When professional surfers get off the board, they surf the web for content about their favorite sport. World Surf League (WSL) is a catch-all for surf-related news, live events, athlete rankings, and more: a digital ocean for lovers of the waves.
When WSL hired Jesse Duell as IT Manager, he knew the company wasn't doing enough to protect itself from cyber threats. After interviewing several cybersecurity companies and hearing about Mitnick Security's Red Teaming methodology, WSL chose Kevin and his Global Ghost Team to dig into their infrastructure and find the gaps in their security.
The Mitnick Security team successfully infiltrated World Surf League by targeting its internet-facing infrastructure and its employees with a specially crafted spear-phishing campaign, gaining complete access to several domain controllers and domains. A small sample of WSL's proprietary data was stolen to simulate a real adversary and demonstrate the impact of the pentest.
In the end, World Surf League left with actionable recommendations for improving its security posture and reducing its current level of risk, far beyond what the IT team had expected.
“10/10 would hire them again! The process was literally the most fun I've had at any job, period. They are very hands on and very professional.”
Jesse Duell, IT Manager World Surf League
When Jesse Duell joined World Surf League as IT Manager, he quickly realized that the company's employee security awareness training and outsourced IT services could be improved to better protect the organization from cyber threats.
"I knew I needed a pentest when I adopted the environment and was shocked to find many default settings and passwords still in use. While some may not think we have high risk exposure as a company, I knew we could do better to improve our security, both internally and through our partners," Duell shared.
It was only after a WSL employee fell for an extremely costly phishing scheme that the C-suite agreed to the assessment Duell had recommended.
Unfortunately, World Surf League is not alone in underestimating the risk of a breach until faced with one head-on. In this case, an unsuspecting employee wiring real funds to a social engineer caused enough financial damage to shock the leadership team into properly assessing their security measures.
“We ended up choosing Mitnick Security because I knew that we were getting a company that had a fundamental understanding of security and Red Teaming. Once you have a conversation with Mr. Mitnick and his team members, you instantly know that they have a very deep understanding of cyber security and that they are enthusiastic about it.”
Jesse Duell, IT Manager World Surf League
Our team began the pentest as usual, conducting diligent preliminary research and gathering open-source intelligence about World Surf League and its employees from the internet, just as a real attacker would.
After identifying the Single Sign-On (SSO) solution used by staff and collecting details about WSL team members, the Red Team launched sophisticated, highly targeted phishing attacks against dozens of users, masquerading as a trusted source and baiting employees into entering their credentials on a look-alike SSO domain.
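The look-alike SSO domain is the part of this attack a defender can hunt for. The script below is an added example, not code from the Mitnick Security engagement or from WSL: it takes a legitimate SSO hostname and a list of URLs (for instance, links reported by users or harvested from mail logs) and flags hostnames that imitate it through homoglyph swaps, top-level-domain swaps, the brand appended to another word, or the brand planted as a subdomain of an attacker-controlled domain. The hostname sso.acme-surf.com and the candidate URLs are constructed for illustration, and the registrable-domain logic assumes a single-label public suffix such as .com.

```python
"""Flag hostnames that imitate a legitimate SSO hostname.

Added example, not part of the Mitnick Security / World Surf League case study.
The legitimate hostname and the candidate URLs below are constructed.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Substitutions attackers use because the characters look alike in a browser
# address bar or an email client. Both sides of a comparison are normalised
# the same way, so legitimate "rn" sequences do not produce false positives.
HOMOGLYPH_MAP = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
                 ("3", "e"), ("5", "s"), ("$", "s"), ("@", "a"), ("q", "g")]


def normalise(label: str) -> str:
    """Collapse homoglyph substitutions so 'acrne-5urf' compares equal to 'acme-surf'."""
    out = label.lower()
    for lookalike, real in HOMOGLYPH_MAP:
        out = out.replace(lookalike, real)
    return out


def labels(host: str) -> list[str]:
    """Split a hostname into its dot-separated labels, lower-cased."""
    return host.lower().strip(".").split(".")


def registrable(host: str) -> tuple[str, str]:
    """Return (label, domain) for the registrable part of a hostname,
    e.g. 'sso.acme-surf.com' -> ('acme-surf', 'acme-surf.com').
    Assumption: single-label public suffix (.com, .net, .org). A production
    version would consult the Public Suffix List to handle .co.uk and similar."""
    parts = labels(host)
    if len(parts) < 2:
        return parts[0], parts[0]
    return parts[-2], ".".join(parts[-2:])


def is_lookalike(legit_host: str, candidate_host: str, threshold: float = 0.8) -> bool:
    """True when candidate_host resembles legit_host but is not the same registrable domain."""
    legit_label, legit_domain = registrable(legit_host)
    cand_label, cand_domain = registrable(candidate_host)
    if cand_domain == legit_domain:
        return False                                   # our own domain, any subdomain
    norm_legit = normalise(legit_label)
    # Brand buried in a subdomain of an attacker domain: sso.acme-surf.com.secure-login.net
    if any(norm_legit in normalise(lbl) for lbl in labels(candidate_host)[:-2]):
        return True
    norm_cand = normalise(cand_label)
    if norm_legit in norm_cand:                        # acme-surf.co, acme-surf-sso.com
        return True
    # Fuzzy match for single-character typos, transpositions and insertions.
    return SequenceMatcher(None, norm_legit, norm_cand).ratio() >= threshold


def triage_urls(legit_host: str, urls: list[str]) -> list[str]:
    """Return the hostnames from `urls` (scheme required) that impersonate `legit_host`."""
    flagged = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and is_lookalike(legit_host, host):
            flagged.append(host)
    return flagged


# Constructed sample: the real SSO portal plus links a phishing campaign might use.
LEGIT_SSO = "sso.acme-surf.com"
CANDIDATE_URLS = [
    "https://sso.acme-surf.com/login",                  # the real portal
    "https://login.acme-surf.com/",                     # legitimate sibling subdomain
    "https://sso.acrne-surf.com/login",                 # 'rn' for 'm'
    "https://sso.acme-surf.co/login",                   # top-level-domain swap
    "https://sso.acme-surf.com.secure-login.net/auth",  # brand as a subdomain
    "https://acme-5urf-sso.com/",                       # digit for letter plus suffix
    "https://sso.example.org/",                         # unrelated
]

if __name__ == "__main__":
    for host in triage_urls(LEGIT_SSO, CANDIDATE_URLS):
        print("look-alike:", host)
```

Run on its own, the script prints the four impersonating hostnames and stays silent on the real portal, its sibling subdomain and the unrelated site. Feeding it newly registered domains or proxy-log hostnames is a cheap way to catch a look-alike before the phishing email lands, but it only narrows the list: a human still has to confirm that a flagged domain is hostile.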
True to our team's track record, we found multiple security gaps beyond the phish. For instance, we exploited a firewall weakness to reach a connected VPN and slipped in through backdoors.
Once inside the network, our Global Ghost Team capitalized on insufficient password management to brute-force the passwords of high-privilege WSL accounts. After that, a wealth of private data was at our fingertips.
Our Red Team compiled its findings into an extensive penetration testing report, organized into short-term, medium-term, and long-term goals ranked by risk and priority.
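Brute-forcing a privileged account against weak password management leaves a loud trail in authentication logs, and a password spray (one source trying a few guesses against many accounts to stay under lockout thresholds) leaves a quieter one. The script below is an added example, not code from the Mitnick Security engagement or from WSL: it runs two sliding-window detections over authentication events and raises a third alert when an account that was under attack then logs in successfully, which is the moment a defender most needs to act. The log format, the field names and the lines in SAMPLE_LOG are constructed for illustration.

```python
"""Detect brute-force and password-spray patterns in authentication logs.

Added example, not part of the Mitnick Security / World Surf League case study.
The log format and the lines in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed format: ISO-8601 UTC timestamp, result, account name, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def _trim(queue: deque, now: datetime, window: timedelta) -> None:
    """Drop timestamps older than the detection window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect(lines, max_failures: int = 5, window: timedelta = timedelta(minutes=10),
           spray_users: int = 4) -> list[dict]:
    """Return alerts in the order they fire.

    brute_force          : one account sees >= max_failures failures inside `window`
    password_spray       : one source fails against >= spray_users distinct accounts inside `window`
    success_after_attack : a successful login for an account, or from a source, already alerted on
    """
    alerts = []
    user_fails = defaultdict(deque)   # user -> recent failure timestamps
    src_users = defaultdict(dict)     # src  -> {user: last failure timestamp}
    attacked_users, spraying_srcs = set(), set()

    for rec in map(parse_line, lines):
        if rec is None:
            continue                  # skip unparseable lines rather than crash the pipeline
        ts, result, user, src = rec

        if result == "FAIL":
            q = user_fails[user]
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= max_failures and user not in attacked_users:
                attacked_users.add(user)
                alerts.append({"type": "brute_force", "user": user, "src": src,
                               "failures": len(q)})

            seen = src_users[src]
            seen[user] = ts
            for u, last in list(seen.items()):
                if ts - last > window:
                    del seen[u]
            if len(seen) >= spray_users and src not in spraying_srcs:
                spraying_srcs.add(src)
                alerts.append({"type": "password_spray", "src": src, "users": sorted(seen)})

        elif user in attacked_users or src in spraying_srcs:
            # The attacker got in: escalate before the account is used for lateral movement.
            alerts.append({"type": "success_after_attack", "user": user, "src": src})

    return alerts


# Constructed sample: a benign typo, a brute force that succeeds, and a spray.
SAMPLE_LOG = [
    "2024-03-04T10:00:00Z auth=FAIL user=jdoe src=192.0.2.10",
    "2024-03-04T10:00:05Z auth=OK user=jdoe src=192.0.2.10",
    "2024-03-04T10:00:10Z auth=FAIL user=admin src=203.0.113.7",
    "2024-03-04T10:00:20Z auth=FAIL user=admin src=203.0.113.7",
    "2024-03-04T10:00:30Z auth=FAIL user=admin src=203.0.113.7",
    "2024-03-04T10:00:40Z auth=FAIL user=admin src=203.0.113.7",
    "2024-03-04T10:00:50Z auth=FAIL user=admin src=203.0.113.7",
    "2024-03-04T10:01:00Z auth=OK user=admin src=203.0.113.7",
    "2024-03-04T10:05:00Z auth=FAIL user=alice src=198.51.100.9",
    "2024-03-04T10:05:01Z auth=FAIL user=bob src=198.51.100.9",
    "2024-03-04T10:05:02Z auth=FAIL user=carol src=198.51.100.9",
    "2024-03-04T10:05:03Z auth=FAIL user=dave src=198.51.100.9",
    "this line is not an auth event",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The per-account counter is what an account-lockout policy already enforces; the per-source distinct-account counter is the one most environments lack, and it is the control that catches spraying against accounts whose passwords were never rotated from defaults. Tune `max_failures`, `spray_users` and `window` against a baseline of your own logs before alerting on them.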
Some tangible mitigation advice included*:
*While our report contained many more specific remediations, exact details are omitted here to protect our client.
“I found the report to be very detailed, as it outlined the exact steps that were taken when the Mitnick Team tested our environment. The report gave me valuable insight into our vulnerabilities that I never would have seen had I not hired them."
Jesse Duell, IT Manager World Surf League
Here are a few high-level takeaways from our pentesting report, many of which could apply to businesses just like yours:
Reduce your risk by requesting a consultation with our nationally revered Red Team at Mitnick Security today. We'll start with a series of discovery and scoping calls to understand your needs and organizational challenges, and help you become as successful as the team at World Surf League.
© Copyright 2004 - 2024 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy