Security assessment: audits and penetration tests

Industry: Staffing & Recruiting

Country: Austria

Project Description:

A large Austrian recruiting company approached us to conduct web application security testing and pentest. The main goal of the project was to identify and remediate vulnerabilities in their web applications to ensure data protection and improve overall security.

The project included the following major phases:

1. Web Application Security Analysis. Conducting a comprehensive security analysis of the web applications used by the company.
2. Penetration Testing. Conducting a pentest to identify vulnerabilities and testing them for exploitability.
3. Preparing a report and recommendations. Developing a detailed report describing all identified vulnerabilities and providing recommendations for remediation.

Results:

• Several critical vulnerabilities were identified that could lead to compromise of user data.
• The company received a detailed report with recommendations on how to remediate the identified vulnerabilities.
• Implementation of the proposed measures significantly improved the security level of the company's web applications.

Project Features:

The project was characterized by a high degree of responsibility, as the company processed a large amount of personal data of users from different countries. Our experts used advanced methods and tools for security testing. This allowed us to identify and eliminate all critical vulnerabilities, protecting users' data, increasing their trust in the company and drastically reducing the risk of high fines for security breaches.

Industry: Banking

Country: Kyrgyzstan

Project Description:

A large bank in Kyrgyzstan approached us to conduct Performance and Volumetric DDoS Testing of their IT systems. The main goal of the project was to test the resistance of the banking system to high loads and also to ensure its stability and security.

The project included the following basic ethics:

1. Preparation of the test environment. Setting up and configuring the test environment to simulate maximum loads on the system.
2. Testing of the maximum load on the banking system to identify its weaknesses and assess its resistance to Volumetric DDoS attacks.
3. Report and recommendations. Development of a detailed report describing the test results and providing recommendations for improving the system's resistance to high loads.

Results:

• Several vulnerabilities in the system were identified that could lead to unstable performance under high loads.
• The client received a detailed report with recommendations on how to improve system stability.
• Implementation of the proposed measures significantly improved the stability and security of the bank's IT systems under high loads.

Project peculiarities:

Our specialists were not immediately able to achieve failure of the target system even when purchasing the most powerful cloud server and launching a variety of attacks.

In coordination with the customer, we rented a real botnet and resumed testing at a new level. This allowed us to achieve system denial of service on several network protocols. Our experts demonstrated a high level of professionalism and used advanced techniques of load testing, DDoS testing and chaos engineering. This allowed us to successfully identify all critical vulnerabilities, determine load limits for several parameters, and ensure the stability and security of the client's systems.

Industry: Information Technology and Services

Country: USA

Project Description:

A leading US SaaS company approached us to conduct a black box pentest. The main objective of the project was to identify vulnerabilities in the client's IT infrastructure and protect it from potential threats.

The project included the following main stages:

1. Reconnaissance and information gathering. Conducting open source intelligence (OSINT), external analysis, and gathering information about target systems without knowledge of their internals.
2. Vulnerability Analysis. Using various methods and tools to find vulnerabilities in systems.
3. Vulnerability Exploitation. Testing the exploitability of the found vulnerabilities to assess their real danger.
4. Report and recommendations. Preparation of a detailed report describing all found vulnerabilities, their criticality and recommendations for their elimination.

Results:

• The types of software in use and sensitive company data were identified in external sources outside of the company's infrastructure.
• Several critical vulnerabilities were identified and confirmed that could lead to serious operational consequences.
• The client received a detailed report with recommendations on how to fix the vulnerabilities found, fixed them on their own, and then we performed a post-assessment for verification.
• The pentest allowed us to significantly improve the security level of the company's IT infrastructure.

Project peculiarities:

This project was notable for its complexity, the amount of infrastructure and the need for full testing with no prior information about the infrastructure or systems. The customer did not provide any information other than a range of IP addresses. Nevertheless, our specialists demonstrated a high level of professionalism and used advanced techniques, which allowed us to successfully identify all critical vulnerabilities and information leaks, as well as ensure the client's security from external threats.

The security audit of a large brewery was started with the inventory of IT and OT assets. We helped the customer compile a complete register of active devices (computers, PLCs, operator panels, frequency converters, managed and unmanaged switches, etc.). Then we checked the system access mode and found serious violations. Then we checked for passwords on all devices that support it.

During the audit, we checked the availability of source code for all programmable devices. Some source code was stored in an unreliable state. We checked the correspondence of the offline and online versions and synchronized several versions.

After that, we checked the PLC firmware versions (Siemens S7-315, S7-416, S7-1215, S7-1515, Schneider Electric Quantum, M251) and the HMI/SCADA software versions (WinCC SCADA, Citect SCADA) for critical updates.

Also at this stage, we examined the availability and strength of encryption of all networks supporting it.

Then we checked all systems for viruses, ransomware, crypto miners and other malware, as well as for technical vulnerabilities in systems.

Finally, we assessed the risks and made recommendations to address deficiencies and reduce risks. All results were presented as a detailed security assessment report.

Learn more about security of industrial IT and OT and SCADA security.

A small financial organization, connected to the international payment systems Visa and Mastercard, faced the need to comply with the requirements of PCI DSS standard. Among them, there is a requirement to perform an external and internal penetration test regularly. During the analysis of the infrastructure scope (cardholder data environment), detailed parameters of the external pentest were agreed. The parameters included grey-box and black-box modes, and the list of target objects, namely, the Internet-facing services and Web applications.

As a result of the pentest, multiple vulnerabilities in the web applications were discovered (PHP injections, cross-site scripting, direct object references, missing software update mechanisms, insecure default Web server configurations, no access control on the functional level, buffer overflows, an error in the web application code).

During the project, no real penetration ways were found, but potential vulnerabilities were present. The customer received a comprehensive report on the vulnerabilities and how to enhance the security of the infrastructure. The report was made in accordance with the requirements of PCI DSS, including a description of the penetration test methodology that was used during the project.

Learn more about penetration testing.

A medium-sized retailer implemented internal and external information security requirements. Some of them required a complete analysis of the enterprise's infrastructure, including penetration tests in grey-box and white-box modes. During the pentest, the following vulnerabilities and weaknesses were found:

• Vulnerabilities in the web applications (no validity checks of requests in the applications, data transfer through an unencrypted HTTP channel).
• Deficiencies in privilege management (domain accounts for various services and applications had too high privileges).
• The possibility of e-mail forgery (no DKIM / DMARC signature systems on mail servers).
• Deficiencies in monitoring processes of security events (no "auditd" customization for events).
• The possibility of an unauthorized device connecting to the network (DHCP snooping, no port security).

During the pentest, as a demonstration of vulnerability, unauthorized access to the network equipment was emulated. The customer received a full report on the vulnerabilities and the recommendations how to eliminate them. Learn more about pentest.

A big industrial plant with about 10,000 employees needed an assessment of IT infrastructure compliance with security requirements. The plant ordered penetration test in grey-box and white-box modes. Local area network servers were chosen as the pentest target objects. During the project, the following vulnerabilities and weaknesses were found:

• Deficiencies in the event monitoring and security incident response processes (lack of measures to prevent intrusions, and recover from incidents).
• Deficiencies in configuration management (uncontrolled test and guest network hosts in the corporate domain).
• Deficiencies in access and privilege management (open login via ssh for the standard root account; single administrator account for DC, network equipment, and user workstation management).
• Other technical vulnerabilities (proxy auto-detection for software was enabled).

Unauthorized access by insiders was modelled during the project. The customer received a full report on vulnerabilities and how to eliminate them.

Learn more about penetration testing.

A mid-sized telecommunication company, motivated to comply with external security requirements, requested the implementation of a complex information security system and overall security assessment. The customer chose grey-box and white-box penetration testing modes. The target objects of the pentest were external servers, DMZ, web applications, and internal nodes of the local area network. During the project, the following vulnerabilities and deficiencies were discovered:

• Network configuration errors, lack of segmentation (lack of separate VLAN for management interfaces iLO, IMPI, IP KVM, etc.).
• Weak passwords on the active network devices.
• Hidden resources were accessible (ADMIN$, C$, D$, etc.).

As a result of the vulnerability exploitation, documents containing confidential data were extracted. Therefore, unauthorized access by an intruder was emulated. The customer received a comprehensive report about the vulnerabilities and their remediation methods.

Learn more about penetration testing.

A nationwide pharmacy network ordered an external pentest of their computer network. Black-box mode was chosen.

During the project, it was discovered that all critical IT infrastructure was behind a firewall. It seemed, there were no chances to penetrate. Then we decided to check the points of sales so checked several pharmacies. One of them had a Mikrotik router with a default password. This type of router has a blank default password, so the router was "compromised". It had OpenVPN, locally stored certificates, and allowed sniffing. We intercepted the traffic and found confidential information of the sales and accounting system. Then we extracted certificates from the compromised router, made a fake point of sale, and connected to the VPN server. We impersonated one of the pharmacies in the network. This way we penetrated the customer’s internal IT infrastructure that was protected by the firewall and seemed impenetrable. We explored the Active Directory network, found an SQL server with domain authentication and penetrated it using a password that had been extracted using ‘mimikatz’ utility.

The project was completed with the conclusion that penetration was possible, and the customer's information security level was low. The customer received the risk assessment results, information about the vulnerabilities, and recommendations on how to remediate them and harden the IT infrastructure.

Learn more about penetration testing.

We were approached by a company that was planning to enter the promising cryptocurrency market. To accomplish this goal, the company had developed a cryptocurrency exchange web application. Before publishing the application on the Internet, the company decided to perform an information security audit, using penetration testing methods according to the OWASP methodology. They requested such a service from us.

The testing was conducted in black-box mode: at the initial stage, the auditors had at their disposal only the URL of the application that was being tested.

In the course of the pentest, we found that attackers were able to do the following:

• Take advantage of the missing input filtering in the ‘meeting room’ functionality and conduct an XSS attack on a user or administrator. This was successfully confirmed when the dialog was opened by a test victim (the user or administrator who received the message). The script functionality could be anything: for example, hidden mining, a fake authentication form, etc., up to complete control over the victim's computer.
• Take advantage of flaws in the file upload functionality of the web application and access the server file system (ability to read, upload, delete files), execute arbitrary commands on the server, execute SQL queries, make connections from the server interface to other systems, i.e. the attacker could gain complete control over the server and the data could be completely compromised.
• After gaining control over the server, take advantage of the deficiencies in cryptographic protection (in particular, no integrity control of transaction data in the application) and make changes to the account balance.
• Bypass the check when sending messages and impersonate another user or administrator, therefore mislead the victim and commit fraudulent actions.
• Identify registered users.
• Attack user passwords.
• Receive unauthorized access to files that other users have downloaded.

The customer received an exhaustive report on vulnerabilities and how to fix them. After the vulnerabilities were eliminated, the auditors checked again that the system was now secure. And only after this was the web application published on the Internet.

Therefore, the audit using penetration testing methods saved the customer from possible reputational and financial losses.

Learn more about penetration testing.