News

Integrity360 2018 Penetration Testing Vulnerability Report

Do you know what your company’s network vulnerabilities are?

Businesses that invest in penetration testing do. Today, we’re sharing the findings of Integrity360’s first annual Penetration Testing Vulnerability report to raise awareness of the myriad exploits found in even the most secure network infrastructures. 

Penetration Testing Vulnerability Report Results 

Integrity360 conducted its first annual Penetration Testing Vulnerability Report in 2017. The penetration testing team compiled anonymised data from a variety of clients across 15 major industries. 

The results represent the most common vulnerabilities attackers exploit in any company and industry across the world, and underscore the importance of regular penetration testing in an ever-evolving cyber security landscape. 

1,002 vulnerabilities were identified in 2017, which equates to roughly four per every working day. Nearly 42 percent of the vulnerabilities were classified as either ‘critical’ or ‘high-risk’ and required immediate remediation. Approximately 39 percent were labelled ‘medium-risk’, and 19 percent as ‘low-risk’ or ‘informational’.

The internal network, web applications and external network were the top three most vulnerable components of the average organisation’s infrastructure, and represented nearly 88 percent of the identified risks. 

The most common critical and high-risk vulnerabilities found with web applications include: 

  • Cross-Site Scripting (XSS) 
  • Cleartext Submission of Passwords 
  • Vulnerable WordPress Version in Use 
  • Web Application Web Admin Page Open to the Public 
  • SQL Injection (Error-based) 
  • Unsupported Microsoft Windows Server 2003 Running IIS 6.0 Detected 
  • Website Comments Unauthorised Access to Email Messages 
  • Website Live Comments Email Feature Allows Open Relay 

Most common critical and high-risk vulnerabilities found on internal networks include:

  • Apache Multiple Vulnerabilities
  • ESXi Multiple Vulnerabilities
  • VMware ESC / ESXi Multiple Vulnerabilities
  • VMware vCenter Multiple Vulnerabilities
  • HP System Management Homepage Multiple Vulnerabilities
  • IPMI v2.0 Password Hash Disclosure
  • Unsupported Microsoft Windows Server Detected
  • Microsoft Windows SMB Shares Unprivileged Access
  • Missing Microsoft Patches
  • OpenSSH Multiple Vulnerabilities
  • SNMP Agent Default Community Names
  • Unsupported Web Server Detection Vulnerabilities 

Most common critical and high-risk vulnerabilities found on the external network include: 

  • Microsoft Windows 2003 Unsupported Installation Detected 
  • Oracle Database Unsupported Version Detected 
  • Cisco ASA Software IKEv2 UDP Packet Handling RCE 
  • Unsupported Microsoft Windows Server Detected 
  • Missing Microsoft Patches 
  • Apache Multiple Vulnerabilities 
  • Cisco Multiple Vulnerabilities 
  • MTA Open Mail Relaying Allowed 
  • Oracle Portal Demo Organisation Chart SQL Injection 
  • SNMP Agent Default Community Names 
  • TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products 
  • Unsupported Web Server Detection 
  • Outdated Apache Server

What is penetration testing?

In today’s cyber security landscape, complacency is a liability. Industry leaders are recognising that, and are using every available resource to figure out the faults of their network infrastructures before an attacker can. 

Penetration tests is a popular way of doing so. Integrity360 simulates the methodology of a malicious threat actor, which allows our experts to infiltrate a network to uncover any vulnerabilities. 

After uncovering any potential exploits, organisations receive a report detailing – both to IT staff and corporate leadership – what the risks are, how they could impact business operations and how to resolve them. 

The ultimate goal is to not only uncover vulnerable endpoints before an attacker can, but also to help IT staff implement countermeasures that prevent criminals from infiltrating a network undetected. 

Download our free penetration testing eBook to learn more.