This past week I was able to uncover some massive vulnerabilities, stemming from terrible configuration and just lazy work, at our cloud ERP provider. I can access other companies’ data, including but not limited to employee details, XML for tax documents, and I even have access to the ERP provider’s DC (not as admin, but that wouldn’t be too hard). None of this was acquired through penetration – hacking – but instead by just knowing what to look for and where to look for it. Note, cybersecurity in the country I’m in is light years behind the ‘developed world.’
Anyways, we have been in the process of transitioning to this cloud ERP for about 5 months now, during 1 of which I was not yet working for this company. Tomorrow I will be meeting with our company lawyer early to explain what was acquired and how, and later in the day we are attempting to schedule a meeting with the higher-ups of this ERP provider. I wanted to ask for some advice here as this is my first time in this situation. I am working towards a pen testing career, so I have taken some basic certs, but nothing has prepared me for being “thrown into the game” like this. I am worried about how to present my findings; any recommendations? Anything to focus on or anything to avoid? I know this is a very general question, and I apologize for it, but any advice at all would help me!