You may recall that last year we were able to compromise a major corporate network during a physical penetration test by gaining access to the building under the guise of someone interviewing for a landscaping job. Once inside – due to a lack of network segmentation and other controls – we were able to access the corporate network, remove critical information and send that information to another location – all in a day’s work. If you need a refresher, read that story here.
Fast forward a year and the same client invited us back to review their current environment to see how their security posture stacks up a year later.
Spoiler Alert! Our client has made commendable progress in fortifying their security posture since our last visit; however, weaknesses remain that a suitably skilled and motivated attacker could leverage to gain privileged access to systems from within the internal network.
Here are our 3 key takeaways from this re-engagement:
No In-Person Testing? No Problem!
When we visited this client’s site last year, one of the first things we discovered was a set of physical security deficiencies that enabled our team to bypass their armed security guards (a little too easily). Unfortunately, this time around, we were not able to get on-site to perform an in-person penetration test due to the COVID-19 pandemic. While this meant we would not be able to re-test our client’s physical security, thanks to a process we had already put in place before COVID hit, we were able to do all of the testing remotely in three simple steps:
- We shipped our client a pre-configured drop box
- They plugged it in, and it automatically reached out to us
- We were able to connect into their network to do all the same testing that we would normally do on-site
The bottom line: Organizations need to stay on top of security, especially in the midst of a pandemic which brings new security risks such as employees logging into the network remotely. Just because you can’t physically get on-site, doesn’t mean that testing has to stop – as we demonstrated with this client. With continual enhancements being made to the capabilities of our virtual testing software, DirectDefense stands ready to test your security no matter what crisis is going on in the world.
Regular Testing = Stronger Security Posture
Last year, after waltzing past the armed security guards, it didn’t take long for our team to take control of the network. This year, thanks to the improvements our client made based on the results and recommendations of our first penetration test, our team had a tougher go of it. The top findings of our 2019 testing included:
- Usage of vulnerable deprecated name resolution protocols
- No network segmentation
- Lack of egress filtering
- Deficient security monitoring
- Lack of network access controls
Several key improvements effectively thwarted our team at various stages during the 2020 internal penetration test, including:
- Disabling support for vulnerable deprecated protocols
- Patching of critical Microsoft Windows vulnerabilities
- New MSSP engagement and increased visibility into attacks within the internal network
- Improved endpoint security controls
The bottom line: At many points throughout this assessment, our team observed a number of effective security controls that have been implemented by our client since our initial test, demonstrating that our client is making solid progress in fortifying their security posture. That said, DirectDefense discovered a number of weaknesses and newer attack vectors that could be exploited by a malicious adversary in order to gain privileged access to our client’s systems from within the internal network. By incorporating the new recommendations from this assessment, our client can continue to improve their cybersecurity maturity and work towards a stronger overall security posture – one pen test at a time!
The Security Landscape is Always Changing
Again, while our 2020 testing found that, overall, our client is making solid progress in fortifying their security posture, by leveraging new attack vectors our team was still able to exploit vulnerabilities and eventually gain privileged access to the internal network. This is because the threat landscape is continually evolving as attackers grow more sophisticated.
This is why it is so important to avoid the mentality that penetration testing is a “one and done” thing. In order to keep improving the security posture of your organization, we recommend that security testing be conducted yearly as an integral part of an organization’s on-going security strategy.
Worried about a tight budget? Don’t be. As part of the remediation process, our team prioritizes fixes based on many factors such as budget and staffing.
The bottom line: No matter how big or small the budget may be, the result is always the same – an improved security posture.
What are you waiting for? Schedule your yearly penetration test today to see how far you’ve come and to continue to fortify your organization’s security posture against today’s newest threats.