A Lesson from Real Life Security Consulting
We recently completed an information security audit for one of our professional services clients that centred around penetration testing – the simulation of a series of attacks intended to reveal weaknesses in the client’s network so they can be remedied before a real-life attacker exploits them.
The study took three weeks to execute in full and involved a range of techniques and technology.
Here’s just one weakness that we found. It underlines how important it is to have an external company assess your organisation from time-to-time… because you just can’t see your own weaknesses very well.
Weakness: Single factor authentication over printing and scanning
Single factor authentication is where only a username and password are required to access a system. Single-factor is frequently able to be compromised by a brute force password attack – that’s where a huge number of password variations are tried by software until one is successful.
Multi-factor authentication includes things like soft tokens (SMS messages sent to a user’s registered phone number) or hard tokens (keyring attachments with ever-changing number sets on them) or a challenge issued in response to your logon that further confirms your identity.
In our client’s case, the single-factor authentication applied to a customised software application that handled the company’s documents, meaning that it may have been relatively easy to obtain access to all the documents scanned by the company, some of which would inevitably have included sensitive personal or corporate information.
Once we identified the issue we demonstrated how it could be exploited and made a recommendation to mitigate the risk. The client opted for multi-factor authentication and we are in the midst of the deployment project.
All up, we found weaknesses in 16 different areas of their business. If we ran a penetration testing exercise on your company, how many might we find?
Wouldn’t you rather find them before an attacker does? Contact Us.