Online services represent a huge benefit for users and can be a real differentiator for businesses offering them. But without tight security, online services have the potential to expose the business to significant commercial and reputational risk.
Our client, a niche law firm specialising in commercial debt recovery and contract litigation, had developed a sophisticated case management system that allowed clients to view their cases, run reports and download documents. Recognising the importance of strong security, the firm asked us to perform a security assessment of its web application and internal and external infrastructure.
Our penetration testing revealed that security controls on the application and infrastructure did not meet industry-standard security best practices. For example, we found that the application allowed unauthorised access to sensitive information belonging to users and also to confidential data and financial details about the firm.
We also found multiple vulnerabilities in the firm’s internal infrastructure which meant that if one of the hosts in the network had been compromised by an attacker, then all the hosts would have been vulnerable to unauthorised access. Default or weak passwords, and the use of the same administrator credentials for all the hosts, meant we were able to compromise the domain and gain direct access to the domain controller. We were also able to exploit the firm’s weak password policy and its use of a weak hashing algorithm to crack approximately half of the passwords used.
We documented our findings in a detailed report for the client and produced detailed recommendations on how to improve the level of security around the application and infrastructure. This ensured the firm could continue to offer clients online access to their case details without risking a security breach.
If you need to increase the level of infrastructure and application security for your organisation, speak to one of our technical cyber experts today or learn more about our cyber security services.
To develop your in-house cyber capability, learn about our expert-led cyber security certifications.