The Challenge
A university invited organisations to quote to carry out a penetration test. They had put together an initial scope of work stating their expectations for the exercise.
The university has thousands of student users who require access to their network, as well as hundreds of employees and support functions needing varying levels of access, including multiple remote users. This presents a significant challenge when it comes to managing their cyber security. Their networks need to be accessible for long hours and, because of the nature of their student user-base, unusual activity is hard to pinpoint.
As part of the initial project, Daisy* conducted some research into the university and found data containing vital contact information for 3,000 users, including phone numbers and email addresses that were accessible to anyone online. This was an alarming discovery, considering the implications from an access perspective; however, it is not unusual for large organisations.
The university chose Daisy to carry out their penetration test based on the quotation and Daisy’s long standing security credentials. Having worked with a number of UK universities to help improve their cyber security meant we had a greater understanding of their network complexity and user needs.
The Solution
Penetration tests are carried out by an accredited security tester according to a scope defined by the customer. We helped the university to further refine the scope of their testing project and developed an understanding of their specific network complexities.
We carried out further investigation, using the previously acquired contact details to conduct a brute force attack against multiple external portals. The sheer number of usernames already available gave our tester a high chance of gaining access; our Daisy tester gained access easily to an account where the privileges were then escalated. Full control of the university network was then gained, including access to over 100,000 hashed passwords. The hashes were put through a password cracking process and within the allocated testing time over 60,000 were cracked.
Had this easily exploitable vulnerability been identified by a malicious attacker rather than in the course of a penetration test commissioned by the university, the resulting reputational damages, financial losses and fines imposed by regulatory bodies could have been catastrophic. The remediation activity required to reduce the risk of this happening included:
• A review of information storage, process and access rights
• Putting protective measures in place regarding access to contact information
• Educating users on the use of more complex passwords
• Re-testing to ensure remediation activities have been effective
Daisy continues to work with the university to improve their cyber security posture. By developing a relationship with this customer we help to ensure the most effective use of budget and prioritise areas of improvement.
The Result
• Customer gained insight into their security vulnerabilities, empowering them to take action
• Helps to maintain contractual obligations and standards such as payment card industry data security standard (PCI DSS) and ISO 27001
