Penetration Tester's Report Just Says 'Everything' Under Vulnerabilities Found
72-page assessment summarized on first page as 'Where do I even start'

A penetration testing firm has delivered a security assessment to a mid-sized financial services company in which the executive summary, intended to provide a concise overview of critical findings, consists of a single word: "Everything."
The full report, spanning 72 pages, details 347 individual vulnerabilities across the company's external-facing web applications, internal network, cloud infrastructure, and physical security controls. The pen testing team, a three-person crew from CipherBreak Security, was contracted for a two-week engagement. They gained domain administrator access in four hours.
"We typically write a professional, measured executive summary," said CipherBreak lead tester Naomi Exploit. "Something like 'Several critical vulnerabilities were identified that require immediate remediation.' But after day one, I realized that would be misleading. Several implies a countable number. This was not countable. This was everything."
Highlights from the report include: an internet-facing server running Windows Server 2003, a database with default credentials that had not been changed since installation in 2014, an admin panel accessible via a URL that was literally "/admin" with no authentication, and a server room whose door lock was a combination padlock with the combination written on a sticky note attached to the padlock.
"The sticky note on the padlock was my favorite," Exploit said. "Not because it was the most critical finding, but because it demonstrated the organization's security philosophy in a single artifact. They knew they needed a lock. They had a lock. They defeated the lock immediately and permanently. It's almost beautiful."
The company's IT director, upon receiving the report, asked whether the findings could be presented in a "more positive light" for the board of directors. CipherBreak's response, included in the report's appendix, reads: "We found your organization's commitment to consistent security practices commendable. Unfortunately, the practice is consistently poor."
AI-generated satirical fiction. Not real news.