Careers

For journalists

email contact@scnsoft.com en flag +1 214 306 68 37
en flag +1 214 306 68 37
Contact us
Gray Box Pentesting for a US Nonprofit Supporting 7 Million Households

Gray Box Pentesting for a US Nonprofit Supporting 7 Million Households

Industry
Public Services

About Our Customer

The Customer is a nonprofit organization advocating for a more equitable and efficient benefits system in the US. In almost 20 years of its existence, the organization has supported over 7 million households in need of healthcare, food, and shelter.

Need for a Cybersecurity Expert to Verify Sensitive Data Security

The Customer assists American citizens with accessing public benefits and has a web application with a self-screening tool that helps individuals find public benefit programs they may be eligible for. The organization was looking for an experienced cybersecurity vendor to verify the security of the personal health information (PHI) and personally identifiable information (PII) of its beneficiaries.

Trusting our 20+ years of experience in cybersecurity, the Customer enlisted ScienceSoft to test the security of its intranet and benefits eligibility app and check employee security awareness.

Gray Box Pentesting and Phishing Campaign Simulation

Vulnerability assessment and penetration testing

ScienceSoft’s pentesters started the vulnerability assessment with automated scanning of the target public-facing app and private network. They followed up with manual verification of the detected security weaknesses to eliminate false positives.

The Customer provided ScienceSoft with user credentials to enable gray box pentesting. Our pentesters evaluated the potential impact of the verified security weaknesses using techniques like input data manipulation and access control checks. The testing activities were based on the PTES, OWASP Web Security Testing Guide, and NIST 800-115 methodology.

During the pentest, ScienceSoft revealed that the Customer had a network device with the Cisco Smart Install feature enabled. By design, this feature does not enforce any authentication. Without appropriate security controls in place, this could be abused by a remote attacker to steal configuration files with password hashes, encryption keys, and other sensitive information. An attacker could also force the device to reload, causing a denial of service (DoS) condition.

Another device on the internal network used default credentials, which allowed our pentesters to guess the login details and access the device's control interface.

ScienceSoft also revealed the lack of brute-force protection in the web app: pentesters could perform 3,400+ login attempts without being interfered by any anti-brute-force mechanisms like account lockout or IP blocking.

To fix these and other detected issues, our team recommended the following measures:

  • Applying access control lists (ACLs) to ensure that only the Smart Install director has a TCP connection to all Smart Install clients. Our pentesters also advised configuring Cisco Control Plane Policing to protect the routing protocol from unnecessary traffic.
  • Making sure devices on the network are not using default credentials and implementing a strong password policy.
  • Implementing rate limiting mechanisms, brute force protection, and account lockout or captcha mechanism.
  • Configuring a High or FIPS Compliant encryption level for Remote Desktop Protocol (RDP). Otherwise, using weak cryptography with Terminal Services could allow an attacker to eavesdrop on the communications more easily.
  • Updating the outdated and vulnerable software to the latest versions to avoid exploitation of known vulnerabilities and data breaches.

Social engineering testing

ScienceSoft’s pentesters ran several social engineering scenarios against the 325 email addresses of the Customer’s employees. They sent emails with malicious URLs, fake forms, and executable files.

Based on the phishing campaign results, ScienceSoft recommended that the Customer provide security awareness training to its employees. Even though most of the users stayed vigilant and did not fall for the phishing emails, eight employees followed the malicious link, and one employee submitted their credentials via a fake form.

Full Insight Into Cybersecurity Posture and Employee Vigilance

In ten days, ScienceSoft performed security testing of 30+ IP addresses, 3 URLs, and 325 email addresses for a prominent US nonprofit. The Customer got a comprehensive report detailing the identified vulnerabilities, their potential impact, and actionable remediation guidelines. Using ScienceSoft’s remediation advice, the Customer enhanced the protection of its beneficiaries’ PHI and PII, which our pentesters confirmed during a retest.

Technologies and Tools

Metasploit, Nessus, Burp Suite, Acunetix, Nmap, tcpdump, SQLMap, Zed Attack Proxy (ZAP), JWT_Tool, SMBMap, Responder, Impacket, Invoke-Obfuscation, enum4linux, snmp-check, DNSRecon, NBTscan, Printer Exploitation Toolkit, Remote Server Administration Tools (RSAT), PHP, Bash, Python, PowerShell.

Public Services Case Studies Security Testing Case Studies

Have a question to our team or need help with your project?

Our team is ready to provide client references, estimate your project, or answer any other question related to your IT initiative.

Upload file

Drag and drop or to upload your file(s)

?

Max file size 10MB, up to 5 files and 20MB total

Supported formats:

doc, docx, xls, xlsx, ppt, pptx, pps, ppsx, odp, jpeg, jpg, png, psd, webp, svg, mp3, mp4, webm, odt, ods, pdf, rtf, txt, csv, log

Get in touch instantly

Call us Email us WhatsApp Live chat

More Case Studies

Share:

facebook twitter linkedin