How We Compromised a Major Corporate Network During a Physical Pen Test
Here’s a “pro tip” for any company out there using armed guards to protect their facility:
If you’re not properly segmenting your network, those armed guards can’t do anything to stop an attacker from compromising your company’s private data.
We recently conducted a penetration test for a client that proved how simple it was for someone to gain entry to the building, access the computer network, remove critical information, and send that information to another location – all under the guise of interviewing for a job as a landscaper.
Gaining On-Premises Access to a Corporate Network – ID Badges and All
Our team was scheduled to conduct a physical penetration test at an office location for one of our clients; however, because this particular location was protected by armed guards, our team sought out a way to get into the building by being invited in, rather than breaking in.
One of our team members was able to secure an on-site interview for a position he applied to online, and when he arrived, he was given an ID badge and directed to a recruiting center to wait for his interview.
In the recruiting center were several computers available for applying to open positions, and after getting permission to log on, our team member discovered that the computer was connected directly to the company’s corporate network. At this point, it only took a few minutes for him to plant and hide a dropbox network device, tap into the network, and make an outbound connection to DirectDefense’s main office via SSH.
This SSH connection also allowed our team member to remotely interact with the dropbox via his mobile phone.
Having completed his job interview and having obtained remote interactive access to the dropbox, our team member, armed with a pamphlet detailing the company’s benefits package, paid a visit to our main contact within the company to report his activity.
The Critical Lesson About the Importance of Network Segmentation
While we were able to enter the building under false pretenses, the biggest issue was what we were able to do once we were inside.
Even if an attacker is able to gain permitted access to a facility through a job interview or other means and log on to a public access computer, they can’t do any major damage if the network is properly segmented. In the case of our penetration test, we were able to access the corporate network with no problem and download critical data without being detected. This exercise uncovered four specific areas in which the company’s security was insufficient:
- Lack of network segmentation: The public computers were not segmented from the rest of the internal network, allowing our team full access to the entirety of the company’s network.
- Lack of egress filtering: We were able to interact with the dropbox we attached to the computer via an outbound SSH connection initiated by the dropbox. This connection was not terminated by the company’s network security appliances.
- Deficient security monitoring: The company was not alerted to an unknown device being placed on the network, or the outbound connection initiated by the device. The company was also unable to detect the outbound connection until it was terminated due to the firewall configuration.
- Lack of network access controls: The company did not have a network access control solution in place to ensure that only authorized systems and devices could connect to the network.
With these protections lacking, it was easy to gain access to the company’s private data. If we had been a real attacker with malicious intent, that data would be out the door and out of the company’s control in minutes.
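The four gaps above each leave a trace in flow records from the public-access segment. The following is an added example, not code from the original article or from the engagement it describes; the subnet, MAC inventory, allowed egress ports, duration threshold and flow records are all constructed assumptions.

```python
import ipaddress

# All values below are constructed assumptions for illustration.
KIOSK_NET = ipaddress.ip_network("10.20.30.0/24")      # public-access PC segment
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}  # authorized kiosk NICs
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443)}           # what the kiosks need outbound
LONG_LIVED_S = 600                                     # alert threshold in seconds

# Constructed flow records: (src_mac, src_ip, dst_ip, proto, dst_port, duration_s)
FLOWS = [
    ("00:11:22:33:44:55", "10.20.30.11", "203.0.113.10", "tcp", 443, 12),
    ("00:11:22:33:44:55", "10.20.30.11", "10.1.5.20", "tcp", 445, 40),
    ("02:00:00:00:00:99", "10.20.30.77", "198.51.100.7", "tcp", 22, 5400),
    ("00:11:22:33:44:56", "10.20.30.12", "10.20.30.1", "udp", 53, 1),
]

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def review_flow(flow):
    """Return the findings for one flow record sourced from the kiosk segment."""
    mac, src, dst, proto, port, duration = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in KIOSK_NET:
        return []
    findings = []
    if mac.lower() not in KNOWN_MACS:
        findings.append("unknown-device")              # network access control gap
    if is_internal(dst_ip):
        if dst_ip not in KIOSK_NET:
            findings.append("segmentation-violation")  # kiosk reaching corporate hosts
    else:
        if (proto, port) not in ALLOWED_EGRESS:
            findings.append("egress-violation")        # e.g. outbound SSH
        if duration >= LONG_LIVED_S:
            findings.append("long-lived-outbound")     # monitoring: persistent session
    return findings

def audit(flows):
    """Map flow index -> findings, keeping only flows that raised something."""
    reviewed = ((i, review_flow(f)) for i, f in enumerate(flows))
    return {i: found for i, found in reviewed if found}

if __name__ == "__main__":
    for idx, findings in audit(FLOWS).items():
        print(FLOWS[idx], "->", ", ".join(findings))
```

In the constructed data, the third record is the pattern the test produced: a device absent from the inventory holding a long outbound SSH session from the kiosk subnet.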
And once control of a corporate network falls into the wrong hands, the fallout can be severe; an attacker can launch ransomware onto the network, infiltrating all corporate systems and locking employees out so no work can be done.
For any company, but especially companies like manufacturers or utilities that are responsible for major processes, downtime equals major dollars, and also can have a significant reputational impact – particularly if client data is compromised as well.
Leadership at many companies tends to believe their business isn’t interesting enough for an attacker to compromise, but we always stress that it’s not a matter of “if” – it’s a matter of “when.”
Our penetration testing team performs these routine tests, trying to compromise as much as we can within an organization, to ensure someone with malicious intent won’t be able to.
If your company is interested in seeing what vulnerabilities our penetration testing team can uncover, contact us today.