Annual Pentesting and Phishing Simulation for a Healthcare IT Provider
About Our Customer
The Customer is a US-based company specializing in healthcare software and IT services. Having decades of experience in the domain, the Customer has helped hundreds of healthcare providers optimize their clinical information systems.
Healthcare IT Vendor Looking for Cybersecurity Experts
Working in the healthcare domain, the Customer places a special emphasis on regulatory compliance and cybersecurity. To perform annual security testing of its IT infrastructure and assets, the company was looking for a reliable cybersecurity provider with expertise in healthcare IT.
Long-Term Partnership to Uphold Solid Cyber Defenses
With two decades of experience in cybersecurity and healthcare IT, ScienceSoft fully met the Customer’s criteria for a long-term partner. Since the start of our cooperation in 2020, ScienceSoft has completed a cybersecurity risk assessment of the Customer’s IT infrastructure, conducted three pentests, and implemented Microsoft Defender for endpoint protection against advanced persistent threats. Satisfied with the service quality, the Customer enlisted ScienceSoft’s Certified Ethical Hackers for the fourth annual pentest and a social engineering attack simulation.
Vulnerability assessment
ScienceSoft’s pentesters started with automated scanning of the Customer’s web application and external network to identify as many vulnerabilities as possible. They followed up with manual validation of the detected issues to exclude false positives.
Black box penetration testing
At this stage, the goal was to attempt to exploit the weaknesses and gain unauthorized access to the Customer’s IT infrastructure and data. ScienceSoft’s team conducted penetration testing, including input data manipulation and brute forcing, according to the PTES, OWASP Web Security Testing Guide, and NIST 800-115 methodology.
The testing revealed issues such as unencrypted data, security misconfigurations, software with known vulnerabilities, and an outdated software component.
To fix these issues, our team recommended the following measures:
- Encrypting the data stored in the ViewState parameter of ASP.NET — to avoid potential sensitive information disclosure.
- Implementing the missing security headers — to enhance the protection against XSS, clickjacking, and other attacks.
- Installing the latest version of the remote web server (Microsoft IIS) — to replace the version with known vulnerabilities and mitigate the risk of confidential information disclosure and DoS attacks.
- Updating the outdated software to the latest version — to avoid the risks associated with unsupported software versions that no longer receive security updates.
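As an added illustration, not the Customer's configuration or part of ScienceSoft's deliverable, the following web.config shows how the first two recommendations (ViewState encryption and the missing security headers) translate into ASP.NET and IIS settings. The weak settings appear in comments next to the hardened ones. The header values, in particular the Content-Security-Policy, are assumptions that a team would tune to its own application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative web.config (constructed for this example, not the Customer's file).
     It hardens two of the findings listed above: unencrypted ViewState and
     missing security headers. -->
<configuration>
  <system.web>
    <!-- Weak (sensitive-information disclosure risk):
         <pages viewStateEncryptionMode="Never" enableViewStateMac="false" />
         Note: enableViewStateMac="false" is ignored from .NET 4.5.2 onward,
         but older targets still honor it.
         Hardened: always encrypt ViewState and keep the MAC check on, so the
         serialized page state can be neither read nor tampered with. -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
    <!-- Do not advertise the ASP.NET version in the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Session and forms cookies: HTTPS only and not readable by script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Weak: no customHeaders section at all, so browsers receive no
             clickjacking, MIME-sniffing or transport-security guidance. -->
        <!-- Remove a technology-disclosure header added by ASP.NET. -->
        <remove name="X-Powered-By" />
        <!-- Clickjacking: refuse to be framed by any origin. -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- MIME sniffing: make browsers honor the declared content type. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- Protocol downgrade: HSTS for one year, subdomains included. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <!-- XSS mitigation: assumed starting policy, tighten or relax per application. -->
        <add name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'none'; object-src 'none'" />
        <!-- Limit referrer leakage to third parties. -->
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Stop IIS from advertising its version in the Server header (IIS 10 and later). -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

Two caveats a practitioner would check before deploying this. ViewState encryption relies on the machineKey; on a web farm the key must be set explicitly and shared across nodes, otherwise postbacks routed to a different node fail MAC validation. And because customHeaders are attached to every response, the Strict-Transport-Security header is also sent over plain HTTP, where browsers simply ignore it; if that is undesirable, emit it through an outbound URL Rewrite rule conditioned on HTTPS. After deployment, a quick retest is to fetch a page with `curl -I` and confirm the new headers are present and X-AspNet-Version, X-Powered-By and the Server version string are gone.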
Social engineering testing
ScienceSoft’s team examined publicly available information about the company. Based on the collected data, the pentesters prepared and ran several phishing attack scenarios against the gathered email addresses of the employees.
The first attempt revealed that the Customer’s email security controls effectively protected users against phishing attacks. The second phishing attack simulation started after the Customer manually whitelisted our IPs to let the attacks pass through the filters. Our pentesters sent emails with malicious URLs as well as emails with fake invitations and forms. However, the Customer’s employees followed the safety precautions and did not open unknown links.
Improved Cyber Security Posture and Confidence in Employee Vigilance
Thanks to its prior knowledge of the Customer's IT environment, our team performed a vulnerability assessment, penetration testing, and social engineering testing in just five days. The Customer got a comprehensive report on the vulnerabilities identified in its web app and external network. The vulnerabilities were classified according to their severity level in line with OWASP TOP 10 and NIST CVSS threat classification standards.
The report also featured detailed remediation recommendations to reduce the risks of sensitive data disclosure and cyberattacks like XSS, clickjacking, and DoS. After implementing these recommendations, the Customer improved its cyber security posture, which was confirmed during a retest.
The social engineering simulation conducted by ScienceSoft proved the high vigilance of the Customer’s employees.
The Customer is fully satisfied with our partnership and plans to continue engaging ScienceSoft for annual security checkups.
Technologies and Tools
Metasploit, Nessus, BurpSuite, Acunetix, Nmap, DirB, SSLScan, TLSSLed, Python, C, Perl.