Cookie missing HttpOnly: The XSRF-TOKEN cookie, if this site is indeed intending to use it as some form of CSRF prevention, should be set to HttpOnly so that it cannot be read or modified by client-side JavaScript.
4.3 Actions taken
To determine and practically demonstrate the feasibility of gaining physical access to the facility's Non-Public and High-Security zones, or of gaining unauthorized, authenticated access to CLIENT's workstations, the ISA conducted the following activities:
From Zone: External communications
Via: N/A
To Zone: Internal network
Nexus Point: Frontline staff members
Method: Telephone-based pretexting
PEN TEST REPORT: EXAMPLE INSTITUTE
JANUARY 28, 2019
sales@purplesec.us
Current Zone Activities: PurpleSec's Social Engineer performed phone-based social engineering with the goal of obtaining credentials and having staff perform tasks on their workstations. This is intended to simulate a malicious actor attempting to gain credentials and a foothold in the environment via a phone call.
10 phone contacts were made, resulting in 3 full breaches, with multiple (6) passwords given to the Social Engineer. One contact stated that most of the systems use the same password for everyone.
Nexus Point Activities: PurpleSec's Social Engineer called the numbers over a three-day period and spoke with CLIENT staff members. Each time a live staff member was reached, the Social Engineer claimed to be a technical support worker authorized to contact CLIENT's personnel to provide critical support. If challenged, the Social Engineer would then drop Information Security staff member names in a statement that they were working on their behalf. The Social Engineer's program included the following activities:
• Requesting that the user provide his/her domain username.
• Feigning an attempt to perform a technical operation on the user's behalf, and then requesting that the user provide his/her domain password when the operation 'failed.'
Three of the personnel engaged by the Social Engineer provided domain usernames or passwords. The passwords revealed were eight characters long and used only alphanumeric characters. Cloud-based servers may be able to break these passwords within a matter of weeks or days, depending on the resources allocated to password cracking efforts. PurpleSec recommends increased complexity and length.
Risk Rating: MEDIUM
Bottom Line: It was found to be feasible to induce Example's users to provide logon information through deceptive telephone communications.
Recommendations:
• Conduct Social Engineering Training to help staff properly validate the identity of phone callers and not provide confidential credential information.
• Ensure procedures require employees to report unusual or suspicious phone calls to appropriate staff.
• Change password requirements to at least 10 complex characters, including alphanumeric and special characters.
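The following is an added illustration, not part of the PurpleSec report, of the reasoning behind the password finding and the last recommendation: it estimates the brute-force search space of a password from its length and character classes and checks it against the recommended policy (at least 10 characters with letters, digits and specials). The guess rate and the sample passwords are constructed assumptions, not values from the engagement.

```python
import math
import string

# Character classes used to estimate the search space an attacker must cover.
_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(len(chars) for chars in _CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space implied by length and classes used."""
    return len(password) * math.log2(charset_size(password))


def meets_policy(password: str) -> bool:
    """Recommended policy: >= 10 characters, with letters, digits and specials."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return len(password) >= 10 and has_alpha and has_digit and has_special


def brute_force_days(password: str, guesses_per_second: float) -> float:
    """Worst-case days to exhaust the search space at an assumed guess rate."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed sample values; an assumed 1e9 guesses/s for a fast, unsalted hash.
    rate = 1e9
    for pw in ("Summer19", "Tr!ple-Mud7"):
        print(f"{pw!r}: {len(pw)} chars, {keyspace_bits(pw):.1f} bits, "
              f"~{brute_force_days(pw, rate):,.1f} days to exhaust, "
              f"policy ok: {meets_policy(pw)}")
```

An eight-character alphanumeric password falls in the "days" range at that rate, while the policy-compliant one moves the exhaustive search to tens of millions of days.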