Gray Box Pentesting for a US Nonprofit Supporting 7 Million Households
About Our Customer
The Customer is a nonprofit organization advocating for a more equitable and efficient benefits system in the US. In almost 20 years of its existence, the organization has supported over 7 million households in need of healthcare, food, and shelter.
Need for a Cybersecurity Expert to Verify Sensitive Data Security
The Customer assists American citizens with accessing public benefits and runs a web application with a self-screening tool that helps individuals find public benefit programs they may be eligible for. The organization was looking for an experienced cybersecurity vendor to verify that the protected health information (PHI) and personally identifiable information (PII) of its beneficiaries was adequately secured.
Trusting our 20+ years of experience in cybersecurity, the Customer enlisted ScienceSoft to test the security of its intranet and benefits eligibility app and check employee security awareness.
Gray Box Pentesting and Phishing Campaign Simulation
Vulnerability assessment and penetration testing
ScienceSoft’s pentesters started the vulnerability assessment with automated scanning of the target public-facing app and private network. They followed up with manual verification of the detected security weaknesses to eliminate false positives.
The Customer provided ScienceSoft with user credentials to enable gray box pentesting. Our pentesters evaluated the potential impact of the verified security weaknesses using techniques such as input data manipulation and access control checks. The testing activities were based on the PTES, the OWASP Web Security Testing Guide, and NIST SP 800-115.
During the pentest, ScienceSoft found that the Customer had a network device with the Cisco Smart Install feature enabled. By design, Smart Install (TCP port 4786) does not enforce any authentication. Without compensating security controls in place, a remote attacker could abuse it to retrieve the device's configuration file, which contains password hashes, encryption keys, and other sensitive information. An attacker could also force the device to reload, causing a denial of service (DoS) condition.
Another device on the internal network still used vendor default credentials, which allowed our pentesters to guess the login details and access the device's management interface.
ScienceSoft also revealed the lack of brute-force protection in the web app: the pentesters performed 3,400+ login attempts without being stopped by any anti-brute-force mechanism such as account lockout, rate limiting, or IP blocking.
To fix these and other detected issues, our team recommended the following measures:
- Applying access control lists (ACLs) so that only the Smart Install director can open a TCP connection (port 4786) to the Smart Install clients; on devices that do not use the feature at all, Cisco's guidance is to disable it outright with `no vstack`. Our pentesters also advised configuring Cisco Control Plane Policing (CoPP) to shield the device's control plane from unnecessary traffic.
- Making sure devices on the network are not using default credentials and implementing a strong password policy.
- Implementing rate limiting, account lockout after repeated failed logins, and a CAPTCHA or similar challenge on the web app's login, so that credential guessing is detected and stopped instead of running unhindered.
- Configuring the High or FIPS Compliant encryption level for Remote Desktop Protocol (RDP) sessions. With a weaker encryption level, Terminal Services traffic is easier for an attacker to eavesdrop on.
- Updating outdated and vulnerable software to the latest versions so that known vulnerabilities cannot be exploited to breach data.
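The brute-force finding above (3,400+ unthrottled login attempts) and the matching recommendation (rate limiting plus account lockout) are easiest to reason about with the controls in code. The following is an added example written for this page, not the Customer's application or ScienceSoft's deliverable. It combines a sliding-window limit per source IP with a per-account lockout, verifies passwords with PBKDF2 behind a constant-time comparison, and replays a 3,400-attempt guessing run against a fake clock. The usernames, IP addresses, password, and policy numbers (5 failures, 15-minute lockout, 20 attempts per IP per minute) are assumptions chosen for illustration.

```python
"""Login throttling: per-IP sliding-window rate limit plus per-account lockout.

Added example for this page; policy values below are assumptions, not the
Customer's real settings.
"""
import hashlib
import hmac
import os
import time
from collections import Counter, defaultdict, deque

MAX_FAILURES_PER_ACCOUNT = 5      # consecutive failures before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60         # lockout duration (assumed)
IP_WINDOW_SECONDS = 60            # sliding window for the per-IP limit (assumed)
IP_MAX_ATTEMPTS_PER_WINDOW = 20   # attempts per source IP per window (assumed)
PBKDF2_ITERATIONS = 20_000        # lowered for the demo; use a production-strength count or Argon2


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Dummy record so unknown usernames cost the same KDF work as real ones.
DUMMY_RECORD = hash_password("dummy", b"\x00" * 16)


class LoginThrottle:
    def __init__(self, users, clock=time.monotonic):
        self._users = users                  # username -> (salt, digest)
        self._clock = clock                  # injectable clock for deterministic tests
        self._failures = defaultdict(int)    # consecutive failures per account
        self._locked_until = {}              # account -> unlock time
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps inside the window
        self.verified_guesses = 0            # guesses that actually reached the KDF

    def _ip_allowed(self, ip, now):
        window = self._ip_attempts[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                 # drop attempts older than the window
        if len(window) >= IP_MAX_ATTEMPTS_PER_WINDOW:
            return False
        window.append(now)
        return True

    def attempt(self, username, password, ip):
        """Return 'rate_limited', 'locked', 'invalid' or 'ok'.

        A production endpoint would return one generic error to the client and
        keep these distinctions in its logs only.
        """
        now = self._clock()
        if not self._ip_allowed(ip, now):
            return "rate_limited"
        if self._locked_until.get(username, 0) > now:
            return "locked"
        # Always run the KDF (against the dummy record for unknown users) so
        # response time does not reveal whether the username exists.
        salt, stored = self._users.get(username, DUMMY_RECORD)
        _, supplied = hash_password(password, salt)
        self.verified_guesses += 1
        if hmac.compare_digest(stored, supplied) and username in self._users:
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES_PER_ACCOUNT:
            self._failures.pop(username, None)
            self._locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def simulate_brute_force(attempts=3400, step_seconds=0.5):
    """Replay a guessing run against one account from one IP (constructed data).

    A fake clock advances step_seconds per attempt so the result is deterministic.
    Returns (outcome counts, number of guesses that reached the password check).
    """
    now = [0.0]
    throttle = LoginThrottle({"jdoe": hash_password("correct horse")}, clock=lambda: now[0])
    outcomes = Counter()
    for i in range(attempts):
        now[0] = i * step_seconds
        outcomes[throttle.attempt("jdoe", f"guess{i}", "203.0.113.7")] += 1
    return dict(outcomes), throttle.verified_guesses


def legitimate_user_during_and_after_lockout():
    """The trade-off of account lockout: while 'jdoe' is locked, even the right
    password from another IP fails (an attacker can lock users out on purpose);
    it works again once the lockout expires."""
    now = [0.0]
    throttle = LoginThrottle({"jdoe": hash_password("correct horse")}, clock=lambda: now[0])
    for _ in range(MAX_FAILURES_PER_ACCOUNT):
        throttle.attempt("jdoe", "wrong", "203.0.113.7")
    during = throttle.attempt("jdoe", "correct horse", "198.51.100.4")
    now[0] = LOCKOUT_SECONDS + 1
    after = throttle.attempt("jdoe", "correct horse", "198.51.100.4")
    return during, after


if __name__ == "__main__":
    counts, guesses = simulate_brute_force()
    print("outcomes:", counts, "| guesses that reached the KDF:", guesses)
    print("legitimate user during/after lockout:", legitimate_user_during_and_after_lockout())
```

With these settings only ten of the 3,400 guesses are ever checked against the stored hash; the rest are rejected by the IP window or the account lockout before any password work happens. The second function shows why lockout alone is not enough: it lets an attacker deny service to the targeted account, which is why the recommendation pairs it with rate limiting and a CAPTCHA-style challenge rather than relying on lockout by itself.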
Social engineering testing
ScienceSoft’s pentesters ran several social engineering scenarios against the 325 email addresses of the Customer’s employees. They sent emails with malicious URLs, fake forms, and executable files.
Most users stayed vigilant and did not fall for the phishing emails, but eight employees followed the malicious link and one employee submitted their credentials via a fake form. Based on these results, ScienceSoft recommended that the Customer provide security awareness training to its employees.
Full Insight Into Cybersecurity Posture and Employee Vigilance
In ten days, ScienceSoft performed security testing of 30+ IP addresses, 3 URLs, and 325 email addresses for a prominent US nonprofit. The Customer got a comprehensive report detailing the identified vulnerabilities, their potential impact, and actionable remediation guidelines. Using ScienceSoft’s remediation advice, the Customer enhanced the protection of its beneficiaries’ PHI and PII, which our pentesters confirmed during a retest.
Technologies and Tools
Metasploit, Nessus, Burp Suite, Acunetix, Nmap, tcpdump, SQLMap, Zed Attack Proxy (ZAP), JWT_Tool, SMBMap, Responder, Impacket, Invoke-Obfuscation, enum4linux, snmp-check, DNSRecon, NBTscan, Printer Exploitation Toolkit, Remote Server Administration Tools (RSAT), PHP, Bash, Python, PowerShell.