Penetration Testing: Mortgage Company
High Bit Security (HBS) was engaged by a full-service mortgage bank (MB) that offers in-house expertise in many areas of mortgage lending and is licensed to lend across most of the United States, with over 100 locations. This firm stores extensive sensitive client data, including mortgage applications containing detailed personal data, copies of client tax returns, social security numbers, credit data with available balances, banking and investment accounts, and income and employer information.
To evaluate the security of their sensitive customer data, the MB engaged HBS to perform an external penetration test - an IT security test performed from outside of the network (akin to the way a hacker attack would take place). Upon completion of the testing, HBS provided a report detailing the security holes, where they were found, what they mean, and specific detail on how to correct the issues.
Testing resulted in a 55-page pen testing report containing many vulnerabilities:
- Unsupported Operating Systems: High Bit Security identified vulnerabilities on these platforms that could allow a full breach of the server, and the operating system vendor no longer provides security patches for them. Well-known exploits exist for these platforms and are regularly taken advantage of by the hacking community.
- Firewall / Database Server Misconfiguration: High Bit Security identified a misconfiguration that exposed what was supposed to be an internal only database server directly to the Internet. Compounding this issue was the fact that the database server was susceptible to remote code execution and memory corruption vulnerabilities. The combination of these additional vulnerabilities would have made it possible to remotely take full control of the database server.
- SSL Vulnerabilities: Both weak encryption cipher strength and vulnerable communication protocols were identified. Either issue would allow man-in-the-middle attacks to intercept and decrypt traffic that was intended to be encrypted.
- Server Misconfiguration / Patch Management Vulnerabilities: Over one third of the servers had some form of misconfiguration or missing patches. These vulnerabilities included problems with their FTP server, servers that supported insecure communication protocols, and vulnerabilities allowing authentication credentials to be intercepted.
- Remote Access Vulnerability: Misconfiguration of remote access on multiple servers allowed for insecure communication and remote breach of the target systems in scope.
Upon receipt of the testing results, the MB was able to review the findings with their IT staff and make immediate modifications to their externally facing systems to secure their customer data. Once MB staff had completed the corrections, HBS validated that the vulnerabilities had been remediated.