From the article:
“I won’t say that the days of ‘point, click, and exploit’ are over, but they sure are rare,” says Chris Nickerson, CEO at pen-testing firm Lares. While security hardening, hygiene, patch management, password quality, and lack of visibility continue to remain big challenges, security organizations are evolving, he notes.
Increasingly, attackers are being forced to change their tactics and employ malware-less, “living-off-the-land” approaches to hide their malicious activity. “It is rare that ‘exploitation’ is the first hook into the environment anymore,” Nickerson says. “Now tools and technology are required to observe normal system functions to determine if they are being used maliciously.”
Lares recently analyzed data from hundreds of pen-test engagements to see what similarities it could find across enterprise networks. The results showed that accounts with weak and easily guessable passwords continue to be the biggest problem for most organizations. Other common vulnerabilities and attack vectors include weaknesses related to Kerberos authentication, excessive file system permissions, Window Management Interface (WMI)-enabled lateral movement, inadequate network segmentation, and improper access control.
You can read the full article here: https://www.darkreading.com/threat-intelligence/pen-test-results-hint-at-improvements-in-enterprise-security/d/d-id/1337591.
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.