
From Open Ports to Organisational Maturity: Why Pen Testing Is the Foundation of a Healthy Security Posture

By Andrew Johnston | 9 April 2026

Summary

“No issues detected” can create a dangerous sense of false confidence. Compliance may satisfy an audit, but it does not prove security controls will withstand real-world threats. Penetration testing and security maturity assessments help uncover hidden vulnerabilities, validate defences, and expose the risks attackers are looking for.


The article examines how gaps between compliance and operational security emerge, particularly through:


  • technical debt
  • legacy systems
  • misconfigured services.


It highlights why penetration testing is essential for revealing real-world exposure, and how combining technical validation with security maturity assessments provides a clearer picture of organisational resilience beyond audit results.

Cybersecurity Expert Insights - Audits Are Not Enough: Why Pen Testing Builds Real Security Maturity


There is something satisfying about running a vulnerability scan on your own home network at midnight. No abstraction, no vendor assurances, no tick box compliance reports, just you, a Kali Linux instance, and the unvarnished reality of what is actually exposed to the world.


I did exactly that recently. What I found was instructive, not because it revealed exotic, nation-state-level threats, but because the vulnerabilities were so ordinary, so well-documented, and yet so persistently present in networks belonging to individuals and organisations alike. This post is a reflection on those findings, what they imply about the broader threat landscape, and why penetration (PEN) testing paired with genuine security maturity is the only credible response.


What a Home Network Scan Reveals About Organisational Risk

Using Kali Linux and Airmon-ng, tools widely used by both security professionals and malicious actors, I surveyed my home network for open ports and wireless exposure. The results were a reminder that threat surfaces are rarely where we expect them.


An open port on what appeared to be a generic consumer device turned out to be the management access point for my HVAC internal wireless system. A quick cross-reference with the NIST National Vulnerability Database (NVD) returned a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, classified as Critical under the CVSS v3.1 framework.


The CVSS v3.1 scoring standard, maintained by NIST, defines a score of 9.0–10.0 as Critical, representing vulnerabilities that allow unauthenticated remote code execution or full system compromise with no user interaction required.


The manufacturer had issued limited guidance, and remediation required a moderate level of technical expertise, not something most home users, let alone small businesses, would readily navigate. My response was pragmatic: I replaced the ISP-supplied fibre modem with a modern router-firewall combination, and segmented my network to isolate IoT devices, including the HVAC system and smart home components, onto their own VLAN, separate from primary computing devices.


"The vulnerability was not exotic. It was catalogued, scored, and publicly known. The only thing standing between exploitation and safety was whether anyone had bothered to look."


Smart televisions deserve mention. The BadBox campaign, documented by HUMAN Security in late 2023 and still active into 2025, demonstrated that consumer Android-based devices, including smart TVs, were being shipped with pre-installed malware that enrolled them in botnets used for distributed denial-of-service (DDoS) attacks and residential proxy fraud.


HUMAN Security's research identified over 74,000 Android devices compromised through the BadBox infrastructure, many of which were sold through mainstream retail channels.


The RDP Problem: Legacy Access, Modern Consequences

Over the years I have seen a great deal of technical debt in the form of out-of-support operating systems, Remote Desktop Protocol (RDP) services exposed across publicly routable IP ranges, and ageing equipment. Many organisations do not recognise that these vulnerabilities exist in their defences. In some cases the vulnerabilities are unknown because the installation, or the applications and devices it supported, has been decommissioned or simply forgotten about.


Consider RDP (TCP port 3389), which remains one of the most exploited initial access vectors in ransomware and business email compromise incidents. There are still large numbers of endpoints running Windows Server 2003, a product for which Microsoft formally ended support on 14 July 2015.


That means these systems have received no security patches for over a decade. Microsoft's End of Support documentation is unambiguous: after the support lifecycle ends, no new security updates, patches, or technical support are provided, leaving the system permanently vulnerable to all subsequently discovered exploits.


Many of these endpoints are not just inside organisations; they are also in the infrastructure of ICT providers delivering information technology and network services, providers who, one would expect, would be maintaining current security standards for their own infrastructure. This raises uncomfortable questions about the gap between what providers promise clients and what they practise internally.


The specific concerns with exposed, legacy RDP services include:


  • No Jump Host or Bastion Architecture: Exposing RDP directly to the internet without an intermediary access control layer bypasses fundamental network segmentation principles. Current Zero Trust frameworks, including NIST SP 800-207, explicitly require that no resource be inherently trusted based solely on network location.
  • No Multi-Factor Authentication: Unconstrained RDP endpoints relying solely on password authentication are trivially brute forced. CISA has specifically called out internet-exposed RDP as a primary enabler of ransomware deployment.
  • Deprecated Cryptographic Standards: Legacy Windows systems support only deprecated cryptographic algorithms and protocols, including SHA-1, RC4, and SSLv3, all of which have known practical attacks. The NVD lists dozens of CVEs directly attributable to these deprecated implementations in Windows Server 2003.
  • Simplified Active Directory Attack Surface: Older directory structures often lack modern tiered administration models, meaning lateral movement and privilege escalation following initial access are significantly easier for an attacker.
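As an added example (not the article's or Liverton Security's own code), the following Python script applies the concerns above to a constructed asset inventory and produces a prioritised triage list: RDP reachable directly from outside RFC 1918 space with no jump host, password-only authentication, and an operating system past its end-of-support date. The `nla` and `mfa` fields are assumed inventory attributes rather than something a port scan reveals; the Windows Server 2003 end-of-support date is the one cited in the article, and the sample addresses are RFC 5737 documentation ranges standing in for publicly routable ones.

```python
"""Triage of internet-exposed RDP endpoints from scan/inventory output.

Added example, not code from the original article.  Inputs are constructed
records of the kind a port scanner export or asset inventory would provide.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set
import ipaddress

RDP_PORT = 3389

# Vendor end-of-support dates.  Windows Server 2003's date is the one cited in
# the article; extend this table from the vendor's lifecycle pages as needed.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Anything outside these ranges is treated as externally routable.  This avoids
# relying on ipaddress.is_global, which classifies documentation ranges as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Host:
    ip: str
    os: str
    open_ports: Set[int]
    nla: bool = False   # Network Level Authentication enforced? (assumed inventory field)
    mfa: bool = False   # MFA in front of RDP? (assumed inventory field)


@dataclass
class Finding:
    ip: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def years_unpatched(os_name: str, today: date) -> Optional[float]:
    """Years since the last vendor patch, or None if still supported or unknown."""
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None or today < eos:
        return None
    return (today - eos).days / 365.25


def triage(hosts: List[Host], today: date) -> List[Finding]:
    """Return one Finding per host with a risky RDP service, most severe first."""
    findings = []
    for h in hosts:
        if RDP_PORT not in h.open_ports:
            continue
        external = not is_internal(h.ip)
        reasons = []
        if external:
            reasons.append("RDP reachable from the internet with no jump host/bastion in front")
        if not h.mfa:
            reasons.append("no MFA: password-only RDP is exposed to brute forcing")
        if not h.nla:
            reasons.append("NLA disabled: unauthenticated attack surface on the RDP stack")
        gap = years_unpatched(h.os, today)
        if gap is not None:
            reasons.append(f"{h.os} unsupported for {gap:.1f} years: no security patches")
        if not reasons:
            continue
        # Externally reachable plus an unsupported OS is the ransomware entry
        # profile described above; externally reachable alone is still high.
        if external and gap is not None:
            severity = "critical"
        elif external:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(h.ip, severity, reasons))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed inventory: documentation addresses stand in for public ones.
SAMPLE_HOSTS = [
    Host("203.0.113.10", "Windows Server 2003", {80, 443, 3389}),
    Host("198.51.100.7", "Windows Server 2019", {3389}, nla=True),
    Host("10.20.30.40", "Windows Server 2008 R2", {3389, 445}, nla=True),
    Host("192.0.2.5", "Ubuntu 22.04", {22, 443}),
    Host("10.0.0.5", "Windows Server 2019", {3389}, nla=True, mfa=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS, date(2026, 4, 9)):
        print(f"[{f.severity.upper()}] {f.ip}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed inventory, the decade-unpatched Windows Server 2003 host on an external address comes out on top, the supported but password-only external host is next, and the unsupported internal host is ranked below both; the internal host with NLA and MFA produces no finding at all, which is the state the segmentation and bastion advice above is aiming for.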


The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint advisory in 2021 specifically addressing the exploitation of RDP and legacy systems as primary attack vectors in ransomware campaigns against critical infrastructure.


Technical Debt: The Invisible Threat Multiplier

The exposed RDP endpoints are not merely a configuration problem. They are a symptom of a deeper, structural challenge facing organisations of all sizes. Technical debt impacts security due to the accumulated risk created by deferred maintenance, prolonged use of end-of-support systems, and the gap between the security architecture an organisation has and the one it needs.


In New Zealand, the consequences of security-related technical debt have been made tangible. The ransomware attack on Waikato DHB in May 2021 disrupted healthcare services across the Waikato region for weeks, with patient records inaccessible and clinical staff reverting to paper-based processes. Subsequent analysis identified unpatched systems and inadequate network segmentation as contributing factors. The outages in the Southland (Invercargill) and Northland DHBs have also been attributed to technical debt, with older equipment failing and causing cascading failures that affected the day-to-day operations of hospitals and clinics.


The New Zealand National Cyber Security Centre (NCSC) has consistently highlighted unpatched vulnerabilities and legacy system exposure in its annual Cyber Threat Reports as primary enablers of successful attacks against New Zealand organisations.


Technical debt compounds in two distinct ways that are often underestimated:


External Attack Surface Expansion


Every unpatched system, every deprecated protocol still in use, and every externally reachable service without modern authentication controls represents an opportunity for a threat actor. Unlike the operations of well-resourced advanced persistent threat (APT) groups, many successful breaches do not require novel techniques; they exploit known, catalogued vulnerabilities in systems that have simply not been updated.


The CISA Known Exploited Vulnerabilities (KEV) Catalogue, which tracks actively exploited CVEs requiring prioritised remediation by US federal agencies, includes numerous vulnerabilities in systems more than five years past their end-of-support date, demonstrating that attackers continue to exploit legacy weaknesses long after vendors stop patching them.


Internal Resilience Erosion


Technical debt is not solely an external security risk. Legacy systems fail more frequently, and those failures cascade. When a network-connected device fails in an environment with poor segmentation and no redundancy, the resulting outage affects staff productivity, service delivery, and, critically, organisational trust. It is the erosion of that trust, both from staff and from customers, which can do lasting damage to an organisation's reputation far beyond the immediate technical incident.


"Technical debt is not a technology problem. It is a risk management problem, and it belongs on the board's agenda, not just the IT team's backlog."


Compliance vs. Maturity: Passing the Test vs. Knowing the Material

Observation of organisational compliance, protective security, and enterprise architecture has shown a consistent pattern in how organisations approach security audits: they treat them like school examinations. The preparation is intense, the result is achieved, and then the material is forgotten until the next cycle.


This approach produces documentation, not security. It satisfies an auditor on the day of the audit. It does not build organisational muscle memory, the ingrained, practised response capability that determines whether an organisation survives a real incident intact.


A mature compliance posture achieves three things that a tick-box audit cannot:


  • Reduced Reaction Time: When an incident occurs, the response should not begin with reading the playbook for the first time. Practised, tested procedures allow teams to act decisively within the critical early window of an incident.
  • Reduced Incident Frequency: Regular procedural practice and technical testing, including PEN testing, identifies gaps before a threat actor does. The cost of finding a vulnerability internally is always lower than the cost of a breach.
  • Limited Blast Radius: Sound architecture (network segmentation, least-privilege access, tested backup and recovery) ensures that when a breach occurs, it is contained rather than catastrophic.


The response to the 2021 Waikato DHB ransomware attack, and the subsequent analysis of what information was and was not preserved about the attack's progression, illustrates a broader principle: organisations that have not practised their incident response procedures, including preserving forensic evidence, cannot learn from incidents, cannot improve, and cannot demonstrate to regulators and clients that they have taken the matter seriously.


Pen Testing as the Bridge Between Policy and Reality

Penetration testing is the independent, structured process of testing whether the security controls an organisation believes it has in place perform as intended. It is, in essence, an honest audit, conducted by skilled practitioners attempting to breach those controls using the same techniques a malicious actor would employ.


Pen testing serves several functions that internal reviews and compliance audits cannot replicate:


  • Independent Verification: PEN testing confirms whether your IT, application, network, and cloud providers are meeting the security standards you are paying for, not just asserting in their documentation that they are.
  • Technical Risk Quantification: A PEN test translates abstract policy gaps into concrete, exploitable vulnerabilities with measurable risk scores, enabling informed prioritisation of remediation investment.
  • Compliance Evidence: Structured PEN testing, conducted under recognised frameworks, provides defensible evidence for regulatory compliance requirements under frameworks including the New Zealand Information Security Manual (NZISM), the Protective Security Requirements (PSR), NIST Cybersecurity Framework, and ISO/IEC 27001.
  • Supply Chain Assurance: Modern PEN testing engagements increasingly extend to third-party suppliers and managed service providers, recognising that an organisation's security posture is only as strong as its weakest connected partner.


The NZISM, maintained by the Government Chief Digital Officer (GCDO) under the New Zealand Government's protective security framework, explicitly requires that agencies conduct regular vulnerability assessments and penetration tests as part of their information security assurance activities.


PEN testing methodologies provide the rigour and repeatability necessary for meaningful results. Liverton Security's consulting practice conducts engagements aligned to:


  • OWASP Testing Guide (OTG): The Open Web Application Security Project's comprehensive methodology for web application security testing.
  • MITRE ATT&CK Framework: A globally accessible, curated knowledge base of adversary tactics and techniques based on real-world observations, used to structure both offensive testing and defensive gap analysis.
  • PTES (Penetration Testing Execution Standard): A technical framework covering the full lifecycle of a PEN testing engagement from pre-engagement through reporting.


Security Maturity Assessments: Knowing Where You Stand


PEN testing tells you whether your technical controls hold up against an active adversary. Security maturity assessments tell you whether your organisation's people, processes, and governance can sustain those controls over time.


A maturity assessment benchmarks your current state against a recognised model, such as the NIST Cybersecurity Framework (CSF) or ISO/IEC 27001 Annex A controls and identifies the procedural and behavioural gaps that pure technical testing cannot surface. These include:


  • Whether security policies exist and are understood by staff
  • Whether incident response procedures have been tested under realistic conditions
  • Whether change management processes prevent the accidental introduction of new vulnerabilities
  • Whether third-party risk management is systematically applied to suppliers and service providers
  • Whether leadership has visibility of the organisation's real risk posture, not just its compliance status


The combination of a maturity assessment and PEN testing provides a complete picture: the maturity assessment identifies where organisational gaps exist in governance and process; the PEN test identifies whether those gaps have created exploitable technical vulnerabilities. Together, they produce a roadmap for meaningful, sustainable security improvement.


"We do not practise these standards to satisfy an auditor. We practise them so that when the pressure is on, the organisation's response is automatic, not accidental."





About Liverton Security


At Liverton Security, we work with New Zealand and international organisations to address security risk across the full spectrum, from technology to governance to culture.


Our product suite addresses the threat vectors most commonly exploited in contemporary attacks:


  • SmartGate: enforces email controls at the gateway, including domain verification against the centralised Membership API list. Controls apply to all outbound flows automatically.
  • MailAdvisor: an MS Outlook email content policy application protecting against phishing, business email compromise, and malicious attachments.
  • WebAdvisor AI: an AI interaction security application that identifies and supports your organisation's AI adoption and identifies the risk from AI-enabled website usage within your organisation.
  • SHIFT for Outlook: an MS Outlook client plug-in for secure file transfer that provides end-to-end encryption, ensuring sensitive data moves safely between internal and external parties.


Our consulting team delivers:


  • Pen testing engagements aligned to OWASP, MITRE ATT&CK, PTES, and NZISM requirements
  • Security maturity assessments benchmarked against ISO/IEC 27001, NIST CSF, and the PSR
  • Technical debt and vulnerability exposure reviews identifying your organisation's real attack surface
  • Strategic security roadmaps that translate assessment findings into prioritised, budget-aligned remediation plans


The first step is often the most important one: understanding where you actually stand before making decisions about where to invest. Our maturity assessment process is designed to provide exactly that clarity, without the noise of vendor-driven tool recommendations or compliance theatre.


If what you have read here resonates, whether it is the exposed RDP endpoints, the IoT segmentation gaps, the legacy system risk, or the gap between compliance documentation and operational security, we would welcome the conversation.


