Logistics organizations have A LOT to deal with in terms of cybersecurity and legacy systems. From shipping software to onboard maritime navigation, they have various types of systems they need to secure properly. Fortunately for this multi-national logistics firm, FalconOps was able to identify gaps in their security, through penetration testing, that a hacker could have exploited.
Penetration testing an organization with systems in Hong Kong, New York, California, and intermediary points presents a challenge in terms of client data being transmitted over potentially insecure links. In addition, the latency between testing equipment and the client network can potentially have detrimental effects on testing.
However, in this case, we were able to overcome those by shifting our infrastructure to key positions that would allow for a seamless test.
I can't wait to see what you found... I have a few ideas...
Our team quickly enumerated and discovered a VPN (Virtual Private Network) system that was misconfigured to allow Aggressive Mode. This means that we were able to obtain a hash of the PSK (Pre-Shared Key) to the VPN appliance. From there, we were able to crack the hash using our extensive hash-cracking hardware.
Our team put the VPN vulnerability on the backburner while the hash was being cracked. However, the environment did not reveal to have any other vulnerabilities that would be easily exploited by an attacker. Aside from a few things (like a security camera without authentication), we were thankful the organization had taken steps to identify their gaps - prior to testing.
In the end, we were able to exploit the VPN issue to gain further access to the network and the client was extremely thankful for the feedback and recommendations to fix the issue.
We have a few basic controls that we strongly suggest to mitigate a large number of the common attack vectors:
While there are plenty of other suggestions, we believe these will give you the biggest "bang-for-your-buck"
Our team is composed of former NSA analysts and operators. We have the know-how and will ensure the best price compared to other comparable organizations.