Rapid7 Releases 2020 Under the Hoodie Report: Lessons Learned from a Year of Penetration Tests

Well, it’s March 179th, 2020, and while we didn’t actually get a summer here in 2020, it’s time once again to release another Under the Hoodie report on the ins and outs of penetration testing. Since 2017, we’ve been putting together this survey report on how pen testing works, the common pitfalls our pen testers run into, and how you, the enterprise IT shop, can better prepare for your next simulated attack.

This year, we’re focusing more on the credential aspect of penetration testing. Overflowing buffers and injecting SQL is fun and all, but when it comes to bread-and-butter pentesting, there’s nearly always some credential element in play. As a matter of fact, my No. 1 takeaway from this survey is that enterprises really need to start stepping up when it comes to machine-based password management.

We all know that we humans are just terrible at picking and rotating our own passwords, and we can prove it by looking at the crackable passwords found in the hash files recovered by our penetration testing services team. The chart below, from the report, demonstrates how crackable passwords are today:

Nearly always, at least one of these three categories of guessable passwords comes up in NTDS.dit, LM hashes, database dumps, or some other source of hashed passwords. And the killer is, it doesn’t have to be this way! There are some pretty excellent password management solutions for enterprise IT out there. The technology isn’t the problem here—the biggest hurdle is changing habits of your workforce.

And boy oh boy, have we gotten good at changing habits. The global pandemic has forced radical shifts on how we live and work, and we’ve seen that we can adjust to radical changes in the environment. So, if you have the opportunity to change exactly one thing about your security program, instituting sensible password management using machine-generated random strings should be it.

Of course, in security, we don’t just get to pick one thing. Enterprises need to brush up on their patch management and network segmentation as well, but to see why that is, you’ll want to check out the Under the Hoodie report. For one, it’s free, and two, there are more than just stats and graphs—as in past years, we’ve included a selection of “This One Time on a Pen Test” stories that illustrate some particular weakness or exposure that was exercised by the quick-thinking pen tester on the scene. They’re super fun to read, and someone really should take two or three of these and turn them into cartoons or something.

Subscribe to the Rapid7 blog here!