
‘Authorised tests conducted recently reveal weak passwords, misconfigured networks and exposed services remain common entry points for hackers’
PETALING JAYA: Even the simplest security lapses can leave companies wide open to cyberattacks, with ethical hackers being able to breach some corporate systems in hours.
Ethical hackers, also known as white-hat hackers or penetration testers, are authorised to simulate real-world cyberattacks to uncover weaknesses before criminals can exploit them.
Authorised tests conducted recently for Malaysian companies reveal that weak passwords, misconfigured networks and exposed services remain common entry points for attackers.
Many breaches still arise from basic security oversights rather than sophisticated hacking techniques.
These findings were the result of legally approved white-hat hacking exercises designed to mimic real attacker behaviour in a controlled environment.
Exclusive Networks Malaysia country manager Yuri Zaharin and Firmus CEO Datuk Alan See said in a joint statement to theSun that initial access could sometimes be achieved within 48 hours of a penetration test.
They said authorised penetration testing follows a structured process to simulate cyberattacks.
“In one engagement involving a large conglomerate, we managed to get into their official portal as administrator within 24 hours using default credentials to the admin page. It can be that easy.
“People often think attackers are using highly advanced AI-driven methods. While that does happen in some cases, it is often not the reality. Most of the issues we find exploitable by attackers are due to the fact that basic security hygiene is not practised, for example the use of weak passwords and failure to enable multi-factor authentication.
“We start with reconnaissance to understand the target environment, then attempt to identify weak points such as exposed services, misconfigurations or credential issues.
“From there, we simulate how an attacker would try to gain access and move across the network.”
He added that teams use established testing frameworks and a mix of commercial and open-source tools, many of which are publicly available.
“The tools themselves are not secret. The difference comes down to intent. Ethical hackers use them to identify and report weaknesses so that organisations can fix them while malicious actors use similar methods to exploit those gaps.”
Yuri and See both agreed that poor cyber hygiene could have severe consequences.
“In one ransomware-related case we handled, the organisation was out of business for three weeks and incurred losses amounting to millions of ringgit to fix and revive the environment.”
In another forensic investigation involving a construction and property development firm, a flawed network design allowed attackers to escalate access into a full compromise.
The company had placed critical systems on the same internal network, with office computers and servers sharing the same environment while allowing remote desktop access directly from the internet.
“Attackers found this weakness by scanning the service ports and started exploiting the service.
“They eventually got into the server, moved laterally to other systems and caused the organisation’s storage and files to be stolen and then deleted.”
While some organisations act swiftly after penetration testing, others delay remedial measures for months, sometimes until after a breach occurs.
The statement said a persistent misconception among executives is that annual penetration testing is sufficient.
“A penetration test is only a point-in-time assessment. Systems continue to change and new risks can be introduced.”
The Sun Malaysia