Cybersecurity Insights: Ethical Hackers as Proofreaders?

Apr 13, 2022 | Cybersecurity & Risk Management, Technology

The technology and approach behind a cyberattack evolve daily, making you and your organization extremely vulnerable. But one thing is certain – weak security has a cost.

Cyberattacks will manipulate and disable the critical infrastructure we depend on to live, escalating threats beyond simply disrupting our lives, but with the intention of causing financial, reputational, and even mortal harm.

The Mariner penetration test uses threat intelligence to deliver real-life attack simulations to confirm you have appropriate countermeasures and responses to detect and prevent cyberattacks. We will also help you proactively manage the ‘right’ risks to improve your security posture.


A new perspective will uncover overlooked cybersecurity vulnerabilities


Think of our ethical hackers as the team proofreading your organization’s defense mechanisms. Yes, a fresh pair of eyes will generally uncover new vulnerabilities, but imagine you’re backed by a group so passionate about their craft they list hackathons as a hobby?!


In environments previously penetration tested Mariner cybersecurity consultants identified additional vulnerabilities for clients 100% of the time.


Significant vulnerabilities can be uncovered even when security assessments have been routinely performed. In working with one new client, our team quickly identified several critical vulnerabilities, including one giving our consultants Active Directory domain privileges. This resulted in our ethical hackers having complete control over the clients’ entire network. In this same engagement, our team also uncovered issues resulting in the disclosure of Private and Identifiable Information (PII), which had been overlooked by previous assessments, making their systems highly vulnerable to data breaches.


Another client asked us to perform a Vulnerability Assessment and Penetration Test (VAPT) of their web application. Said application had already been tested by another firm, receiving a clean bill of health (i.e., not one vulnerability had been identified). However, among other issues, our team identified weaknesses in the password resetting mechanism (used when someone forgets their passwords). These weaknesses, when combined, allowed our consultants to perform account takeovers of arbitrary users.




Human behaviour has the biggest impact on your cybersecurity posture


Our penetration testers use a methodology rooted in the manual application of the latest tools and technology – we don’t rely on automated simulations. The Mariner team goes beyond the basic scan, targeting and exploiting vulnerabilities with the same attack techniques utilized by malicious actors to breach an organization’s systems.


We understand how human behaviour can put your organization at risk and take advantage of that knowledge to dig deeper.


Experienced IT professionals have likely heard the tale of text files featuring passwords found in publicly accessible network shares. This notion has been repeated so many times, even in Capture the Flag (CTF) challenges, to a point some believe it’s an urban legend!


However, our pen testers have encountered variations of the scenario – database credentials in the source code of websites, and the credentials of an IT specialist in a batch script (short computer program created to automate tasks). In both cases, the credentials, written in plain text (i.e., not encrypted and easily readable) were found in shared folders and visible within the entire company, within reach of whoever was looking for it.


In a slightly different situation, we found domain administrative credentials encrypted in the configuration file for proprietary utility software. While the decryption key was available, there was no indication of what method, or algorithm, had been used to encrypt the credentials, so it seemed safe at a first glance. It did not stop our team, who used reverse engineering techniques to analyze the software and uncover the credentials.


While seemingly convenient, leaving credentials (encrypted or not) accessible by anyone adds great risk to the business. Any threat actor, be it a disgruntled employee or an external attacker who already compromised an arbitrary user (via phishing, for instance), would leverage such information to further jeopardize the business.


The good news? Mariner can protect you before the damage happens with Vulnerability Assessment Penetration Testing (VAPT) specific to your critical infrastructure environment.


If you’d like to take the first step towards implementing strong cybersecurity practices, download a copy of Mariner’s sample VAPT report or contact our team for more information on how we can protect you.



Share This