Contents
Introduction
Assessment of protection against external intruders
Attack vectors used to penetrate network perimeter
Attacks via vulnerabilities in web applications
Attacks via management interfaces
Statistics on the most common vulnerabilities and security flaws
Assessment of protection against internal intruders
Most commonly used attacks and techniques
Statistics on the most common
Web application security assessment
Vulnerability analysis
Statistics on total number of vulnerabilities
Statistics for applications
Recommendations for improving web application security
Conclusion

Introduction
Each year, Kaspersky Lab’s Security Services department carries out dozens of
cybersecurity assessment projects for companies worldwide. In this publication
we present a general summary and statistics for the cybersecurity assessments of
corporate information systems Kaspersky Lab has conducted throughout 2017.
The primary goal of this publication is to offer information support to IT security
specialists in the area of vulnerabilities and attack vectors against modern
corporate information systems.
We have analyzed several dozens of projects for companies from various sectors,
including government bodies, financial organizations, telecommunication and
IT companies, as well as manufacturing and energy companies. The charts below
demonstrate the distribution of the analyzed companies by industry and by region.
[Chart: The distribution of the analyzed companies by industry (Government bodies, Other, E-commerce, IT / Telecom, Manufacturing, Financial organizations) and by region (Europe 22%, META 57%, CIS 17%, APAC 4%)]
The summary and statistics on detected vulnerabilities are provided separately
for each type of service provided:
External penetration testing is an assessment of an organization’s
cybersecurity posture when challenged by an external intruder from the
Internet who only has access to publicly available information.
Internal penetration testing is an assessment of an organization’s
cybersecurity posture when challenged by a threat actor who is located
inside the client’s corporate network, has physical access to the analyzed
objects only and has no privileges on the internal network.
Web application security assessment is the search for vulnerabilities and
security flaws resulting from mistakes made during the design, development
or operation of a web application.
This publication includes statistics on the most common vulnerabilities
and security flaws that Kaspersky Lab’s experts have detected and that can
potentially be used by threat actors for unauthorized penetration into company
infrastructures.

Assessment of protection against external intruders
[Chart: Analyzed companies by economic sector (Information technologies / Telecom, Financial organizations, Manufacturing, E-commerce; 14%, 43%, 29%, 14%)]

Organizations were assessed for security levels on the following scale:
Extremely low
Low
Below medium
Medium
Above medium
High
The overall security levels were assessed using Kaspersky Lab’s own methodology
which takes into account the level of access gained during testing, the priorities of
the information resources, how difficult it was to gain access and the time it took.
An extremely low level of protection corresponds to those cases where we were
able to penetrate the network perimeter and gain access to the critical resources
of the internal network (i.e. gain maximum privileges in the internal network, gain
complete control over key business systems and access critical information).
Moreover, gaining such access does not require special skills or a lot of time.
A high level of protection corresponds to those cases where only insignificant
vulnerabilities were identified at the client’s network perimeter, the exploitation of
which does not carry risks for the company.
[Chart: Company security levels (Above average, Average, Below average, Low, Extremely low; 29%, 29%, 14%, 14%, 14%)]

[Chart: Distribution of analyzed companies according to access level gained during testing, in % of companies analyzed (Maximum privileges within internal network; Application-level access; Access to executing OS commands; Access to web applications with administrative privileges; Web hosting provider hosts; Internal network; DMZ; values 29%, 14%, 14%, 14%, 29%)]