It’s not unusual for businesses to have generally good security around their IT systems, with our testing identifying only a few weaknesses, which nevertheless expose systems and businesses to risk. In other cases, our penetration tests highlight a multitude of issues that combine to create very weak security overall. This was the case when we performed penetration testing for an organisation that specialises in developing end-to-end products and services for the insurance market.
Our infrastructure assessment identified several issues: a web application was running with default credentials and elevated privileges, which could allow a malicious user to gain control over the server and deploy their own application; multiple hosts were running outdated software, making them vulnerable to publicly available exploits that would allow a malicious user to perform multiple cyber attacks; and the use of a plain text connection for sending credentials made it easy for potential attackers to steal usernames and passwords for the application.
During our web application security test, we identified further issues: web pages that accepted input from users did not have proper checks in place, meaning it was possible to add malicious scripts to the pages; the application allowed external users to download any document from the application without authentication, exposing confidential client information to exploitation; and sensitive information, such as usernames and passwords, was being transmitted over the unencrypted HTTP protocol, putting data confidentiality at risk.
We provided our client with a detailed report on the system’s vulnerabilities, explaining how cyber attackers could exploit them and including our recommendations for closing the security gaps. Because of the overall weakness of security, we kept our client informed about vulnerabilities found during the course of our assessment so that the client’s technical team could patch business-critical systems and safeguard them from attackers.