Compromising an Organization’s “Internet of Things” Can Lead to Serious Operational Security Consequences
The client was regularly conducting penetration testing by multiple firms and had a large internal staff devoted to information security.
On the external advanced penetration test, HORNE Cyber team members quickly gained access to email spam-filtering systems. This breach then allowed the team to access the credentials needed to compromise the VPN gateway to the internal network. In the process, team members identified other sensitive data being transmitted outside of the company and reported on the potential data loss.
On the internal advanced penetration test, the HORNE Cyber approach to testing ensured that no stone was left unturned. Zero-day vulnerabilities were found in internal applications, allowing team members to demonstrate multiple ways that malicious attackers would be able to steal customer records, as well as sensitive purchasing and billing transactions. By breaching security cameras, the team was able to visually identify when key employees were at work, as well as when the “coast was clear” to compromise their network operations center computers.
A portion of the team compromised and monitored a network administrator’s laptop for a period of two weeks, exactly the way a true advanced persistent threat would monitor target systems. During this time, the team gathered information about systems, passwords, and sensitive communications. To avoid detection by antivirus, software custom-developed by HORNE Cyber was used to extract credentials and other data from this and other workstations during the course of the test.
HORNE Cyber is a leader in conducting penetration tests securely, ensuring that we do not open our clients up to attack or the loss of sensitive data. During the engagement, a team member identified a system that had been compromised by a third party, potentially a previous penetration tester on an earlier test. The system had been left wide open to attackers for months, with the penetration tester’s backdoor still operational. Our team immediately reported this to the client, and the backdoor was closed.
Lesson #1: Internally-developed applications often contain vulnerabilities that require a well-trained and experienced team to identify.
Lesson #2: A compromise in an organization’s “Internet of Things” can lead to serious operational security consequences.
Lesson #3: Antivirus is a necessary measure, but it cannot be the only measure.
Lesson #4: If a penetration testing firm does not employ secure practices, they can leave a client more vulnerable than they were before the test.