5 Embarrassing Mistakes Found in Penetration Tests

As you heard from Bobby last week, it is that special time of the year, Black Hat, when all of our friends are gathered together in Vegas to see just what hacks, exploits, tips and tricks there are for us to be concerned about. As a cyber-security specialist, it’s the most wonderful time of the year. However, for consumers and business owners, it is the reminder that what you thought was safely tucked away is actually only a moment away from being breached. On the heels of the Democratic Party’s email breach and the proliferation of hacking in mainstream media with Mr. Robot and the Vice channel's Cyber-War, we thought that we would give you a peek at some of the mistakes that we have seen in our 15+ years of penetration testing. From our CISSP, CCFP, HCISPP certified specialists, here are the Top 5 Most Embarrassing Penetration Testing Mistakes:

1. Passwords in Plain Text

Once, just once, I would like to run a pen test where a scan for the word “password” on an open network doesn’t yield intriguing results. Often, its developer, admin or other privileged accounts to applications and production systems, including databases with sensitive information.

2. Unpatched machines with ancient vulnerabilities

Let’s be honest, we’ve seen enough MS08-067 vulnerable boxes to last a lifetime. Did you know, according to the 2016 Verizon Data Breach Report, “half of all exploitations happen within 30-100 days after a vulnerability is published”? The median time? 30 days. That is barely a month between a vulnerability being published and your network being exploited. As if that wasn’t insane enough, we have seen machines with vulnerabilities that were old enough to rent a car. There is no excuse for 25 year old vulnerabilities to exist in your system.

3. Hidden Passages

We aren’t talking about the ones that you see in horror films, although, these are just as scary when you think about it. Intentional or not, it is typically the most innocuous things that can leave you vulnerable to an attack. That VOIP phone in reception that never had the data port disabled? Or the network port in the lobby that was so helpfully wired up? Those may not seem like cause for concern but for bad actors they are the pathway to your network.

4. Zombie Printers

When is the last time you thought about your printer? Do you even know the brand that you use in your office? No? Me either. That is exactly my point. No-one thinks to update the firmware on printers or apply ACLs. This makes it easy for the bad actors to use these living-dead machines to establish hidden bridgeheads into your network.

5. TOR (The Onion Router) Exit Nodes

While I appreciate what TOR was designed to do, if you find that one is running on your network I can almost guarantee that you really don’t want to know what else you might find on that device. We’ve been involved in several forensic investigations involving not-so-white-hat actors and having to catalog what is left of those involvements is especially soul-numbing. These mistakes weren’t found in neglected networks. These were all found on well run, well maintained, well-staffed networks resulting in a highly embarrassed cyber-security team. There is no excuse for these.

Letting these five mistakes exist in your network not only puts you at risk, but your virtual neighbors as well. You don’t want that surprise knock on your door, do you? So how do you avoid these mistakes? Consistent penetration testing. You should be carrying out penetration tests quarterly and every time that changes occur on your network. Penetration tests evaluate your organization’s ability to protect its networks, applications, endpoints and users from internal and external attempts to evade your security controls and gain unlawful and/or privileged access to your protected assets. By more frequent and comprehensive testing, you can more effectively anticipate emerging security risks and prevent unauthorized access to critical systems and valuable information.