A large technical organization was motivated to ensure that their members’ data and resources were properly secured. One step they took toward achieving that objective was to contract SecureState to perform penetration testing. Their basic motivation was no different from the majority of SecureState clients. However, their real challenge came from a server they didn’t even know they were running that was discovered during the assessment.
SecureState performed an External Attack and Penetration Test to simulate a real-world attack against the external presence of the organization. While performing the external penetration test, SecureState discovered a path to achieve full compromise. SecureState located a server that was using default credentials, and the consultants found a way to use this server to run commands on the machine. One of the consultants then crafted a custom exploit to compromise the server and gain access to the internal network. However, when they went to access the server and leverage the exploit, the server was no longer on the network. The organization had pulled the server without notifying SecureState, which is unusual for a pentest.
SecureState contacted the client to ask why the server had been removed. The answer was surprising: The IT Director said that an internal group had placed it on the network without letting him know. When the internal group noticed that something was wrong, they panicked and took the server offline. So the entire internal domain of the major organization was almost compromised through an attack vector that management was not even aware existed, because they never authorized the system to be put online in the first place.
While this was a surprising result, without the proper controls, this type of scenario could be repeated within your organization, but with a much more detrimental final outcome. You may have vulnerable machines sitting on your network right now that no one knows about. Only by performing discovery scans on your external presence on a regular basis can you verify that no rogue devices exist.
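One way to act on that recommendation, as an added example (not the organization's or SecureState's own tooling): compare each external discovery scan against the hosts change control has actually approved, so an unknown server shows up as a finding the same day it appears. The approved-asset inventory, the owned range and the nmap grepable (-oG) output below are constructed sample data.

```python
"""Compare an external discovery scan against the approved-asset inventory.
Added example, not SecureState tooling; the inventory and scan output below are
constructed sample data in nmap's grepable (-oG) line format."""
import re
from ipaddress import ip_address, ip_network

# Constructed: hosts that went through change control, with the ports approved for exposure.
APPROVED_ASSETS = {
    "203.0.113.10": {"owner": "web team", "ports": {80, 443}},
    "203.0.113.25": {"owner": "mail team", "ports": {25, 587}},
}
OWNED_RANGES = [ip_network("203.0.113.0/24")]  # constructed: the external range in scope

# Constructed sample of `nmap -oG -` output; nmap emits a Status line and a Ports line per host.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.25 ()\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///
Host: 203.0.113.77 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
Host: 203.0.113.30 ()\tStatus: Up
"""
PORT_RE = re.compile(r"(\d+)/open/")

def parse_grepable(text):
    """Return {ip: set(open_ports)}; a host seen only as 'Status: Up' gets an empty set."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        ip = line.split()[1]
        hosts[ip] = hosts.get(ip, set()) | {int(p) for p in PORT_RE.findall(line)}
    return hosts

def find_rogues(scan, approved=APPROVED_ASSETS, ranges=OWNED_RANGES):
    """Flag live hosts with no change-control record, and approved hosts exposing extra ports."""
    findings = []
    for ip, ports in scan.items():
        if ip not in approved:
            where = "in owned range" if any(ip_address(ip) in n for n in ranges) else "outside owned ranges"
            findings.append((ip, f"unapproved host ({where})"))
        elif not ports <= approved[ip]["ports"]:
            findings.append((ip, f"unapproved ports {sorted(ports - approved[ip]['ports'])}"))
    return findings

if __name__ == "__main__":
    for ip, reason in find_rogues(parse_grepable(SCAN_OUTPUT)):
        print(f"{ip}: {reason}")
```

Run against a real scan, the two unapproved hosts are exactly the kind of server the case above describes: live on the external range, known to nobody in management, and never hardened.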
The organization clearly needed to implement a more effective change control process. With the help of SecureState’s Risk Management Team, the organization was able to create a documented, repeatable process to follow before placing any new server online. This ensured that systems were not added without the knowledge and approval of management. All servers were hardened before being placed on the network, eliminating the possibility that default credentials would be used on live systems.