A lot of companies believe that once they have fixed all the issues identified by pen tests their job is over. They are wrong. For a secure system it is important to correctly identify the ways data is stored, transported and accessed, so the system architecture should be robust to begin with. Data reachable from a compromised front-end system should be sparse and meaningless to an attacker and should, if it ever comes to that, compromise only the users who are currently logged in.

For example, the recent PITB document vulnerability shows us that they were storing important data on front-end servers. Knowing that they now have a massive bullseye drawn on their website, fixing the permissions means nothing at all if the attackers know exactly where the data is stored under the hood. Also, if data was stored on the front-end server, how were they scaling when under load? It should not be possible for a front-end process to have access to data that does not belong to a given security token.

The back-end servers should be extremely restrictive about data usage and should not give wholesale access to user data. This usually happens when the admin section of a website resides on the same server and needs direct access to user data, and that is a mistake. Admin sections should be completely separate, unless the site is a public-information-only site hosted externally that holds no personal data, where the cost is just not worth it. In the case of cloud hosting the OS is frequently updated and zero-day attacks are difficult. Are self-hosted systems updated that regularly? Are the sites protected against simple attacks like session hijacking, XSS and dictionary attacks, if not the whole OWASP Top Ten list?
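To make the two points above concrete (a front-end process only ever sees data bound to its security token, and the back-end never offers wholesale access), here is an added example that is not from the original post or from any real system. It assumes a constructed HMAC-signed token with a single subject claim, a constructed in-memory record store standing in for the database behind the back-end, and a signing key that lives only on the back-end tier.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the signing key lives only on the back-end; the front-end never holds it.
BACKEND_KEY = b"constructed-demo-key-not-for-production"
# Constructed sample data keyed by account; in reality a database behind the back-end.
RECORDS = {
    "alice": ["passport-scan.pdf", "address-proof.pdf"],
    "bob": ["tax-return-2023.pdf"],
}

class AccessDenied(Exception):
    pass

def issue_token(user_id: str) -> str:
    """Back-end issues a signed token after login; the subject is bound to the signature."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user_id}).encode()).decode()
    sig = hmac.new(BACKEND_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def token_subject(token: str):
    """Return the subject of a validly signed token, or None if it is missing or tampered."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(BACKEND_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub")

def backend_fetch_documents(token: str, requested_user: str) -> list:
    """Back-end handler and the only way to read documents. The record set is chosen
    by the token's subject, never by the user id the front-end asks for, and there
    is deliberately no 'list everything' operation on this service."""
    subject = token_subject(token)
    if subject is None:
        raise AccessDenied("invalid or tampered token")
    if requested_user != subject:
        raise AccessDenied("token is not entitled to another account's data")
    return list(RECORDS.get(subject, []))

def frontend_documents_page(token: str, requested_user: str) -> dict:
    """Front-end tier: holds no data and no key, it can only relay the caller's token.
    Compromising this tier exposes at most the sessions that are currently logged in."""
    try:
        return {"ok": True, "documents": backend_fetch_documents(token, requested_user)}
    except AccessDenied as exc:
        return {"ok": False, "error": str(exc)}
```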

Security comes in layers. For the most part it is easy to just walk in and take their server away; obviously there are easier ways than that, but most organisations do not understand how easy it is for attackers to just come in and attack. Wireless input devices, cameras pointing towards admin keyboards, USB keyboard wedges, WiFi-based fake hotspots, rigged USB devices and chargers, you name it, it all exists, and the most vulnerable are the users of these systems, as most organisations fail on basic training, let alone training for social engineering, phishing and more advanced techniques.