Introduction
We were approached by a UK-based oil and gas company to conduct their annual penetration test. In between pentests, they had been using active and passive automated vulnerability scanners to stay on top of their cybersecurity, but these scanners had found very little to report.
As with all oil and gas organisations, cybersecurity is of the utmost importance, and there can be no room for error. Automated scanners are a great means of achieving some level of continuous vulnerability scanning, but as the client was about to find out, they can miss some very dangerous vulnerabilities.
Problem
Whilst checking the client’s network for vulnerabilities, we noticed several different remote management tools installed, all with access to the same environment. At face value, this isn’t necessarily a vulnerability, which is why the automated scanners never flagged it as an issue.
Remote access tools have become increasingly common post-COVID, thanks to the rise of remote working. So, finding remote access tools like this is completely normal.
What isn’t normal is using several different remote access tools at the same time. A company will usually have one remote access tool that it uses company-wide, and occasionally you see two. But finding several, all with access to the same environment, is a serious anomaly.
So, what was going on?
The client faced a “shadow IT” issue. Shadow IT refers to IT systems, devices, software, applications, and/or services used inside an organisation without explicit organisational approval.
Essentially, over the years, employees, in this case IT managers, had been adding unauthorised remote access tools to the network to make remote working easier for themselves. Then, when an IT manager was replaced, the new IT manager would come in and install their own favourite remote access software, again without authorisation, for the same purpose.
Perhaps the biggest issue with this is that, since the client had no knowledge of these unauthorised remote access tools, they wouldn’t have known to remove the IT managers’ access after they’d left. This meant that at the time of our penetration test, several ex-employees still had access to highly sensitive, confidential data.
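The anomaly described above (one remote access tool is normal, several distinct tools with access to the same environment is not, and anything outside the approved list is shadow IT) can be checked mechanically against a software inventory. The following is an added example written for this page, not the pentest firm's tooling or the client's procedure: the inventory rows, host names, environment labels and the product-name patterns are all constructed for illustration, and the approved-tool set is an assumption the caller supplies.

```python
"""Flag remote access tool sprawl and unapproved tools in a software inventory.

Added example (not the pentest firm's code). Heuristic from the case study:
a remote access tool being present is normal; several distinct tools with
access to the same environment is an anomaly; any tool not on the approved
list is shadow IT and needs its access reviewed.
"""
import re
from collections import defaultdict

# Product-name patterns that identify common remote access / remote management
# tools. Illustrative only, not an exhaustive list.
REMOTE_ACCESS_PATTERNS = {
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "ConnectWise Control": re.compile(r"screenconnect|connectwise control", re.I),
    "LogMeIn": re.compile(r"logmein", re.I),
    "VNC": re.compile(r"\bvnc\b|realvnc|tightvnc|ultravnc", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
}

# Constructed inventory rows: (hostname, environment, installed product name).
# In practice these would come from an asset inventory or endpoint agent export.
SAMPLE_INVENTORY = [
    ("ws-01", "corp", "Microsoft Office"),
    ("ws-01", "corp", "TeamViewer 15"),
    ("srv-scada-gw", "ot", "AnyDesk"),
    ("srv-scada-gw", "ot", "TightVNC 2.8"),
    ("srv-file-01", "corp", "ConnectWise Control Client"),
    ("srv-file-01", "corp", "7-Zip"),
    ("ws-02", "corp", "Google Chrome"),
]


def classify(product_name):
    """Return the canonical remote access tool name, or None if it is not one."""
    for tool, pattern in REMOTE_ACCESS_PATTERNS.items():
        if pattern.search(product_name):
            return tool
    return None


def audit(inventory, approved_tools):
    """Return findings keyed by environment.

    Each entry lists the distinct remote access tools seen (with the hosts
    running each), the tools not on the approved list, and whether more than
    one distinct tool has a foothold in that environment.
    """
    tools_by_env = defaultdict(lambda: defaultdict(set))
    for host, env, product in inventory:
        tool = classify(product)
        if tool:
            tools_by_env[env][tool].add(host)

    findings = {}
    for env, tools in tools_by_env.items():
        findings[env] = {
            "tools": {t: sorted(hosts) for t, hosts in tools.items()},
            "unapproved": sorted(t for t in tools if t not in approved_tools),
            "multiple_tools": len(tools) > 1,
        }
    return findings


if __name__ == "__main__":
    # Assumed approved set: the organisation sanctions a single tool.
    report = audit(SAMPLE_INVENTORY, approved_tools={"TeamViewer"})
    for env, finding in sorted(report.items()):
        print(f"[{env}] distinct remote access tools: {len(finding['tools'])}")
        for tool, hosts in finding["tools"].items():
            print(f"    {tool}: {', '.join(hosts)}")
        if finding["unapproved"]:
            print(f"    UNAPPROVED (review who holds access): {finding['unapproved']}")
        if finding["multiple_tools"]:
            print("    ANOMALY: more than one remote access tool in this environment")
```

Every unapproved hit is a prompt to find out who installed it and which accounts it still admits, which is the step that catches the departed-employee access described in the case. Running this against a regularly refreshed inventory gives the context-aware check the scanners lacked.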
The Solution
Thankfully, the solution here was extremely straightforward. As soon as we flagged the issue to the client, their IT department swiftly removed all the unauthorised remote access tools and put procedures in place to ensure this doesn’t happen again.
With this issue solved, we were able to crack on with the rest of our penetration test, and the client’s cybersecurity was significantly stronger for it.
Key Takeaways
Several key issues are at play here. First, manual pentests need to run on top of automated vulnerability scans. Second, shadow IT is a real threat to an organisation’s cybersecurity. Finally, critical issues must be remediated swiftly.
Automated vulnerability scans are a fantastic means of receiving regular cybersecurity updates. In fact, manual pentests almost always involve the use of automated scanners to save time and money. The issue is that automated scanners lack an understanding of context, and this is why manual pentests are so important.
The automated scanners were right to not flag this as an issue because it’s normal for remote access tools to be present, but by understanding the context of the situation, our expert pentesters were able to identify this highly critical vulnerability.
Shadow IT is difficult to prevent without regular audits and pentests. Given how dangerous it can be to a company’s cybersecurity, procedures must be in place to prevent its use.
Finally, when vulnerabilities like this are found, it is crucial that they are fixed as soon as possible. It only takes one of those former employees to become disgruntled, and you’ve suddenly got a major cybersecurity breach on your hands. By taking action immediately, the client ensured that the threat was neutralised.