Like many organizations with mature cybersecurity programs, the firm wanted to get an outside assessment of its controls to uncover any gaps its security personnel might have overlooked internally. We spent a few days conducting a penetration test to provide the firm with an attacker’s view of its network.
Probing for Weaknesses
We began our work with some open-source reconnaissance. Our team scoured the internet, seeking out morsels of intelligence that could help us gain access to the firm’s network. We developed a list of domains and subdomains operated by the firm as well as a list of known employees and email addresses.
With that information in hand, we turned to automated scanning tools that searched the firm’s systems for websites and administrative portals that might present the weakness we sought in its security armor. We used password spray attacks to blast login pages with thousands of commonly used passwords for the accounts we discovered during our reconnaissance work. One by one, hundreds of websites rejected our attempts, demanding that we complete a strong multifactor authentication process.
But then we found the golden ticket — a mobile web portal for a common service that the company had deployed but forgotten about. The main service was secured with multifactor authentication, but the mobile portal used only a simple username and password combination. Our password spray attack succeeded, and we gained access to this otherwise secure network.
The security director who hired us was quite pleased. He recognized that the difficulty we had in discovering a problem demonstrated the effectiveness of his team’s work, but also that we had potentially averted disastrous consequences for the firm. If we discovered the vulnerability, it’s possible that a determined attacker might have stumbled across it as well. The security director then worked with CDW’s security team to remedy the problem, patching the hole and preventing an attacker from exploiting it.
Keeping an Eye Out for Problems
The lesson here is that cybersecurity is a complex undertaking. There is no one-size-fits-all approach to designing a secure infrastructure. Rather, strong security programs must undergo constant evaluation and assessment to maintain their strength.
CDW offers a variety of services designed to help organizations undertake these assessments. In this case, we conducted a red team assessment, where our team took on the role of an attacker, reporting vulnerabilities that we discovered to the firm’s IT personnel. We also frequently conduct educational blue team exercises that combine both offensive and defensive measures, allowing client IT teams to work hand in hand with CDW security professionals to defend against red team attacks.
Penetration testing is an excellent way to discover the current state of your cybersecurity program and identify potential weaknesses that an attacker might exploit. CDW’s trained professionals can help you feel confident that your organization is secure.