Common Enterprise Weakness: Only scan this and that server

Case Study:
https://www.trustwave.com/downloads/Trustwave-Case-Study-Internal-Penetration-Test.pdf


Analysis:
The Trustwave team pointed out that, starting from an insecure network segment, they eventually compromised the highly critical segment that processes payment card information.

Lesson Learnt:
Based on our experience, nowadays small and medium (and sometimes even large) enterprises hire penetration testing services only for their critical servers, while failing to secure the workstations on their other network segments. Password problems (weak or blank passwords, on both operating systems and database or commercial application servers) remain common in some organizations because of lazy system administration, even where a written policy requires strong passwords.
According to the case study, the Trustwave team would probably have found the (presumably hardened) payment card network harder to attack if they had targeted only that portion. We are sure Trustwave would explain to their client, and negotiate with them, that testing only the secured portion might not represent the organization's actual security state.
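As an added illustration (not part of the original post or of Trustwave's work), the check below derives which network segments a test must include because they have a path into the critical segment, rather than scoping by server criticality alone; the segment inventory and allowed paths are a constructed sample standing in for firewall or ACL rules.

```python
from collections import deque

# Constructed sample: segment -> set of segments it is allowed to initiate connections to.
# "dev" -> "cardholder-data" models a hypothetical forgotten jump path, the kind of
# weak segment the case study pivoted through.
SAMPLE_REACHABILITY = {
    "guest-wifi": {"corp-workstations"},
    "corp-workstations": {"internal-apps", "dev"},
    "dev": {"cardholder-data"},
    "internal-apps": set(),
    "dmz-web": {"internal-apps"},
    "cardholder-data": set(),
}


def segments_reaching(reach, target):
    """Return every segment from which `target` is reachable in one or more hops.

    Walks the reversed graph so the result is the set of attacker starting points,
    not the set of destinations reachable from somewhere."""
    reverse = {seg: set() for seg in reach}
    for src, dsts in reach.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen


def scope_gaps(reach, target, proposed_scope):
    """Segments that can reach `target` but are missing from the proposed scope:
    the blind spots of an 'only scan this and that server' engagement."""
    return sorted(segments_reaching(reach, target) - set(proposed_scope))


if __name__ == "__main__":
    # A scope containing only the critical segment itself.
    for seg in scope_gaps(SAMPLE_REACHABILITY, "cardholder-data", {"cardholder-data"}):
        print(f"out-of-scope segment with a path into cardholder-data: {seg}")
```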
