World Surf League Strengthens Cyber Security Efforts With Penetration Test

Mitnick Security Consulting successfully infiltrated World Surf League to uncover vulnerabilities and recommend improvements.

This is what happens when an IT Manager realizes that employee security awareness training and outsourced IT solutions need enhancement to better protect the organization from potential cyber threats.


Attack Overview: Swimming with the Great Whitehats

When professional surfers get off the board, they surf the web for content about their favorite sport. World Surf League (WSL) is a catch-all for surf-related news, live events, athletic rankings, and more— a digital ocean for lovers of the waves.

When WSL welcomed IT Manager, Jesse Duell, he knew the company wasn’t doing enough to protect itself from cyber threats. After interviewing several cybersecurity companies and hearing of Mitnick Security’s unique Red Teaming methodology, WSL chose Kevin and his Global Ghost Team to deep dive into their infrastructure and find gaps in their security. 

The Mitnick Security team successfully infiltrated World Surf League by targeting internet-facing infrastructure and employees via a specially crafted spear-phishing email campaign, gaining complete access across several domain controllers and domains. A small sample of WSL’s proprietary data was stolen to simulate a real adversary and prove the success of the pentest.

In the end, World Surf League left with actionable recommendations for bettering their security posture and mitigating their current risk threshold— far beyond what their IT team ever expected.

“10/10 would hire them again! The process was literally the most fun I've had at any job, period. They are very hands on and very professional.”

Jesse Duell, IT Manager World Surf League


The Cyber Security Problem: Too Many Defaults


"We're Not that Kind of Company"

When Jesse Duell joined World Surf League as their IT Manager, he quickly realized that their employee security awareness training and outsourced IT solutions could be enhanced to better protect the organization from potential cyber threats.

"I knew I needed a pentest when I adopted the environment and was shocked to find many default settings and passwords still in use. While some may not think we have high risk exposure as a company, I knew we could do better to improve our security, both internally and through our partners," Duell shared.

It was only after WSL had an employee fall for an extremely costly phishing scheme that the C-suite agreed to conduct Duell’s recommended assessment. 

Unfortunately, World Surf League is not alone in underestimating the risk of a breach until faced with one head-on. In this case, an unsuspecting employee routing actual funds to a dubious social engineer was enough of a financial wipeout to shock the leadership team into properly assessing their security measures.

“We ended up choosing Mitnick Security because I knew that we were getting a company that had a fundamental understanding of security and Red Teaming. Once you have a conversation with Mr. Mitnick and his team members, you instantly know that they have a very deep understanding of cyber security and that they are enthusiastic about it.”

Jesse Duell, IT Manager World Surf League


The Attack: Looming Beneath the Surface

Our team began the pentest as usual— conducting diligent preliminary research and gleaning open-source information about World Surf League and its employees from the internet, just as a real hacker would. 

After discovering the Single Sign-On (SSO) solution staff used and details about WSL team members, the Red Team launched sophisticated, highly targeted phishing attacks on dozens of users, masquerading as a trusted source and baiting employees to enter their credentials on a look-alike SSO domain.

True to our team’s esteemed track record, we found multiple security gaps beyond the phish. For instance, we exploited a firewall weakness to access a connecting VPN and snuck through backdoors.

Once inside their cyber infrastructure, our Global Ghost Team capitalized on insufficient password management to brute-force our way into high-permission WSL account holders’ logins. After that, a wealth of private data was at our fingertips.


The Takeaway: Strategic Cyber Security Recommendations

Our Red Team compiled our findings into an extensive penetration testing report, organized into short-term, medium-term, and long-term goals by risk and priority.

Some tangible mitigation advice included*:

  • Enable multi-factor authentication for VPN, email hosting providers, and other workspaces
  • Implement a password lockout policy for all Active Directory accounts to avoid brute-force attacks
  • Establish a clear patch management process for all systems and devices
  • Implement a monitoring product to detect unauthorized changes to the Active Directory
  • Reinforce existing security awareness training methods 
  • Etc.

*While our report contained many more specific remediations, we excluded exact details for our client’s security protection.

“I found the report to be very detailed, as it outlined the exact steps that were taken when the Mitnick Team tested our environment. The report gave me valuable insight into our vulnerabilities that I never would have seen had I not hired them.”

Jesse Duell, IT Manager World Surf League

More Lessons: Safeguarding Your Business

Here are a few high-level takeaways from our pentesting report, many of which could apply to businesses just like yours:

  • Do not assume that addressing something in security awareness training once keeps you safe. Users need frequent education and reminders.
  • No company is “unhackable”; every business needs to prioritize cyber security and have routine penetration tests to assess their protection.
  • Look for a penetration testing company that offers ongoing support for addressing cybersecurity concerns post-test.

Want to keep exploring? Find more real-world lessons from notorious cybersecurity compromises here.

Mitigate your risk threshold by requesting a consultation with our nationally-revered Red Team at Mitnick Security, today. We’ll start with a series of discovery and scoping calls to determine your own needs and organizational challenges to help you become as successful as the team at World Surf League. 
