Abigail’s Advice: IT Infrastructure Testing

By Robert Wilson

Following on from my previous article on web application penetration testing, this time we are stepping back and looking at IT infrastructure testing.

While web app testing focuses on a specific system or application, infrastructure testing examines the foundations your organisation runs on: your networks, servers, cloud platforms, user accounts and access controls. Even if your applications are secure, weaknesses in the underlying infrastructure can still give an attacker a way in.

No two infrastructure assessments look the same. One environment might be entirely cloud based. Another might be fully on premises. Some organisations operate from a single site. Others span multiple countries. That variety is exactly what makes infrastructure testing both complex and essential.

Let’s break down what we typically find in reports from these types of tests.


Top 10 Issues We Discover through IT Infrastructure Testing

1: Weak or reused credentials

Starting off strong with one of the most common findings. If an employee uses the same password for their Outlook account, VPN and shared file service, a bad actor finding one password suddenly has access to three systems. 

However strong a firewall or security tool may be, it becomes almost useless if someone has a stolen set of credentials that works across multiple services. Password reuse dramatically increases the impact of a single compromise. 

2: Weak multi-factor authentication

There are many ways MFA can be misconfigured. It may only be applied to new devices, not be mandatory for all users, or only be required for external access. We also sometimes encounter organisations that believe they have MFA in place, only to realise it is effectively single-factor sign-on, such as password plus PIN.

MFA is often the last line of defence if a password has been stolen or guessed. It is vital that it is configured correctly and enforced consistently. 

3: Misconfigured network services 

Misconfigurations can take many forms: an unused open port, default credentials, or outdated software left running in the background.

Using one of my favourite analogies, imagine your IT infrastructure is your house. Misconfigurations are like a window that looks closed but does not latch properly, or a window on the top floor that was left open and forgotten about. Everything may look secure from the outside, but small oversights can create entry points. 

4: Excessive user or service privileges 

This one is fairly straightforward. If you, as an employee, can access your colleague’s payroll, shared services, HR records and more, and then accidentally click a phishing email, the attacker now inherits all of that access.

Elevated privileges should be limited to as few individuals as possible to keep the attack surface small. This is what we call “the principle of least privilege”.


5: Insufficient logging 

There are significant benefits to proper logging. Think of it as the black box of a plane. If something goes wrong, you need to know what happened, how it happened and why.

If someone logs in from an unusual location, at an unexpected time, or from a device you do not recognise, logs are what allow you to investigate. Without visibility, incidents are harder to detect, contain and learn from.
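The three signals named above (unusual location, unexpected time, unrecognised device) are simple to check once sign-in events are actually being logged. The script below is an added example and not part of the original article: it replays a handful of constructed sign-in records, treats each user's earlier events as their baseline, and flags later logins that break it. The log format, the working-hours window and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real data): timestamp, user, country, device id.
SAMPLE_LOG = """\
2024-03-04T08:12:00 alice GB laptop-a1
2024-03-05T09:03:00 alice GB laptop-a1
2024-03-06T08:55:00 alice GB laptop-a1
2024-03-07T02:41:00 alice RO unknown-77
2024-03-04T10:20:00 bob GB desktop-b2
2024-03-05T11:45:00 bob GB desktop-b2
2024-03-06T17:30:00 bob GB phone-b9
"""

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as an expected sign-in time


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, country, device = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "device": device})
    return events


def find_unusual_logins(events):
    """Replay events in time order; everything a user did earlier forms their baseline."""
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        reasons = []
        # A user's very first sign-in has no baseline, so only later deviations are flagged.
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append("new country " + ev["country"])
        if seen_devices[user] and ev["device"] not in seen_devices[user]:
            reasons.append("unrecognised device " + ev["device"])
        if ev["ts"].hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((user, ev["ts"].isoformat(), reasons))
        seen_countries[user].add(ev["country"])
        seen_devices[user].add(ev["device"])
    return findings


if __name__ == "__main__":
    for user, when, reasons in find_unusual_logins(parse_log(SAMPLE_LOG)):
        print(user, when, ", ".join(reasons))
```

With the sample data, bob's sign-in from a new phone is flagged on one signal, while alice's 02:41 sign-in from a new country and unknown device trips all three; without the log there would be nothing to replay.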

6: Missing security patches or outdated software 

Most keys nowadays have jagged teeth of different sizes like a crocodile’s jaw and ridges down the sides, but you still find the ones that are a simple metal rod with a block of metal on the end which turns the lock. The reason we now mostly have the modern ones is that they are much more complex to pick. Outdated software and missing patches are similar: the old-fashioned lock may still be functional, but it presents less of a challenge to someone wanting to get in, so it’s important to keep our devices and software updated.

Security patches exist because vulnerabilities are discovered. Failing to apply them leaves known weaknesses in place, often ones that attackers are already actively exploiting. 

7: Ineffective network segmentation 

A helpful way to think about network segmentation is the Titanic. The ship was built with compartments designed to contain water if the hull was breached. The idea was that damage in one area would not sink the entire vessel. 

Networks operate in the same way. If an attacker compromises a single user’s device, segmentation can prevent them from moving laterally across the entire organisation. Finance, HR, marketing and operational systems do not all need to be freely accessible from one another. 

A bad day for one department does not need to become a bad day for the entire ship! Sorry, I mean business.
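The "bulkheads" idea can be checked against an actual rule set rather than a diagram. The script below is an added example and not code from the article or the firm: it models four departmental subnets and two firewall policies, one flat permit-all rule and one segmented default-deny set, and reports which department pairs can reach each other. The addresses and rules are assumptions constructed for the example; only the source/destination network of each rule is modelled, not ports.

```python
import ipaddress

# Constructed departmental subnets (assumed addressing, not taken from the article).
DEPARTMENTS = {
    "finance": ipaddress.ip_network("10.10.1.0/24"),
    "hr": ipaddress.ip_network("10.10.2.0/24"),
    "marketing": ipaddress.ip_network("10.10.3.0/24"),
    "operations": ipaddress.ip_network("10.10.4.0/24"),
}

# Allow rules as (source, destination) networks; anything not matched is denied.
FLAT_RULES = [("0.0.0.0/0", "0.0.0.0/0")]  # one permit-all rule: a ship with no compartments
SEGMENTED_RULES = [
    ("10.10.1.0/24", "10.10.1.0/24"),  # each department may talk within itself
    ("10.10.2.0/24", "10.10.2.0/24"),
    ("10.10.3.0/24", "10.10.3.0/24"),
    ("10.10.4.0/24", "10.10.4.0/24"),
    ("10.10.4.0/24", "10.10.1.0/24"),  # operations is allowed to reach finance systems
]


def rule_allows(rule, src, dst):
    """True if the rule lets at least one host in src reach at least one host in dst."""
    rule_src, rule_dst = (ipaddress.ip_network(net) for net in rule)
    return src.overlaps(rule_src) and dst.overlaps(rule_dst)


def reachability(rules):
    """Map every (source_dept, destination_dept) pair of distinct departments to allowed/denied."""
    matrix = {}
    for a, net_a in DEPARTMENTS.items():
        for b, net_b in DEPARTMENTS.items():
            if a != b:
                matrix[(a, b)] = any(rule_allows(r, net_a, net_b) for r in rules)
    return matrix


def reachable_pairs(rules):
    """Sorted list of cross-department paths the policy permits; long list means a flat network."""
    return sorted(pair for pair, allowed in reachability(rules).items() if allowed)


if __name__ == "__main__":
    print("flat:", reachable_pairs(FLAT_RULES))
    print("segmented:", reachable_pairs(SEGMENTED_RULES))
```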

8: Misconfigured Active Directory 

Active Directory performs three key functions. It maintains a record of users, manages their permissions and allows administrators to control access across the environment. 

When it is misconfigured, basic users may be able to install unauthorised software, access systems they do not need, or view information they should not see. An attacker with access to Active Directory effectively has a map of your entire organisation. It becomes far easier to escalate privileges and move through the environment. 

9: Insecure virtual infrastructure 

Virtual environments require the same level of security consideration as physical ones. Hypervisors, virtual machines and cloud management consoles must be secured properly. 

Segmentation, logging and authentication controls still apply. Just because something is virtual does not mean it is isolated or automatically secure. 

10: Unencrypted internal or external communication 

Finally, encryption. 

If someone attempts to intercept traffic between users or systems within your network, you want them to see a jumbled, unreadable stream of data rather than the original message. 

Encryption should be applied wherever data is transmitted, both internally and externally. It ensures that even if traffic is intercepted, it cannot be understood or exploited. 


Until Next Time…

That’s all from me for now. Hopefully this has given you a straightforward insight into what I’m assessing during an infrastructure test, and more importantly why it matters.

If anything we’ve covered has raised questions, or made you wonder how your own environment would stand up to scrutiny, have a chat with the team. We’re always happy to talk things through in plain English and help you understand where you stand.

And yes, I’m still very much available for a proper cyber natter.

Call us today on 0333 305 5348 or use our Contact Us page to arrange a chat if we can be any help at all!
