Penetration Testing: Staffing Firm
High Bit Security (HBS) was engaged by a national staffing firm (SF) with offices across the United States, providing employment placement services across all business sectors. The firm stores extensive sensitive employee data, including personally identifiable information (PII), Social Security numbers, background check results, and employment history.
To evaluate the security of that data, the SF engaged HBS to perform an external penetration test: an IT security test performed from outside the network, in the way a real attacker would approach it. HBS also performed an internal penetration test, an assessment run from inside the network to emulate what an attacker could do once a foothold in the environment has been gained. Upon completion of the testing, HBS provided a 125-page report detailing each security weakness, where it was found, what it means, and the specific steps needed to correct it.
External Penetration Testing Results
- Website Account Registration Enumeration: The registration page responded differently depending on whether an account already existed, letting an attacker build a list of valid usernames and making credential guessing considerably easier.
- Website Misconfiguration: Remote debugging of the web application was enabled, revealing internal details (stack traces, configuration, and request data) to anyone who reached the debug interface.
- Website Password Storage: The site allowed browsers to store authentication credentials, so a login saved on any client machine could be abused by whoever later obtained access to that machine.
- Website Misconfiguration: Passwords were submitted in clear text, allowing account credentials to be intercepted on the network.
- Webserver Misconfiguration: Authentication and session tokens were stored and transmitted insecurely (for example, cookies without the Secure and HttpOnly flags), exposing them to theft.
- Credit Card Data Disclosure: PCI DSS requires full card numbers to be masked when displayed, yet this interface showed complete card numbers.
- Website Information Disclosure: Headers sent by the web application (including the Referer header) leaked extensive internal information to third-party sites when visitors followed outbound links.
- Website Vulnerability: The site was susceptible to cross-site scripting (XSS), which could be leveraged to run malicious scripts in users' browsers to steal sensitive data or rewrite the content of the pages being served.
- Website Poor Coding Practice: Scripts were loaded from third-party websites, so a compromise of any of those sites would place attacker-controlled code on the SF's pages.
- Webserver Misconfiguration: Directory listing was enabled, revealing the structure and files of the web application and giving an attacker a map of what to target.
- Web Application Authentication Vulnerability: Accounts were not locked out after a limited number of invalid login attempts, allowing passwords to be brute forced.
- Web Application Authentication Vulnerability: Weak password complexity was accepted, increasing the likelihood that account credentials would be guessed or cracked.
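Two of the findings above (registration enumeration and missing lockout) share a root cause: the application answers differently for valid and invalid accounts and never limits guesses. The following is an added example (not code from the page or from HBS) showing a vulnerable login handler beside a hardened one that returns a single generic message, compares hashes in constant time, spends the same hashing effort on unknown usernames, and locks an account after MAX_ATTEMPTS failures. The user table, the threshold of 5 attempts, and the registration message are constructed for illustration.

```python
"""Added example: avoiding account enumeration and brute force at login.

Not code from the page or from HBS. Sample users, the MAX_ATTEMPTS
threshold and the registration wording are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 5          # assumed lockout threshold
PBKDF2_ROUNDS = 100_000   # keep hashing cost identical on every code path


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class User:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


# Constructed sample data: one registered account.
USERS = {"alice": User(*hash_password("correct horse battery staple"))}

# Dummy credential so an unknown username costs the same time as a real one
# (otherwise response timing still reveals which usernames exist).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))

GENERIC = "Invalid username or password"


def vulnerable_login(username: str, password: str) -> Tuple[bool, str]:
    """The pattern behind the findings: distinct messages, no lockout."""
    user = USERS.get(username)
    if user is None:
        return False, "No such account"          # reveals the username is invalid
    _, digest = hash_password(password, user.salt)
    if digest != user.digest:                    # unlimited guesses allowed
        return False, "Incorrect password"       # reveals the username is valid
    return True, "Welcome"


def hardened_login(username: str, password: str) -> Tuple[bool, str]:
    """One message for every failure, constant-time compare, lockout."""
    user = USERS.get(username)
    salt, expected = (user.salt, user.digest) if user else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, digest = hash_password(password, salt)    # always hash, even for unknown users
    ok = hmac.compare_digest(digest, expected)
    if user is None or user.locked:
        return False, GENERIC                    # lock state is not disclosed either
    if not ok:
        user.failures += 1
        if user.failures >= MAX_ATTEMPTS:
            user.locked = True                   # further attempts fail even if correct
        return False, GENERIC
    user.failures = 0
    return True, "Welcome"


def hardened_register(username: str) -> Tuple[str, str]:
    """Registration that does not reveal whether the username exists.

    Returns (message shown to the visitor, action taken out of band). The
    visible message is identical in both cases; only the e-mail differs.
    """
    if username in USERS:
        action = "e-mail: you already have an account, use password reset"
    else:
        action = "e-mail: verification link to complete registration"
    return "If this address is eligible, a confirmation e-mail has been sent", action
```

In the hardened handler the web page never learns which half of the credential was wrong, whether the account is locked, or whether a registration collided with an existing user; that information is delivered only to the mailbox that owns the address. Lockout is applied per account, so the check should be combined with per-source rate limiting to stop an attacker from locking users out deliberately.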
Internal Penetration Testing Results
- Default or Guessable Passwords: An internal SQL server used guessable passwords that were cracked very quickly. Beyond full access to the database, the account could read and write files on the host's file system.
- Open Administrative Interfaces: Administrative interfaces on several peripheral devices were reachable without authentication, allowing control over the devices and exposing significant sensitive data.
- Anonymous Enumeration of LDAP: The directory permitted anonymous binds, allowing unauthenticated retrieval of sensitive information about internal domain accounts.
- Host Misconfiguration: Hosts accepted unauthenticated connections (such as null sessions) that exposed extremely sensitive information about the target systems.
- Host Misconfiguration: Servers exposed ports and protocols that were not needed for their role, disclosing details about the environment that would facilitate further attacks.
Upon receipt of the testing results, the SF reviewed the findings with its IT staff and closed the vulnerabilities on its external web applications, servers, and internal systems. Once SF staff completed the corrections, HBS retested and validated that the vulnerabilities had been remediated.