Lessons from Penetration Testing: 7 Real-World Findings

The internet today is swarming with cybercriminals waiting for the right opportunity to gain a foothold in your organization's network. One of the best ways to stay ahead is to find your organization's weak spots before the criminals do.

Finding weaknesses can be done by conducting a penetration test, or pen test, in which ethical hackers attempt to attack your network to find holes that criminals could exploit. 

Knowledge is power, and knowing about the vulnerabilities in your network could be the only defensive barrier between your data and an attacker.

Kevin Mitnick and his team of highly skilled ethical hackers have performed countless penetration tests. While each assessment is unique in its own right, the team has found that many organizations suffer from the same weaknesses. As a result, the team is often able to use the same attack techniques to gain access to networks. Unfortunately, it's not just ethical hackers who are aware of these common vulnerabilities; attackers are too. 

Is your organization falling prey to these common pitfalls? Here are some of the lessons we've learned from performing real-world penetration tests.


1. Weak passwords are an easy target. 

In an organization that doesn't use multi-factor authentication, passwords are typically the only thing standing between an attacker and unauthorized access. Still, users don't want to be bothered with remembering complex passwords. As a result, they choose a simple password that is easy to remember and easy for an attacker to guess. 

Throughout various pen tests, we've found users with passwords built from the organization's name and a combination of numbers, such as the current year. Our team makes quick work of these passwords, which often gives them unrestricted access to the network.

One common technique used during penetration tests (and real attacks) is password spraying. Password spraying takes a single common password, such as 123456 or Password1, and tries it across many accounts before moving on to the next common password. Because each account sees only one or two failed attempts, this method circumvents brute-force protections such as account lockout.
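Because each account only sees one or two failures, a per-account lockout rule never fires; the signal a defender can watch for instead is one source producing failures against many distinct accounts in a short window. The following is an added example of that detection logic, not code from the original post; the log format, field names and IP addresses are constructed for illustration.

```python
"""Detect password spraying in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like format (not real data).
# 203.0.113.7 sprays one password across five accounts; 198.51.100.9 hammers
# a single account, which a normal lockout rule would already catch.
SAMPLE_LOG = """\
2024-03-04T09:00:01 auth-fail user=alice src=203.0.113.7
2024-03-04T09:00:03 auth-fail user=bob src=203.0.113.7
2024-03-04T09:00:05 auth-fail user=carol src=203.0.113.7
2024-03-04T09:00:08 auth-fail user=dave src=203.0.113.7
2024-03-04T09:00:10 auth-fail user=erin src=203.0.113.7
2024-03-04T09:00:12 auth-ok   user=frank src=203.0.113.7
2024-03-04T09:02:00 auth-fail user=alice src=198.51.100.9
2024-03-04T09:02:30 auth-fail user=alice src=198.51.100.9
2024-03-04T09:03:00 auth-fail user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>auth-fail|auth-ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def detect_spray(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct usernames} for every source whose
    failed logins touch at least min_accounts distinct accounts inside a
    sliding time window. Per-account failure counts are deliberately ignored."""
    events = defaultdict(list)  # src -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "auth-fail":
            continue  # skip unparseable lines and successful logins
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    alerts = {}
    for src, fails in events.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            # Advance the window start until all kept failures fit in `window`.
            while ts - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts
```

Tune `window` and `min_accounts` to the size of the user population; legitimate shared NAT addresses will raise the baseline of distinct failing accounts per source.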

LESSON:

Instead of creating a simple password that is easily guessed or a complex password that is hard to remember, we recommend using a passphrase. For instance, instead of the password Bunny51, use HowTheBlueBunnyHops. Now, take that passphrase and add special characters: H0wTh3BlueBunnyH0ps!51. Each time a password or passphrase must be changed, choose a completely new passphrase instead of merely changing a couple of characters.


2. Avoid storing passwords in your browser.

A common technique that our team has found success with, in numerous penetration tests, is obtaining passwords stored in an internet browser, such as Google Chrome. Users tend to store passwords for both personal and corporate accounts within their browsers. 

This feature may be convenient, but it's also a dangerous practice. If an individual, such as a penetration tester or actual attacker, can access that browser, they can export these credentials and, therefore, receive a plethora of data about the user and organization.

LESSON:

Instead of storing passwords in the browser, use a password manager such as LastPass or 1Password. Password managers store all of your credentials in an encrypted vault so that you only have to remember one strong password.


3. Make proper use of multi-factor authentication. 

In certain instances, our team has come close to gaining network access only to be thwarted by multi-factor authentication. Multi-factor authentication (MFA or 2FA) requires two or more pieces of authentication provided before granting access. As a result, cracking a weak password isn't enough to gain access to the network. 

While MFA alone won't prevent an attacker from gaining access to the network, it will make it a bit more challenging. We've seen MFA in use throughout many organizations. Unfortunately, these organizations don't always follow best practices. Many organizations allow the use of a password and security question to gain access. 

Multi-factor authentication includes three types of evidence: something you know (password, security question), something you have (SMS code, token, key fob), and finally something you are (biometrics). A successful MFA policy requires that a user provide two or more types of evidence to gain access. MFA policies that only require a password and security question are making use of one evidence type: something you know. 

LESSON:

Our team, like real attackers, can use social engineering techniques to find the answers to security questions, making them a weak choice. A combination of a password and an authenticator app such as Google Authenticator is a much better solution than a password and security question. To take security to the next level, consider implementing hardware 2FA using devices such as a YubiKey or RSA token.


4. Segment the network. 

A penetration test (or real-world attack) won't end after the initial foothold within the network. The goal of any penetration test is to see how far that access can take the tester. 

For example, if a pentester gains access through an IoT device, can that device be used to move laterally to the file servers? If we can compromise VPN access, does that give us access to the rest of the internal network? Unfortunately, in many cases, the answer is yes.

LESSON:

Proper network segmentation should be put in place to prevent these types of lateral movement attacks. Systems that are not required to communicate with each other should be separated into different network segments and security zones. Network segmentation allows for stronger security rules to be applied to the most critical and sensitive data. Only select individuals should be granted access to the critical and sensitive resources. Implement a jump box to access and manage devices in separate security zones. A jump box is a hardened device that administrators must connect to first before accessing an additional security zone.


5. Ensure all firmware is up to date and security patches are installed.

After a vulnerability is discovered in a piece of hardware or software, the developers release a security patch to fix the issue. Once that patch is installed, attackers should no longer be able to exploit the vulnerability on that system. Unfortunately, many organizations fail to install security patches or update firmware promptly.

LESSON:

Unpatched programs leave organizations wide open for attack. If the developers already know about the vulnerability, you can be sure that the attackers do as well. Implement a proper patch management policy to ensure that your organization isn’t falling behind. 


6. Educate users on the threats of social engineering and phishing. 

Phishing and social engineering are just as prevalent today as they've ever been. A popular technique used by attackers is to send a phishing email that attempts to instill a sense of urgency in the recipient. This sense of urgency can cause an untrained user to make a rash judgement call.

One of the most significant threats to an organization's security remains untrained users. Individuals who haven't gone through formal security awareness training are far more likely to click on a malicious link or fall for a fraudulent email. It's important to note that security awareness training shouldn't be a one-time occurrence. The goal is to keep security awareness front and center in employees' minds.

LESSON:

Organizations should implement a robust and ongoing security awareness program for users. Instead of performing security awareness training once or even once a year, perform security awareness training quarterly. 

KnowBe4 offers insight into the pitfalls to avoid when developing a security awareness program, such as:

  • Avoid singling out users who click on a phishing link and making a public example of them.
  • Avoid sending every user the same phishing template; randomize the templates per user.
  • Avoid starting out with 5-star phishing templates that are too difficult to identify.


7. Perform annual penetration tests. 

Cyber threats are continually evolving, and your organization needs to evolve with them. Performing a penetration test isn't a one-and-done scenario. We've found that organizations that perform regular testing have a better security posture overall than those that do not.

LESSON: 

Penetration tests should be performed on an annual basis. Each new penetration test provides a way to ensure that the previous vulnerabilities were mitigated and identify new threats to the organization. 


Real-World Application with Mitnick Security

Do you suspect any of these vulnerabilities and common pitfalls may apply to your organization? 

Vulnerability management starts with knowing your weaknesses. That’s what Kevin Mitnick and The Global Ghost Team are here for.


Learn more about what makes our penetration tests different at Mitnick Security.
