How penetration testing helped a major organization avoid a potentially serious security breach
Snapshot
A major charitable foundation came to Kalles Group with a request: they wanted us to test their new “modern device” laptops to make sure their security features were as foolproof as possible. We provided them with the services of one of our consultants, who acted as a penetration tester – they went into these laptops and attempted a number of different kinds of attacks on the devices, including attacks on their communication ports and the software used to boot them up, as well as social engineering attacks, meaning the use of deception and manipulation to get people to hand over sensitive data.
Our consultant’s work did indeed pinpoint some critical vulnerabilities. We provided our client with a report that gave them the information they needed to fix these issues before distributing the laptops to staff.
Challenge
This organizations laptops had already been imaged, or formatted, appropriately with the right systems and data for staff. But the organization needed to be sure that these machines would still be secure if they were lost or stolen and ended up in the hands of a malicious actor. Could someone with physical access to the machine get into the operating system, or otherwise extract meaningful data from the laptop?
Simply put, our job was to put these devices through the wringer and make sure that even sophisticated attackers couldn’t compromise the organization’s security.
Approach
Our penetration tester was given two devices in two different states: One of them was powered on, with the user signed in, but with the device closed and locked. The other was powered off completely.
The tester went to work to see if they could compromise the laptops’ security and gain access to the operating system or sensitive data. They attempted attacks on the devices’ communication ports, on the BIOS (that is, the basic software used when a computer is booting up), and even attempted to access the laptop by booting a different operating system on top of the installed one – in this case, the open-source Linux OS that’s favored by hackers. The tester evaluated whether a hacker could use OSINT (open-source intelligence, i.e. freely available information) to help with their attack, and whether social engineering methods (deception or manipulation) could be used as well.
Results
Our penetration tester found two possible scenarios in which a skilled attacker could compromise the device and gain access to the organization. Both these scenarios relied on the laptops being in their out-of-box state, that is, it’s loaded up with the necessary software but no user has signed in yet. In this instance, the most likely ways for a malicious actor to gain access would be by intercepting the device during shipping (for example, by stealing it from a porch), by convincing the helpdesk to perform a remote wipe of the device, or by using a USB device to reset the laptop, assuming they have prolonged physical access to the device.
With the devices in this out-of-box state, our tester was able to use the operating system’s audit mode to gain administrator-level access to the device. They were also able to embed some backdoor features on the device, such as additional users with various levels of access to the operating system, and were able to plant simulated malware samples that remained on the device after a legitimate user logged on and completed the setup process. The tester was then able to use these backdoors to get into the organization’s remote access environment from a device outside of the organization – a serious threat to the organization’s security.
Kalles Group delivered a report to the organization that provided it with the information needed to address these issues. Thanks to this, they were able to correct this problem before distributing these laptops, potentially saving the organization from a serious security breach.