Robert Petrunić

October 10, 2023 2:33 pm

Penetration testing is usually done in such a way as to identify the vulnerability (root cause) and stop there, without full penetration. The process is then repeated until as many vulnerabilities as possible have been identified. This is a good approach because it allows the penetration tester to find as many vulnerabilities as possible in as short a time as possible. In business language, it is a matter of cost-benefit: this approach gives a better ROI (Return on Investment). However, it has drawbacks, because we are left in the dark about what might already have happened before we identified the vulnerability, and about what an attacker might have had access to if the vulnerability had already been exploited in the past. For instance, what if an attacker gained access to a web server through a web application vulnerability and then scanned the network behind the web server, where other servers and services are reachable that are usually not accessible directly from the Internet? That could allow the attacker horizontal and possibly vertical movement through the systems behind it, systems never intended to be exposed to the Internet at all!

This lecture will discuss some real-world examples of how full penetration (going as deep as possible after the initial compromise, by attacking not only the compromised application, service, or OS but also everything else that is reachable from it) identified additional misconfigurations and vulnerabilities that could have led to the compromise of an entire company and its supply chain, just because one service exposed to the Internet was hacked. We will use some interesting case studies (anonymized, of course) to show the importance of full penetration. In some of these engagements the pentest turned into a computer forensics project, because the pentest identified the possibility of a prior system compromise or even live attackers in the system. Some of the case studies covered: Atlassian Confluence, Magento, AD, a management application for 10 000+ IoT devices, and a vCenter Server Appliance, ...

Robert is a senior information security consultant at Eduron IS, a company dedicated to IT security education, penetration testing, and computer forensics. He also works as a lecturer in the most successful Croatian private college, Algebra - University College for Applied Computer Engineering, where he has designed several computer security and forensics courses.

Robert has been a Microsoft Certified Trainer since 2002, an EC-Council certified trainer since 2008, and an ISC2 accredited trainer since 2014. He has worked mainly in the security field since 2004, which Microsoft acknowledged in 2008 by awarding him the Microsoft Most Valuable Professional (MVP) recognition, which he received for nine years in a row.

For the last twenty years, Robert has worked on programs related to ethical hacking and IT security awareness for systems administrators, developers, and IT security consultants. He is also often a lecturer at regional IT conferences.


This post was written by user_298812