Sample Penetration Test Report PurpleSec
Yüklə 1,24 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Telephone-based pretexting PEN TEST REPORT: EXAMPLE INSTITUTE JANUARY 28, 2019
|
Cookie missing HttpOnly
The XSRF-TOKEN Cookie, if this site is indeed intending to use it as some form of CSRF Prevention, should be set to HttpOnly that way it cannot be read or modified by client-side JavaScript 4.3 Actions taken To determine and practically demonstrate the feasibility of gaining physical access to facilities Non-Public and High-Security zones or gaining of unauthorized, authenticated access to CLIENT’s workstations, the ISA conducted the following activities: From Zone: External communications Via: N/A To Zone: Internal network Nexus Point: Frontline staff members Method: Telephone-based pretexting PEN TEST REPORT: EXAMPLE INSTITUTE JANUARY 28, 2019 22 sales@purplesec.us CLI Current Zone Activities: PurpleSec’s Social Engineer performed phone -based social engineering with the goal of getting credentials and have staff perform tasks on their workstation. This is intended to simulate a malicious actor attempting to gain credentials and a foothold in the environment by a phone call. 10 phone contacts were made with 3 Full Breach’s with multiple (6) passwords given to the Social Engineer. One contact stated most of the systems use the same password for everyone. Nexus Point Activities: PurpleSec‘s Social Engineer called the numbers over a three -day period and spoke with CLIENT staff members. Each time a live staff member was reached, the Social Engineer claimed to be a technical support worker authorized to contact CLIENT’s personnel to provide critical support. If challenged, the Social Engineer would then drop Information Security Staff member names in a statement that they are working on their behalf. The Social Engineer’s program included the following activities: • Requesting that the user provide his/her domain username. • Feigning an attempt to perform a technical operation on the user’s behalf, and then requested that the user provide his/her domain password when the operation ‘failed.’ Three of the personnel engaged by the Social Engineer provided domain usernames or passwords. The passwords revealed were eight characters long with only alphanumeric characters. Cloud-based servers may be able to break these passwords within a manner of weeks or days depending on the resources allocated to password cracking efforts. PurpleSec recommends increased complexity and length. Risk Rating: MEDIUM Bottom Line: It was found to be feasible to induce Example ’s users to provide logon information through deceptive telephone communications. Recommendations: • Conduct Social Engineering Training to help staff properly validate the identity of the phone callers and do not provide confidential credential information. • Ensure procedures have employees report unusual or suspicious phone calls to appropriate staff. • Change password requirements to at least 10 complex characters, including alpha-numeric and special characters. |