Poor information security exposes businesses to reputational and commercial risk. A review of IT systems is the starting point for uncovering security weaknesses, understanding how to fix them and mitigating associated risk.
Our client, a leading training provider, asked us to undertake just such a review covering both its current and proposed IT systems. Our review included a security assessment of the client’s web application, the company’s external infrastructure and its Citrix access controls. The assessment of the remote working system (Citrix) focused on determining whether a legitimate authenticated user could break free from the restrictions that limit users to the set of applications permitted by the client.
Our extensive security penetration testing revealed multiple high-, medium- and low-risk issues. Most were due to insufficient input validation and misconfiguration on the servers. In addition, we came across a number of suspicious files on the system, which revealed that a compromise of the website had taken place up to two years previously.
In particular, we found the application and underlying system contained outdated software with known vulnerabilities, which would have allowed an external attacker to compromise the application completely. We also found poor secure storage controls, with passwords stored in plain text. Further, a combination of technical misconfiguration and the ability to browse files on shared drives containing sensitive information such as passwords meant we were able to break free from the restrictions of the environment and take control of the system, which resulted in the compromise of the entire Windows domain.
We communicated these issues immediately to our client and suggested a more thorough investigation of the earlier breach. We then provided detailed reports on all the issues we had identified along with recommendations for addressing them. Our work enabled our client to increase the security posture of the business’s network significantly and to keep its network and applications safe from hackers.
If you need to gain the assurance that your applications are secure, then get in touch with a penetration testing expert or learn more about our technical cyber security capabilities.
If you would like to develop your knowledge and skills in the latest growing cyber security techniques, then find out about our range of expert-led ethical hacking training courses.