The names have been changed to protect the business and reputations of all those concerned, however the events are correct. This article attempts to peel away some of the mystery behind what penetration testing is and how it works.
Tim has a thriving business, a finance company called Imojo Finance, based in the North of England. It has a loan book of around £150M and employs 50 people. They’ve seen profits increase over the last ten years and have always outsourced their IT support to a well-established and reputable IT support company. LargeITCo Limited
Imojo’s whole business infrastructure was typical of the time, having been built in-house and onsite. However, IT was not their primary concern; they just wanted the technology to work.
Their IT company suggested they move to the cloud. LargeITCo had a cloud platform that could house them, and they did all the hard IT work already. And Tim knew that many other businesses in their sector were doing the same. Imojo Finance paid for firewalls, antivirus and backup, and LargeITCo.’s website said they were cyber security specialists too. Hey, they were doing £30M a year, so Tim figured they must know what they’re doing – right?
Imojo’s continued success meant that Tim was able to access an additional £20M of capital to lend. However, his new funder wanted to check that Imojo’s Cyber security was as good as Tim had promised, and insisted they undertake a penetration test.
For the purposes of this article, we will define penetration testing as: "A method for gaining assurance in the security of an IT system by attempting to breach some, or all, of that system's security, using the same tools and techniques as an adversary might." *
Essentially, an ethical hacker will try to break through an organisation’s IT security, which in Imojo’s case, took the same amount of time that it’s taken to read this.
Tim and his staff connect to ‘the cloud’ by clicking a link on their laptops. Once clicked, this link took them to something called a ‘reverse proxy’ (which is a device that sits in front of the servers holding Tim’s data) – then they entered their user details and passwords.
If a reverse proxy is setup properly then it helps to protect Tim’s data.
It wasn’t, and it didn’t.
It was vulnerable to something called the Heartbleed bug - a vulnerability which should have been remedied at least three years previously with a simple software update. This breach meant the ethical hacker was able to access 10 year’s worth of Imojo Finances data through simple password extraction within only a few minutes.
He didn’t extract them all, because an unusual pattern started to emerge.
Amongst the Batman/Angela44/Manchesterutd99/ passwords were a liberal sprinkling of Password1’s (including Tim Babcock) and too many others, even for a company with normal weak password management. Something else was at play.
A call into the company confirmed that after three failed consecutive login attempts, the “advanced security feature” of LargeITCo’s cloud platform, prevented further access tries. Once blocked an account could only be unlocked by a call in to LargeITCo’s helpdesk, and they would reset the password to – you guessed it - Password1.
Of course, the user was advised to change the password on the next login (in the interests of security, you understand?); however, this clearly wasn’t happening. Further investigation revealed a policy forcing a general user password change every 45 days.
These frequent password changes, imposed on Tim’s bewildered staff, meant many chose to simply leave theirs as Password1 until the next time they got locked out. A supposed security feature was actually making the company less secure.
Through the course of the next week, dozens of issues came out of the woodwork including an attacker having fully compromised Tim’s account, on a publicly accessible login portal with tim.babcock/Password1 - What did he expect?
It took over a month for LargeITCo to remediate the vulnerabilities, but thankfully only a day or so to fix the reverse proxy doling out passwords willy-nilly. In the event, Tim felt so let down that he changed his IT provider anyway.
Tim eventually got his £20M to lend, but he had to wait until he got a clean bill of health. In truth, he was very, very lucky to get away with it; this happened pre GDPR, and repeated testing and monitoring has shown up no reoccurrence of infiltration. Time may tell if the attackers got away with any of his valuable data…
The caution? – don’t give your general IT support company the last word on your cyber security, and don’t expect to be as lucky as Tim.
Invest in independent penetration testing, align your IT Systems with an IT Security framework like ISO27001 or Cyber Essentials, and always invest in awareness training for your staff.
*NCSC.gov.uk/guidance/penetration testing
https://allowlist.io/product/cognisys-group-penetration-testing/
Author: Steve Spence from Cognisys Group