Diary of a Penetration Test Project in Kuala Lumpur, Malaysia

End of this summer I was called for a penetration test project for a very large Bank in Asia Pacific region, headquartered in Kuala Lumpur. The team consisted of five people, three of them local and two of us foreigners. The other colleague was working remotely from US, I think this is the good side of web penetration testing. 🙂
During my stay in Kuala Lumpur, especially after working hours, I changed my opinion about my colleague who didn’t need to travel. It was a perfect experience in a totally different culture.

I traveled ten hours with a direct flight from Istanbul, and I should say that if you are from the ones who cannot sleep in plane it is not good at all… I arrived in Kuala Lumpur at 6 a.m. It was raining and the temperature was about 36ºC. I went to the hotel to take a shower and get some sleep. Most probably I had made the biggest mistake. I was jet lagged. I woke up in the evening, had dinner and went to bed again. The next day I didn’t hear the alarm clock and wake up about 10 a.m. Fortunatelly, the meeting with the client was not early in the morning.
I met with the other colleagues and visited the client for the kick off meeting. We were given all the necessary information about the penetration test, including scope, time frames, responsible persons etc.

The first two days we completed all the scanning and enumeration phases. After that we started to work on reduction of false positives. Many of the vulnerabilities were very out-dated. We kindly asked if it was possible to check previous year’s penetration test report. What a surprise, the same vulnerabilities from previous year were still there. This is something which we haven’t faced in Bulgaria in our projects so far.

Our Penetration test results are compiled into a report. This report contains both a management level overview, and technical level details of the test results, including full details of each security issue uncovered. Full technical details of how to fix each security leak is included, too. In addition to security issues, the report also lists non-optimal configurations that were found during the tests.

Sharing more info about the project is against the non-disclosure agreement but talking about Kuala Lumpur is not. 🙂

Kuala Lumpur is a very well-organized city, with a perfect infrastructure. Much better than some of the European capitals. Malaysia  is a very interesting country with its 50% Malays, and the rest Chinese and Indians. It is like culture in culture. Very colorful, different languages, no need to say that everybody speaks English and Malay, besides their origin languages like Chinese, Indian etc. I didn’t know that there are three different Chinese languages out there.

The paradise of Tropical fruits! WOW, there were some fruits I had never seen, some of them never even heard of. I had the chance to taste DURIAN, the king of fruits. What a smell! If you don’t like onion, don’t even go closer 😀

I came back, hoping to visit Kuala Lumpur again in future. And I hope next time I will have more time to explore the hidden side of the country, the provincial parts.

_____________________________________________________
Deniz Kaya is a senior security instructor at New Horizons Bulgaria
Deniz has planned, directed, and coordinated multiple projects simultaneously, ensuring goals and objectives were accomplished within time limitations and funding conditions. His core competency lies in areas of penetration testing, security assessments, enterprise network design, capacity planning and vendor evaluation. Equipped with Industry recognized certification under his belt, Deniz has demonstrated his determination to continuously self-improve and make his presence felt.

Deniz currently holds the prestigious industry certifications Microsoft Certified Systems Engineer (MCSE), Certified Cisco Systems Instructor (CCSI #31650), CCIE Security Written, Cisco Certified Network Professional (CCNP), Cisco Certified Security Professional (CCSP), Cisco Ironport Certified Security Instructor (ICSI), Cisco Ironport Certified Security Professional (ICSP), Certified Penetration Testing Specialist (CPTS), Microsoft Certified Trainer (MCT).

♦ Contact us for further information on Security courses and exams.