist

45

RISK RATING SCALE The risk rating assigned to each finding is translated into a high-, medium-, and low-risk rating to simplify reporting, analysis, and remediation planning. Often, an attacker may leverage a combination of vulnerabilities to exploit

and gain remote unauthorized access to applications and data. If the penetration tester was able to chain vulnerabilities in this manner, it may alter the risk rating of a specific individual vulnerability accordingly.

Figure 24: Risk rating scale

46 | COALFIRE.COM

About Coalfire Labs The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organizations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades defenses, and hunts for active breaches in clients’ environment, and then helps clients understand the risk and impact to their organization.

About Coalfire Coalfire is the trusted cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly two decades and has offices throughout the United States and Europe. Coalfire.com

Copyright Š 2019 Coalfire. All rights reserved. 47

Copyright Š 2014-2019 Coalfire. All rights reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS, et.al). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. All product names, trademarks, and registered trademarks are the property of their respective owners.

Reduce risk and simplify compliance with trusted insight from the cybersecurity experts. 877.224.8077 | Coalfire.com 48 | COALFIRE.COM

RR_Q2_103019

has endeavored to ensure that the information contained in this document has been obtained from